<feed xmlns='http://www.w3.org/2005/Atom'>
<title>kernel/linux.git/drivers/hid/bpf, branch v6.12.80</title>
<subtitle>Linux kernel stable tree (mirror)</subtitle>
<id>https://git.radix-linux.su/kernel/linux.git/atom?h=v6.12.80</id>
<link rel='self' href='https://git.radix-linux.su/kernel/linux.git/atom?h=v6.12.80'/>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/'/>
<updated>2026-03-25T10:08:46+00:00</updated>
<entry>
<title>HID: bpf: prevent buffer overflow in hid_hw_request</title>
<updated>2026-03-25T10:08:46+00:00</updated>
<author>
<name>Benjamin Tissoires</name>
<email>bentiss@kernel.org</email>
</author>
<published>2026-03-13T07:40:25+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=d6efaa50af62fb0790dd1fd4e7e5506b46312510'/>
<id>urn:sha1:d6efaa50af62fb0790dd1fd4e7e5506b46312510</id>
<content type='text'>
commit 2b658c1c442ec1cd9eec5ead98d68662c40fe645 upstream.

Right now the returned value is considered to be always valid. However,
when playing with HID-BPF, the return value can be arbitrarily big,
because it's the return value of dispatch_hid_bpf_raw_requests(), which
calls the struct_ops and we have no guarantees that the value makes
sense.

Fixes: 8bd0488b5ea5 ("HID: bpf: add HID-BPF hooks for hid_hw_raw_requests")
Cc: stable@vger.kernel.org
Acked-by: Jiri Kosina &lt;jkosina@suse.com&gt;
Signed-off-by: Benjamin Tissoires &lt;bentiss@kernel.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>HID: bpf: abort dispatch if device destroyed</title>
<updated>2025-05-22T12:29:44+00:00</updated>
<author>
<name>Rong Zhang</name>
<email>i@rong.moe</email>
</author>
<published>2025-05-12T15:24:19+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=f8544be7e8e55b0ef23e1ab90e23e8d4d4aad3d3'/>
<id>urn:sha1:f8544be7e8e55b0ef23e1ab90e23e8d4d4aad3d3</id>
<content type='text'>
commit 578e1b96fad7402ff7e9c7648c8f1ad0225147c8 upstream.

The current HID bpf implementation assumes no output report/request will
go through it after hid_bpf_destroy_device() has been called. This leads
to a bug that unplugging certain types of HID devices causes a cleaned-
up SRCU to be accessed. The bug was previously a hidden failure until a
recent x86 percpu change [1] made it access not-present pages.

The bug will be triggered if the conditions below are met:

A) a device under the driver has some LEDs on
B) hid_ll_driver-&gt;request() is unimplemented (e.g., logitech-djreceiver)

If condition A is met, hidinput_led_worker() is always scheduled *after*
hid_bpf_destroy_device().

hid_destroy_device
` hid_bpf_destroy_device
  ` cleanup_srcu_struct(&amp;hdev-&gt;bpf.srcu)
` hid_remove_device
  ` ...
    ` led_classdev_unregister
      ` led_trigger_set(led_cdev, NULL)
        ` led_set_brightness(led_cdev, LED_OFF)
          ` ...
            ` input_inject_event
              ` input_event_dispose
                ` hidinput_input_event
                  ` schedule_work(&amp;hid-&gt;led_work) [hidinput_led_worker]

This is fine when condition B is not met, where hidinput_led_worker()
calls hid_ll_driver-&gt;request(). This is the case for most HID drivers,
which implement it or use the generic one from usbhid. The driver itself
or an underlying driver will then abort processing the request.

Otherwise, hidinput_led_worker() tries hid_hw_output_report() and leads
to the bug.

hidinput_led_worker
` hid_hw_output_report
  ` dispatch_hid_bpf_output_report
    ` srcu_read_lock(&amp;hdev-&gt;bpf.srcu)
    ` srcu_read_unlock(&amp;hdev-&gt;bpf.srcu, idx)

The bug has existed since the introduction [2] of
dispatch_hid_bpf_output_report(). However, the same bug also exists in
dispatch_hid_bpf_raw_requests(), and I've reproduced (no visible effect
because of the lack of [1], but confirmed bpf.destroyed == 1) the bug
against the commit (i.e., the Fixes:) introducing the function. This is
because hidinput_led_worker() falls back to hid_hw_raw_request() when
hid_ll_driver-&gt;output_report() is unimplemented (e.g.,
logitech-djreceiver).

hidinput_led_worker
` hid_hw_output_report: -ENOSYS
` hid_hw_raw_request
  ` dispatch_hid_bpf_raw_requests
    ` srcu_read_lock(&amp;hdev-&gt;bpf.srcu)
    ` srcu_read_unlock(&amp;hdev-&gt;bpf.srcu, idx)

Fix the issue by returning early in the two mentioned functions if
hid_bpf has been marked as destroyed. Though
dispatch_hid_bpf_device_event() handles input events, and there is no
evidence that it may be called after the destruction, the same check, as
a safety net, is also added to it to maintain the consistency among all
dispatch functions.

The impact of the bug on other architectures is unclear. Even if it acts
as a hidden failure, this is still dangerous because it corrupts
whatever is on the address calculated by SRCU. Thus, CC'ing the stable
list.

[1]: commit 9d7de2aa8b41 ("x86/percpu/64: Use relative percpu offsets")
[2]: commit 9286675a2aed ("HID: bpf: add HID-BPF hooks for
hid_hw_output_report")

Closes: https://lore.kernel.org/all/20250506145548.GGaBoi9Jzp3aeJizTR@fat_crate.local/
Fixes: 8bd0488b5ea5 ("HID: bpf: add HID-BPF hooks for hid_hw_raw_requests")
Cc: stable@vger.kernel.org
Signed-off-by: Rong Zhang &lt;i@rong.moe&gt;
Tested-by: Petr Tesarik &lt;petr@tesarici.cz&gt;
Link: https://patch.msgid.link/20250512152420.87441-1-i@rong.moe
Signed-off-by: Benjamin Tissoires &lt;bentiss@kernel.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>HID: bpf: fix cfi stubs for hid_bpf_ops</title>
<updated>2024-09-27T18:15:21+00:00</updated>
<author>
<name>Benjamin Tissoires</name>
<email>bentiss@kernel.org</email>
</author>
<published>2024-09-27T14:17:41+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=acd5f76fd5292c91628e04da83e8b78c986cfa2b'/>
<id>urn:sha1:acd5f76fd5292c91628e04da83e8b78c986cfa2b</id>
<content type='text'>
With the introduction of commit e42ac1418055 ("bpf: Check unsupported ops
from the bpf_struct_ops's cfi_stubs"), a HID-BPF struct_ops containing
a .hid_hw_request() or a .hid_hw_output_report() was failing to load
as the cfi stubs were not defined.

Fix that by defining those simple static functions and restore HID-BPF
functionality.

This was detected with the HID selftests suddenly failing on Linus' tree.

Cc: stable@vger.kernel.org # v6.11+
Fixes: 9286675a2aed ("HID: bpf: add HID-BPF hooks for hid_hw_output_report")
Fixes: 8bd0488b5ea5 ("HID: bpf: add HID-BPF hooks for hid_hw_raw_requests")
Signed-off-by: Benjamin Tissoires &lt;bentiss@kernel.org&gt;
Signed-off-by: Jiri Kosina &lt;jkosina@suse.com&gt;
</content>
</entry>
<entry>
<title>HID: bpf: constify parameter rdesc of call_hid_bpf_rdesc_fixup()</title>
<updated>2024-08-27T14:18:51+00:00</updated>
<author>
<name>Thomas Weißschuh</name>
<email>linux@weissschuh.net</email>
</author>
<published>2024-08-03T12:34:17+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=a707f85d47cad3978bef8fe90c7a79e3998e9d36'/>
<id>urn:sha1:a707f85d47cad3978bef8fe90c7a79e3998e9d36</id>
<content type='text'>
The parameter is never modified, so mark it as const.
Also inline the return statement to avoid a type mismatch error.

This is a prerequisite for constification changes in the HID core.

Signed-off-by: Thomas Weißschuh &lt;linux@weissschuh.net&gt;
Link: https://patch.msgid.link/20240803-hid-const-fixup-v2-1-f53d7a7b29d8@weissschuh.net
Signed-off-by: Benjamin Tissoires &lt;bentiss@kernel.org&gt;
</content>
</entry>
<entry>
<title>HID: bpf: prevent the same struct_ops to be attached more than once</title>
<updated>2024-07-24T16:27:21+00:00</updated>
<author>
<name>Benjamin Tissoires</name>
<email>bentiss@kernel.org</email>
</author>
<published>2024-07-23T16:21:53+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=acd34cfc48b3dd46e5e4c4bdc99cc0c15568bac0'/>
<id>urn:sha1:acd34cfc48b3dd46e5e4c4bdc99cc0c15568bac0</id>
<content type='text'>
If the struct_ops is already attached, we should bail out or we will
end up in various locks and pointer issues while unregistering.

Link: https://patch.msgid.link/20240723-fix-6-11-bpf-v1-3-b9d770346784@kernel.org
Signed-off-by: Benjamin Tissoires &lt;bentiss@kernel.org&gt;
</content>
</entry>
<entry>
<title>hid: bpf: add BPF_JIT dependency</title>
<updated>2024-07-22T14:52:05+00:00</updated>
<author>
<name>Arnd Bergmann</name>
<email>arnd@arndb.de</email>
</author>
<published>2024-07-19T09:51:07+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=bacc15e010fc5a235fb2020b06a29a9961b5db82'/>
<id>urn:sha1:bacc15e010fc5a235fb2020b06a29a9961b5db82</id>
<content type='text'>
The module does not do anything when the JIT is disabled, but instead
causes a warning:

In file included from include/linux/bpf_verifier.h:7,
                 from drivers/hid/bpf/hid_bpf_struct_ops.c:10:
drivers/hid/bpf/hid_bpf_struct_ops.c: In function 'hid_bpf_struct_ops_init':
include/linux/bpf.h:1853:50: error: statement with no effect [-Werror=unused-value]
 1853 | #define register_bpf_struct_ops(st_ops, type) ({ (void *)(st_ops); 0; })
      |                                                  ^~~~~~~~~~~~~~~~
drivers/hid/bpf/hid_bpf_struct_ops.c:305:16: note: in expansion of macro 'register_bpf_struct_ops'
  305 |         return register_bpf_struct_ops(&amp;bpf_hid_bpf_ops, hid_bpf_ops);
      |                ^~~~~~~~~~~~~~~~~~~~~~~

Add a Kconfig dependency to only allow building the HID-BPF support
when a JIT is enabled.

Fixes: ebc0d8093e8c ("HID: bpf: implement HID-BPF through bpf_struct_ops")
Signed-off-by: Arnd Bergmann &lt;arnd@arndb.de&gt;
Link: https://patch.msgid.link/96a00b6f-eb81-4c67-8c4b-6b1f3f045034@app.fastmail.com
Signed-off-by: Benjamin Tissoires &lt;bentiss@kernel.org&gt;
</content>
</entry>
<entry>
<title>Merge tag 'for-linus-2024071601' of git://git.kernel.org/pub/scm/linux/kernel/git/hid/hid</title>
<updated>2024-07-18T00:28:31+00:00</updated>
<author>
<name>Linus Torvalds</name>
<email>torvalds@linux-foundation.org</email>
</author>
<published>2024-07-18T00:28:31+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=6e504d2c61244a01226c5100c835e44fb9b85ca8'/>
<id>urn:sha1:6e504d2c61244a01226c5100c835e44fb9b85ca8</id>
<content type='text'>
Pull HID updates from Benjamin Tissoires:

 - rewrite of the HID-BPF internal implementation to use bpf struct_ops
   instead of a tracing endpoint (Benjamin Tissoires)

 - add two new HID-BPF hooks to be able to intercept userspace calls
   targeting a HID device and filtering them (Benjamin Tissoires)

 - add support for various new devices through HID-BPF filters (Benjamin
   Tissoires)

 - add support for the magic keyboard backlight (Orlando Chamberlain)

 - add the missing MODULE_DESCRIPTION() macros in HID drivers (Jeff
   Johnson)

 - use of kvzalloc in case memory gets too fragmented (Hailong Liu)

 - retrieve the device firmware node in the child HID device (Danny
   Kaehn)

 - some hid-uclogic improvements (José Expósito)

 - some more typos, trivial fixes, kernel doctext and unused functions
   cleanups

* tag 'for-linus-2024071601' of git://git.kernel.org/pub/scm/linux/kernel/git/hid/hid: (60 commits)
  HID: hid-steam: Fix typo in goto label
  HID: mcp2221: Remove unnecessary semicolon
  HID: Fix spelling mistakes "Kensigton" -&gt; "Kensington"
  HID: add more missing MODULE_DESCRIPTION() macros
  HID: samples: fix the 2 struct_ops definitions
  HID: fix for amples in for-6.11/bpf
  HID: apple: Add support for magic keyboard backlight on T2 Macs
  HID: bpf: Thrustmaster TCA Yoke Boeing joystick fix
  HID: bpf: Add Huion Dial 2 bpf fixup
  HID: bpf: Add support for the XP-PEN Deco Mini 4
  HID: bpf: move the BIT() macro to hid_bpf_helpers.h
  HID: bpf: add a driver for the Huion Inspiroy 2S (H641P)
  HID: bpf: Add a HID report composition helper macros
  HID: bpf: doc fixes for hid_hw_request() hooks
  HID: bpf: doc fixes for hid_hw_request() hooks
  HID: bpf: fix gcc warning and unify __u64 into u64
  selftests/hid: ensure CKI can compile our new tests on old kernels
  selftests/hid: add an infinite loop test for hid_bpf_try_input_report
  selftests/hid: add another test for injecting an event from an event hook
  HID: bpf: allow hid_device_event hooks to inject input reports on self
  ...
</content>
</entry>
<entry>
<title>HID: bpf: Thrustmaster TCA Yoke Boeing joystick fix</title>
<updated>2024-07-01T12:48:44+00:00</updated>
<author>
<name>Benjamin Tissoires</name>
<email>bentiss@kernel.org</email>
</author>
<published>2024-06-27T09:54:22+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=f58e7f404da44c94e46bfe657b8707195aebd25a'/>
<id>urn:sha1:f58e7f404da44c94e46bfe657b8707195aebd25a</id>
<content type='text'>
This joystick's original HID descriptor is wrong &amp; it shows an
ABS_MISC axis in Linux that doesn't exist on the hardware.

Link: https://gitlab.freedesktop.org/libevdev/udev-hid-bpf/-/merge_requests/82
Signed-off-by: K S Iyer &lt;kumar.s.iyer65@gmail.com&gt;
Link: https://patch.msgid.link/20240627-import-bpf-v1-6-0dbcda4a5b1f@kernel.org
Signed-off-by: Benjamin Tissoires &lt;bentiss@kernel.org&gt;
</content>
</entry>
<entry>
<title>HID: bpf: Add Huion Dial 2 bpf fixup</title>
<updated>2024-07-01T12:48:39+00:00</updated>
<author>
<name>Benjamin Tissoires</name>
<email>bentiss@kernel.org</email>
</author>
<published>2024-06-27T09:54:21+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=9b52d81115db681efc1f83ded1d572e5b0b4fd49'/>
<id>urn:sha1:9b52d81115db681efc1f83ded1d572e5b0b4fd49</id>
<content type='text'>
Pretty much similar to the Inspiroy 2, but with 2 wheels and 8 buttons.

This bpf also works in both normal and vendor mode. If the device is
switched into vendor mode by huion-switcher, a udev property is set
which is then retrieved by this bpf object. This allows hiding the now
unused normal collections.

Link: https://gitlab.freedesktop.org/libevdev/udev-hid-bpf/-/merge_requests/103
Link: https://gitlab.freedesktop.org/libevdev/udev-hid-bpf/-/merge_requests/104
Link: https://gitlab.freedesktop.org/libevdev/udev-hid-bpf/-/merge_requests/111
Link: https://patch.msgid.link/20240627-import-bpf-v1-5-0dbcda4a5b1f@kernel.org
Signed-off-by: Benjamin Tissoires &lt;bentiss@kernel.org&gt;
</content>
</entry>
<entry>
<title>HID: bpf: Add support for the XP-PEN Deco Mini 4</title>
<updated>2024-07-01T12:48:37+00:00</updated>
<author>
<name>Benjamin Tissoires</name>
<email>bentiss@kernel.org</email>
</author>
<published>2024-06-27T09:54:20+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=f03741540dbab48f8a65da44aaadbe04216d9a42'/>
<id>urn:sha1:f03741540dbab48f8a65da44aaadbe04216d9a42</id>
<content type='text'>
The XP-PEN Deco Mini 4 is a UGEE device with a frame with 6 buttons.
Its pen has 2 buttons and supports pressure reporting.

Fix their report descriptors and transform the frame button events to
support it.

Link: https://gitlab.freedesktop.org/libevdev/udev-hid-bpf/-/merge_requests/88
Signed-off-by: José Expósito &lt;jose.exposito89@gmail.com&gt;
Link: https://patch.msgid.link/20240627-import-bpf-v1-4-0dbcda4a5b1f@kernel.org
Signed-off-by: Benjamin Tissoires &lt;bentiss@kernel.org&gt;
</content>
</entry>
</feed>
