From: Yiyang Chen <chenyy23@mails.tsinghua.edu.cn>
To: bot+bpf-ci@kernel.org
Cc: andrii@kernel.org, ast@kernel.org, bentiss@kernel.org,
bpf@vger.kernel.org, chenyy23@mails.tsinghua.edu.cn,
clm@meta.com, daniel@iogearbox.net, eddyz87@gmail.com,
ihor.solodrai@linux.dev, jikos@kernel.org, jolsa@kernel.org,
linux-input@vger.kernel.org, linux-kernel@vger.kernel.org,
linux-kselftest@vger.kernel.org, martin.lau@kernel.org,
martin.lau@linux.dev, memxor@gmail.com, shuah@kernel.org,
song@kernel.org, yonghong.song@linux.dev
Subject: Re: [PATCH bpf-next v2 2/2] selftests/hid: Cover hid_bpf_get_data() size overflow
Date: Mon, 22 Jun 2026 05:50:40 +0000 [thread overview]
Message-ID: <20260622055040.1929254-1-chenyy23@mails.tsinghua.edu.cn> (raw)
In-Reply-To: <b3b148b42eb198ac7194c1c0547e47275b9f5d31133eececaf1389f17caed5af@mail.kernel.org>
On Sat, Jun 20, 2026 at 03:11:00PM +0000, bot+bpf-ci@kernel.org wrote:
> That wrapping check was introduced in 658ee5a64fcf, and the fix commit
> carries a Fixes: tag for it. Should this test commit carry the same tag?
>
> Fixes: 658ee5a64fcf ("HID: bpf: allocate data memory for device_event BPF programs")
Yes, I will add the same Fixes tag to the selftest patch in v3 so the
regression test is tied to the commit that introduced the wrapping check.
> This was raised on an earlier posting and does not look addressed:
> the callback stores the result in the get_data_overflow_check global
> and always returns 0, while the userspace test asserts on that global
> rather than on the callback return value.
>
> Could the callback just return the helper result so the test can check
> the return value directly, instead of routing it through a separate
> global?
The callback's return value is not something the test can observe
directly. call_hid_bpf_rdesc_fixup() consumes it as a kernel-side
contract: a negative value falls back to the original report descriptor,
and a positive value becomes the new descriptor size (*size = ret). Its
only userspace-visible effect is therefore the report descriptor size,
so checking the return value would amount to checking that size, which
means perturbing it.
Since the callback returns int and hid_bpf_get_data() returns a pointer,
the only way to return the helper result is to convert it, e.g.
return !hid_bpf_get_data(hid_ctx, 2, ~0ULL);
On a fixed kernel the helper returns NULL, so this returns 1 and the
dispatch path truncates the report descriptor to 1 byte mid-test. The
BSS variable records that the helper rejected the overflowing range
while the callback still returns 0 and leaves the descriptor untouched.
This matches the existing convention in progs/hid.c: callback_check and
callback2_check are BPF-side globals the userspace tests assert on, and
the existing hid_rdesc_fixup callback returns a positive size only when
it actually rewrites the descriptor (sizeof(rdesc) + 73). The overflow
probe does not rewrite anything, so it returns 0 and reports the
helper's rejection through the BSS variable.
Thanks,
Yiyang
next prev parent reply other threads:[~2026-06-22 5:51 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-16 16:35 [PATCH bpf-next 0/2] HID: bpf: Fix hid_bpf_get_data() range check Yiyang Chen
2026-06-16 16:35 ` [PATCH bpf-next 1/2] " Yiyang Chen
2026-06-16 17:18 ` bot+bpf-ci
2026-06-16 22:52 ` Emil Tsalapatis
2026-06-16 16:35 ` [PATCH bpf-next 2/2] selftests/hid: Cover hid_bpf_get_data() size overflow Yiyang Chen
2026-06-16 23:03 ` Emil Tsalapatis
2026-06-20 14:22 ` [PATCH bpf-next v2 0/2] HID: bpf: Fix hid_bpf_get_data() range check Yiyang Chen
2026-06-20 14:22 ` [PATCH bpf-next v2 1/2] " Yiyang Chen
2026-06-20 14:22 ` [PATCH bpf-next v2 2/2] selftests/hid: Cover hid_bpf_get_data() size overflow Yiyang Chen
2026-06-20 15:11 ` bot+bpf-ci
2026-06-22 5:50 ` Yiyang Chen [this message]
2026-06-22 6:52 ` [PATCH bpf-next v3 0/3] HID: bpf: Fix hid_bpf_get_data() range check Yiyang Chen
2026-06-22 7:30 ` [PATCH bpf-next v3 1/3] " Yiyang Chen
2026-06-22 7:30 ` [PATCH bpf-next v3 2/3] selftests/hid: Load only requested struct_ops maps Yiyang Chen
2026-06-22 7:30 ` [PATCH bpf-next v3 3/3] selftests/hid: Cover hid_bpf_get_data() size overflow Yiyang Chen
2026-06-22 18:18 ` [PATCH bpf-next v3 1/3] HID: bpf: Fix hid_bpf_get_data() range check Eduard Zingerman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260622055040.1929254-1-chenyy23@mails.tsinghua.edu.cn \
--to=chenyy23@mails.tsinghua.edu.cn \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bentiss@kernel.org \
--cc=bot+bpf-ci@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=clm@meta.com \
--cc=daniel@iogearbox.net \
--cc=eddyz87@gmail.com \
--cc=ihor.solodrai@linux.dev \
--cc=jikos@kernel.org \
--cc=jolsa@kernel.org \
--cc=linux-input@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-kselftest@vger.kernel.org \
--cc=martin.lau@kernel.org \
--cc=martin.lau@linux.dev \
--cc=memxor@gmail.com \
--cc=shuah@kernel.org \
--cc=song@kernel.org \
--cc=yonghong.song@linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox