mirror of https://lore.kernel.org/lkml/
 help / color / mirror / Atom feed
From: Yiyang Chen <chenyy23@mails.tsinghua.edu.cn>
To: bot+bpf-ci@kernel.org
Cc: andrii@kernel.org, ast@kernel.org, bentiss@kernel.org,
	bpf@vger.kernel.org, chenyy23@mails.tsinghua.edu.cn,
	clm@meta.com, daniel@iogearbox.net, eddyz87@gmail.com,
	ihor.solodrai@linux.dev, jikos@kernel.org, jolsa@kernel.org,
	linux-input@vger.kernel.org, linux-kernel@vger.kernel.org,
	linux-kselftest@vger.kernel.org, martin.lau@kernel.org,
	martin.lau@linux.dev, memxor@gmail.com, shuah@kernel.org,
	song@kernel.org, yonghong.song@linux.dev
Subject: Re: [PATCH bpf-next v2 2/2] selftests/hid: Cover hid_bpf_get_data() size overflow
Date: Mon, 22 Jun 2026 05:50:40 +0000	[thread overview]
Message-ID: <20260622055040.1929254-1-chenyy23@mails.tsinghua.edu.cn> (raw)
In-Reply-To: <b3b148b42eb198ac7194c1c0547e47275b9f5d31133eececaf1389f17caed5af@mail.kernel.org>

On Sat, Jun 20, 2026 at 03:11:00PM +0000, bot+bpf-ci@kernel.org wrote:
> That wrapping check was introduced in 658ee5a64fcf, and the fix commit
> carries a Fixes: tag for it. Should this test commit carry the same tag?
>
>   Fixes: 658ee5a64fcf ("HID: bpf: allocate data memory for device_event BPF programs")

Yes, I will add the same Fixes tag to the selftest patch in v3 so the
regression test is tied to the commit that introduced the wrapping check.

> This was raised on an earlier posting and does not look addressed:
> the callback stores the result in the get_data_overflow_check global
> and always returns 0, while the userspace test asserts on that global
> rather than on the callback return value.
>
> Could the callback just return the helper result so the test can check
> the return value directly, instead of routing it through a separate
> global?

The callback's return value is not something the test can observe
directly.  call_hid_bpf_rdesc_fixup() consumes it as a kernel-side
contract: a negative value falls back to the original report descriptor,
and a positive value becomes the new descriptor size (*size = ret).  Its
only userspace-visible effect is therefore the report descriptor size,
so checking the return value would amount to checking that size, which
means perturbing it.

Since the callback returns int and hid_bpf_get_data() returns a pointer,
the only way to return the helper result is to convert it, e.g.

	return !hid_bpf_get_data(hid_ctx, 2, ~0ULL);

On a fixed kernel the helper returns NULL, so this returns 1 and the
dispatch path truncates the report descriptor to 1 byte mid-test.  The
BSS variable records that the helper rejected the overflowing range
while the callback still returns 0 and leaves the descriptor untouched.

This matches the existing convention in progs/hid.c: callback_check and
callback2_check are BPF-side globals the userspace tests assert on, and
the existing hid_rdesc_fixup callback returns a positive size only when
it actually rewrites the descriptor (sizeof(rdesc) + 73).  The overflow
probe does not rewrite anything, so it returns 0 and reports the
helper's rejection through the BSS variable.

Thanks,
Yiyang


  reply	other threads:[~2026-06-22  5:51 UTC|newest]

Thread overview: 16+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-06-16 16:35 [PATCH bpf-next 0/2] HID: bpf: Fix hid_bpf_get_data() range check Yiyang Chen
2026-06-16 16:35 ` [PATCH bpf-next 1/2] " Yiyang Chen
2026-06-16 17:18   ` bot+bpf-ci
2026-06-16 22:52   ` Emil Tsalapatis
2026-06-16 16:35 ` [PATCH bpf-next 2/2] selftests/hid: Cover hid_bpf_get_data() size overflow Yiyang Chen
2026-06-16 23:03   ` Emil Tsalapatis
2026-06-20 14:22 ` [PATCH bpf-next v2 0/2] HID: bpf: Fix hid_bpf_get_data() range check Yiyang Chen
2026-06-20 14:22   ` [PATCH bpf-next v2 1/2] " Yiyang Chen
2026-06-20 14:22   ` [PATCH bpf-next v2 2/2] selftests/hid: Cover hid_bpf_get_data() size overflow Yiyang Chen
2026-06-20 15:11     ` bot+bpf-ci
2026-06-22  5:50       ` Yiyang Chen [this message]
2026-06-22  6:52   ` [PATCH bpf-next v3 0/3] HID: bpf: Fix hid_bpf_get_data() range check Yiyang Chen
2026-06-22  7:30     ` [PATCH bpf-next v3 1/3] " Yiyang Chen
2026-06-22  7:30       ` [PATCH bpf-next v3 2/3] selftests/hid: Load only requested struct_ops maps Yiyang Chen
2026-06-22  7:30       ` [PATCH bpf-next v3 3/3] selftests/hid: Cover hid_bpf_get_data() size overflow Yiyang Chen
2026-06-22 18:18       ` [PATCH bpf-next v3 1/3] HID: bpf: Fix hid_bpf_get_data() range check Eduard Zingerman

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260622055040.1929254-1-chenyy23@mails.tsinghua.edu.cn \
    --to=chenyy23@mails.tsinghua.edu.cn \
    --cc=andrii@kernel.org \
    --cc=ast@kernel.org \
    --cc=bentiss@kernel.org \
    --cc=bot+bpf-ci@kernel.org \
    --cc=bpf@vger.kernel.org \
    --cc=clm@meta.com \
    --cc=daniel@iogearbox.net \
    --cc=eddyz87@gmail.com \
    --cc=ihor.solodrai@linux.dev \
    --cc=jikos@kernel.org \
    --cc=jolsa@kernel.org \
    --cc=linux-input@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-kselftest@vger.kernel.org \
    --cc=martin.lau@kernel.org \
    --cc=martin.lau@linux.dev \
    --cc=memxor@gmail.com \
    --cc=shuah@kernel.org \
    --cc=song@kernel.org \
    --cc=yonghong.song@linux.dev \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox