> commit 7c433bf4ab2de03b77e22dbd3984e39a386997a2 > Author: Yiyang Chen > Date: Tue Jun 16 16:35:06 2026 +0000 > > HID: bpf: Fix hid_bpf_get_data() range check > > hid_bpf_get_data() returns a pointer into the HID-BPF context data when > the caller-provided offset and size fit inside ctx->allocated_size. > > The current check adds rdwr_buf_size and offset before comparing the > result against ctx->allocated_size. Since both values are unsigned, a > very large size can wrap the sum below ctx->allocated_size and make the > helper return a pointer even though the requested range is not contained > in the backing buffer. > > Use a non-wrapping range check instead: reject offsets beyond the > allocation, then compare the requested size with the remaining bytes > after the offset. > > Fixes: 4171954f56fb ("HID: bpf/dispatch: regroup kfuncs definitions") > Signed-off-by: Yiyang Chen The Fixes tag points to commit 4171954f56fb, but that commit only moved hid_bpf_get_data() without changing its logic. Its commit message states "No code change, just move down the hid_bpf_get_data() kfunc definition". The vulnerable addition pattern 'rdwr_buf_size + offset > ctx->allocated_size' was actually introduced in commit 658ee5a64fcf ("HID: bpf: allocate data memory for device_event BPF programs"), which changed the field from ctx->size to ctx->allocated_size while keeping the same overflow-prone check. Should the Fixes tag reference the commit that introduced the buggy code: Fixes: 658ee5a64fcf ("HID: bpf: allocate data memory for device_event BPF programs") > diff --git a/drivers/hid/bpf/hid_bpf_dispatch.c b/drivers/hid/bpf/hid_bpf_dispatch.c > index d0130658091b..09b45c40d84f 100644 > --- a/drivers/hid/bpf/hid_bpf_dispatch.c > +++ b/drivers/hid/bpf/hid_bpf_dispatch.c > @@ -299,7 +299,8 @@ hid_bpf_get_data(struct hid_bpf_ctx *ctx, unsigned int offset, const size_t rdwr > > ctx_kern = container_of(ctx, struct hid_bpf_ctx_kern, ctx); > > - if (rdwr_buf_size + offset > ctx->allocated_size) > + if (offset > ctx->allocated_size || > + rdwr_buf_size > ctx->allocated_size - offset) > return NULL; > > return ctx_kern->data + offset; --- AI reviewed your patch. Please fix the bug or email reply why it's not a bug. See: https://github.com/kernel-patches/vmtest/blob/master/ci/claude/README.md CI run summary: https://github.com/kernel-patches/bpf/actions/runs/27633665618