On Tue Jun 16, 2026 at 12:35 PM EDT, Yiyang Chen wrote:
> Add a HID-BPF regression check for hid_bpf_get_data() requests whose
> size would overflow when added to the offset.
>
> The new rdesc fixup callback asks for offset 2 and size ~0ULL, then
> records whether the helper returns NULL. A vulnerable kernel returns a
> non-NULL pointer because the runtime check wraps the addition. A fixed
> kernel rejects the request. The test only checks the helper result and
> does not dereference the returned pointer.
>
> Also add KHDR_INCLUDES to the HID selftest build so hid_bpf.c sees the
> current kernel UAPI HID definitions on systems whose installed headers do
> not provide enum hid_report_type.
>
> Signed-off-by: Yiyang Chen <[email protected]>
> ---
> tools/testing/selftests/hid/Makefile | 2 +-
> tools/testing/selftests/hid/hid_bpf.c | 11 +++++++++++
> tools/testing/selftests/hid/progs/hid.c | 18 ++++++++++++++++++
> 3 files changed, 30 insertions(+), 1 deletion(-)
>
> diff --git a/tools/testing/selftests/hid/Makefile
> b/tools/testing/selftests/hid/Makefile
> index 50ec9e0406aba..357c6eb5ff5ee 100644
> --- a/tools/testing/selftests/hid/Makefile
> +++ b/tools/testing/selftests/hid/Makefile
> @@ -24,7 +24,7 @@ CXX ?= $(CROSS_COMPILE)g++
>
> HOSTPKG_CONFIG := pkg-config
>
> -CFLAGS += -g -O0 -rdynamic -Wall -Werror -I$(OUTPUT)
> +CFLAGS += -g -O0 -rdynamic -Wall -Werror -I$(OUTPUT) $(KHDR_INCLUDES)
> CFLAGS += -I$(OUTPUT)/tools/include
>
> LDLIBS += -lelf -lz -lrt -lpthread
> diff --git a/tools/testing/selftests/hid/hid_bpf.c
> b/tools/testing/selftests/hid/hid_bpf.c
> index 1e979fb3542ba..f0a210900e63d 100644
> --- a/tools/testing/selftests/hid/hid_bpf.c
> +++ b/tools/testing/selftests/hid/hid_bpf.c
> @@ -887,6 +887,17 @@ TEST_F(hid_bpf, test_rdesc_fixup)
> ASSERT_EQ(rpt_desc.value[4], 0x42);
> }
>
> +TEST_F(hid_bpf, test_rdesc_fixup_get_data_overflow)
> +{
> + const struct test_program progs[] = {
> + { .name = "hid_rdesc_fixup_get_data_overflow" },
> + };
> +
> + LOAD_PROGRAMS(progs);
> +
> + ASSERT_EQ(self->skel->bss->get_data_overflow_check, 1);
Can you just use the return value of the method? Why the separate
variable?
> +}
> +
> static int libbpf_print_fn(enum libbpf_print_level level,
> const char *format, va_list args)
> {
> diff --git a/tools/testing/selftests/hid/progs/hid.c
> b/tools/testing/selftests/hid/progs/hid.c
> index 5ecc845ef7921..c6ae2cd045b0e 100644
> --- a/tools/testing/selftests/hid/progs/hid.c
> +++ b/tools/testing/selftests/hid/progs/hid.c
> @@ -13,6 +13,7 @@ struct attach_prog_args {
>
> __u64 callback_check = 52;
> __u64 callback2_check = 52;
> +__u64 get_data_overflow_check;
>
> SEC("?struct_ops/hid_device_event")
> int BPF_PROG(hid_first_event, struct hid_bpf_ctx *hid_ctx, enum
> hid_report_type type)
> @@ -240,6 +241,23 @@ struct hid_bpf_ops rdesc_fixup = {
> .hid_rdesc_fixup = (void *)hid_rdesc_fixup,
> };
>
> +SEC("?struct_ops.s/hid_rdesc_fixup")
> +int BPF_PROG(hid_rdesc_fixup_get_data_overflow, struct hid_bpf_ctx *hid_ctx)
> +{
> + __u8 *data;
> +
> + data = hid_bpf_get_data(hid_ctx, 2 /* offset */, ~0ULL /* size */);
> + if (!data)
> + get_data_overflow_check = 1;
> +
> + return 0;
> +}
> +
> +SEC(".struct_ops.link")
> +struct hid_bpf_ops rdesc_fixup_get_data_overflow = {
> + .hid_rdesc_fixup = (void *)hid_rdesc_fixup_get_data_overflow,
> +};
> +
> SEC("?struct_ops/hid_device_event")
> int BPF_PROG(hid_test_insert1, struct hid_bpf_ctx *hid_ctx, enum
> hid_report_type type)
> {
