On Tue, 23 Jun 2026 06:23:12 +0000, Yiyang Chen wrote: > hid_bpf_get_data() exposes a pointer into the HID-BPF context data when > the caller-provided offset and size fit inside ctx->allocated_size. > The helper currently checks that range with: > > rdwr_buf_size + offset > ctx->allocated_size > > Since both operands are unsigned, a very large size can wrap the sum and > make an out-of-range request look valid. > > [...]
Applied to https://git.kernel.org/pub/scm/linux/kernel/git/hid/hid.git (for-7.2/upstream-fixes), thanks! [1/3] HID: bpf: Fix hid_bpf_get_data() range check https://git.kernel.org/hid/hid/c/2d044049421d [2/3] selftests/hid: Load only requested struct_ops maps https://git.kernel.org/hid/hid/c/5aad55011a37 [3/3] selftests/hid: Cover hid_bpf_get_data() size overflow https://git.kernel.org/hid/hid/c/eebbef7c468a Cheers, -- Benjamin Tissoires <[email protected]>

