2022-11-03 16:57:44 +01:00
|
|
|
// SPDX-License-Identifier: GPL-2.0-only
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* HID-BPF support for Linux
|
|
|
|
|
*
|
2024-06-08 11:01:20 +02:00
|
|
|
* Copyright (c) 2022-2024 Benjamin Tissoires
|
2022-11-03 16:57:44 +01:00
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
|
|
|
|
|
#include <linux/bitops.h>
|
|
|
|
|
#include <linux/btf.h>
|
|
|
|
|
#include <linux/btf_ids.h>
|
|
|
|
|
#include <linux/filter.h>
|
|
|
|
|
#include <linux/hid.h>
|
|
|
|
|
#include <linux/hid_bpf.h>
|
|
|
|
|
#include <linux/init.h>
|
|
|
|
|
#include <linux/kfifo.h>
|
2022-11-03 16:57:51 +01:00
|
|
|
#include <linux/minmax.h>
|
2022-11-03 16:57:44 +01:00
|
|
|
#include <linux/module.h>
|
|
|
|
|
#include "hid_bpf_dispatch.h"
|
|
|
|
|
|
2024-11-27 17:41:56 +01:00
|
|
|
const struct hid_ops *hid_ops;
|
2024-06-08 11:01:13 +02:00
|
|
|
EXPORT_SYMBOL(hid_ops);
|
2022-11-03 16:57:44 +01:00
|
|
|
|
2022-11-03 16:57:47 +01:00
|
|
|
u8 *
|
2022-11-03 16:57:44 +01:00
|
|
|
dispatch_hid_bpf_device_event(struct hid_device *hdev, enum hid_report_type type, u8 *data,
|
2024-06-26 15:46:32 +02:00
|
|
|
u32 *size, int interrupt, u64 source, bool from_bpf)
|
2022-11-03 16:57:44 +01:00
|
|
|
{
|
|
|
|
|
struct hid_bpf_ctx_kern ctx_kern = {
|
|
|
|
|
.ctx = {
|
|
|
|
|
.hid = hdev,
|
2022-11-03 16:57:47 +01:00
|
|
|
.allocated_size = hdev->bpf.allocated_data,
|
|
|
|
|
.size = *size,
|
2022-11-03 16:57:44 +01:00
|
|
|
},
|
2022-11-03 16:57:47 +01:00
|
|
|
.data = hdev->bpf.device_data,
|
2024-06-26 15:46:32 +02:00
|
|
|
.from_bpf = from_bpf,
|
2022-11-03 16:57:44 +01:00
|
|
|
};
|
2024-06-08 11:01:15 +02:00
|
|
|
struct hid_bpf_ops *e;
|
2022-11-03 16:57:47 +01:00
|
|
|
int ret;
|
2022-11-03 16:57:44 +01:00
|
|
|
|
HID: bpf: abort dispatch if device destroyed
The current HID bpf implementation assumes no output report/request will
go through it after hid_bpf_destroy_device() has been called. This leads
to a bug that unplugging certain types of HID devices causes a cleaned-
up SRCU to be accessed. The bug was previously a hidden failure until a
recent x86 percpu change [1] made it access not-present pages.
The bug will be triggered if the conditions below are met:
A) a device under the driver has some LEDs on
B) hid_ll_driver->request() is uninplemented (e.g., logitech-djreceiver)
If condition A is met, hidinput_led_worker() is always scheduled *after*
hid_bpf_destroy_device().
hid_destroy_device
` hid_bpf_destroy_device
` cleanup_srcu_struct(&hdev->bpf.srcu)
` hid_remove_device
` ...
` led_classdev_unregister
` led_trigger_set(led_cdev, NULL)
` led_set_brightness(led_cdev, LED_OFF)
` ...
` input_inject_event
` input_event_dispose
` hidinput_input_event
` schedule_work(&hid->led_work) [hidinput_led_worker]
This is fine when condition B is not met, where hidinput_led_worker()
calls hid_ll_driver->request(). This is the case for most HID drivers,
which implement it or use the generic one from usbhid. The driver itself
or an underlying driver will then abort processing the request.
Otherwise, hidinput_led_worker() tries hid_hw_output_report() and leads
to the bug.
hidinput_led_worker
` hid_hw_output_report
` dispatch_hid_bpf_output_report
` srcu_read_lock(&hdev->bpf.srcu)
` srcu_read_unlock(&hdev->bpf.srcu, idx)
The bug has existed since the introduction [2] of
dispatch_hid_bpf_output_report(). However, the same bug also exists in
dispatch_hid_bpf_raw_requests(), and I've reproduced (no visible effect
because of the lack of [1], but confirmed bpf.destroyed == 1) the bug
against the commit (i.e., the Fixes:) introducing the function. This is
because hidinput_led_worker() falls back to hid_hw_raw_request() when
hid_ll_driver->output_report() is uninplemented (e.g., logitech-
djreceiver).
hidinput_led_worker
` hid_hw_output_report: -ENOSYS
` hid_hw_raw_request
` dispatch_hid_bpf_raw_requests
` srcu_read_lock(&hdev->bpf.srcu)
` srcu_read_unlock(&hdev->bpf.srcu, idx)
Fix the issue by returning early in the two mentioned functions if
hid_bpf has been marked as destroyed. Though
dispatch_hid_bpf_device_event() handles input events, and there is no
evidence that it may be called after the destruction, the same check, as
a safety net, is also added to it to maintain the consistency among all
dispatch functions.
The impact of the bug on other architectures is unclear. Even if it acts
as a hidden failure, this is still dangerous because it corrupts
whatever is on the address calculated by SRCU. Thus, CC'ing the stable
list.
[1]: commit 9d7de2aa8b41 ("x86/percpu/64: Use relative percpu offsets")
[2]: commit 9286675a2aed ("HID: bpf: add HID-BPF hooks for
hid_hw_output_report")
Closes: https://lore.kernel.org/all/20250506145548.GGaBoi9Jzp3aeJizTR@fat_crate.local/
Fixes: 8bd0488b5ea5 ("HID: bpf: add HID-BPF hooks for hid_hw_raw_requests")
Cc: stable@vger.kernel.org
Signed-off-by: Rong Zhang <i@rong.moe>
Tested-by: Petr Tesarik <petr@tesarici.cz>
Link: https://patch.msgid.link/20250512152420.87441-1-i@rong.moe
Signed-off-by: Benjamin Tissoires <bentiss@kernel.org>
2025-05-12 23:24:19 +08:00
|
|
|
if (unlikely(hdev->bpf.destroyed))
|
|
|
|
|
return ERR_PTR(-ENODEV);
|
|
|
|
|
|
2022-11-03 16:57:44 +01:00
|
|
|
if (type >= HID_REPORT_TYPES)
|
2022-11-03 16:57:47 +01:00
|
|
|
return ERR_PTR(-EINVAL);
|
|
|
|
|
|
|
|
|
|
/* no program has been attached yet */
|
|
|
|
|
if (!hdev->bpf.device_data)
|
|
|
|
|
return data;
|
|
|
|
|
|
|
|
|
|
memset(ctx_kern.data, 0, hdev->bpf.allocated_data);
|
|
|
|
|
memcpy(ctx_kern.data, data, *size);
|
|
|
|
|
|
2024-06-08 11:01:15 +02:00
|
|
|
rcu_read_lock();
|
|
|
|
|
list_for_each_entry_rcu(e, &hdev->bpf.prog_list, list) {
|
|
|
|
|
if (e->hid_device_event) {
|
2024-06-26 15:46:23 +02:00
|
|
|
ret = e->hid_device_event(&ctx_kern.ctx, type, source);
|
2024-06-08 11:01:15 +02:00
|
|
|
if (ret < 0) {
|
|
|
|
|
rcu_read_unlock();
|
|
|
|
|
return ERR_PTR(ret);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (ret)
|
2024-06-26 15:46:22 +02:00
|
|
|
ctx_kern.ctx.size = ret;
|
2024-06-08 11:01:15 +02:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
rcu_read_unlock();
|
|
|
|
|
|
2024-06-26 15:46:22 +02:00
|
|
|
ret = ctx_kern.ctx.size;
|
2022-11-03 16:57:47 +01:00
|
|
|
if (ret) {
|
|
|
|
|
if (ret > ctx_kern.ctx.allocated_size)
|
|
|
|
|
return ERR_PTR(-EINVAL);
|
|
|
|
|
|
|
|
|
|
*size = ret;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return ctx_kern.data;
|
2022-11-03 16:57:44 +01:00
|
|
|
}
|
|
|
|
|
EXPORT_SYMBOL_GPL(dispatch_hid_bpf_device_event);
|
|
|
|
|
|
2024-06-26 15:46:25 +02:00
|
|
|
int dispatch_hid_bpf_raw_requests(struct hid_device *hdev,
|
|
|
|
|
unsigned char reportnum, u8 *buf,
|
|
|
|
|
u32 size, enum hid_report_type rtype,
|
|
|
|
|
enum hid_class_request reqtype,
|
2024-06-26 15:46:26 +02:00
|
|
|
u64 source, bool from_bpf)
|
2024-06-26 15:46:25 +02:00
|
|
|
{
|
|
|
|
|
struct hid_bpf_ctx_kern ctx_kern = {
|
|
|
|
|
.ctx = {
|
|
|
|
|
.hid = hdev,
|
|
|
|
|
.allocated_size = size,
|
|
|
|
|
.size = size,
|
|
|
|
|
},
|
|
|
|
|
.data = buf,
|
2024-06-26 15:46:26 +02:00
|
|
|
.from_bpf = from_bpf,
|
2024-06-26 15:46:25 +02:00
|
|
|
};
|
|
|
|
|
struct hid_bpf_ops *e;
|
|
|
|
|
int ret, idx;
|
|
|
|
|
|
HID: bpf: abort dispatch if device destroyed
The current HID bpf implementation assumes no output report/request will
go through it after hid_bpf_destroy_device() has been called. This leads
to a bug that unplugging certain types of HID devices causes a cleaned-
up SRCU to be accessed. The bug was previously a hidden failure until a
recent x86 percpu change [1] made it access not-present pages.
The bug will be triggered if the conditions below are met:
A) a device under the driver has some LEDs on
B) hid_ll_driver->request() is uninplemented (e.g., logitech-djreceiver)
If condition A is met, hidinput_led_worker() is always scheduled *after*
hid_bpf_destroy_device().
hid_destroy_device
` hid_bpf_destroy_device
` cleanup_srcu_struct(&hdev->bpf.srcu)
` hid_remove_device
` ...
` led_classdev_unregister
` led_trigger_set(led_cdev, NULL)
` led_set_brightness(led_cdev, LED_OFF)
` ...
` input_inject_event
` input_event_dispose
` hidinput_input_event
` schedule_work(&hid->led_work) [hidinput_led_worker]
This is fine when condition B is not met, where hidinput_led_worker()
calls hid_ll_driver->request(). This is the case for most HID drivers,
which implement it or use the generic one from usbhid. The driver itself
or an underlying driver will then abort processing the request.
Otherwise, hidinput_led_worker() tries hid_hw_output_report() and leads
to the bug.
hidinput_led_worker
` hid_hw_output_report
` dispatch_hid_bpf_output_report
` srcu_read_lock(&hdev->bpf.srcu)
` srcu_read_unlock(&hdev->bpf.srcu, idx)
The bug has existed since the introduction [2] of
dispatch_hid_bpf_output_report(). However, the same bug also exists in
dispatch_hid_bpf_raw_requests(), and I've reproduced (no visible effect
because of the lack of [1], but confirmed bpf.destroyed == 1) the bug
against the commit (i.e., the Fixes:) introducing the function. This is
because hidinput_led_worker() falls back to hid_hw_raw_request() when
hid_ll_driver->output_report() is uninplemented (e.g., logitech-
djreceiver).
hidinput_led_worker
` hid_hw_output_report: -ENOSYS
` hid_hw_raw_request
` dispatch_hid_bpf_raw_requests
` srcu_read_lock(&hdev->bpf.srcu)
` srcu_read_unlock(&hdev->bpf.srcu, idx)
Fix the issue by returning early in the two mentioned functions if
hid_bpf has been marked as destroyed. Though
dispatch_hid_bpf_device_event() handles input events, and there is no
evidence that it may be called after the destruction, the same check, as
a safety net, is also added to it to maintain the consistency among all
dispatch functions.
The impact of the bug on other architectures is unclear. Even if it acts
as a hidden failure, this is still dangerous because it corrupts
whatever is on the address calculated by SRCU. Thus, CC'ing the stable
list.
[1]: commit 9d7de2aa8b41 ("x86/percpu/64: Use relative percpu offsets")
[2]: commit 9286675a2aed ("HID: bpf: add HID-BPF hooks for
hid_hw_output_report")
Closes: https://lore.kernel.org/all/20250506145548.GGaBoi9Jzp3aeJizTR@fat_crate.local/
Fixes: 8bd0488b5ea5 ("HID: bpf: add HID-BPF hooks for hid_hw_raw_requests")
Cc: stable@vger.kernel.org
Signed-off-by: Rong Zhang <i@rong.moe>
Tested-by: Petr Tesarik <petr@tesarici.cz>
Link: https://patch.msgid.link/20250512152420.87441-1-i@rong.moe
Signed-off-by: Benjamin Tissoires <bentiss@kernel.org>
2025-05-12 23:24:19 +08:00
|
|
|
if (unlikely(hdev->bpf.destroyed))
|
|
|
|
|
return -ENODEV;
|
|
|
|
|
|
2024-06-26 15:46:25 +02:00
|
|
|
if (rtype >= HID_REPORT_TYPES)
|
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
|
|
idx = srcu_read_lock(&hdev->bpf.srcu);
|
|
|
|
|
list_for_each_entry_srcu(e, &hdev->bpf.prog_list, list,
|
|
|
|
|
srcu_read_lock_held(&hdev->bpf.srcu)) {
|
|
|
|
|
if (!e->hid_hw_request)
|
|
|
|
|
continue;
|
|
|
|
|
|
|
|
|
|
ret = e->hid_hw_request(&ctx_kern.ctx, reportnum, rtype, reqtype, source);
|
|
|
|
|
if (ret)
|
|
|
|
|
goto out;
|
|
|
|
|
}
|
|
|
|
|
ret = 0;
|
|
|
|
|
|
|
|
|
|
out:
|
|
|
|
|
srcu_read_unlock(&hdev->bpf.srcu, idx);
|
|
|
|
|
return ret;
|
|
|
|
|
}
|
|
|
|
|
EXPORT_SYMBOL_GPL(dispatch_hid_bpf_raw_requests);
|
|
|
|
|
|
2024-06-26 15:46:28 +02:00
|
|
|
int dispatch_hid_bpf_output_report(struct hid_device *hdev,
|
2024-07-01 14:39:52 +02:00
|
|
|
__u8 *buf, u32 size, u64 source,
|
2024-06-26 15:46:28 +02:00
|
|
|
bool from_bpf)
|
|
|
|
|
{
|
|
|
|
|
struct hid_bpf_ctx_kern ctx_kern = {
|
|
|
|
|
.ctx = {
|
|
|
|
|
.hid = hdev,
|
|
|
|
|
.allocated_size = size,
|
|
|
|
|
.size = size,
|
|
|
|
|
},
|
|
|
|
|
.data = buf,
|
|
|
|
|
.from_bpf = from_bpf,
|
|
|
|
|
};
|
|
|
|
|
struct hid_bpf_ops *e;
|
|
|
|
|
int ret, idx;
|
|
|
|
|
|
HID: bpf: abort dispatch if device destroyed
The current HID bpf implementation assumes no output report/request will
go through it after hid_bpf_destroy_device() has been called. This leads
to a bug that unplugging certain types of HID devices causes a cleaned-
up SRCU to be accessed. The bug was previously a hidden failure until a
recent x86 percpu change [1] made it access not-present pages.
The bug will be triggered if the conditions below are met:
A) a device under the driver has some LEDs on
B) hid_ll_driver->request() is uninplemented (e.g., logitech-djreceiver)
If condition A is met, hidinput_led_worker() is always scheduled *after*
hid_bpf_destroy_device().
hid_destroy_device
` hid_bpf_destroy_device
` cleanup_srcu_struct(&hdev->bpf.srcu)
` hid_remove_device
` ...
` led_classdev_unregister
` led_trigger_set(led_cdev, NULL)
` led_set_brightness(led_cdev, LED_OFF)
` ...
` input_inject_event
` input_event_dispose
` hidinput_input_event
` schedule_work(&hid->led_work) [hidinput_led_worker]
This is fine when condition B is not met, where hidinput_led_worker()
calls hid_ll_driver->request(). This is the case for most HID drivers,
which implement it or use the generic one from usbhid. The driver itself
or an underlying driver will then abort processing the request.
Otherwise, hidinput_led_worker() tries hid_hw_output_report() and leads
to the bug.
hidinput_led_worker
` hid_hw_output_report
` dispatch_hid_bpf_output_report
` srcu_read_lock(&hdev->bpf.srcu)
` srcu_read_unlock(&hdev->bpf.srcu, idx)
The bug has existed since the introduction [2] of
dispatch_hid_bpf_output_report(). However, the same bug also exists in
dispatch_hid_bpf_raw_requests(), and I've reproduced (no visible effect
because of the lack of [1], but confirmed bpf.destroyed == 1) the bug
against the commit (i.e., the Fixes:) introducing the function. This is
because hidinput_led_worker() falls back to hid_hw_raw_request() when
hid_ll_driver->output_report() is uninplemented (e.g., logitech-
djreceiver).
hidinput_led_worker
` hid_hw_output_report: -ENOSYS
` hid_hw_raw_request
` dispatch_hid_bpf_raw_requests
` srcu_read_lock(&hdev->bpf.srcu)
` srcu_read_unlock(&hdev->bpf.srcu, idx)
Fix the issue by returning early in the two mentioned functions if
hid_bpf has been marked as destroyed. Though
dispatch_hid_bpf_device_event() handles input events, and there is no
evidence that it may be called after the destruction, the same check, as
a safety net, is also added to it to maintain the consistency among all
dispatch functions.
The impact of the bug on other architectures is unclear. Even if it acts
as a hidden failure, this is still dangerous because it corrupts
whatever is on the address calculated by SRCU. Thus, CC'ing the stable
list.
[1]: commit 9d7de2aa8b41 ("x86/percpu/64: Use relative percpu offsets")
[2]: commit 9286675a2aed ("HID: bpf: add HID-BPF hooks for
hid_hw_output_report")
Closes: https://lore.kernel.org/all/20250506145548.GGaBoi9Jzp3aeJizTR@fat_crate.local/
Fixes: 8bd0488b5ea5 ("HID: bpf: add HID-BPF hooks for hid_hw_raw_requests")
Cc: stable@vger.kernel.org
Signed-off-by: Rong Zhang <i@rong.moe>
Tested-by: Petr Tesarik <petr@tesarici.cz>
Link: https://patch.msgid.link/20250512152420.87441-1-i@rong.moe
Signed-off-by: Benjamin Tissoires <bentiss@kernel.org>
2025-05-12 23:24:19 +08:00
|
|
|
if (unlikely(hdev->bpf.destroyed))
|
|
|
|
|
return -ENODEV;
|
|
|
|
|
|
2024-06-26 15:46:28 +02:00
|
|
|
idx = srcu_read_lock(&hdev->bpf.srcu);
|
|
|
|
|
list_for_each_entry_srcu(e, &hdev->bpf.prog_list, list,
|
|
|
|
|
srcu_read_lock_held(&hdev->bpf.srcu)) {
|
|
|
|
|
if (!e->hid_hw_output_report)
|
|
|
|
|
continue;
|
|
|
|
|
|
|
|
|
|
ret = e->hid_hw_output_report(&ctx_kern.ctx, source);
|
|
|
|
|
if (ret)
|
|
|
|
|
goto out;
|
|
|
|
|
}
|
|
|
|
|
ret = 0;
|
|
|
|
|
|
|
|
|
|
out:
|
|
|
|
|
srcu_read_unlock(&hdev->bpf.srcu, idx);
|
|
|
|
|
return ret;
|
|
|
|
|
}
|
|
|
|
|
EXPORT_SYMBOL_GPL(dispatch_hid_bpf_output_report);
|
|
|
|
|
|
HID: bpf: move HID-BPF report descriptor fixup earlier
Currently, hid_bpf_rdesc_fixup() is called once the match between the
HID device and the driver is done. This can be problematic in case
the driver selected by the kernel would change the report descriptor
after the fact.
To give a chance for hid_bpf_rdesc_fixup() to provide hints on to how
to select a dedicated driver or not, move the call to that BPF hook
earlier in the .probe() process, when we get the first match.
However, this means that we might get called more than once (typically
once for hid-generic, and once for hid-vendor-specific). So we store the
result of HID-BPF fixup in struct hid_device. Basically, this means that
->bpf_rdesc can replace ->dev_rdesc when it was used in the code.
In order to not grow struct hid_device, some fields are re-ordered. This
was the output of pahole for the first 128 bytes:
struct hid_device {
__u8 * dev_rdesc; /* 0 8 */
unsigned int dev_rsize; /* 8 4 */
/* XXX 4 bytes hole, try to pack */
__u8 * rdesc; /* 16 8 */
unsigned int rsize; /* 24 4 */
/* XXX 4 bytes hole, try to pack */
struct hid_collection * collection; /* 32 8 */
unsigned int collection_size; /* 40 4 */
unsigned int maxcollection; /* 44 4 */
unsigned int maxapplication; /* 48 4 */
__u16 bus; /* 52 2 */
__u16 group; /* 54 2 */
__u32 vendor; /* 56 4 */
__u32 product; /* 60 4 */
/* --- cacheline 1 boundary (64 bytes) --- */
__u32 version; /* 64 4 */
enum hid_type type; /* 68 4 */
unsigned int country; /* 72 4 */
/* XXX 4 bytes hole, try to pack */
struct hid_report_enum report_enum[3]; /* 80 6216 */
Basically, we got three holes of 4 bytes. We can reorder things a little
and makes those 3 holes a continuous 12 bytes hole, which can be replaced
by the new pointer and the new unsigned int we need.
In terms of code allocation, when not using HID-BPF, we are back to kernel
v6.2 in hid_open_report(). These multiple kmemdup() calls will be fixed
in a later commit.
Link: https://patch.msgid.link/20241001-hid-bpf-hid-generic-v3-1-2ef1019468df@kernel.org
Signed-off-by: Benjamin Tissoires <bentiss@kernel.org>
2024-10-01 16:30:05 +02:00
|
|
|
const u8 *call_hid_bpf_rdesc_fixup(struct hid_device *hdev, const u8 *rdesc, unsigned int *size)
|
2022-11-03 16:57:51 +01:00
|
|
|
{
|
|
|
|
|
int ret;
|
|
|
|
|
struct hid_bpf_ctx_kern ctx_kern = {
|
|
|
|
|
.ctx = {
|
|
|
|
|
.hid = hdev,
|
|
|
|
|
.size = *size,
|
|
|
|
|
.allocated_size = HID_MAX_DESCRIPTOR_SIZE,
|
|
|
|
|
},
|
|
|
|
|
};
|
|
|
|
|
|
2024-06-08 11:01:20 +02:00
|
|
|
if (!hdev->bpf.rdesc_ops)
|
|
|
|
|
goto ignore_bpf;
|
|
|
|
|
|
2022-11-03 16:57:51 +01:00
|
|
|
ctx_kern.data = kzalloc(ctx_kern.ctx.allocated_size, GFP_KERNEL);
|
|
|
|
|
if (!ctx_kern.data)
|
|
|
|
|
goto ignore_bpf;
|
|
|
|
|
|
|
|
|
|
memcpy(ctx_kern.data, rdesc, min_t(unsigned int, *size, HID_MAX_DESCRIPTOR_SIZE));
|
|
|
|
|
|
2024-06-08 11:01:20 +02:00
|
|
|
ret = hdev->bpf.rdesc_ops->hid_rdesc_fixup(&ctx_kern.ctx);
|
2022-11-03 16:57:51 +01:00
|
|
|
if (ret < 0)
|
|
|
|
|
goto ignore_bpf;
|
|
|
|
|
|
|
|
|
|
if (ret) {
|
|
|
|
|
if (ret > ctx_kern.ctx.allocated_size)
|
|
|
|
|
goto ignore_bpf;
|
|
|
|
|
|
|
|
|
|
*size = ret;
|
|
|
|
|
}
|
|
|
|
|
|
2024-08-03 14:34:17 +02:00
|
|
|
return krealloc(ctx_kern.data, *size, GFP_KERNEL);
|
2022-11-03 16:57:51 +01:00
|
|
|
|
|
|
|
|
ignore_bpf:
|
|
|
|
|
kfree(ctx_kern.data);
|
HID: bpf: move HID-BPF report descriptor fixup earlier
Currently, hid_bpf_rdesc_fixup() is called once the match between the
HID device and the driver is done. This can be problematic in case
the driver selected by the kernel would change the report descriptor
after the fact.
To give a chance for hid_bpf_rdesc_fixup() to provide hints on to how
to select a dedicated driver or not, move the call to that BPF hook
earlier in the .probe() process, when we get the first match.
However, this means that we might get called more than once (typically
once for hid-generic, and once for hid-vendor-specific). So we store the
result of HID-BPF fixup in struct hid_device. Basically, this means that
->bpf_rdesc can replace ->dev_rdesc when it was used in the code.
In order to not grow struct hid_device, some fields are re-ordered. This
was the output of pahole for the first 128 bytes:
struct hid_device {
__u8 * dev_rdesc; /* 0 8 */
unsigned int dev_rsize; /* 8 4 */
/* XXX 4 bytes hole, try to pack */
__u8 * rdesc; /* 16 8 */
unsigned int rsize; /* 24 4 */
/* XXX 4 bytes hole, try to pack */
struct hid_collection * collection; /* 32 8 */
unsigned int collection_size; /* 40 4 */
unsigned int maxcollection; /* 44 4 */
unsigned int maxapplication; /* 48 4 */
__u16 bus; /* 52 2 */
__u16 group; /* 54 2 */
__u32 vendor; /* 56 4 */
__u32 product; /* 60 4 */
/* --- cacheline 1 boundary (64 bytes) --- */
__u32 version; /* 64 4 */
enum hid_type type; /* 68 4 */
unsigned int country; /* 72 4 */
/* XXX 4 bytes hole, try to pack */
struct hid_report_enum report_enum[3]; /* 80 6216 */
Basically, we got three holes of 4 bytes. We can reorder things a little
and makes those 3 holes a continuous 12 bytes hole, which can be replaced
by the new pointer and the new unsigned int we need.
In terms of code allocation, when not using HID-BPF, we are back to kernel
v6.2 in hid_open_report(). These multiple kmemdup() calls will be fixed
in a later commit.
Link: https://patch.msgid.link/20241001-hid-bpf-hid-generic-v3-1-2ef1019468df@kernel.org
Signed-off-by: Benjamin Tissoires <bentiss@kernel.org>
2024-10-01 16:30:05 +02:00
|
|
|
return rdesc;
|
2022-11-03 16:57:51 +01:00
|
|
|
}
|
|
|
|
|
EXPORT_SYMBOL_GPL(call_hid_bpf_rdesc_fixup);
|
|
|
|
|
|
2022-11-03 16:57:44 +01:00
|
|
|
static int device_match_id(struct device *dev, const void *id)
|
|
|
|
|
{
|
|
|
|
|
struct hid_device *hdev = to_hid_device(dev);
|
|
|
|
|
|
|
|
|
|
return hdev->id == *(int *)id;
|
|
|
|
|
}
|
|
|
|
|
|
2024-06-08 11:01:15 +02:00
|
|
|
struct hid_device *hid_get_device(unsigned int hid_id)
|
2024-06-08 11:01:14 +02:00
|
|
|
{
|
|
|
|
|
struct device *dev;
|
|
|
|
|
|
|
|
|
|
if (!hid_ops)
|
|
|
|
|
return ERR_PTR(-EINVAL);
|
|
|
|
|
|
|
|
|
|
dev = bus_find_device(hid_ops->bus_type, NULL, &hid_id, device_match_id);
|
|
|
|
|
if (!dev)
|
|
|
|
|
return ERR_PTR(-EINVAL);
|
|
|
|
|
|
|
|
|
|
return to_hid_device(dev);
|
|
|
|
|
}
|
|
|
|
|
|
2024-06-08 11:01:15 +02:00
|
|
|
void hid_put_device(struct hid_device *hid)
|
2024-06-08 11:01:14 +02:00
|
|
|
{
|
|
|
|
|
put_device(&hid->dev);
|
|
|
|
|
}
|
|
|
|
|
|
2022-11-03 16:57:47 +01:00
|
|
|
static int __hid_bpf_allocate_data(struct hid_device *hdev, u8 **data, u32 *size)
|
|
|
|
|
{
|
|
|
|
|
u8 *alloc_data;
|
|
|
|
|
unsigned int i, j, max_report_len = 0;
|
|
|
|
|
size_t alloc_size = 0;
|
|
|
|
|
|
|
|
|
|
/* compute the maximum report length for this device */
|
|
|
|
|
for (i = 0; i < HID_REPORT_TYPES; i++) {
|
|
|
|
|
struct hid_report_enum *report_enum = hdev->report_enum + i;
|
|
|
|
|
|
|
|
|
|
for (j = 0; j < HID_MAX_IDS; j++) {
|
|
|
|
|
struct hid_report *report = report_enum->report_id_hash[j];
|
|
|
|
|
|
|
|
|
|
if (report)
|
|
|
|
|
max_report_len = max(max_report_len, hid_report_len(report));
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Give us a little bit of extra space and some predictability in the
|
|
|
|
|
* buffer length we create. This way, we can tell users that they can
|
|
|
|
|
* work on chunks of 64 bytes of memory without having the bpf verifier
|
|
|
|
|
* scream at them.
|
|
|
|
|
*/
|
|
|
|
|
alloc_size = DIV_ROUND_UP(max_report_len, 64) * 64;
|
|
|
|
|
|
|
|
|
|
alloc_data = kzalloc(alloc_size, GFP_KERNEL);
|
|
|
|
|
if (!alloc_data)
|
|
|
|
|
return -ENOMEM;
|
|
|
|
|
|
|
|
|
|
*data = alloc_data;
|
|
|
|
|
*size = alloc_size;
|
|
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
2024-06-08 11:01:15 +02:00
|
|
|
int hid_bpf_allocate_event_data(struct hid_device *hdev)
|
2022-11-03 16:57:47 +01:00
|
|
|
{
|
|
|
|
|
/* hdev->bpf.device_data is already allocated, abort */
|
|
|
|
|
if (hdev->bpf.device_data)
|
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
|
|
return __hid_bpf_allocate_data(hdev, &hdev->bpf.device_data, &hdev->bpf.allocated_data);
|
|
|
|
|
}
|
|
|
|
|
|
2022-11-03 16:57:51 +01:00
|
|
|
int hid_bpf_reconnect(struct hid_device *hdev)
|
|
|
|
|
{
|
HID: bpf: move HID-BPF report descriptor fixup earlier
Currently, hid_bpf_rdesc_fixup() is called once the match between the
HID device and the driver is done. This can be problematic in case
the driver selected by the kernel would change the report descriptor
after the fact.
To give a chance for hid_bpf_rdesc_fixup() to provide hints on to how
to select a dedicated driver or not, move the call to that BPF hook
earlier in the .probe() process, when we get the first match.
However, this means that we might get called more than once (typically
once for hid-generic, and once for hid-vendor-specific). So we store the
result of HID-BPF fixup in struct hid_device. Basically, this means that
->bpf_rdesc can replace ->dev_rdesc when it was used in the code.
In order to not grow struct hid_device, some fields are re-ordered. This
was the output of pahole for the first 128 bytes:
struct hid_device {
__u8 * dev_rdesc; /* 0 8 */
unsigned int dev_rsize; /* 8 4 */
/* XXX 4 bytes hole, try to pack */
__u8 * rdesc; /* 16 8 */
unsigned int rsize; /* 24 4 */
/* XXX 4 bytes hole, try to pack */
struct hid_collection * collection; /* 32 8 */
unsigned int collection_size; /* 40 4 */
unsigned int maxcollection; /* 44 4 */
unsigned int maxapplication; /* 48 4 */
__u16 bus; /* 52 2 */
__u16 group; /* 54 2 */
__u32 vendor; /* 56 4 */
__u32 product; /* 60 4 */
/* --- cacheline 1 boundary (64 bytes) --- */
__u32 version; /* 64 4 */
enum hid_type type; /* 68 4 */
unsigned int country; /* 72 4 */
/* XXX 4 bytes hole, try to pack */
struct hid_report_enum report_enum[3]; /* 80 6216 */
Basically, we got three holes of 4 bytes. We can reorder things a little
and makes those 3 holes a continuous 12 bytes hole, which can be replaced
by the new pointer and the new unsigned int we need.
In terms of code allocation, when not using HID-BPF, we are back to kernel
v6.2 in hid_open_report(). These multiple kmemdup() calls will be fixed
in a later commit.
Link: https://patch.msgid.link/20241001-hid-bpf-hid-generic-v3-1-2ef1019468df@kernel.org
Signed-off-by: Benjamin Tissoires <bentiss@kernel.org>
2024-10-01 16:30:05 +02:00
|
|
|
if (!test_and_set_bit(ffs(HID_STAT_REPROBED), &hdev->status)) {
|
|
|
|
|
/* trigger call to call_hid_bpf_rdesc_fixup() during the next probe */
|
|
|
|
|
hdev->bpf_rsize = 0;
|
2022-11-03 16:57:51 +01:00
|
|
|
return device_reprobe(&hdev->dev);
|
HID: bpf: move HID-BPF report descriptor fixup earlier
Currently, hid_bpf_rdesc_fixup() is called once the match between the
HID device and the driver is done. This can be problematic in case
the driver selected by the kernel would change the report descriptor
after the fact.
To give a chance for hid_bpf_rdesc_fixup() to provide hints on to how
to select a dedicated driver or not, move the call to that BPF hook
earlier in the .probe() process, when we get the first match.
However, this means that we might get called more than once (typically
once for hid-generic, and once for hid-vendor-specific). So we store the
result of HID-BPF fixup in struct hid_device. Basically, this means that
->bpf_rdesc can replace ->dev_rdesc when it was used in the code.
In order to not grow struct hid_device, some fields are re-ordered. This
was the output of pahole for the first 128 bytes:
struct hid_device {
__u8 * dev_rdesc; /* 0 8 */
unsigned int dev_rsize; /* 8 4 */
/* XXX 4 bytes hole, try to pack */
__u8 * rdesc; /* 16 8 */
unsigned int rsize; /* 24 4 */
/* XXX 4 bytes hole, try to pack */
struct hid_collection * collection; /* 32 8 */
unsigned int collection_size; /* 40 4 */
unsigned int maxcollection; /* 44 4 */
unsigned int maxapplication; /* 48 4 */
__u16 bus; /* 52 2 */
__u16 group; /* 54 2 */
__u32 vendor; /* 56 4 */
__u32 product; /* 60 4 */
/* --- cacheline 1 boundary (64 bytes) --- */
__u32 version; /* 64 4 */
enum hid_type type; /* 68 4 */
unsigned int country; /* 72 4 */
/* XXX 4 bytes hole, try to pack */
struct hid_report_enum report_enum[3]; /* 80 6216 */
Basically, we got three holes of 4 bytes. We can reorder things a little
and makes those 3 holes a continuous 12 bytes hole, which can be replaced
by the new pointer and the new unsigned int we need.
In terms of code allocation, when not using HID-BPF, we are back to kernel
v6.2 in hid_open_report(). These multiple kmemdup() calls will be fixed
in a later commit.
Link: https://patch.msgid.link/20241001-hid-bpf-hid-generic-v3-1-2ef1019468df@kernel.org
Signed-off-by: Benjamin Tissoires <bentiss@kernel.org>
2024-10-01 16:30:05 +02:00
|
|
|
}
|
2022-11-03 16:57:51 +01:00
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
2024-01-24 12:26:59 +01:00
|
|
|
/* Disables missing prototype warnings */
|
|
|
|
|
__bpf_kfunc_start_defs();
|
|
|
|
|
|
2024-03-15 15:44:38 +01:00
|
|
|
/**
|
|
|
|
|
* hid_bpf_get_data - Get the kernel memory pointer associated with the context @ctx
|
|
|
|
|
*
|
|
|
|
|
* @ctx: The HID-BPF context
|
|
|
|
|
* @offset: The offset within the memory
|
|
|
|
|
* @rdwr_buf_size: the const size of the buffer
|
|
|
|
|
*
|
|
|
|
|
* @returns %NULL on error, an %__u8 memory pointer on success
|
|
|
|
|
*/
|
|
|
|
|
__bpf_kfunc __u8 *
|
|
|
|
|
hid_bpf_get_data(struct hid_bpf_ctx *ctx, unsigned int offset, const size_t rdwr_buf_size)
|
|
|
|
|
{
|
|
|
|
|
struct hid_bpf_ctx_kern *ctx_kern;
|
|
|
|
|
|
|
|
|
|
if (!ctx)
|
|
|
|
|
return NULL;
|
|
|
|
|
|
|
|
|
|
ctx_kern = container_of(ctx, struct hid_bpf_ctx_kern, ctx);
|
|
|
|
|
|
|
|
|
|
if (rdwr_buf_size + offset > ctx->allocated_size)
|
|
|
|
|
return NULL;
|
|
|
|
|
|
|
|
|
|
return ctx_kern->data + offset;
|
|
|
|
|
}
|
|
|
|
|
|
2022-11-03 16:57:49 +01:00
|
|
|
/**
|
|
|
|
|
* hid_bpf_allocate_context - Allocate a context to the given HID device
|
|
|
|
|
*
|
|
|
|
|
* @hid_id: the system unique identifier of the HID device
|
|
|
|
|
*
|
|
|
|
|
* @returns A pointer to &struct hid_bpf_ctx on success, %NULL on error.
|
|
|
|
|
*/
|
2024-01-24 12:26:59 +01:00
|
|
|
__bpf_kfunc struct hid_bpf_ctx *
|
2022-11-03 16:57:49 +01:00
|
|
|
hid_bpf_allocate_context(unsigned int hid_id)
|
|
|
|
|
{
|
|
|
|
|
struct hid_device *hdev;
|
|
|
|
|
struct hid_bpf_ctx_kern *ctx_kern = NULL;
|
|
|
|
|
|
2024-06-08 11:01:14 +02:00
|
|
|
hdev = hid_get_device(hid_id);
|
|
|
|
|
if (IS_ERR(hdev))
|
2022-11-03 16:57:49 +01:00
|
|
|
return NULL;
|
|
|
|
|
|
|
|
|
|
ctx_kern = kzalloc(sizeof(*ctx_kern), GFP_KERNEL);
|
2024-01-24 12:26:58 +01:00
|
|
|
if (!ctx_kern) {
|
2024-06-08 11:01:14 +02:00
|
|
|
hid_put_device(hdev);
|
2022-11-03 16:57:49 +01:00
|
|
|
return NULL;
|
2024-01-24 12:26:58 +01:00
|
|
|
}
|
2022-11-03 16:57:49 +01:00
|
|
|
|
|
|
|
|
ctx_kern->ctx.hid = hdev;
|
|
|
|
|
|
|
|
|
|
return &ctx_kern->ctx;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* hid_bpf_release_context - Release the previously allocated context @ctx
|
|
|
|
|
*
|
|
|
|
|
* @ctx: the HID-BPF context to release
|
|
|
|
|
*
|
|
|
|
|
*/
|
2024-01-24 12:26:59 +01:00
|
|
|
__bpf_kfunc void
|
2022-11-03 16:57:49 +01:00
|
|
|
hid_bpf_release_context(struct hid_bpf_ctx *ctx)
|
|
|
|
|
{
|
|
|
|
|
struct hid_bpf_ctx_kern *ctx_kern;
|
2024-01-24 12:26:58 +01:00
|
|
|
struct hid_device *hid;
|
2022-11-03 16:57:49 +01:00
|
|
|
|
|
|
|
|
ctx_kern = container_of(ctx, struct hid_bpf_ctx_kern, ctx);
|
2024-01-24 12:26:58 +01:00
|
|
|
hid = (struct hid_device *)ctx_kern->ctx.hid; /* ignore const */
|
2022-11-03 16:57:49 +01:00
|
|
|
|
|
|
|
|
kfree(ctx_kern);
|
2024-01-24 12:26:58 +01:00
|
|
|
|
|
|
|
|
/* get_device() is called by bus_find_device() */
|
2024-06-08 11:01:14 +02:00
|
|
|
hid_put_device(hid);
|
2022-11-03 16:57:49 +01:00
|
|
|
}
|
|
|
|
|
|
2024-03-15 15:44:39 +01:00
|
|
|
static int
|
|
|
|
|
__hid_bpf_hw_check_params(struct hid_bpf_ctx *ctx, __u8 *buf, size_t *buf__sz,
|
|
|
|
|
enum hid_report_type rtype)
|
|
|
|
|
{
|
|
|
|
|
struct hid_report_enum *report_enum;
|
|
|
|
|
struct hid_report *report;
|
|
|
|
|
u32 report_len;
|
|
|
|
|
|
|
|
|
|
/* check arguments */
|
2024-06-08 11:01:13 +02:00
|
|
|
if (!ctx || !hid_ops || !buf)
|
2024-03-15 15:44:39 +01:00
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
|
|
switch (rtype) {
|
|
|
|
|
case HID_INPUT_REPORT:
|
|
|
|
|
case HID_OUTPUT_REPORT:
|
|
|
|
|
case HID_FEATURE_REPORT:
|
|
|
|
|
break;
|
|
|
|
|
default:
|
|
|
|
|
return -EINVAL;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (*buf__sz < 1)
|
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
2024-11-27 17:42:47 +01:00
|
|
|
report_enum = ctx->hid->report_enum + rtype;
|
2024-06-08 11:01:13 +02:00
|
|
|
report = hid_ops->hid_get_report(report_enum, buf);
|
2024-03-15 15:44:39 +01:00
|
|
|
if (!report)
|
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
|
|
report_len = hid_report_len(report);
|
|
|
|
|
|
|
|
|
|
if (*buf__sz > report_len)
|
|
|
|
|
*buf__sz = report_len;
|
|
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
2022-11-03 16:57:49 +01:00
|
|
|
/**
|
|
|
|
|
* hid_bpf_hw_request - Communicate with a HID device
|
|
|
|
|
*
|
|
|
|
|
* @ctx: the HID-BPF context previously allocated in hid_bpf_allocate_context()
|
|
|
|
|
* @buf: a %PTR_TO_MEM buffer
|
|
|
|
|
* @buf__sz: the size of the data to transfer
|
|
|
|
|
* @rtype: the type of the report (%HID_INPUT_REPORT, %HID_FEATURE_REPORT, %HID_OUTPUT_REPORT)
|
|
|
|
|
* @reqtype: the type of the request (%HID_REQ_GET_REPORT, %HID_REQ_SET_REPORT, ...)
|
|
|
|
|
*
|
|
|
|
|
* @returns %0 on success, a negative error code otherwise.
|
|
|
|
|
*/
|
2024-01-24 12:26:59 +01:00
|
|
|
__bpf_kfunc int
|
2022-11-03 16:57:49 +01:00
|
|
|
hid_bpf_hw_request(struct hid_bpf_ctx *ctx, __u8 *buf, size_t buf__sz,
|
|
|
|
|
enum hid_report_type rtype, enum hid_class_request reqtype)
|
|
|
|
|
{
|
2024-06-26 15:46:26 +02:00
|
|
|
struct hid_bpf_ctx_kern *ctx_kern;
|
2024-03-15 15:44:39 +01:00
|
|
|
size_t size = buf__sz;
|
2022-11-03 16:57:49 +01:00
|
|
|
u8 *dma_data;
|
|
|
|
|
int ret;
|
|
|
|
|
|
2024-06-26 15:46:26 +02:00
|
|
|
ctx_kern = container_of(ctx, struct hid_bpf_ctx_kern, ctx);
|
|
|
|
|
|
|
|
|
|
if (ctx_kern->from_bpf)
|
|
|
|
|
return -EDEADLOCK;
|
|
|
|
|
|
2022-11-03 16:57:49 +01:00
|
|
|
/* check arguments */
|
2024-03-15 15:44:39 +01:00
|
|
|
ret = __hid_bpf_hw_check_params(ctx, buf, &size, rtype);
|
|
|
|
|
if (ret)
|
|
|
|
|
return ret;
|
2022-11-03 16:57:49 +01:00
|
|
|
|
|
|
|
|
switch (reqtype) {
|
|
|
|
|
case HID_REQ_GET_REPORT:
|
|
|
|
|
case HID_REQ_GET_IDLE:
|
|
|
|
|
case HID_REQ_GET_PROTOCOL:
|
|
|
|
|
case HID_REQ_SET_REPORT:
|
|
|
|
|
case HID_REQ_SET_IDLE:
|
|
|
|
|
case HID_REQ_SET_PROTOCOL:
|
|
|
|
|
break;
|
|
|
|
|
default:
|
|
|
|
|
return -EINVAL;
|
|
|
|
|
}
|
|
|
|
|
|
2024-03-15 15:44:39 +01:00
|
|
|
dma_data = kmemdup(buf, size, GFP_KERNEL);
|
2022-11-03 16:57:49 +01:00
|
|
|
if (!dma_data)
|
|
|
|
|
return -ENOMEM;
|
|
|
|
|
|
2024-11-27 17:42:47 +01:00
|
|
|
ret = hid_ops->hid_hw_raw_request(ctx->hid,
|
2022-11-03 16:57:49 +01:00
|
|
|
dma_data[0],
|
|
|
|
|
dma_data,
|
2024-03-15 15:44:39 +01:00
|
|
|
size,
|
2022-11-03 16:57:49 +01:00
|
|
|
rtype,
|
2024-06-26 15:46:23 +02:00
|
|
|
reqtype,
|
2024-07-01 14:39:50 +02:00
|
|
|
(u64)(long)ctx,
|
2024-06-26 15:46:26 +02:00
|
|
|
true); /* prevent infinite recursions */
|
2022-11-03 16:57:49 +01:00
|
|
|
|
|
|
|
|
if (ret > 0)
|
|
|
|
|
memcpy(buf, dma_data, ret);
|
|
|
|
|
|
|
|
|
|
kfree(dma_data);
|
|
|
|
|
return ret;
|
|
|
|
|
}
|
2024-03-15 15:44:39 +01:00
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* hid_bpf_hw_output_report - Send an output report to a HID device
|
|
|
|
|
*
|
|
|
|
|
* @ctx: the HID-BPF context previously allocated in hid_bpf_allocate_context()
|
|
|
|
|
* @buf: a %PTR_TO_MEM buffer
|
|
|
|
|
* @buf__sz: the size of the data to transfer
|
|
|
|
|
*
|
|
|
|
|
* Returns the number of bytes transferred on success, a negative error code otherwise.
|
|
|
|
|
*/
|
|
|
|
|
__bpf_kfunc int
|
|
|
|
|
hid_bpf_hw_output_report(struct hid_bpf_ctx *ctx, __u8 *buf, size_t buf__sz)
|
|
|
|
|
{
|
2024-06-26 15:46:29 +02:00
|
|
|
struct hid_bpf_ctx_kern *ctx_kern;
|
2024-03-15 15:44:39 +01:00
|
|
|
size_t size = buf__sz;
|
|
|
|
|
u8 *dma_data;
|
|
|
|
|
int ret;
|
|
|
|
|
|
2024-06-26 15:46:29 +02:00
|
|
|
ctx_kern = container_of(ctx, struct hid_bpf_ctx_kern, ctx);
|
|
|
|
|
if (ctx_kern->from_bpf)
|
|
|
|
|
return -EDEADLOCK;
|
|
|
|
|
|
2024-03-15 15:44:39 +01:00
|
|
|
/* check arguments */
|
|
|
|
|
ret = __hid_bpf_hw_check_params(ctx, buf, &size, HID_OUTPUT_REPORT);
|
|
|
|
|
if (ret)
|
|
|
|
|
return ret;
|
|
|
|
|
|
|
|
|
|
dma_data = kmemdup(buf, size, GFP_KERNEL);
|
|
|
|
|
if (!dma_data)
|
|
|
|
|
return -ENOMEM;
|
|
|
|
|
|
2024-11-27 17:42:47 +01:00
|
|
|
ret = hid_ops->hid_hw_output_report(ctx->hid, dma_data, size, (u64)(long)ctx, true);
|
2024-03-15 15:44:39 +01:00
|
|
|
|
|
|
|
|
kfree(dma_data);
|
|
|
|
|
return ret;
|
|
|
|
|
}
|
2024-03-15 15:44:42 +01:00
|
|
|
|
2024-06-26 15:46:32 +02:00
|
|
|
static int
|
|
|
|
|
__hid_bpf_input_report(struct hid_bpf_ctx *ctx, enum hid_report_type type, u8 *buf,
|
|
|
|
|
size_t size, bool lock_already_taken)
|
|
|
|
|
{
|
|
|
|
|
struct hid_bpf_ctx_kern *ctx_kern;
|
|
|
|
|
int ret;
|
|
|
|
|
|
|
|
|
|
ctx_kern = container_of(ctx, struct hid_bpf_ctx_kern, ctx);
|
|
|
|
|
if (ctx_kern->from_bpf)
|
|
|
|
|
return -EDEADLOCK;
|
|
|
|
|
|
|
|
|
|
/* check arguments */
|
|
|
|
|
ret = __hid_bpf_hw_check_params(ctx, buf, &size, type);
|
|
|
|
|
if (ret)
|
|
|
|
|
return ret;
|
|
|
|
|
|
2024-07-01 14:39:50 +02:00
|
|
|
return hid_ops->hid_input_report(ctx->hid, type, buf, size, 0, (u64)(long)ctx, true,
|
2024-06-26 15:46:32 +02:00
|
|
|
lock_already_taken);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* hid_bpf_try_input_report - Inject a HID report in the kernel from a HID device
|
|
|
|
|
*
|
|
|
|
|
* @ctx: the HID-BPF context previously allocated in hid_bpf_allocate_context()
|
|
|
|
|
* @type: the type of the report (%HID_INPUT_REPORT, %HID_FEATURE_REPORT, %HID_OUTPUT_REPORT)
|
|
|
|
|
* @buf: a %PTR_TO_MEM buffer
|
|
|
|
|
* @buf__sz: the size of the data to transfer
|
|
|
|
|
*
|
|
|
|
|
* Returns %0 on success, a negative error code otherwise. This function will immediately
|
|
|
|
|
* fail if the device is not available, thus can be safely used in IRQ context.
|
|
|
|
|
*/
|
|
|
|
|
__bpf_kfunc int
|
|
|
|
|
hid_bpf_try_input_report(struct hid_bpf_ctx *ctx, enum hid_report_type type, u8 *buf,
|
|
|
|
|
const size_t buf__sz)
|
|
|
|
|
{
|
|
|
|
|
struct hid_bpf_ctx_kern *ctx_kern;
|
|
|
|
|
bool from_hid_event_hook;
|
|
|
|
|
|
|
|
|
|
ctx_kern = container_of(ctx, struct hid_bpf_ctx_kern, ctx);
|
|
|
|
|
from_hid_event_hook = ctx_kern->data && ctx_kern->data == ctx->hid->bpf.device_data;
|
|
|
|
|
|
|
|
|
|
return __hid_bpf_input_report(ctx, type, buf, buf__sz, from_hid_event_hook);
|
|
|
|
|
}
|
|
|
|
|
|
2024-03-15 15:44:42 +01:00
|
|
|
/**
|
|
|
|
|
* hid_bpf_input_report - Inject a HID report in the kernel from a HID device
|
|
|
|
|
*
|
|
|
|
|
* @ctx: the HID-BPF context previously allocated in hid_bpf_allocate_context()
|
|
|
|
|
* @type: the type of the report (%HID_INPUT_REPORT, %HID_FEATURE_REPORT, %HID_OUTPUT_REPORT)
|
|
|
|
|
* @buf: a %PTR_TO_MEM buffer
|
|
|
|
|
* @buf__sz: the size of the data to transfer
|
|
|
|
|
*
|
2024-06-26 15:46:30 +02:00
|
|
|
* Returns %0 on success, a negative error code otherwise. This function will wait for the
|
|
|
|
|
* device to be available before injecting the event, thus needs to be called in sleepable
|
|
|
|
|
* context.
|
2024-03-15 15:44:42 +01:00
|
|
|
*/
|
|
|
|
|
__bpf_kfunc int
|
|
|
|
|
hid_bpf_input_report(struct hid_bpf_ctx *ctx, enum hid_report_type type, u8 *buf,
|
|
|
|
|
const size_t buf__sz)
|
|
|
|
|
{
|
|
|
|
|
int ret;
|
|
|
|
|
|
2024-06-26 15:46:30 +02:00
|
|
|
ret = down_interruptible(&ctx->hid->driver_input_lock);
|
|
|
|
|
if (ret)
|
|
|
|
|
return ret;
|
|
|
|
|
|
2024-03-15 15:44:42 +01:00
|
|
|
/* check arguments */
|
2024-06-26 15:46:32 +02:00
|
|
|
ret = __hid_bpf_input_report(ctx, type, buf, buf__sz, true /* lock_already_taken */);
|
2024-06-26 15:46:30 +02:00
|
|
|
|
|
|
|
|
up(&ctx->hid->driver_input_lock);
|
2024-03-15 15:44:42 +01:00
|
|
|
|
2024-06-26 15:46:30 +02:00
|
|
|
return ret;
|
2024-03-15 15:44:42 +01:00
|
|
|
}
|
2024-01-24 12:26:59 +01:00
|
|
|
__bpf_kfunc_end_defs();
|
2022-11-03 16:57:49 +01:00
|
|
|
|
2024-03-15 15:44:38 +01:00
|
|
|
/*
|
|
|
|
|
* The following set contains all functions we agree BPF programs
|
|
|
|
|
* can use.
|
|
|
|
|
*/
|
|
|
|
|
BTF_KFUNCS_START(hid_bpf_kfunc_ids)
|
|
|
|
|
BTF_ID_FLAGS(func, hid_bpf_get_data, KF_RET_NULL)
|
2024-03-15 15:44:44 +01:00
|
|
|
BTF_ID_FLAGS(func, hid_bpf_allocate_context, KF_ACQUIRE | KF_RET_NULL | KF_SLEEPABLE)
|
|
|
|
|
BTF_ID_FLAGS(func, hid_bpf_release_context, KF_RELEASE | KF_SLEEPABLE)
|
|
|
|
|
BTF_ID_FLAGS(func, hid_bpf_hw_request, KF_SLEEPABLE)
|
|
|
|
|
BTF_ID_FLAGS(func, hid_bpf_hw_output_report, KF_SLEEPABLE)
|
|
|
|
|
BTF_ID_FLAGS(func, hid_bpf_input_report, KF_SLEEPABLE)
|
2024-06-26 15:46:32 +02:00
|
|
|
BTF_ID_FLAGS(func, hid_bpf_try_input_report)
|
2024-03-15 15:44:38 +01:00
|
|
|
BTF_KFUNCS_END(hid_bpf_kfunc_ids)
|
|
|
|
|
|
|
|
|
|
static const struct btf_kfunc_id_set hid_bpf_kfunc_set = {
|
|
|
|
|
.owner = THIS_MODULE,
|
|
|
|
|
.set = &hid_bpf_kfunc_ids,
|
|
|
|
|
};
|
|
|
|
|
|
2022-11-03 16:57:44 +01:00
|
|
|
/* for syscall HID-BPF */
|
2024-01-28 18:24:08 -07:00
|
|
|
BTF_KFUNCS_START(hid_bpf_syscall_kfunc_ids)
|
2022-11-03 16:57:49 +01:00
|
|
|
BTF_ID_FLAGS(func, hid_bpf_allocate_context, KF_ACQUIRE | KF_RET_NULL)
|
|
|
|
|
BTF_ID_FLAGS(func, hid_bpf_release_context, KF_RELEASE)
|
|
|
|
|
BTF_ID_FLAGS(func, hid_bpf_hw_request)
|
2024-03-15 15:44:39 +01:00
|
|
|
BTF_ID_FLAGS(func, hid_bpf_hw_output_report)
|
2024-03-15 15:44:42 +01:00
|
|
|
BTF_ID_FLAGS(func, hid_bpf_input_report)
|
2024-01-28 18:24:08 -07:00
|
|
|
BTF_KFUNCS_END(hid_bpf_syscall_kfunc_ids)
|
2022-11-03 16:57:44 +01:00
|
|
|
|
|
|
|
|
static const struct btf_kfunc_id_set hid_bpf_syscall_kfunc_set = {
|
|
|
|
|
.owner = THIS_MODULE,
|
|
|
|
|
.set = &hid_bpf_syscall_kfunc_ids,
|
|
|
|
|
};
|
|
|
|
|
|
2022-11-03 16:57:47 +01:00
|
|
|
int hid_bpf_connect_device(struct hid_device *hdev)
|
|
|
|
|
{
|
2024-06-08 11:01:15 +02:00
|
|
|
bool need_to_allocate = false;
|
|
|
|
|
struct hid_bpf_ops *e;
|
2022-11-03 16:57:47 +01:00
|
|
|
|
|
|
|
|
rcu_read_lock();
|
2024-06-08 11:01:15 +02:00
|
|
|
list_for_each_entry_rcu(e, &hdev->bpf.prog_list, list) {
|
|
|
|
|
if (e->hid_device_event) {
|
|
|
|
|
need_to_allocate = true;
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
}
|
2022-11-03 16:57:47 +01:00
|
|
|
rcu_read_unlock();
|
|
|
|
|
|
|
|
|
|
/* only allocate BPF data if there are programs attached */
|
2024-06-08 11:01:15 +02:00
|
|
|
if (!need_to_allocate)
|
2022-11-03 16:57:47 +01:00
|
|
|
return 0;
|
|
|
|
|
|
|
|
|
|
return hid_bpf_allocate_event_data(hdev);
|
|
|
|
|
}
|
|
|
|
|
EXPORT_SYMBOL_GPL(hid_bpf_connect_device);
|
|
|
|
|
|
|
|
|
|
void hid_bpf_disconnect_device(struct hid_device *hdev)
|
|
|
|
|
{
|
|
|
|
|
kfree(hdev->bpf.device_data);
|
|
|
|
|
hdev->bpf.device_data = NULL;
|
|
|
|
|
hdev->bpf.allocated_data = 0;
|
|
|
|
|
}
|
|
|
|
|
EXPORT_SYMBOL_GPL(hid_bpf_disconnect_device);
|
|
|
|
|
|
2022-11-03 16:57:44 +01:00
|
|
|
void hid_bpf_destroy_device(struct hid_device *hdev)
|
|
|
|
|
{
|
|
|
|
|
if (!hdev)
|
|
|
|
|
return;
|
|
|
|
|
|
|
|
|
|
/* mark the device as destroyed in bpf so we don't reattach it */
|
|
|
|
|
hdev->bpf.destroyed = true;
|
|
|
|
|
|
2024-06-08 11:01:15 +02:00
|
|
|
__hid_bpf_ops_destroy_device(hdev);
|
2024-06-26 15:46:24 +02:00
|
|
|
|
|
|
|
|
synchronize_srcu(&hdev->bpf.srcu);
|
|
|
|
|
cleanup_srcu_struct(&hdev->bpf.srcu);
|
2022-11-03 16:57:44 +01:00
|
|
|
}
|
|
|
|
|
EXPORT_SYMBOL_GPL(hid_bpf_destroy_device);
|
|
|
|
|
|
2024-06-26 15:46:24 +02:00
|
|
|
int hid_bpf_device_init(struct hid_device *hdev)
|
2022-11-03 16:57:44 +01:00
|
|
|
{
|
2024-06-08 11:01:15 +02:00
|
|
|
INIT_LIST_HEAD(&hdev->bpf.prog_list);
|
|
|
|
|
mutex_init(&hdev->bpf.prog_list_lock);
|
2024-06-26 15:46:24 +02:00
|
|
|
return init_srcu_struct(&hdev->bpf.srcu);
|
2022-11-03 16:57:44 +01:00
|
|
|
}
|
|
|
|
|
EXPORT_SYMBOL_GPL(hid_bpf_device_init);
|
|
|
|
|
|
|
|
|
|
static int __init hid_bpf_init(void)
|
|
|
|
|
{
|
|
|
|
|
int err;
|
|
|
|
|
|
|
|
|
|
/* Note: if we exit with an error any time here, we would entirely break HID, which
|
|
|
|
|
* is probably not something we want. So we log an error and return success.
|
|
|
|
|
*
|
2024-06-08 11:01:20 +02:00
|
|
|
* This is not a big deal: nobody will be able to use the functionality.
|
2022-11-03 16:57:44 +01:00
|
|
|
*/
|
|
|
|
|
|
2024-06-08 11:01:15 +02:00
|
|
|
err = register_btf_kfunc_id_set(BPF_PROG_TYPE_STRUCT_OPS, &hid_bpf_kfunc_set);
|
|
|
|
|
if (err) {
|
|
|
|
|
pr_warn("error while setting HID BPF tracing kfuncs: %d", err);
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
2022-11-03 16:57:44 +01:00
|
|
|
err = register_btf_kfunc_id_set(BPF_PROG_TYPE_SYSCALL, &hid_bpf_syscall_kfunc_set);
|
|
|
|
|
if (err) {
|
|
|
|
|
pr_warn("error while setting HID BPF syscall kfuncs: %d", err);
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
late_initcall(hid_bpf_init);
|
|
|
|
|
MODULE_AUTHOR("Benjamin Tissoires");
|
|
|
|
|
MODULE_LICENSE("GPL");
|