lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-Id: <20240124-b4-hid-bpf-fixes-v2-0-052520b1e5e6@kernel.org>
Date: Wed, 24 Jan 2024 12:26:56 +0100
From: Benjamin Tissoires <bentiss@...nel.org>
To: Jiri Kosina <jikos@...nel.org>, 
 Benjamin Tissoires <benjamin.tissoires@...hat.com>, 
 Dan Carpenter <dan.carpenter@...aro.org>, 
 Daniel Borkmann <daniel@...earbox.net>, 
 Andrii Nakryiko <andrii.nakryiko@...il.com>
Cc: linux-input@...r.kernel.org, linux-kernel@...r.kernel.org, 
 bpf@...r.kernel.org, Benjamin Tissoires <bentiss@...nel.org>, 
 stable@...r.kernel.org
Subject: [PATCH v2 0/3] HID: bpf: couple of upstream fixes

Hi,

This is the v2 of this series of HID-BPF fixes.
I have forgotten to include a Fixes tag in the first patch
and got a review from Andrii on patch 2.

And this first patch made me realize that something was fishy
in the refcount of the hid devices. I was not crashing the system
even if I accessed the struct hid_device after hid_destroy_device()
was called, which was suspicious to say the least. So after some
debugging I found the culprit and realized that I had a pretty
nice memleak as soon as one HID-BPF program was attached to a HID
device.

The good thing though is that this ref count prevents a crash in
case a HID-BPF program attempts to access a removed HID device when
hid_bpf_allocate_context() has been called but not yet released.

Anyway, for reference, the cover letter of v1:

---

Hi,

these are a couple of fixes for hid-bpf. The first one should
probably go in ASAP, after the reviews, and the second one is nice
to have and doesn't hurt much.

Thanks Dan for finding out the issue with bpf_prog_get()

Cheers,
Benjamin

To: Jiri Kosina <jikos@...nel.org>
To: Benjamin Tissoires <benjamin.tissoires@...hat.com>
To: Dan Carpenter <dan.carpenter@...aro.org>
To: Daniel Borkmann <daniel@...earbox.net>
To: Andrii Nakryiko <andrii.nakryiko@...il.com>
Cc:  <linux-input@...r.kernel.org>
Cc:  <linux-kernel@...r.kernel.org>
Cc:  <bpf@...r.kernel.org>
Signed-off-by: Benjamin Tissoires <bentiss@...nel.org>

---
Changes in v2:
- add Fixes tags
- handled Andrii review (use of __bpf_kfunc_start/end_defs())
- new patch to fetch ref counting of struct hid_device
- Link to v1: https://lore.kernel.org/r/20240123-b4-hid-bpf-fixes-v1-0-aa1fac734377@kernel.org

---
Benjamin Tissoires (3):
      HID: bpf: remove double fdget()
      HID: bpf: actually free hdev memory after attaching a HID-BPF program
      HID: bpf: use __bpf_kfunc instead of noinline

 drivers/hid/bpf/hid_bpf_dispatch.c  | 101 ++++++++++++++++++++++++++----------
 drivers/hid/bpf/hid_bpf_dispatch.h  |   4 +-
 drivers/hid/bpf/hid_bpf_jmp_table.c |  39 +++++++-------
 include/linux/hid_bpf.h             |  11 ----
 4 files changed, 95 insertions(+), 60 deletions(-)
---
base-commit: fef018d8199661962b5fc0f0d1501caa54b2b533
change-id: 20240123-b4-hid-bpf-fixes-662908fe2234

Best regards,
-- 
Benjamin Tissoires <bentiss@...nel.org>


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ