git.ipfire.org Git - thirdparty/kernel/stable.git/commit

author	Benjamin Tissoires <bentiss@kernel.org>
	Wed, 24 Jan 2024 11:26:57 +0000 (12:26 +0100)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Fri, 23 Feb 2024 08:51:30 +0000 (09:51 +0100)
commit	1211da213a10bcbab3f232885f799d346ef19fb7
tree	322f842e1bd041aa5c0238862b74a879d89eb650	tree \| snapshot
parent	fe8e47a9ae94a164fbafd49c84998a5c185f5732	commit \| diff

HID: bpf: remove double fdget()

commit 7cdd2108903a4e369eb37579830afc12a6877ec2 upstream.

When the kfunc hid_bpf_attach_prog() is called, we called twice fdget():
one for fetching the type of the bpf program, and one for actually
attaching the program to the device.

The problem is that between those two calls, we have no guarantees that
the prog_fd is still the same file descriptor for the given program.

Solve this by calling bpf_prog_get() earlier, and use this to fetch the
program type.

Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
Link: https://lore.kernel.org/bpf/CAO-hwJJ8vh8JD3-P43L-_CLNmPx0hWj44aom0O838vfP4=_1CA@mail.gmail.com/T/#t
Cc: <stable@vger.kernel.org>
Fixes: f5c27da4e3c8 ("HID: initial BPF implementation")
Link: https://lore.kernel.org/r/20240124-b4-hid-bpf-fixes-v2-1-052520b1e5e6@kernel.org
Signed-off-by: Benjamin Tissoires <bentiss@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

drivers/hid/bpf/hid_bpf_dispatch.c		diff \| blob \| blame \| history
drivers/hid/bpf/hid_bpf_dispatch.h		diff \| blob \| blame \| history
drivers/hid/bpf/hid_bpf_jmp_table.c		diff \| blob \| blame \| history