git.ipfire.org Git - thirdparty/kernel/stable.git/commit

author	Benjamin Tissoires <bentiss@kernel.org>
	Wed, 24 Jan 2024 11:26:57 +0000 (12:26 +0100)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Fri, 23 Feb 2024 08:24:55 +0000 (09:24 +0100)
commit	d83a7e591d26a04bd9c7ffa2f6a875a8cc0f4d2f
tree	db02a6bee9764306a64b46a90a612ef60eeb78b8	tree \| snapshot
parent	c34c01fba0f0f8810a43ade15d783610eee461bb	commit \| diff

HID: bpf: remove double fdget()

commit 7cdd2108903a4e369eb37579830afc12a6877ec2 upstream.

When the kfunc hid_bpf_attach_prog() is called, we called twice fdget():
one for fetching the type of the bpf program, and one for actually
attaching the program to the device.

The problem is that between those two calls, we have no guarantees that
the prog_fd is still the same file descriptor for the given program.

Solve this by calling bpf_prog_get() earlier, and use this to fetch the
program type.

Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
Link: https://lore.kernel.org/bpf/CAO-hwJJ8vh8JD3-P43L-_CLNmPx0hWj44aom0O838vfP4=_1CA@mail.gmail.com/T/#t
Cc: <stable@vger.kernel.org>
Fixes: f5c27da4e3c8 ("HID: initial BPF implementation")
Link: https://lore.kernel.org/r/20240124-b4-hid-bpf-fixes-v2-1-052520b1e5e6@kernel.org
Signed-off-by: Benjamin Tissoires <bentiss@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

drivers/hid/bpf/hid_bpf_dispatch.c		diff \| blob \| blame \| history
drivers/hid/bpf/hid_bpf_dispatch.h		diff \| blob \| blame \| history
drivers/hid/bpf/hid_bpf_jmp_table.c		diff \| blob \| blame \| history