| // SPDX-License-Identifier: GPL-2.0 |
| /* Copyright (c) 2022 Red hat */ |
| #include "hid_bpf_helpers.h" |
| |
| char _license[] SEC("license") = "GPL"; |
| |
| struct attach_prog_args { |
| int prog_fd; |
| unsigned int hid; |
| int retval; |
| int insert_head; |
| }; |
| |
| __u64 callback_check = 52; |
| __u64 callback2_check = 52; |
| |
| SEC("?struct_ops/hid_device_event") |
| int BPF_PROG(hid_first_event, struct hid_bpf_ctx *hid_ctx, enum hid_report_type type) |
| { |
| __u8 *rw_data = hid_bpf_get_data(hid_ctx, 0 /* offset */, 3 /* size */); |
| |
| if (!rw_data) |
| return 0; /* EPERM check */ |
| |
| callback_check = rw_data[1]; |
| |
| rw_data[2] = rw_data[1] + 5; |
| |
| return hid_ctx->size; |
| } |
| |
| SEC(".struct_ops.link") |
| struct hid_bpf_ops first_event = { |
| .hid_device_event = (void *)hid_first_event, |
| .hid_id = 2, |
| }; |
| |
| int __hid_subprog_first_event(struct hid_bpf_ctx *hid_ctx, enum hid_report_type type) |
| { |
| __u8 *rw_data = hid_bpf_get_data(hid_ctx, 0 /* offset */, 3 /* size */); |
| |
| if (!rw_data) |
| return 0; /* EPERM check */ |
| |
| rw_data[2] = rw_data[1] + 5; |
| |
| return hid_ctx->size; |
| } |
| |
| SEC("?struct_ops/hid_device_event") |
| int BPF_PROG(hid_subprog_first_event, struct hid_bpf_ctx *hid_ctx, enum hid_report_type type) |
| { |
| return __hid_subprog_first_event(hid_ctx, type); |
| } |
| |
| SEC(".struct_ops.link") |
| struct hid_bpf_ops subprog_first_event = { |
| .hid_device_event = (void *)hid_subprog_first_event, |
| .hid_id = 2, |
| }; |
| |
| SEC("?struct_ops/hid_device_event") |
| int BPF_PROG(hid_second_event, struct hid_bpf_ctx *hid_ctx, enum hid_report_type type) |
| { |
| __u8 *rw_data = hid_bpf_get_data(hid_ctx, 0 /* offset */, 4 /* size */); |
| |
| if (!rw_data) |
| return 0; /* EPERM check */ |
| |
| rw_data[3] = rw_data[2] + 5; |
| |
| return hid_ctx->size; |
| } |
| |
| SEC(".struct_ops.link") |
| struct hid_bpf_ops second_event = { |
| .hid_device_event = (void *)hid_second_event, |
| }; |
| |
| SEC("?struct_ops/hid_device_event") |
| int BPF_PROG(hid_change_report_id, struct hid_bpf_ctx *hid_ctx, enum hid_report_type type) |
| { |
| __u8 *rw_data = hid_bpf_get_data(hid_ctx, 0 /* offset */, 3 /* size */); |
| |
| if (!rw_data) |
| return 0; /* EPERM check */ |
| |
| rw_data[0] = 2; |
| |
| return 9; |
| } |
| |
| SEC(".struct_ops.link") |
| struct hid_bpf_ops change_report_id = { |
| .hid_device_event = (void *)hid_change_report_id, |
| }; |
| |
| struct hid_hw_request_syscall_args { |
| /* data needs to come at offset 0 so we can use it in calls */ |
| __u8 data[10]; |
| unsigned int hid; |
| int retval; |
| size_t size; |
| enum hid_report_type type; |
| __u8 request_type; |
| }; |
| |
| SEC("syscall") |
| int hid_user_raw_request(struct hid_hw_request_syscall_args *args) |
| { |
| struct hid_bpf_ctx *ctx; |
| const size_t size = args->size; |
| int i, ret = 0; |
| |
| if (size > sizeof(args->data)) |
| return -7; /* -E2BIG */ |
| |
| ctx = hid_bpf_allocate_context(args->hid); |
| if (!ctx) |
| return -1; /* EPERM check */ |
| |
| ret = hid_bpf_hw_request(ctx, |
| args->data, |
| size, |
| args->type, |
| args->request_type); |
| args->retval = ret; |
| |
| hid_bpf_release_context(ctx); |
| |
| return 0; |
| } |
| |
| SEC("syscall") |
| int hid_user_output_report(struct hid_hw_request_syscall_args *args) |
| { |
| struct hid_bpf_ctx *ctx; |
| const size_t size = args->size; |
| int i, ret = 0; |
| |
| if (size > sizeof(args->data)) |
| return -7; /* -E2BIG */ |
| |
| ctx = hid_bpf_allocate_context(args->hid); |
| if (!ctx) |
| return -1; /* EPERM check */ |
| |
| ret = hid_bpf_hw_output_report(ctx, |
| args->data, |
| size); |
| args->retval = ret; |
| |
| hid_bpf_release_context(ctx); |
| |
| return 0; |
| } |
| |
| SEC("syscall") |
| int hid_user_input_report(struct hid_hw_request_syscall_args *args) |
| { |
| struct hid_bpf_ctx *ctx; |
| const size_t size = args->size; |
| int i, ret = 0; |
| |
| if (size > sizeof(args->data)) |
| return -7; /* -E2BIG */ |
| |
| ctx = hid_bpf_allocate_context(args->hid); |
| if (!ctx) |
| return -1; /* EPERM check */ |
| |
| ret = hid_bpf_input_report(ctx, HID_INPUT_REPORT, args->data, size); |
| args->retval = ret; |
| |
| hid_bpf_release_context(ctx); |
| |
| return 0; |
| } |
| |
| static const __u8 rdesc[] = { |
| 0x05, 0x01, /* USAGE_PAGE (Generic Desktop) */ |
| 0x09, 0x32, /* USAGE (Z) */ |
| 0x95, 0x01, /* REPORT_COUNT (1) */ |
| 0x81, 0x06, /* INPUT (Data,Var,Rel) */ |
| |
| 0x06, 0x00, 0xff, /* Usage Page (Vendor Defined Page 1) */ |
| 0x19, 0x01, /* USAGE_MINIMUM (1) */ |
| 0x29, 0x03, /* USAGE_MAXIMUM (3) */ |
| 0x15, 0x00, /* LOGICAL_MINIMUM (0) */ |
| 0x25, 0x01, /* LOGICAL_MAXIMUM (1) */ |
| 0x95, 0x03, /* REPORT_COUNT (3) */ |
| 0x75, 0x01, /* REPORT_SIZE (1) */ |
| 0x91, 0x02, /* Output (Data,Var,Abs) */ |
| 0x95, 0x01, /* REPORT_COUNT (1) */ |
| 0x75, 0x05, /* REPORT_SIZE (5) */ |
| 0x91, 0x01, /* Output (Cnst,Var,Abs) */ |
| |
| 0x06, 0x00, 0xff, /* Usage Page (Vendor Defined Page 1) */ |
| 0x19, 0x06, /* USAGE_MINIMUM (6) */ |
| 0x29, 0x08, /* USAGE_MAXIMUM (8) */ |
| 0x15, 0x00, /* LOGICAL_MINIMUM (0) */ |
| 0x25, 0x01, /* LOGICAL_MAXIMUM (1) */ |
| 0x95, 0x03, /* REPORT_COUNT (3) */ |
| 0x75, 0x01, /* REPORT_SIZE (1) */ |
| 0xb1, 0x02, /* Feature (Data,Var,Abs) */ |
| 0x95, 0x01, /* REPORT_COUNT (1) */ |
| 0x75, 0x05, /* REPORT_SIZE (5) */ |
| 0x91, 0x01, /* Output (Cnst,Var,Abs) */ |
| |
| 0xc0, /* END_COLLECTION */ |
| 0xc0, /* END_COLLECTION */ |
| }; |
| |
| /* |
| * the following program is marked as sleepable (struct_ops.s). |
| * This is not strictly mandatory but is a nice test for |
| * sleepable struct_ops |
| */ |
| SEC("?struct_ops.s/hid_rdesc_fixup") |
| int BPF_PROG(hid_rdesc_fixup, struct hid_bpf_ctx *hid_ctx) |
| { |
| __u8 *data = hid_bpf_get_data(hid_ctx, 0 /* offset */, 4096 /* size */); |
| |
| if (!data) |
| return 0; /* EPERM check */ |
| |
| callback2_check = data[4]; |
| |
| /* insert rdesc at offset 73 */ |
| __builtin_memcpy(&data[73], rdesc, sizeof(rdesc)); |
| |
| /* Change Usage Vendor globally */ |
| data[4] = 0x42; |
| |
| return sizeof(rdesc) + 73; |
| } |
| |
| SEC(".struct_ops.link") |
| struct hid_bpf_ops rdesc_fixup = { |
| .hid_rdesc_fixup = (void *)hid_rdesc_fixup, |
| }; |
| |
| SEC("?struct_ops/hid_device_event") |
| int BPF_PROG(hid_test_insert1, struct hid_bpf_ctx *hid_ctx, enum hid_report_type type) |
| { |
| __u8 *data = hid_bpf_get_data(hid_ctx, 0 /* offset */, 4 /* size */); |
| |
| if (!data) |
| return 0; /* EPERM check */ |
| |
| /* we need to be run first */ |
| if (data[2] || data[3]) |
| return -1; |
| |
| data[1] = 1; |
| |
| return 0; |
| } |
| |
| SEC(".struct_ops.link") |
| struct hid_bpf_ops test_insert1 = { |
| .hid_device_event = (void *)hid_test_insert1, |
| .flags = BPF_F_BEFORE, |
| }; |
| |
| SEC("?struct_ops/hid_device_event") |
| int BPF_PROG(hid_test_insert2, struct hid_bpf_ctx *hid_ctx, enum hid_report_type type) |
| { |
| __u8 *data = hid_bpf_get_data(hid_ctx, 0 /* offset */, 4 /* size */); |
| |
| if (!data) |
| return 0; /* EPERM check */ |
| |
| /* after insert0 and before insert2 */ |
| if (!data[1] || data[3]) |
| return -1; |
| |
| data[2] = 2; |
| |
| return 0; |
| } |
| |
| SEC(".struct_ops.link") |
| struct hid_bpf_ops test_insert2 = { |
| .hid_device_event = (void *)hid_test_insert2, |
| }; |
| |
| SEC("?struct_ops/hid_device_event") |
| int BPF_PROG(hid_test_insert3, struct hid_bpf_ctx *hid_ctx, enum hid_report_type type) |
| { |
| __u8 *data = hid_bpf_get_data(hid_ctx, 0 /* offset */, 4 /* size */); |
| |
| if (!data) |
| return 0; /* EPERM check */ |
| |
| /* at the end */ |
| if (!data[1] || !data[2]) |
| return -1; |
| |
| data[3] = 3; |
| |
| return 0; |
| } |
| |
| SEC(".struct_ops.link") |
| struct hid_bpf_ops test_insert3 = { |
| .hid_device_event = (void *)hid_test_insert3, |
| }; |
| |
| SEC("?struct_ops/hid_hw_request") |
| int BPF_PROG(hid_test_filter_raw_request, struct hid_bpf_ctx *hctx, unsigned char reportnum, |
| enum hid_report_type rtype, enum hid_class_request reqtype, __u64 source) |
| { |
| return -20; |
| } |
| |
| SEC(".struct_ops.link") |
| struct hid_bpf_ops test_filter_raw_request = { |
| .hid_hw_request = (void *)hid_test_filter_raw_request, |
| }; |
| |
| static struct file *current_file; |
| |
| SEC("fentry/hidraw_open") |
| int BPF_PROG(hidraw_open, struct inode *inode, struct file *file) |
| { |
| current_file = file; |
| return 0; |
| } |
| |
| SEC("?struct_ops.s/hid_hw_request") |
| int BPF_PROG(hid_test_hidraw_raw_request, struct hid_bpf_ctx *hctx, unsigned char reportnum, |
| enum hid_report_type rtype, enum hid_class_request reqtype, __u64 source) |
| { |
| __u8 *data = hid_bpf_get_data(hctx, 0 /* offset */, 3 /* size */); |
| int ret; |
| |
| if (!data) |
| return 0; /* EPERM check */ |
| |
| /* check if the incoming request comes from our hidraw operation */ |
| if (source == (__u64)current_file) { |
| data[0] = reportnum; |
| |
| ret = hid_bpf_hw_request(hctx, data, 2, rtype, reqtype); |
| if (ret != 2) |
| return -1; |
| data[0] = reportnum + 1; |
| data[1] = reportnum + 2; |
| data[2] = reportnum + 3; |
| return 3; |
| } |
| |
| return 0; |
| } |
| |
| SEC(".struct_ops.link") |
| struct hid_bpf_ops test_hidraw_raw_request = { |
| .hid_hw_request = (void *)hid_test_hidraw_raw_request, |
| }; |
| |
| SEC("?struct_ops.s/hid_hw_request") |
| int BPF_PROG(hid_test_infinite_loop_raw_request, struct hid_bpf_ctx *hctx, unsigned char reportnum, |
| enum hid_report_type rtype, enum hid_class_request reqtype, __u64 source) |
| { |
| __u8 *data = hid_bpf_get_data(hctx, 0 /* offset */, 3 /* size */); |
| int ret; |
| |
| if (!data) |
| return 0; /* EPERM check */ |
| |
| /* always forward the request as-is to the device, hid-bpf should prevent |
| * infinite loops. |
| */ |
| data[0] = reportnum; |
| |
| ret = hid_bpf_hw_request(hctx, data, 2, rtype, reqtype); |
| if (ret == 2) |
| return 3; |
| |
| return 0; |
| } |
| |
| SEC(".struct_ops.link") |
| struct hid_bpf_ops test_infinite_loop_raw_request = { |
| .hid_hw_request = (void *)hid_test_infinite_loop_raw_request, |
| }; |
| |
| SEC("?struct_ops/hid_hw_output_report") |
| int BPF_PROG(hid_test_filter_output_report, struct hid_bpf_ctx *hctx, unsigned char reportnum, |
| enum hid_report_type rtype, enum hid_class_request reqtype, __u64 source) |
| { |
| return -25; |
| } |
| |
| SEC(".struct_ops.link") |
| struct hid_bpf_ops test_filter_output_report = { |
| .hid_hw_output_report = (void *)hid_test_filter_output_report, |
| }; |
| |
| SEC("?struct_ops.s/hid_hw_output_report") |
| int BPF_PROG(hid_test_hidraw_output_report, struct hid_bpf_ctx *hctx, __u64 source) |
| { |
| __u8 *data = hid_bpf_get_data(hctx, 0 /* offset */, 3 /* size */); |
| int ret; |
| |
| if (!data) |
| return 0; /* EPERM check */ |
| |
| /* check if the incoming request comes from our hidraw operation */ |
| if (source == (__u64)current_file) |
| return hid_bpf_hw_output_report(hctx, data, 2); |
| |
| return 0; |
| } |
| |
| SEC(".struct_ops.link") |
| struct hid_bpf_ops test_hidraw_output_report = { |
| .hid_hw_output_report = (void *)hid_test_hidraw_output_report, |
| }; |
| |
| SEC("?struct_ops.s/hid_hw_output_report") |
| int BPF_PROG(hid_test_infinite_loop_output_report, struct hid_bpf_ctx *hctx, __u64 source) |
| { |
| __u8 *data = hid_bpf_get_data(hctx, 0 /* offset */, 3 /* size */); |
| int ret; |
| |
| if (!data) |
| return 0; /* EPERM check */ |
| |
| /* always forward the request as-is to the device, hid-bpf should prevent |
| * infinite loops. |
| */ |
| |
| ret = hid_bpf_hw_output_report(hctx, data, 2); |
| if (ret == 2) |
| return 2; |
| |
| return 0; |
| } |
| |
| SEC(".struct_ops.link") |
| struct hid_bpf_ops test_infinite_loop_output_report = { |
| .hid_hw_output_report = (void *)hid_test_infinite_loop_output_report, |
| }; |
| |
| struct elem { |
| struct bpf_wq work; |
| }; |
| |
| struct { |
| __uint(type, BPF_MAP_TYPE_HASH); |
| __uint(max_entries, 1); |
| __type(key, int); |
| __type(value, struct elem); |
| } hmap SEC(".maps"); |
| |
| static int wq_cb_sleepable(void *map, int *key, struct bpf_wq *work) |
| { |
| __u8 buf[9] = {2, 3, 4, 5, 6, 7, 8, 9, 10}; |
| struct hid_bpf_ctx *hid_ctx; |
| |
| hid_ctx = hid_bpf_allocate_context(*key); |
| if (!hid_ctx) |
| return 0; /* EPERM check */ |
| |
| hid_bpf_input_report(hid_ctx, HID_INPUT_REPORT, buf, sizeof(buf)); |
| |
| hid_bpf_release_context(hid_ctx); |
| |
| return 0; |
| } |
| |
| static int test_inject_input_report_callback(int *key) |
| { |
| struct elem init = {}, *val; |
| struct bpf_wq *wq; |
| |
| if (bpf_map_update_elem(&hmap, key, &init, 0)) |
| return -1; |
| |
| val = bpf_map_lookup_elem(&hmap, key); |
| if (!val) |
| return -2; |
| |
| wq = &val->work; |
| if (bpf_wq_init(wq, &hmap, 0) != 0) |
| return -3; |
| |
| if (bpf_wq_set_callback(wq, wq_cb_sleepable, 0)) |
| return -4; |
| |
| if (bpf_wq_start(wq, 0)) |
| return -5; |
| |
| return 0; |
| } |
| |
| SEC("?struct_ops/hid_device_event") |
| int BPF_PROG(hid_test_multiply_events_wq, struct hid_bpf_ctx *hid_ctx, enum hid_report_type type) |
| { |
| __u8 *data = hid_bpf_get_data(hid_ctx, 0 /* offset */, 9 /* size */); |
| int hid = hid_ctx->hid->id; |
| int ret; |
| |
| if (!data) |
| return 0; /* EPERM check */ |
| |
| if (data[0] != 1) |
| return 0; |
| |
| ret = test_inject_input_report_callback(&hid); |
| if (ret) |
| return ret; |
| |
| data[1] += 5; |
| |
| return 0; |
| } |
| |
| SEC(".struct_ops.link") |
| struct hid_bpf_ops test_multiply_events_wq = { |
| .hid_device_event = (void *)hid_test_multiply_events_wq, |
| }; |
| |
| SEC("?struct_ops/hid_device_event") |
| int BPF_PROG(hid_test_multiply_events, struct hid_bpf_ctx *hid_ctx, enum hid_report_type type) |
| { |
| __u8 *data = hid_bpf_get_data(hid_ctx, 0 /* offset */, 9 /* size */); |
| __u8 buf[9]; |
| int ret; |
| |
| if (!data) |
| return 0; /* EPERM check */ |
| |
| if (data[0] != 1) |
| return 0; |
| |
| /* |
| * we have to use an intermediate buffer as hid_bpf_input_report |
| * will memset data to \0 |
| */ |
| __builtin_memcpy(buf, data, sizeof(buf)); |
| |
| buf[0] = 2; |
| buf[1] += 5; |
| ret = hid_bpf_try_input_report(hid_ctx, HID_INPUT_REPORT, buf, sizeof(buf)); |
| if (ret < 0) |
| return ret; |
| |
| /* |
| * In real world we should reset the original buffer as data might be garbage now, |
| * but it actually now has the content of 'buf' |
| */ |
| data[1] += 5; |
| |
| return 9; |
| } |
| |
| SEC(".struct_ops.link") |
| struct hid_bpf_ops test_multiply_events = { |
| .hid_device_event = (void *)hid_test_multiply_events, |
| }; |
| |
| SEC("?struct_ops/hid_device_event") |
| int BPF_PROG(hid_test_infinite_loop_input_report, struct hid_bpf_ctx *hctx, |
| enum hid_report_type report_type, __u64 source) |
| { |
| __u8 *data = hid_bpf_get_data(hctx, 0 /* offset */, 6 /* size */); |
| __u8 buf[6]; |
| |
| if (!data) |
| return 0; /* EPERM check */ |
| |
| /* |
| * we have to use an intermediate buffer as hid_bpf_input_report |
| * will memset data to \0 |
| */ |
| __builtin_memcpy(buf, data, sizeof(buf)); |
| |
| /* always forward the request as-is to the device, hid-bpf should prevent |
| * infinite loops. |
| * the return value is ignored so the event is passing to userspace. |
| */ |
| |
| hid_bpf_try_input_report(hctx, report_type, buf, sizeof(buf)); |
| |
| /* each time we process the event, we increment by one data[1]: |
| * after each successful call to hid_bpf_try_input_report, buf |
| * has been memcopied into data by the kernel. |
| */ |
| data[1] += 1; |
| |
| return 0; |
| } |
| |
| SEC(".struct_ops.link") |
| struct hid_bpf_ops test_infinite_loop_input_report = { |
| .hid_device_event = (void *)hid_test_infinite_loop_input_report, |
| }; |