Contributors: 1
Author Tokens Token Proportion Commits Commit Proportion
Benjamin Tissoires 2457 100.00% 16 100.00%
Total 2457 16


// SPDX-License-Identifier: GPL-2.0
/* Copyright (c) 2022 Red hat */
#include "hid_bpf_helpers.h"

char _license[] SEC("license") = "GPL";

struct attach_prog_args {
	int prog_fd;
	unsigned int hid;
	int retval;
	int insert_head;
};

__u64 callback_check = 52;
__u64 callback2_check = 52;

SEC("?struct_ops/hid_device_event")
int BPF_PROG(hid_first_event, struct hid_bpf_ctx *hid_ctx, enum hid_report_type type)
{
	__u8 *rw_data = hid_bpf_get_data(hid_ctx, 0 /* offset */, 3 /* size */);

	if (!rw_data)
		return 0; /* EPERM check */

	callback_check = rw_data[1];

	rw_data[2] = rw_data[1] + 5;

	return hid_ctx->size;
}

SEC(".struct_ops.link")
struct hid_bpf_ops first_event = {
	.hid_device_event = (void *)hid_first_event,
	.hid_id = 2,
};

int __hid_subprog_first_event(struct hid_bpf_ctx *hid_ctx, enum hid_report_type type)
{
	__u8 *rw_data = hid_bpf_get_data(hid_ctx, 0 /* offset */, 3 /* size */);

	if (!rw_data)
		return 0; /* EPERM check */

	rw_data[2] = rw_data[1] + 5;

	return hid_ctx->size;
}

SEC("?struct_ops/hid_device_event")
int BPF_PROG(hid_subprog_first_event, struct hid_bpf_ctx *hid_ctx, enum hid_report_type type)
{
	return __hid_subprog_first_event(hid_ctx, type);
}

SEC(".struct_ops.link")
struct hid_bpf_ops subprog_first_event = {
	.hid_device_event = (void *)hid_subprog_first_event,
	.hid_id = 2,
};

SEC("?struct_ops/hid_device_event")
int BPF_PROG(hid_second_event, struct hid_bpf_ctx *hid_ctx, enum hid_report_type type)
{
	__u8 *rw_data = hid_bpf_get_data(hid_ctx, 0 /* offset */, 4 /* size */);

	if (!rw_data)
		return 0; /* EPERM check */

	rw_data[3] = rw_data[2] + 5;

	return hid_ctx->size;
}

SEC(".struct_ops.link")
struct hid_bpf_ops second_event = {
	.hid_device_event = (void *)hid_second_event,
};

SEC("?struct_ops/hid_device_event")
int BPF_PROG(hid_change_report_id, struct hid_bpf_ctx *hid_ctx, enum hid_report_type type)
{
	__u8 *rw_data = hid_bpf_get_data(hid_ctx, 0 /* offset */, 3 /* size */);

	if (!rw_data)
		return 0; /* EPERM check */

	rw_data[0] = 2;

	return 9;
}

SEC(".struct_ops.link")
struct hid_bpf_ops change_report_id = {
	.hid_device_event = (void *)hid_change_report_id,
};

struct hid_hw_request_syscall_args {
	/* data needs to come at offset 0 so we can use it in calls */
	__u8 data[10];
	unsigned int hid;
	int retval;
	size_t size;
	enum hid_report_type type;
	__u8 request_type;
};

SEC("syscall")
int hid_user_raw_request(struct hid_hw_request_syscall_args *args)
{
	struct hid_bpf_ctx *ctx;
	const size_t size = args->size;
	int i, ret = 0;

	if (size > sizeof(args->data))
		return -7; /* -E2BIG */

	ctx = hid_bpf_allocate_context(args->hid);
	if (!ctx)
		return -1; /* EPERM check */

	ret = hid_bpf_hw_request(ctx,
				 args->data,
				 size,
				 args->type,
				 args->request_type);
	args->retval = ret;

	hid_bpf_release_context(ctx);

	return 0;
}

SEC("syscall")
int hid_user_output_report(struct hid_hw_request_syscall_args *args)
{
	struct hid_bpf_ctx *ctx;
	const size_t size = args->size;
	int i, ret = 0;

	if (size > sizeof(args->data))
		return -7; /* -E2BIG */

	ctx = hid_bpf_allocate_context(args->hid);
	if (!ctx)
		return -1; /* EPERM check */

	ret = hid_bpf_hw_output_report(ctx,
				       args->data,
				       size);
	args->retval = ret;

	hid_bpf_release_context(ctx);

	return 0;
}

SEC("syscall")
int hid_user_input_report(struct hid_hw_request_syscall_args *args)
{
	struct hid_bpf_ctx *ctx;
	const size_t size = args->size;
	int i, ret = 0;

	if (size > sizeof(args->data))
		return -7; /* -E2BIG */

	ctx = hid_bpf_allocate_context(args->hid);
	if (!ctx)
		return -1; /* EPERM check */

	ret = hid_bpf_input_report(ctx, HID_INPUT_REPORT, args->data, size);
	args->retval = ret;

	hid_bpf_release_context(ctx);

	return 0;
}

static const __u8 rdesc[] = {
	0x05, 0x01,				/* USAGE_PAGE (Generic Desktop) */
	0x09, 0x32,				/* USAGE (Z) */
	0x95, 0x01,				/* REPORT_COUNT (1) */
	0x81, 0x06,				/* INPUT (Data,Var,Rel) */

	0x06, 0x00, 0xff,			/* Usage Page (Vendor Defined Page 1) */
	0x19, 0x01,				/* USAGE_MINIMUM (1) */
	0x29, 0x03,				/* USAGE_MAXIMUM (3) */
	0x15, 0x00,				/* LOGICAL_MINIMUM (0) */
	0x25, 0x01,				/* LOGICAL_MAXIMUM (1) */
	0x95, 0x03,				/* REPORT_COUNT (3) */
	0x75, 0x01,				/* REPORT_SIZE (1) */
	0x91, 0x02,				/* Output (Data,Var,Abs) */
	0x95, 0x01,				/* REPORT_COUNT (1) */
	0x75, 0x05,				/* REPORT_SIZE (5) */
	0x91, 0x01,				/* Output (Cnst,Var,Abs) */

	0x06, 0x00, 0xff,			/* Usage Page (Vendor Defined Page 1) */
	0x19, 0x06,				/* USAGE_MINIMUM (6) */
	0x29, 0x08,				/* USAGE_MAXIMUM (8) */
	0x15, 0x00,				/* LOGICAL_MINIMUM (0) */
	0x25, 0x01,				/* LOGICAL_MAXIMUM (1) */
	0x95, 0x03,				/* REPORT_COUNT (3) */
	0x75, 0x01,				/* REPORT_SIZE (1) */
	0xb1, 0x02,				/* Feature (Data,Var,Abs) */
	0x95, 0x01,				/* REPORT_COUNT (1) */
	0x75, 0x05,				/* REPORT_SIZE (5) */
	0x91, 0x01,				/* Output (Cnst,Var,Abs) */

	0xc0,				/* END_COLLECTION */
	0xc0,			/* END_COLLECTION */
};

/*
 * the following program is marked as sleepable (struct_ops.s).
 * This is not strictly mandatory but is a nice test for
 * sleepable struct_ops
 */
SEC("?struct_ops.s/hid_rdesc_fixup")
int BPF_PROG(hid_rdesc_fixup, struct hid_bpf_ctx *hid_ctx)
{
	__u8 *data = hid_bpf_get_data(hid_ctx, 0 /* offset */, 4096 /* size */);

	if (!data)
		return 0; /* EPERM check */

	callback2_check = data[4];

	/* insert rdesc at offset 73 */
	__builtin_memcpy(&data[73], rdesc, sizeof(rdesc));

	/* Change Usage Vendor globally */
	data[4] = 0x42;

	return sizeof(rdesc) + 73;
}

SEC(".struct_ops.link")
struct hid_bpf_ops rdesc_fixup = {
	.hid_rdesc_fixup = (void *)hid_rdesc_fixup,
};

SEC("?struct_ops/hid_device_event")
int BPF_PROG(hid_test_insert1, struct hid_bpf_ctx *hid_ctx, enum hid_report_type type)
{
	__u8 *data = hid_bpf_get_data(hid_ctx, 0 /* offset */, 4 /* size */);

	if (!data)
		return 0; /* EPERM check */

	/* we need to be run first */
	if (data[2] || data[3])
		return -1;

	data[1] = 1;

	return 0;
}

SEC(".struct_ops.link")
struct hid_bpf_ops test_insert1 = {
	.hid_device_event = (void *)hid_test_insert1,
	.flags = BPF_F_BEFORE,
};

SEC("?struct_ops/hid_device_event")
int BPF_PROG(hid_test_insert2, struct hid_bpf_ctx *hid_ctx, enum hid_report_type type)
{
	__u8 *data = hid_bpf_get_data(hid_ctx, 0 /* offset */, 4 /* size */);

	if (!data)
		return 0; /* EPERM check */

	/* after insert0 and before insert2 */
	if (!data[1] || data[3])
		return -1;

	data[2] = 2;

	return 0;
}

SEC(".struct_ops.link")
struct hid_bpf_ops test_insert2 = {
	.hid_device_event = (void *)hid_test_insert2,
};

SEC("?struct_ops/hid_device_event")
int BPF_PROG(hid_test_insert3, struct hid_bpf_ctx *hid_ctx, enum hid_report_type type)
{
	__u8 *data = hid_bpf_get_data(hid_ctx, 0 /* offset */, 4 /* size */);

	if (!data)
		return 0; /* EPERM check */

	/* at the end */
	if (!data[1] || !data[2])
		return -1;

	data[3] = 3;

	return 0;
}

SEC(".struct_ops.link")
struct hid_bpf_ops test_insert3 = {
	.hid_device_event = (void *)hid_test_insert3,
};

SEC("?struct_ops/hid_hw_request")
int BPF_PROG(hid_test_filter_raw_request, struct hid_bpf_ctx *hctx, unsigned char reportnum,
	     enum hid_report_type rtype, enum hid_class_request reqtype, __u64 source)
{
	return -20;
}

SEC(".struct_ops.link")
struct hid_bpf_ops test_filter_raw_request = {
	.hid_hw_request = (void *)hid_test_filter_raw_request,
};

static struct file *current_file;

SEC("fentry/hidraw_open")
int BPF_PROG(hidraw_open, struct inode *inode, struct file *file)
{
	current_file = file;
	return 0;
}

SEC("?struct_ops.s/hid_hw_request")
int BPF_PROG(hid_test_hidraw_raw_request, struct hid_bpf_ctx *hctx, unsigned char reportnum,
	     enum hid_report_type rtype, enum hid_class_request reqtype, __u64 source)
{
	__u8 *data = hid_bpf_get_data(hctx, 0 /* offset */, 3 /* size */);
	int ret;

	if (!data)
		return 0; /* EPERM check */

	/* check if the incoming request comes from our hidraw operation */
	if (source == (__u64)current_file) {
		data[0] = reportnum;

		ret = hid_bpf_hw_request(hctx, data, 2, rtype, reqtype);
		if (ret != 2)
			return -1;
		data[0] = reportnum + 1;
		data[1] = reportnum + 2;
		data[2] = reportnum + 3;
		return 3;
	}

	return 0;
}

SEC(".struct_ops.link")
struct hid_bpf_ops test_hidraw_raw_request = {
	.hid_hw_request = (void *)hid_test_hidraw_raw_request,
};

SEC("?struct_ops.s/hid_hw_request")
int BPF_PROG(hid_test_infinite_loop_raw_request, struct hid_bpf_ctx *hctx, unsigned char reportnum,
	     enum hid_report_type rtype, enum hid_class_request reqtype, __u64 source)
{
	__u8 *data = hid_bpf_get_data(hctx, 0 /* offset */, 3 /* size */);
	int ret;

	if (!data)
		return 0; /* EPERM check */

	/* always forward the request as-is to the device, hid-bpf should prevent
	 * infinite loops.
	 */
	data[0] = reportnum;

	ret = hid_bpf_hw_request(hctx, data, 2, rtype, reqtype);
	if (ret == 2)
		return 3;

	return 0;
}

SEC(".struct_ops.link")
struct hid_bpf_ops test_infinite_loop_raw_request = {
	.hid_hw_request = (void *)hid_test_infinite_loop_raw_request,
};

SEC("?struct_ops/hid_hw_output_report")
int BPF_PROG(hid_test_filter_output_report, struct hid_bpf_ctx *hctx, unsigned char reportnum,
	     enum hid_report_type rtype, enum hid_class_request reqtype, __u64 source)
{
	return -25;
}

SEC(".struct_ops.link")
struct hid_bpf_ops test_filter_output_report = {
	.hid_hw_output_report = (void *)hid_test_filter_output_report,
};

SEC("?struct_ops.s/hid_hw_output_report")
int BPF_PROG(hid_test_hidraw_output_report, struct hid_bpf_ctx *hctx, __u64 source)
{
	__u8 *data = hid_bpf_get_data(hctx, 0 /* offset */, 3 /* size */);
	int ret;

	if (!data)
		return 0; /* EPERM check */

	/* check if the incoming request comes from our hidraw operation */
	if (source == (__u64)current_file)
		return hid_bpf_hw_output_report(hctx, data, 2);

	return 0;
}

SEC(".struct_ops.link")
struct hid_bpf_ops test_hidraw_output_report = {
	.hid_hw_output_report = (void *)hid_test_hidraw_output_report,
};

SEC("?struct_ops.s/hid_hw_output_report")
int BPF_PROG(hid_test_infinite_loop_output_report, struct hid_bpf_ctx *hctx, __u64 source)
{
	__u8 *data = hid_bpf_get_data(hctx, 0 /* offset */, 3 /* size */);
	int ret;

	if (!data)
		return 0; /* EPERM check */

	/* always forward the request as-is to the device, hid-bpf should prevent
	 * infinite loops.
	 */

	ret = hid_bpf_hw_output_report(hctx, data, 2);
	if (ret == 2)
		return 2;

	return 0;
}

SEC(".struct_ops.link")
struct hid_bpf_ops test_infinite_loop_output_report = {
	.hid_hw_output_report = (void *)hid_test_infinite_loop_output_report,
};

struct elem {
	struct bpf_wq work;
};

struct {
	__uint(type, BPF_MAP_TYPE_HASH);
	__uint(max_entries, 1);
	__type(key, int);
	__type(value, struct elem);
} hmap SEC(".maps");

static int wq_cb_sleepable(void *map, int *key, void *work)
{
	__u8 buf[9] = {2, 3, 4, 5, 6, 7, 8, 9, 10};
	struct hid_bpf_ctx *hid_ctx;

	hid_ctx = hid_bpf_allocate_context(*key);
	if (!hid_ctx)
		return 0; /* EPERM check */

	hid_bpf_input_report(hid_ctx, HID_INPUT_REPORT, buf, sizeof(buf));

	hid_bpf_release_context(hid_ctx);

	return 0;
}

static int test_inject_input_report_callback(int *key)
{
	struct elem init = {}, *val;
	struct bpf_wq *wq;

	if (bpf_map_update_elem(&hmap, key, &init, 0))
		return -1;

	val = bpf_map_lookup_elem(&hmap, key);
	if (!val)
		return -2;

	wq = &val->work;
	if (bpf_wq_init(wq, &hmap, 0) != 0)
		return -3;

	if (bpf_wq_set_callback(wq, wq_cb_sleepable, 0))
		return -4;

	if (bpf_wq_start(wq, 0))
		return -5;

	return 0;
}

SEC("?struct_ops/hid_device_event")
int BPF_PROG(hid_test_multiply_events_wq, struct hid_bpf_ctx *hid_ctx, enum hid_report_type type)
{
	__u8 *data = hid_bpf_get_data(hid_ctx, 0 /* offset */, 9 /* size */);
	int hid = hid_ctx->hid->id;
	int ret;

	if (!data)
		return 0; /* EPERM check */

	if (data[0] != 1)
		return 0;

	ret = test_inject_input_report_callback(&hid);
	if (ret)
		return ret;

	data[1] += 5;

	return 0;
}

SEC(".struct_ops.link")
struct hid_bpf_ops test_multiply_events_wq = {
	.hid_device_event = (void *)hid_test_multiply_events_wq,
};

SEC("?struct_ops/hid_device_event")
int BPF_PROG(hid_test_multiply_events, struct hid_bpf_ctx *hid_ctx, enum hid_report_type type)
{
	__u8 *data = hid_bpf_get_data(hid_ctx, 0 /* offset */, 9 /* size */);
	__u8 buf[9];
	int ret;

	if (!data)
		return 0; /* EPERM check */

	if (data[0] != 1)
		return 0;

	/*
	 * we have to use an intermediate buffer as hid_bpf_input_report
	 * will memset data to \0
	 */
	__builtin_memcpy(buf, data, sizeof(buf));

	buf[0] = 2;
	buf[1] += 5;
	ret = hid_bpf_try_input_report(hid_ctx, HID_INPUT_REPORT, buf, sizeof(buf));
	if (ret < 0)
		return ret;

	/*
	 * In real world we should reset the original buffer as data might be garbage now,
	 * but it actually now has the content of 'buf'
	 */
	data[1] += 5;

	return 9;
}

SEC(".struct_ops.link")
struct hid_bpf_ops test_multiply_events = {
	.hid_device_event = (void *)hid_test_multiply_events,
};

SEC("?struct_ops/hid_device_event")
int BPF_PROG(hid_test_infinite_loop_input_report, struct hid_bpf_ctx *hctx,
	     enum hid_report_type report_type, __u64 source)
{
	__u8 *data = hid_bpf_get_data(hctx, 0 /* offset */, 6 /* size */);
	__u8 buf[6];

	if (!data)
		return 0; /* EPERM check */

	/*
	 * we have to use an intermediate buffer as hid_bpf_input_report
	 * will memset data to \0
	 */
	__builtin_memcpy(buf, data, sizeof(buf));

	/* always forward the request as-is to the device, hid-bpf should prevent
	 * infinite loops.
	 * the return value is ignored so the event is passing to userspace.
	 */

	hid_bpf_try_input_report(hctx, report_type, buf, sizeof(buf));

	/* each time we process the event, we increment by one data[1]:
	 * after each successful call to hid_bpf_try_input_report, buf
	 * has been memcopied into data by the kernel.
	 */
	data[1] += 1;

	return 0;
}

SEC(".struct_ops.link")
struct hid_bpf_ops test_infinite_loop_input_report = {
	.hid_device_event = (void *)hid_test_infinite_loop_input_report,
};