| Seq | Timestamp | Type | Name | Duration |
|---|---|---|---|---|
| 0/0 | 2026/06/22 07:53 | flow | patch-triage |
Args:null Results: {
"EnableConfigs": [
"HID_BPF"
],
"FocusSymbols": [
"hid_bpf_get_data"
],
"Reasoning": "The patch fixes an integer overflow vulnerability in `hid_bpf_get_data` which is a BPF kfunc used by HID-BPF programs to access device data buffers. This is a functional security fix that is reachable from userspace via BPF programs attached to HID devices.",
"WorthFuzzing": true
} |
| 1/1 | 2026/06/22 07:53 | action | read-patch-diff |
Args:null Results: {
"PatchDiff": "commit 41fa9a3e56400d254f8726a626c5f50d6853331b\nAuthor: syz-cluster \u003ctriage@syzkaller.com\u003e\nDate: Mon Jun 22 07:53:02 2026 +0000\n\n syz-cluster: applied patch under review\n\ndiff --git a/drivers/hid/bpf/hid_bpf_dispatch.c b/drivers/hid/bpf/hid_bpf_dispatch.c\nindex d0130658091b02..09b45c40d84f0b 100644\n--- a/drivers/hid/bpf/hid_bpf_dispatch.c\n+++ b/drivers/hid/bpf/hid_bpf_dispatch.c\n@@ -299,7 +299,8 @@ hid_bpf_get_data(struct hid_bpf_ctx *ctx, unsigned int offset, const size_t rdwr\n \n \tctx_kern = container_of(ctx, struct hid_bpf_ctx_kern, ctx);\n \n-\tif (rdwr_buf_size + offset \u003e ctx-\u003eallocated_size)\n+\tif (offset \u003e ctx-\u003eallocated_size ||\n+\t rdwr_buf_size \u003e ctx-\u003eallocated_size - offset)\n \t\treturn NULL;\n \n \treturn ctx_kern-\u003edata + offset;\ndiff --git a/tools/testing/selftests/hid/Makefile b/tools/testing/selftests/hid/Makefile\nindex 50ec9e0406abaf..357c6eb5ff5ee3 100644\n--- a/tools/testing/selftests/hid/Makefile\n+++ b/tools/testing/selftests/hid/Makefile\n@@ -24,7 +24,7 @@ CXX ?= $(CROSS_COMPILE)g++\n \n HOSTPKG_CONFIG := pkg-config\n \n-CFLAGS += -g -O0 -rdynamic -Wall -Werror -I$(OUTPUT)\n+CFLAGS += -g -O0 -rdynamic -Wall -Werror -I$(OUTPUT) $(KHDR_INCLUDES)\n CFLAGS += -I$(OUTPUT)/tools/include\n \n LDLIBS += -lelf -lz -lrt -lpthread\ndiff --git a/tools/testing/selftests/hid/hid_bpf.c b/tools/testing/selftests/hid/hid_bpf.c\nindex 1e979fb3542bab..b851339308c214 100644\n--- a/tools/testing/selftests/hid/hid_bpf.c\n+++ b/tools/testing/selftests/hid/hid_bpf.c\n@@ -86,6 +86,20 @@ static void load_programs(const struct test_program programs[],\n \tself-\u003eskel = hid__open();\n \tASSERT_OK_PTR(self-\u003eskel) TEARDOWN_LOG(\"Error while calling hid__open\");\n \n+\t/*\n+\t * Disable all struct_ops maps by default so libbpf does not autoload\n+\t * programs referenced by maps that are unrelated to the current test.\n+\t */\n+\tbpf_object__for_each_map(iter_map, 
*self-\u003eskel-\u003eskeleton-\u003eobj) {\n+\t\tif (bpf_map__type(iter_map) == BPF_MAP_TYPE_STRUCT_OPS) {\n+\t\t\terr = bpf_map__set_autocreate(iter_map, false);\n+\t\t\tASSERT_OK(err) TH_LOG(\"can not disable struct_ops map '%s'\",\n+\t\t\t\t\t bpf_map__name(iter_map));\n+\t\t}\n+\n+\t\tbpf_map__set_autoattach(iter_map, false);\n+\t}\n+\n \tfor (int i = 0; i \u003c progs_count; i++) {\n \t\tstruct bpf_program *prog;\n \t\tstruct bpf_map *map;\n@@ -102,6 +116,10 @@ static void load_programs(const struct test_program programs[],\n \t\tASSERT_OK_PTR(map) TH_LOG(\"can not find struct_ops by name '%s'\",\n \t\t\t\t\t programs[i].name + 4);\n \n+\t\terr = bpf_map__set_autocreate(map, true);\n+\t\tASSERT_OK(err) TH_LOG(\"can not enable struct_ops map '%s'\",\n+\t\t\t\t programs[i].name + 4);\n+\n \t\t/* hid_id is the first field of struct hid_bpf_ops */\n \t\tops_hid_id = bpf_map__initial_value(map, NULL);\n \t\tASSERT_OK_PTR(ops_hid_id) TH_LOG(\"unable to retrieve struct_ops data\");\n@@ -109,13 +127,6 @@ static void load_programs(const struct test_program programs[],\n \t\t*ops_hid_id = self-\u003ehid.hid_id;\n \t}\n \n-\t/* we disable the auto-attach feature of all maps because we\n-\t * only want the tested one to be manually attached in the next\n-\t * call to bpf_map__attach_struct_ops()\n-\t */\n-\tbpf_object__for_each_map(iter_map, *self-\u003eskel-\u003eskeleton-\u003eobj)\n-\t\tbpf_map__set_autoattach(iter_map, false);\n-\n \terr = hid__load(self-\u003eskel);\n \tASSERT_OK(err) TH_LOG(\"hid_skel_load failed: %d\", err);\n \n@@ -887,6 +898,17 @@ TEST_F(hid_bpf, test_rdesc_fixup)\n \tASSERT_EQ(rpt_desc.value[4], 0x42);\n }\n \n+TEST_F(hid_bpf, test_rdesc_fixup_get_data_overflow)\n+{\n+\tconst struct test_program progs[] = {\n+\t\t{ .name = \"hid_rdesc_fixup_get_data_overflow\" },\n+\t};\n+\n+\tLOAD_PROGRAMS(progs);\n+\n+\tASSERT_EQ(self-\u003eskel-\u003ebss-\u003eget_data_overflow_check, 1);\n+}\n+\n static int libbpf_print_fn(enum libbpf_print_level level,\n 
\t\t\t const char *format, va_list args)\n {\ndiff --git a/tools/testing/selftests/hid/progs/hid.c b/tools/testing/selftests/hid/progs/hid.c\nindex 5ecc845ef79216..b21fbb13c926f8 100644\n--- a/tools/testing/selftests/hid/progs/hid.c\n+++ b/tools/testing/selftests/hid/progs/hid.c\n@@ -13,6 +13,7 @@ struct attach_prog_args {\n \n __u64 callback_check = 52;\n __u64 callback2_check = 52;\n+__u64 get_data_overflow_check;\n \n SEC(\"?struct_ops/hid_device_event\")\n int BPF_PROG(hid_first_event, struct hid_bpf_ctx *hid_ctx, enum hid_report_type type)\n@@ -240,6 +241,20 @@ struct hid_bpf_ops rdesc_fixup = {\n \t.hid_rdesc_fixup = (void *)hid_rdesc_fixup,\n };\n \n+SEC(\"?struct_ops.s/hid_rdesc_fixup\")\n+int BPF_PROG(hid_rdesc_fixup_get_data_overflow, struct hid_bpf_ctx *hid_ctx)\n+{\n+\tif (!hid_bpf_get_data(hid_ctx, 2 /* offset */, ~0ULL /* size */))\n+\t\tget_data_overflow_check = 1;\n+\n+\treturn 0;\n+}\n+\n+SEC(\".struct_ops.link\")\n+struct hid_bpf_ops rdesc_fixup_get_data_overflow = {\n+\t.hid_rdesc_fixup = (void *)hid_rdesc_fixup_get_data_overflow,\n+};\n+\n SEC(\"?struct_ops/hid_device_event\")\n int BPF_PROG(hid_test_insert1, struct hid_bpf_ctx *hid_ctx, enum hid_report_type type)\n {\n"
} |
| 2/1 | 2026/06/22 07:53 | agent | patch-evaluator |
Model:gemini-3.1-pro-preview Args: null Results: {
"EnableConfigs": [
"HID_BPF"
],
"FocusSymbols": [
"hid_bpf_get_data"
],
"Reasoning": "The patch fixes an integer overflow vulnerability in `hid_bpf_get_data` which is a BPF kfunc used by HID-BPF programs to access device data buffers. This is a functional security fix that is reachable from userspace via BPF programs attached to HID devices.",
"WorthFuzzing": true
}
Instruction: You are an expert Linux kernel maintainer. Your job is to review a provided patch series and determine if it makes functional changes to the kernel that should be fuzzed. IMPORTANT: The changes have ALREADY been applied and committed as the HEAD commit in your workspace. Do NOT rely on your internal knowledge of the kernel. You must actively use your code access tools to examine the actual source code and confirm any assumptions.
Return WorthFuzzing=false if the patch only contains:
- Modifications to Documentation/, Kconfig files, or code comments.
- Purely decorative changes, such as logging (e.g., pr_err, printk) or tracepoints.
- Changes to numeric constants or macros that do not functionally alter execution flow.
- Code paths that are impossible to reach in virtualized environments like GCE or QEMU, even when utilizing software-emulated hardware (e.g., usb gadget, mac80211_hwsim).
If it modifies reachable core kernel logic, drivers, or architectures, use your code search tools to verify the code can be executed, then return WorthFuzzing=true.
When returning WorthFuzzing=true, you MUST ALSO:
1. Extract any specific kernel functions that should be heavily fuzzed into FocusSymbols. Avoid listing generic hot-path functions to prevent skewed test distributions.
2. Identify any specific CONFIG_ options required to properly test this new/modified feature. Go and look into the Kconfig files and check for ifdefs around the code, do not make assumptions. Do not list too generic configs (we already have them enabled). Only list those that specifically cover the modified code. List them in the EnableConfigs output array, and DO NOT add a 'CONFIG_' prefix (e.g., return "NET_IPV4" instead of "CONFIG_NET_IPV4").
Prefer calling several tools at the same time to save round-trips. Use set-results tool to provide results of the analysis. It must be called exactly once before the final reply. Ignore results of this tool.
Prompt: For your convenience, here is the diff of the changes:
commit 41fa9a3e56400d254f8726a626c5f50d6853331b
Author: syz-cluster <triage@syzkaller.com>
Date: Mon Jun 22 07:53:02 2026 +0000
syz-cluster: applied patch under review
diff --git a/drivers/hid/bpf/hid_bpf_dispatch.c b/drivers/hid/bpf/hid_bpf_dispatch.c
index d0130658091b02..09b45c40d84f0b 100644
--- a/drivers/hid/bpf/hid_bpf_dispatch.c
+++ b/drivers/hid/bpf/hid_bpf_dispatch.c
@@ -299,7 +299,8 @@ hid_bpf_get_data(struct hid_bpf_ctx *ctx, unsigned int offset, const size_t rdwr
ctx_kern = container_of(ctx, struct hid_bpf_ctx_kern, ctx);
- if (rdwr_buf_size + offset > ctx->allocated_size)
+ if (offset > ctx->allocated_size ||
+ rdwr_buf_size > ctx->allocated_size - offset)
return NULL;
return ctx_kern->data + offset;
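Review bot: The second clause, `rdwr_buf_size > ctx->allocated_size - offset`, is only safe because the `offset > ctx->allocated_size` clause is evaluated first and keeps the subtraction from wrapping; nothing in the code says so, and a later reorder or a split into two separate `if` statements would reintroduce the bug. Add a one-line comment stating that dependency, or express the sum with `check_add_overflow()` so the intent is explicit. Also note that `offset == ctx->allocated_size` with `rdwr_buf_size == 0` still passes and returns `ctx_kern->data + offset`, a one-past-the-end pointer; if a zero-length window is not meant to be valid, reject it here.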
diff --git a/tools/testing/selftests/hid/Makefile b/tools/testing/selftests/hid/Makefile
index 50ec9e0406abaf..357c6eb5ff5ee3 100644
--- a/tools/testing/selftests/hid/Makefile
+++ b/tools/testing/selftests/hid/Makefile
@@ -24,7 +24,7 @@ CXX ?= $(CROSS_COMPILE)g++
HOSTPKG_CONFIG := pkg-config
-CFLAGS += -g -O0 -rdynamic -Wall -Werror -I$(OUTPUT)
+CFLAGS += -g -O0 -rdynamic -Wall -Werror -I$(OUTPUT) $(KHDR_INCLUDES)
CFLAGS += -I$(OUTPUT)/tools/include
LDLIBS += -lelf -lz -lrt -lpthread
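Review bot: The `$(KHDR_INCLUDES)` addition to `CFLAGS` is not part of the bounds fix in `hid_bpf_get_data`, and nothing visible in the patch explains why the selftest build now needs it. Either split it into its own patch with the reason stated, or say in the changelog which symbol used by the new test code in `hid_bpf.c` requires the exported kernel headers.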
diff --git a/tools/testing/selftests/hid/hid_bpf.c b/tools/testing/selftests/hid/hid_bpf.c
index 1e979fb3542bab..b851339308c214 100644
--- a/tools/testing/selftests/hid/hid_bpf.c
+++ b/tools/testing/selftests/hid/hid_bpf.c
@@ -86,6 +86,20 @@ static void load_programs(const struct test_program programs[],
self->skel = hid__open();
ASSERT_OK_PTR(self->skel) TEARDOWN_LOG("Error while calling hid__open");
+ /*
+ * Disable all struct_ops maps by default so libbpf does not autoload
+ * programs referenced by maps that are unrelated to the current test.
+ */
+ bpf_object__for_each_map(iter_map, *self->skel->skeleton->obj) {
+ if (bpf_map__type(iter_map) == BPF_MAP_TYPE_STRUCT_OPS) {
+ err = bpf_map__set_autocreate(iter_map, false);
+ ASSERT_OK(err) TH_LOG("can not disable struct_ops map '%s'",
+ bpf_map__name(iter_map));
+ }
+
+ bpf_map__set_autoattach(iter_map, false);
+ }
+
for (int i = 0; i < progs_count; i++) {
struct bpf_program *prog;
struct bpf_map *map;
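Review bot: In the new `bpf_object__for_each_map` loop, `bpf_map__set_autoattach(iter_map, false)` is called for every map, not only the struct_ops ones, and its return value is dropped, while the `bpf_map__set_autocreate()` call just above it is checked with `ASSERT_OK`. Move the auto-attach call inside the `BPF_MAP_TYPE_STRUCT_OPS` branch and check its result the same way, so a failure to disable auto-attach is visible instead of letting an unrelated map attach during the test.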
@@ -102,6 +116,10 @@ static void load_programs(const struct test_program programs[],
ASSERT_OK_PTR(map) TH_LOG("can not find struct_ops by name '%s'",
programs[i].name + 4);
+ err = bpf_map__set_autocreate(map, true);
+ ASSERT_OK(err) TH_LOG("can not enable struct_ops map '%s'",
+ programs[i].name + 4);
+
/* hid_id is the first field of struct hid_bpf_ops */
ops_hid_id = bpf_map__initial_value(map, NULL);
ASSERT_OK_PTR(ops_hid_id) TH_LOG("unable to retrieve struct_ops data");
@@ -109,13 +127,6 @@ static void load_programs(const struct test_program programs[],
*ops_hid_id = self->hid.hid_id;
}
- /* we disable the auto-attach feature of all maps because we
- * only want the tested one to be manually attached in the next
- * call to bpf_map__attach_struct_ops()
- */
- bpf_object__for_each_map(iter_map, *self->skel->skeleton->obj)
- bpf_map__set_autoattach(iter_map, false);
-
err = hid__load(self->skel);
ASSERT_OK(err) TH_LOG("hid_skel_load failed: %d", err);
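Review bot: The comment removed here was the only explanation of why auto-attach is disabled (only the tested map is meant to be attached, manually, by the later `bpf_map__attach_struct_ops()` call). The replacement comment in the new loop talks only about autoloading programs of unrelated maps, so the `bpf_map__set_autoattach(iter_map, false)` call that moved there is now undocumented. Carry the auto-attach rationale over into the new comment.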
@@ -887,6 +898,17 @@ TEST_F(hid_bpf, test_rdesc_fixup)
ASSERT_EQ(rpt_desc.value[4], 0x42);
}
+TEST_F(hid_bpf, test_rdesc_fixup_get_data_overflow)
+{
+ const struct test_program progs[] = {
+ { .name = "hid_rdesc_fixup_get_data_overflow" },
+ };
+
+ LOAD_PROGRAMS(progs);
+
+ ASSERT_EQ(self->skel->bss->get_data_overflow_check, 1);
+}
+
static int libbpf_print_fn(enum libbpf_print_level level,
const char *format, va_list args)
{
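Review bot: `test_rdesc_fixup_get_data_overflow` asserts on `get_data_overflow_check` immediately after `LOAD_PROGRAMS(progs)` without saying what causes the fixup program to run, and the `ASSERT_EQ` carries no `TH_LOG`. A value of 0 therefore cannot be told apart between "the program never ran" and "hid_bpf_get_data() returned a pointer". Add a short comment on where the rdesc fixup is invoked, and a `TH_LOG` message on the assertion, as the other assertions in this file have.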
diff --git a/tools/testing/selftests/hid/progs/hid.c b/tools/testing/selftests/hid/progs/hid.c
index 5ecc845ef79216..b21fbb13c926f8 100644
--- a/tools/testing/selftests/hid/progs/hid.c
+++ b/tools/testing/selftests/hid/progs/hid.c
@@ -13,6 +13,7 @@ struct attach_prog_args {
__u64 callback_check = 52;
__u64 callback2_check = 52;
+__u64 get_data_overflow_check;
SEC("?struct_ops/hid_device_event")
int BPF_PROG(hid_first_event, struct hid_bpf_ctx *hid_ctx, enum hid_report_type type)
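Review bot: `get_data_overflow_check` is declared without an initializer while the neighbouring `callback_check` and `callback2_check` are set to 52, and that difference is load-bearing: the new test reads the variable through `self->skel->bss`, so giving it a non-zero initializer for consistency would move it out of `.bss` and break the test. Add a comment on the declaration saying it must stay zero-initialized.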
@@ -240,6 +241,20 @@ struct hid_bpf_ops rdesc_fixup = {
.hid_rdesc_fixup = (void *)hid_rdesc_fixup,
};
+SEC("?struct_ops.s/hid_rdesc_fixup")
+int BPF_PROG(hid_rdesc_fixup_get_data_overflow, struct hid_bpf_ctx *hid_ctx)
+{
+ if (!hid_bpf_get_data(hid_ctx, 2 /* offset */, ~0ULL /* size */))
+ get_data_overflow_check = 1;
+
+ return 0;
+}
+
+SEC(".struct_ops.link")
+struct hid_bpf_ops rdesc_fixup_get_data_overflow = {
+ .hid_rdesc_fixup = (void *)hid_rdesc_fixup_get_data_overflow,
+};
+
SEC("?struct_ops/hid_device_event")
int BPF_PROG(hid_test_insert1, struct hid_bpf_ctx *hid_ctx, enum hid_report_type type)
{
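Review bot: The new program makes a single call, `hid_bpf_get_data(hid_ctx, 2 /* offset */, ~0ULL /* size */)`, which exercises only the `rdwr_buf_size > ctx->allocated_size - offset` clause of the fixed check; the `offset > ctx->allocated_size` clause is never reached with a failing value. Add a second call with an offset beyond the buffer and a small size, and record each result in its own variable (or as distinct values) so the test shows which clause rejected the request.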
|
| 3/2 | 2026/06/22 07:53 | llm | patch-evaluator |
Model:gemini-3.1-pro-preview Args: null Results: null Tokens: input: 3632 output: 22 thoughts: 197
Thoughts: **Analyzing a Recent HID BPF Patch**
Okay, so I've got this patch here that touches both `drivers/hid/bpf/hid_bpf_dispatch.c` and adds a test to `tools/testing/selftests/hid/hid_bpf.c`. The core of the change is this potentially crucial fix in `hid_bpf_dispatch.c`. The original code had a vulnerability: an integer overflow could occur when calculating `rdwr_buf_size + offset`. The sum could wrap around, resulting in an incorrect comparison with `ctx->allocated_size`, potentially leading to out-of-bounds reads or writes, right?
The patch addresses this by changing the check to two separate checks. One ensures that `offset` itself isn't greater than `ctx->allocated_size`, and the other makes sure `rdwr_buf_size` isn't greater than the remaining available size. This is a solid approach to prevent that integer overflow.
Now, the important question is: is this reachable? Is it functional? Where is this code actually used? The vulnerable logic resides in `hid_bpf_get_data`. So, let's fire up a grep search for `hid_bpf_get_data` to understand its call sites and data flow. Knowing where this is invoked is critical for assessing the impact and how easy it is to trigger. That should give me the context I need to really analyze the patch's efficacy. |
| 4/2 | 2026/06/22 07:53 | tool | grepper |
Args:{
"Expression": "hid_bpf_get_data"
}Results: {
"Output": "Documentation/hid/hid-bpf.rst=195=Available API that can be used in all HID-BPF struct_ops programs:\n--\nDocumentation/hid/hid-bpf.rst-198-.. kernel-doc:: drivers/hid/bpf/hid_bpf_dispatch.c\nDocumentation/hid/hid-bpf.rst:199: :identifiers: hid_bpf_get_data\nDocumentation/hid/hid-bpf.rst-200-\n--\nDocumentation/hid/hid-bpf.rst=213=The ``struct hid_bpf_ctx`` doesn't export the ``data`` fields directly and to access\nDocumentation/hid/hid-bpf.rst:214:it, a bpf program needs to first call :c:func:`hid_bpf_get_data`.\nDocumentation/hid/hid-bpf.rst-215-\n--\nDocumentation/hid/hid-bpf.rst=219=This allows the following:\n--\nDocumentation/hid/hid-bpf.rst-226-\nDocumentation/hid/hid-bpf.rst:227: __u8 *data = hid_bpf_get_data(ctx, 0 /* offset */, 256 /* size */);\nDocumentation/hid/hid-bpf.rst-228-\n--\nDocumentation/hid/hid-bpf.rst-237-\nDocumentation/hid/hid-bpf.rst:238: __u16 *x = hid_bpf_get_data(ctx, offset, sizeof(*x));\nDocumentation/hid/hid-bpf.rst-239-\n--\nDocumentation/hid/hid-bpf.rst=287=Once the context is retrieved, one can also request a pointer to kernel memory with\nDocumentation/hid/hid-bpf.rst:288:hid_bpf_get_data(). 
This memory is big enough to support all input/output/feature\nDocumentation/hid/hid-bpf.rst-289-reports of the given device.\n--\nDocumentation/hid/hid-bpf.rst=370=For that, we can create a basic skeleton for our BPF program::\n--\nDocumentation/hid/hid-bpf.rst-379- /* HID-BPF kfunc API definitions */\nDocumentation/hid/hid-bpf.rst:380: extern __u8 *hid_bpf_get_data(struct hid_bpf_ctx *ctx,\nDocumentation/hid/hid-bpf.rst-381-\t\t\t unsigned int offset,\n--\nDocumentation/hid/hid-bpf.rst-393- {\nDocumentation/hid/hid-bpf.rst:394:\t__u8 *data = hid_bpf_get_data(hid_ctx, 0 /* offset */, 192 /* size */);\nDocumentation/hid/hid-bpf.rst-395-\t__u8 *buf;\n--\ndrivers/hid/bpf/hid_bpf_dispatch.c=284=__bpf_kfunc_start_defs();\n--\ndrivers/hid/bpf/hid_bpf_dispatch.c-286-/**\ndrivers/hid/bpf/hid_bpf_dispatch.c:287: * hid_bpf_get_data - Get the kernel memory pointer associated with the context @ctx\ndrivers/hid/bpf/hid_bpf_dispatch.c-288- *\n--\ndrivers/hid/bpf/hid_bpf_dispatch.c=295=__bpf_kfunc __u8 *\ndrivers/hid/bpf/hid_bpf_dispatch.c:296:hid_bpf_get_data(struct hid_bpf_ctx *ctx, unsigned int offset, const size_t rdwr_buf_size)\ndrivers/hid/bpf/hid_bpf_dispatch.c-297-{\n--\ndrivers/hid/bpf/hid_bpf_dispatch.c=574=BTF_KFUNCS_START(hid_bpf_kfunc_ids)\ndrivers/hid/bpf/hid_bpf_dispatch.c:575:BTF_ID_FLAGS(func, hid_bpf_get_data, KF_RET_NULL)\ndrivers/hid/bpf/hid_bpf_dispatch.c-576-BTF_ID_FLAGS(func, hid_bpf_allocate_context, KF_ACQUIRE | KF_RET_NULL | KF_SLEEPABLE)\n--\ndrivers/hid/bpf/progs/FR-TEC__Raptor-Mach-2.bpf.c=137=int BPF_PROG(hid_fix_rdesc_raptor_mach_2, struct hid_bpf_ctx *hctx)\ndrivers/hid/bpf/progs/FR-TEC__Raptor-Mach-2.bpf.c-138-{\ndrivers/hid/bpf/progs/FR-TEC__Raptor-Mach-2.bpf.c:139:\t__u8 *data = hid_bpf_get_data(hctx, 0 /* offset */, HID_MAX_DESCRIPTOR_SIZE /* size */);\ndrivers/hid/bpf/progs/FR-TEC__Raptor-Mach-2.bpf.c-140-\n--\ndrivers/hid/bpf/progs/FR-TEC__Raptor-Mach-2.bpf.c=156=int BPF_PROG(raptor_mach_2_fix_hat_switch, struct hid_bpf_ctx 
*hctx)\ndrivers/hid/bpf/progs/FR-TEC__Raptor-Mach-2.bpf.c-157-{\ndrivers/hid/bpf/progs/FR-TEC__Raptor-Mach-2.bpf.c:158:\t__u8 *data = hid_bpf_get_data(hctx, 0 /* offset */, 64 /* size */);\ndrivers/hid/bpf/progs/FR-TEC__Raptor-Mach-2.bpf.c-159-\n--\ndrivers/hid/bpf/progs/HP__Elite-Presenter.bpf.c=34=int BPF_PROG(hid_fix_rdesc, struct hid_bpf_ctx *hctx)\ndrivers/hid/bpf/progs/HP__Elite-Presenter.bpf.c-35-{\ndrivers/hid/bpf/progs/HP__Elite-Presenter.bpf.c:36:\t__u8 *data = hid_bpf_get_data(hctx, 0 /* offset */, 4096 /* size */);\ndrivers/hid/bpf/progs/HP__Elite-Presenter.bpf.c-37-\n--\ndrivers/hid/bpf/progs/Huion__Dial-2.bpf.c=442=int BPF_PROG(dial_2_fix_rdesc, struct hid_bpf_ctx *hctx)\ndrivers/hid/bpf/progs/Huion__Dial-2.bpf.c-443-{\ndrivers/hid/bpf/progs/Huion__Dial-2.bpf.c:444:\t__u8 *data = hid_bpf_get_data(hctx, 0 /* offset */, HID_MAX_DESCRIPTOR_SIZE /* size */);\ndrivers/hid/bpf/progs/Huion__Dial-2.bpf.c-445-\t__s32 rdesc_size = hctx-\u003esize;\n--\ndrivers/hid/bpf/progs/Huion__Dial-2.bpf.c=488=int BPF_PROG(dial_2_fix_events, struct hid_bpf_ctx *hctx)\ndrivers/hid/bpf/progs/Huion__Dial-2.bpf.c-489-{\ndrivers/hid/bpf/progs/Huion__Dial-2.bpf.c:490:\t__u8 *data = hid_bpf_get_data(hctx, 0 /* offset */, 16 /* size */);\ndrivers/hid/bpf/progs/Huion__Dial-2.bpf.c-491-\tstatic __u8 button;\n--\ndrivers/hid/bpf/progs/Huion__Inspiroy-2-M.bpf.c=382=int BPF_PROG(hid_fix_rdesc, struct hid_bpf_ctx *hctx)\ndrivers/hid/bpf/progs/Huion__Inspiroy-2-M.bpf.c-383-{\ndrivers/hid/bpf/progs/Huion__Inspiroy-2-M.bpf.c:384:\t__u8 *data = hid_bpf_get_data(hctx, 0 /* offset */, HID_MAX_DESCRIPTOR_SIZE /* size */);\ndrivers/hid/bpf/progs/Huion__Inspiroy-2-M.bpf.c-385-\t__s32 rdesc_size = hctx-\u003esize;\n--\ndrivers/hid/bpf/progs/Huion__Inspiroy-2-M.bpf.c=427=int BPF_PROG(inspiroy_2_fix_events, struct hid_bpf_ctx *hctx)\ndrivers/hid/bpf/progs/Huion__Inspiroy-2-M.bpf.c-428-{\ndrivers/hid/bpf/progs/Huion__Inspiroy-2-M.bpf.c:429:\t__u8 *data = hid_bpf_get_data(hctx, 0 /* offset */, 10 /* 
size */);\ndrivers/hid/bpf/progs/Huion__Inspiroy-2-M.bpf.c-430-\n--\ndrivers/hid/bpf/progs/Huion__Inspiroy-2-S.bpf.c=382=int BPF_PROG(hid_fix_rdesc, struct hid_bpf_ctx *hctx)\ndrivers/hid/bpf/progs/Huion__Inspiroy-2-S.bpf.c-383-{\ndrivers/hid/bpf/progs/Huion__Inspiroy-2-S.bpf.c:384:\t__u8 *data = hid_bpf_get_data(hctx, 0 /* offset */, HID_MAX_DESCRIPTOR_SIZE /* size */);\ndrivers/hid/bpf/progs/Huion__Inspiroy-2-S.bpf.c-385-\t__s32 rdesc_size = hctx-\u003esize;\n--\ndrivers/hid/bpf/progs/Huion__Inspiroy-2-S.bpf.c=428=int BPF_PROG(inspiroy_2_fix_events, struct hid_bpf_ctx *hctx)\ndrivers/hid/bpf/progs/Huion__Inspiroy-2-S.bpf.c-429-{\ndrivers/hid/bpf/progs/Huion__Inspiroy-2-S.bpf.c:430:\t__u8 *data = hid_bpf_get_data(hctx, 0 /* offset */, 10 /* size */);\ndrivers/hid/bpf/progs/Huion__Inspiroy-2-S.bpf.c-431-\n--\ndrivers/hid/bpf/progs/Huion__Kamvas-Pro-19.bpf.c=258=int BPF_PROG(hid_fix_rdesc_huion_kamvas_pro_19, struct hid_bpf_ctx *hctx)\ndrivers/hid/bpf/progs/Huion__Kamvas-Pro-19.bpf.c-259-{\ndrivers/hid/bpf/progs/Huion__Kamvas-Pro-19.bpf.c:260:\t__u8 *data = hid_bpf_get_data(hctx, 0 /* offset */, HID_MAX_DESCRIPTOR_SIZE /* size */);\ndrivers/hid/bpf/progs/Huion__Kamvas-Pro-19.bpf.c-261-\n--\ndrivers/hid/bpf/progs/Huion__Kamvas-Pro-19.bpf.c=287=int BPF_PROG(kamvas_pro_19_fix_3rd_button, struct hid_bpf_ctx *hctx)\ndrivers/hid/bpf/progs/Huion__Kamvas-Pro-19.bpf.c-288-{\ndrivers/hid/bpf/progs/Huion__Kamvas-Pro-19.bpf.c:289:\t__u8 *data = hid_bpf_get_data(hctx, 0 /* offset */, 10 /* size */);\ndrivers/hid/bpf/progs/Huion__Kamvas-Pro-19.bpf.c-290-\n--\ndrivers/hid/bpf/progs/Huion__Kamvas13Gen3.bpf.c=1240=int BPF_PROG(hid_fix_rdesc_huion_kamvas13_gen3, struct hid_bpf_ctx *hid_ctx)\ndrivers/hid/bpf/progs/Huion__Kamvas13Gen3.bpf.c-1241-{\ndrivers/hid/bpf/progs/Huion__Kamvas13Gen3.bpf.c:1242:\t__u8 *data = hid_bpf_get_data(hid_ctx, 0 /* offset */, HID_MAX_DESCRIPTOR_SIZE /* size */);\ndrivers/hid/bpf/progs/Huion__Kamvas13Gen3.bpf.c-1243-\t__s32 rdesc_size = 
hid_ctx-\u003esize;\n--\ndrivers/hid/bpf/progs/Huion__Kamvas13Gen3.bpf.c=1284=int BPF_PROG(hid_fix_event_huion_kamvas13_gen3, struct hid_bpf_ctx *hid_ctx)\ndrivers/hid/bpf/progs/Huion__Kamvas13Gen3.bpf.c-1285-{\ndrivers/hid/bpf/progs/Huion__Kamvas13Gen3.bpf.c:1286:\t__u8 *data = hid_bpf_get_data(hid_ctx, 0 /* offset */, VENDOR_REPORT_LENGTH /* size */);\ndrivers/hid/bpf/progs/Huion__Kamvas13Gen3.bpf.c-1287-\n--\ndrivers/hid/bpf/progs/Huion__Kamvas16Gen3.bpf.c=555=int BPF_PROG(hid_fix_rdesc_huion_kamvas16_gen3, struct hid_bpf_ctx *hid_ctx)\ndrivers/hid/bpf/progs/Huion__Kamvas16Gen3.bpf.c-556-{\ndrivers/hid/bpf/progs/Huion__Kamvas16Gen3.bpf.c:557:\t__u8 *data = hid_bpf_get_data(hid_ctx, 0 /* offset */, HID_MAX_DESCRIPTOR_SIZE /* size */);\ndrivers/hid/bpf/progs/Huion__Kamvas16Gen3.bpf.c-558-\t__s32 rdesc_size = hid_ctx-\u003esize;\n--\ndrivers/hid/bpf/progs/Huion__Kamvas16Gen3.bpf.c=599=int BPF_PROG(hid_fix_event_huion_kamvas16_gen3, struct hid_bpf_ctx *hid_ctx)\ndrivers/hid/bpf/progs/Huion__Kamvas16Gen3.bpf.c-600-{\ndrivers/hid/bpf/progs/Huion__Kamvas16Gen3.bpf.c:601:\t__u8 *data = hid_bpf_get_data(hid_ctx, 0 /* offset */, VENDOR_REPORT_LENGTH /* size */);\ndrivers/hid/bpf/progs/Huion__Kamvas16Gen3.bpf.c-602-\n--\ndrivers/hid/bpf/progs/Huion__KeydialK20-Bluetooth.bpf.c=338=int BPF_PROG(k20_bt_fix_rdesc, struct hid_bpf_ctx *hctx)\ndrivers/hid/bpf/progs/Huion__KeydialK20-Bluetooth.bpf.c-339-{\ndrivers/hid/bpf/progs/Huion__KeydialK20-Bluetooth.bpf.c:340:\t__u8 *data = hid_bpf_get_data(hctx, 0 /* offset */, HID_MAX_DESCRIPTOR_SIZE /* size */);\ndrivers/hid/bpf/progs/Huion__KeydialK20-Bluetooth.bpf.c-341-\t__s32 rdesc_size = hctx-\u003esize;\n--\ndrivers/hid/bpf/progs/Huion__KeydialK20-Bluetooth.bpf.c=360=int BPF_PROG(k20_bt_fix_events, struct hid_bpf_ctx *hctx)\ndrivers/hid/bpf/progs/Huion__KeydialK20-Bluetooth.bpf.c-361-{\ndrivers/hid/bpf/progs/Huion__KeydialK20-Bluetooth.bpf.c:362:\t__u8 *data = hid_bpf_get_data(hctx, 0 /* offset */, 12 /* size 
*/);\ndrivers/hid/bpf/progs/Huion__KeydialK20-Bluetooth.bpf.c-363-\tstruct pad_report {\n--\ndrivers/hid/bpf/progs/Huion__KeydialK20.bpf.c=345=int BPF_PROG(k20_fix_rdesc, struct hid_bpf_ctx *hctx)\ndrivers/hid/bpf/progs/Huion__KeydialK20.bpf.c-346-{\ndrivers/hid/bpf/progs/Huion__KeydialK20.bpf.c:347:\t__u8 *data = hid_bpf_get_data(hctx, 0 /* offset */, HID_MAX_DESCRIPTOR_SIZE /* size */);\ndrivers/hid/bpf/progs/Huion__KeydialK20.bpf.c-348-\t__s32 rdesc_size = hctx-\u003esize;\n--\ndrivers/hid/bpf/progs/Huion__KeydialK20.bpf.c=389=int BPF_PROG(k20_fix_events, struct hid_bpf_ctx *hctx)\ndrivers/hid/bpf/progs/Huion__KeydialK20.bpf.c-390-{\ndrivers/hid/bpf/progs/Huion__KeydialK20.bpf.c:391:\t__u8 *data = hid_bpf_get_data(hctx, 0 /* offset */, 10 /* size */);\ndrivers/hid/bpf/progs/Huion__KeydialK20.bpf.c-392-\n--\ndrivers/hid/bpf/progs/IOGEAR__Kaliber-MMOmentum.bpf.c=25=int BPF_PROG(hid_fix_rdesc, struct hid_bpf_ctx *hctx)\n--\ndrivers/hid/bpf/progs/IOGEAR__Kaliber-MMOmentum.bpf.c-27-\tconst u8 offsets[] = {84, 112, 140};\ndrivers/hid/bpf/progs/IOGEAR__Kaliber-MMOmentum.bpf.c:28:\t__u8 *data = hid_bpf_get_data(hctx, 0 /* offset */, 4096 /* size */);\ndrivers/hid/bpf/progs/IOGEAR__Kaliber-MMOmentum.bpf.c-29-\n--\ndrivers/hid/bpf/progs/Logitech__SpaceNavigator.bpf.c=29=int BPF_PROG(hid_fix_rdesc, struct hid_bpf_ctx *hctx)\ndrivers/hid/bpf/progs/Logitech__SpaceNavigator.bpf.c-30-{\ndrivers/hid/bpf/progs/Logitech__SpaceNavigator.bpf.c:31:\t__u8 *data = hid_bpf_get_data(hctx, 0 /* offset */, 4096 /* size */);\ndrivers/hid/bpf/progs/Logitech__SpaceNavigator.bpf.c-32-\n--\ndrivers/hid/bpf/progs/Microsoft__Xbox-Elite-2.bpf.c=96=int BPF_PROG(hid_fix_rdesc, struct hid_bpf_ctx *hctx)\ndrivers/hid/bpf/progs/Microsoft__Xbox-Elite-2.bpf.c-97-{\ndrivers/hid/bpf/progs/Microsoft__Xbox-Elite-2.bpf.c:98:\t__u8 *data = hid_bpf_get_data(hctx, 0 /* offset */, 4096 /* size */);\ndrivers/hid/bpf/progs/Microsoft__Xbox-Elite-2.bpf.c-99-\n--\ndrivers/hid/bpf/progs/Mistel__MD770.bpf.c=127=int 
BPF_PROG(hid_rdesc_fixup_mistel_md770, struct hid_bpf_ctx *hctx)\ndrivers/hid/bpf/progs/Mistel__MD770.bpf.c-128-{\ndrivers/hid/bpf/progs/Mistel__MD770.bpf.c:129:\t__u8 *data = hid_bpf_get_data(hctx, 0, HID_MAX_DESCRIPTOR_SIZE);\ndrivers/hid/bpf/progs/Mistel__MD770.bpf.c-130-\n--\ndrivers/hid/bpf/progs/Rapoo__M50-Plus-Silent.bpf.c=121=int BPF_PROG(hid_rdesc_fixup_rapoo_m50, struct hid_bpf_ctx *hctx)\ndrivers/hid/bpf/progs/Rapoo__M50-Plus-Silent.bpf.c-122-{\ndrivers/hid/bpf/progs/Rapoo__M50-Plus-Silent.bpf.c:123:\t__u8 *data = hid_bpf_get_data(hctx, 0, HID_MAX_DESCRIPTOR_SIZE);\ndrivers/hid/bpf/progs/Rapoo__M50-Plus-Silent.bpf.c-124-\n--\ndrivers/hid/bpf/progs/TUXEDO__Sirius-16-Gen1-and-Gen2.bpf.c=15=int BPF_PROG(ignore_key_fix_event, struct hid_bpf_ctx *hid_ctx)\n--\ndrivers/hid/bpf/progs/TUXEDO__Sirius-16-Gen1-and-Gen2.bpf.c-24-\ndrivers/hid/bpf/progs/TUXEDO__Sirius-16-Gen1-and-Gen2.bpf.c:25:\tdata = hid_bpf_get_data(hid_ctx, 0, expected_length);\ndrivers/hid/bpf/progs/TUXEDO__Sirius-16-Gen1-and-Gen2.bpf.c-26-\tif (!data || data[0] != expected_report_id)\n--\ndrivers/hid/bpf/progs/Thrustmaster__TCA-Yoke-Boeing.bpf.c=100=int BPF_PROG(hid_fix_rdesc_tca_yoke, struct hid_bpf_ctx *hctx)\n--\ndrivers/hid/bpf/progs/Thrustmaster__TCA-Yoke-Boeing.bpf.c-106-\ndrivers/hid/bpf/progs/Thrustmaster__TCA-Yoke-Boeing.bpf.c:107:\t__u8 *data = hid_bpf_get_data(hctx, 0 /* offset */, HID_MAX_DESCRIPTOR_SIZE /* size */);\ndrivers/hid/bpf/progs/Thrustmaster__TCA-Yoke-Boeing.bpf.c-108-\n--\ndrivers/hid/bpf/progs/Trust__Philips-SPK6327.bpf.c=19=int BPF_PROG(hid_fix_rdesc, struct hid_bpf_ctx *hctx)\ndrivers/hid/bpf/progs/Trust__Philips-SPK6327.bpf.c-20-{\ndrivers/hid/bpf/progs/Trust__Philips-SPK6327.bpf.c:21:\t__u8 *data = hid_bpf_get_data(hctx, 0, 4096);\ndrivers/hid/bpf/progs/Trust__Philips-SPK6327.bpf.c-22-\n--\ndrivers/hid/bpf/progs/WALTOP__Batteryless-Tablet.bpf.c=231=int BPF_PROG(hid_fix_rdesc, struct hid_bpf_ctx 
*hctx)\ndrivers/hid/bpf/progs/WALTOP__Batteryless-Tablet.bpf.c-232-{\ndrivers/hid/bpf/progs/WALTOP__Batteryless-Tablet.bpf.c:233:\t__u8 *data = hid_bpf_get_data(hctx, 0 /* offset */, 4096 /* size */);\ndrivers/hid/bpf/progs/WALTOP__Batteryless-Tablet.bpf.c-234-\n--\ndrivers/hid/bpf/progs/WALTOP__Batteryless-Tablet.bpf.c=244=int BPF_PROG(waltop_fix_events, struct hid_bpf_ctx *hctx)\ndrivers/hid/bpf/progs/WALTOP__Batteryless-Tablet.bpf.c-245-{\ndrivers/hid/bpf/progs/WALTOP__Batteryless-Tablet.bpf.c:246:\t__u8 *data = hid_bpf_get_data(hctx, 0 /* offset */, 10 /* size */);\ndrivers/hid/bpf/progs/WALTOP__Batteryless-Tablet.bpf.c-247-\n--\ndrivers/hid/bpf/progs/Wacom__ArtPen.bpf.c=105=int BPF_PROG(artpen_pressure_interpolate, struct hid_bpf_ctx *hctx)\ndrivers/hid/bpf/progs/Wacom__ArtPen.bpf.c-106-{\ndrivers/hid/bpf/progs/Wacom__ArtPen.bpf.c:107:\t__u8 *data = hid_bpf_get_data(hctx, 0 /* offset */, PEN_REPORT_LEN /* size */);\ndrivers/hid/bpf/progs/Wacom__ArtPen.bpf.c-108-\t__u16 *pressure, *tool_type;\n--\ndrivers/hid/bpf/progs/XPPen__ACK05.bpf.c=218=int BPF_PROG(ack05_fix_rdesc, struct hid_bpf_ctx *hctx)\ndrivers/hid/bpf/progs/XPPen__ACK05.bpf.c-219-{\ndrivers/hid/bpf/progs/XPPen__ACK05.bpf.c:220:\t__u8 *data = hid_bpf_get_data(hctx, 0 /* offset */, HID_MAX_DESCRIPTOR_SIZE /* size */);\ndrivers/hid/bpf/progs/XPPen__ACK05.bpf.c-221-\t__s32 rdesc_size = hctx-\u003esize;\n--\ndrivers/hid/bpf/progs/XPPen__ACK05.bpf.c=265=int BPF_PROG(ack05_fix_events, struct hid_bpf_ctx *hctx)\ndrivers/hid/bpf/progs/XPPen__ACK05.bpf.c-266-{\ndrivers/hid/bpf/progs/XPPen__ACK05.bpf.c:267:\t__u8 *data = hid_bpf_get_data(hctx, 0 /* offset */, PAD_REPORT_LENGTH);\ndrivers/hid/bpf/progs/XPPen__ACK05.bpf.c-268-\tint ret = 0;\n--\ndrivers/hid/bpf/progs/XPPen__Artist24.bpf.c=93=int BPF_PROG(hid_fix_rdesc_xppen_artist24, struct hid_bpf_ctx *hctx)\ndrivers/hid/bpf/progs/XPPen__Artist24.bpf.c-94-{\ndrivers/hid/bpf/progs/XPPen__Artist24.bpf.c:95:\t__u8 *data = hid_bpf_get_data(hctx, 0 /* offset */, 
4096 /* size */);\ndrivers/hid/bpf/progs/XPPen__Artist24.bpf.c-96-\n--\ndrivers/hid/bpf/progs/XPPen__Artist24.bpf.c=154=int BPF_PROG(xppen_24_fix_eraser, struct hid_bpf_ctx *hctx)\ndrivers/hid/bpf/progs/XPPen__Artist24.bpf.c-155-{\ndrivers/hid/bpf/progs/XPPen__Artist24.bpf.c:156:\t__u8 *data = hid_bpf_get_data(hctx, 0 /* offset */, 10 /* size */);\ndrivers/hid/bpf/progs/XPPen__Artist24.bpf.c-157-\t__u8 current_state, changed_state;\n--\ndrivers/hid/bpf/progs/XPPen__ArtistPro16Gen2.bpf.c=88=int BPF_PROG(hid_fix_rdesc_xppen_artistpro16gen2, struct hid_bpf_ctx *hctx)\ndrivers/hid/bpf/progs/XPPen__ArtistPro16Gen2.bpf.c-89-{\ndrivers/hid/bpf/progs/XPPen__ArtistPro16Gen2.bpf.c:90:\t__u8 *data = hid_bpf_get_data(hctx, 0 /* offset */, 4096 /* size */);\ndrivers/hid/bpf/progs/XPPen__ArtistPro16Gen2.bpf.c-91-\n--\ndrivers/hid/bpf/progs/XPPen__ArtistPro16Gen2.bpf.c=116=static int xppen_16_fix_eraser(struct hid_bpf_ctx *hctx)\ndrivers/hid/bpf/progs/XPPen__ArtistPro16Gen2.bpf.c-117-{\ndrivers/hid/bpf/progs/XPPen__ArtistPro16Gen2.bpf.c:118:\t__u8 *data = hid_bpf_get_data(hctx, 0 /* offset */, 10 /* size */);\ndrivers/hid/bpf/progs/XPPen__ArtistPro16Gen2.bpf.c-119-\n--\ndrivers/hid/bpf/progs/XPPen__ArtistPro16Gen2.bpf.c=238=static int xppen_16_fix_angle_offset(struct hid_bpf_ctx *hctx)\ndrivers/hid/bpf/progs/XPPen__ArtistPro16Gen2.bpf.c-239-{\ndrivers/hid/bpf/progs/XPPen__ArtistPro16Gen2.bpf.c:240:\t__u8 *data = hid_bpf_get_data(hctx, 0 /* offset */, 10 /* size */);\ndrivers/hid/bpf/progs/XPPen__ArtistPro16Gen2.bpf.c-241-\n--\ndrivers/hid/bpf/progs/XPPen__Deco01V3.bpf.c=224=int BPF_PROG(xppen_deco01v3_rdesc_fixup, struct hid_bpf_ctx *hctx)\ndrivers/hid/bpf/progs/XPPen__Deco01V3.bpf.c-225-{\ndrivers/hid/bpf/progs/XPPen__Deco01V3.bpf.c:226:\t__u8 *data = hid_bpf_get_data(hctx, 0 /* offset */, HID_MAX_DESCRIPTOR_SIZE /* size */);\ndrivers/hid/bpf/progs/XPPen__Deco01V3.bpf.c-227-\n--\ndrivers/hid/bpf/progs/XPPen__Deco01V3.bpf.c=254=int BPF_PROG(xppen_deco01v3_device_event, struct 
hid_bpf_ctx *hctx)\n--\ndrivers/hid/bpf/progs/XPPen__Deco01V3.bpf.c-256-\tstatic const __u8 pad_buttons[] = { 0x05, 0x08, 0x00, 0x2c, 0x16, 0x1d, 0x57, 0x56 };\ndrivers/hid/bpf/progs/XPPen__Deco01V3.bpf.c:257:\t__u8 *data = hid_bpf_get_data(hctx, 0 /* offset */, PAD_REPORT_LENGTH /* size */);\ndrivers/hid/bpf/progs/XPPen__Deco01V3.bpf.c-258-\n--\ndrivers/hid/bpf/progs/XPPen__Deco02.bpf.c=281=int BPF_PROG(xppen_deco02_rdesc_fixup, struct hid_bpf_ctx *hctx)\ndrivers/hid/bpf/progs/XPPen__Deco02.bpf.c-282-{\ndrivers/hid/bpf/progs/XPPen__Deco02.bpf.c:283:\t__u8 *data = hid_bpf_get_data(hctx, 0, HID_MAX_DESCRIPTOR_SIZE);\ndrivers/hid/bpf/progs/XPPen__Deco02.bpf.c-284-\n--\ndrivers/hid/bpf/progs/XPPen__Deco02.bpf.c=297=int BPF_PROG(xppen_deco02_device_event, struct hid_bpf_ctx *hctx)\ndrivers/hid/bpf/progs/XPPen__Deco02.bpf.c-298-{\ndrivers/hid/bpf/progs/XPPen__Deco02.bpf.c:299:\t__u8 *data = hid_bpf_get_data(hctx, 0, REPORT_SIZE_PAD);\ndrivers/hid/bpf/progs/XPPen__Deco02.bpf.c-300-\n--\ndrivers/hid/bpf/progs/XPPen__DecoMini4.bpf.c=153=int BPF_PROG(hid_rdesc_fixup_xppen_deco_mini_4, struct hid_bpf_ctx *hctx)\ndrivers/hid/bpf/progs/XPPen__DecoMini4.bpf.c-154-{\ndrivers/hid/bpf/progs/XPPen__DecoMini4.bpf.c:155:\t__u8 *data = hid_bpf_get_data(hctx, 0, HID_MAX_DESCRIPTOR_SIZE);\ndrivers/hid/bpf/progs/XPPen__DecoMini4.bpf.c-156-\n--\ndrivers/hid/bpf/progs/XPPen__DecoMini4.bpf.c=172=int BPF_PROG(hid_device_event_xppen_deco_mini_4, struct hid_bpf_ctx *hctx)\ndrivers/hid/bpf/progs/XPPen__DecoMini4.bpf.c-173-{\ndrivers/hid/bpf/progs/XPPen__DecoMini4.bpf.c:174:\t__u8 *data = hid_bpf_get_data(hctx, 0 /* offset */, 8 /* size */);\ndrivers/hid/bpf/progs/XPPen__DecoMini4.bpf.c-175-\t__u8 button_mask = 0;\n--\ndrivers/hid/bpf/progs/hid_bpf_helpers.h-22-\ndrivers/hid/bpf/progs/hid_bpf_helpers.h:23:extern __u8 *hid_bpf_get_data(struct hid_bpf_ctx *ctx,\ndrivers/hid/bpf/progs/hid_bpf_helpers.h-24-\t\t\t unsigned int offset,\n--\ninclude/linux/hid_bpf.h=11=struct 
hid_device;\n--\ninclude/linux/hid_bpf.h-23- * ``data`` is not directly accessible from the context. We need to issue\ninclude/linux/hid_bpf.h:24: * a call to hid_bpf_get_data() in order to get a pointer to that field.\ninclude/linux/hid_bpf.h-25- *\n--\nsamples/hid/hid_bpf_helpers.h-8-/* following are kfuncs exported by HID for HID-BPF */\nsamples/hid/hid_bpf_helpers.h:9:extern __u8 *hid_bpf_get_data(struct hid_bpf_ctx *ctx,\nsamples/hid/hid_bpf_helpers.h-10-\t\t\t unsigned int offset,\n--\nsamples/hid/hid_mouse.bpf.c=8=static int hid_y_event(struct hid_bpf_ctx *hctx)\n--\nsamples/hid/hid_mouse.bpf.c-10-\ts16 y;\nsamples/hid/hid_mouse.bpf.c:11:\t__u8 *data = hid_bpf_get_data(hctx, 0 /* offset */, 9 /* size */);\nsamples/hid/hid_mouse.bpf.c-12-\n--\nsamples/hid/hid_mouse.bpf.c=53=static int hid_x_event(struct hid_bpf_ctx *hctx)\n--\nsamples/hid/hid_mouse.bpf.c-55-\ts16 x;\nsamples/hid/hid_mouse.bpf.c:56:\t__u8 *data = hid_bpf_get_data(hctx, 0 /* offset */, 9 /* size */);\nsamples/hid/hid_mouse.bpf.c-57-\n--\nsamples/hid/hid_mouse.bpf.c=83=int BPF_PROG(hid_rdesc_fixup, struct hid_bpf_ctx *hctx)\nsamples/hid/hid_mouse.bpf.c-84-{\nsamples/hid/hid_mouse.bpf.c:85:\t__u8 *data = hid_bpf_get_data(hctx, 0 /* offset */, 4096 /* size */);\nsamples/hid/hid_mouse.bpf.c-86-\n--\nsamples/hid/hid_surface_dial.bpf.c=14=int BPF_PROG(hid_event, struct hid_bpf_ctx *hctx)\nsamples/hid/hid_surface_dial.bpf.c-15-{\nsamples/hid/hid_surface_dial.bpf.c:16:\t__u8 *data = hid_bpf_get_data(hctx, 0 /* offset */, 9 /* size */);\nsamples/hid/hid_surface_dial.bpf.c-17-\n--\nsamples/hid/hid_surface_dial.bpf.c=105=int BPF_PROG(hid_rdesc_fixup, struct hid_bpf_ctx *hctx)\nsamples/hid/hid_surface_dial.bpf.c-106-{\nsamples/hid/hid_surface_dial.bpf.c:107:\t__u8 *data = hid_bpf_get_data(hctx, 0 /* offset */, 4096 /* size */);\nsamples/hid/hid_surface_dial.bpf.c-108-\t__u16 *res, *phys;\n--\ntools/testing/selftests/hid/progs/hid.c=19=int BPF_PROG(hid_first_event, struct hid_bpf_ctx *hid_ctx, enum 
hid_report_type type)\ntools/testing/selftests/hid/progs/hid.c-20-{\ntools/testing/selftests/hid/progs/hid.c:21:\t__u8 *rw_data = hid_bpf_get_data(hid_ctx, 0 /* offset */, 3 /* size */);\ntools/testing/selftests/hid/progs/hid.c-22-\n--\ntools/testing/selftests/hid/progs/hid.c=39=int __hid_subprog_first_event(struct hid_bpf_ctx *hid_ctx, enum hid_report_type type)\ntools/testing/selftests/hid/progs/hid.c-40-{\ntools/testing/selftests/hid/progs/hid.c:41:\t__u8 *rw_data = hid_bpf_get_data(hid_ctx, 0 /* offset */, 3 /* size */);\ntools/testing/selftests/hid/progs/hid.c-42-\n--\ntools/testing/selftests/hid/progs/hid.c=64=int BPF_PROG(hid_second_event, struct hid_bpf_ctx *hid_ctx, enum hid_report_type type)\ntools/testing/selftests/hid/progs/hid.c-65-{\ntools/testing/selftests/hid/progs/hid.c:66:\t__u8 *rw_data = hid_bpf_get_data(hid_ctx, 0 /* offset */, 4 /* size */);\ntools/testing/selftests/hid/progs/hid.c-67-\n--\ntools/testing/selftests/hid/progs/hid.c=82=int BPF_PROG(hid_change_report_id, struct hid_bpf_ctx *hid_ctx, enum hid_report_type type)\ntools/testing/selftests/hid/progs/hid.c-83-{\ntools/testing/selftests/hid/progs/hid.c:84:\t__u8 *rw_data = hid_bpf_get_data(hid_ctx, 0 /* offset */, 3 /* size */);\ntools/testing/selftests/hid/progs/hid.c-85-\n--\ntools/testing/selftests/hid/progs/hid.c=221=int BPF_PROG(hid_rdesc_fixup, struct hid_bpf_ctx *hid_ctx)\ntools/testing/selftests/hid/progs/hid.c-222-{\ntools/testing/selftests/hid/progs/hid.c:223:\t__u8 *data = hid_bpf_get_data(hid_ctx, 0 /* offset */, 4096 /* size */);\ntools/testing/selftests/hid/progs/hid.c-224-\n--\ntools/testing/selftests/hid/progs/hid.c=245=int BPF_PROG(hid_rdesc_fixup_get_data_overflow, struct hid_bpf_ctx *hid_ctx)\ntools/testing/selftests/hid/progs/hid.c-246-{\ntools/testing/selftests/hid/progs/hid.c:247:\tif (!hid_bpf_get_data(hid_ctx, 2 /* offset */, ~0ULL /* size */))\ntools/testing/selftests/hid/progs/hid.c-248-\t\tget_data_overflow_check = 
1;\n--\ntools/testing/selftests/hid/progs/hid.c=259=int BPF_PROG(hid_test_insert1, struct hid_bpf_ctx *hid_ctx, enum hid_report_type type)\ntools/testing/selftests/hid/progs/hid.c-260-{\ntools/testing/selftests/hid/progs/hid.c:261:\t__u8 *data = hid_bpf_get_data(hid_ctx, 0 /* offset */, 4 /* size */);\ntools/testing/selftests/hid/progs/hid.c-262-\n--\ntools/testing/selftests/hid/progs/hid.c=282=int BPF_PROG(hid_test_insert2, struct hid_bpf_ctx *hid_ctx, enum hid_report_type type)\ntools/testing/selftests/hid/progs/hid.c-283-{\ntools/testing/selftests/hid/progs/hid.c:284:\t__u8 *data = hid_bpf_get_data(hid_ctx, 0 /* offset */, 4 /* size */);\ntools/testing/selftests/hid/progs/hid.c-285-\n--\ntools/testing/selftests/hid/progs/hid.c=304=int BPF_PROG(hid_test_insert3, struct hid_bpf_ctx *hid_ctx, enum hid_report_type type)\ntools/testing/selftests/hid/progs/hid.c-305-{\ntools/testing/selftests/hid/progs/hid.c:306:\t__u8 *data = hid_bpf_get_data(hid_ctx, 0 /* offset */, 4 /* size */);\ntools/testing/selftests/hid/progs/hid.c-307-\n--\ntools/testing/selftests/hid/progs/hid.c=347=int BPF_PROG(hid_test_hidraw_raw_request, struct hid_bpf_ctx *hctx, unsigned char reportnum,\n--\ntools/testing/selftests/hid/progs/hid.c-349-{\ntools/testing/selftests/hid/progs/hid.c:350:\t__u8 *data = hid_bpf_get_data(hctx, 0 /* offset */, 3 /* size */);\ntools/testing/selftests/hid/progs/hid.c-351-\tint ret;\n--\ntools/testing/selftests/hid/progs/hid.c=378=int BPF_PROG(hid_test_infinite_loop_raw_request, struct hid_bpf_ctx *hctx, unsigned char reportnum,\n--\ntools/testing/selftests/hid/progs/hid.c-380-{\ntools/testing/selftests/hid/progs/hid.c:381:\t__u8 *data = hid_bpf_get_data(hctx, 0 /* offset */, 3 /* size */);\ntools/testing/selftests/hid/progs/hid.c-382-\tint ret;\n--\ntools/testing/selftests/hid/progs/hid.c=417=int BPF_PROG(hid_test_hidraw_output_report, struct hid_bpf_ctx *hctx, __u64 
source)\ntools/testing/selftests/hid/progs/hid.c-418-{\ntools/testing/selftests/hid/progs/hid.c:419:\t__u8 *data = hid_bpf_get_data(hctx, 0 /* offset */, 3 /* size */);\ntools/testing/selftests/hid/progs/hid.c-420-\tint ret;\n--\ntools/testing/selftests/hid/progs/hid.c=438=int BPF_PROG(hid_test_infinite_loop_output_report, struct hid_bpf_ctx *hctx, __u64 source)\ntools/testing/selftests/hid/progs/hid.c-439-{\ntools/testing/selftests/hid/progs/hid.c:440:\t__u8 *data = hid_bpf_get_data(hctx, 0 /* offset */, 3 /* size */);\ntools/testing/selftests/hid/progs/hid.c-441-\tint ret;\n--\ntools/testing/selftests/hid/progs/hid.c=515=int BPF_PROG(hid_test_multiply_events_wq, struct hid_bpf_ctx *hid_ctx, enum hid_report_type type)\ntools/testing/selftests/hid/progs/hid.c-516-{\ntools/testing/selftests/hid/progs/hid.c:517:\t__u8 *data = hid_bpf_get_data(hid_ctx, 0 /* offset */, 9 /* size */);\ntools/testing/selftests/hid/progs/hid.c-518-\tint hid = hid_ctx-\u003ehid-\u003eid;\n--\ntools/testing/selftests/hid/progs/hid.c=542=int BPF_PROG(hid_test_multiply_events, struct hid_bpf_ctx *hid_ctx, enum hid_report_type type)\ntools/testing/selftests/hid/progs/hid.c-543-{\ntools/testing/selftests/hid/progs/hid.c:544:\t__u8 *data = hid_bpf_get_data(hid_ctx, 0 /* offset */, 9 /* size */);\ntools/testing/selftests/hid/progs/hid.c-545-\t__u8 buf[9];\n--\ntools/testing/selftests/hid/progs/hid.c=581=int BPF_PROG(hid_test_infinite_loop_input_report, struct hid_bpf_ctx *hctx,\n--\ntools/testing/selftests/hid/progs/hid.c-583-{\ntools/testing/selftests/hid/progs/hid.c:584:\t__u8 *data = hid_bpf_get_data(hctx, 0 /* offset */, 6 /* size */);\ntools/testing/selftests/hid/progs/hid.c-585-\t__u8 buf[6];\n--\ntools/testing/selftests/hid/progs/hid_bpf_helpers.h=88=struct hid_bpf_ops {\n--\ntools/testing/selftests/hid/progs/hid_bpf_helpers.h-106-/* following are kfuncs exported by HID for HID-BPF */\ntools/testing/selftests/hid/progs/hid_bpf_helpers.h:107:extern __u8 *hid_bpf_get_data(struct hid_bpf_ctx 
*ctx,\ntools/testing/selftests/hid/progs/hid_bpf_helpers.h-108-\t\t\t unsigned int offset,\n"
} |
| 5/2 | 2026/06/22 07:53 | llm | patch-evaluator |
Model:gemini-3.1-pro-preview Args: null Results: null Tokens: input: 17099 output: 19 thoughts: 215 Thoughts: **Analyzing the `hid_bpf_get_data` BPF Kfunc Vulnerability** Okay, so I'm looking at this patch and the `hid_bpf_get_data` function. This is a BPF kfunc, which immediately grabs my attention. It lives in `drivers/hid/bpf/hid_bpf_dispatch.c` – a detail to note for later reference, of course. My first thought is about its purpose; it's used by BPF programs to read data from a HID device's buffer, so we are dealing with a critical interface. The core of the issue is an integer overflow. Essentially, `rdwr_buf_size + offset` potentially wraps around if `rdwr_buf_size` is close to the maximum value of an unsigned long long (i.e., `~0ULL`). This wrap-around could result in `rdwr_buf_size + offset` being *smaller* than `ctx->allocated_size`, which is a classic out-of-bounds access scenario. We've got a potential security hole here; I am already forming a mental checklist of exploits! This is a **functional change** and a **security fix** rolled into one, impacting how BPF programs interact with HID data. This is significant because it's directly reachable from BPF programs attached to HID devices. The attack surface is pretty clear now. This is definitely something that needs to be tested vigorously. My next step is to figure out the necessary configuration options. I'll need `CONFIG_HID_BPF` and `CONFIG_BPF_SYSCALL` enabled to reproduce this. Let me quickly check the relevant Kconfig files, probably `drivers/hid/bpf/Kconfig` or possibly `drivers/hid/Kconfig` to confirm these settings are present. I am already thinking about creating a fuzzing campaign to target this vulnerability as a top priority. |
| 6/2 | 2026/06/22 07:53 | tool | grepper |
Args:{
"Expression": "config HID_BPF"
}Results: {
"Output": "drivers/hid/bpf/Kconfig=2=menu \"HID-BPF support\"\ndrivers/hid/bpf/Kconfig-3-\ndrivers/hid/bpf/Kconfig:4:config HID_BPF\ndrivers/hid/bpf/Kconfig-5-\tbool \"HID-BPF support\"\n"
} |
| 7/2 | 2026/06/22 07:53 | llm | patch-evaluator |
Model:gemini-3.1-pro-preview Args: null Results: null Tokens: input: 17828 output: 35 thoughts: 18 Thoughts: Okay, let's dive into this. Here's my thought process on this task: **Analyzing Dependencies within the Kernel Configuration** Alright, the objective is pretty clear. I need to figure out what's dependent on something, and the starting point is `drivers/hid/bpf/Kconfig`. My expertise in kernel configuration tells me this file likely defines configuration options related to the HID subsystem's BPF functionality. Therefore, I need to check this file for dependency declarations. This will indicate which other kernel components might require or rely upon the options defined within `Kconfig`. This is a classic dependency analysis scenario, the first step is always to check the Kconfig file. Let's get to it! |
| 8/2 | 2026/06/22 07:53 | tool | read-file |
Args:{
"File": "drivers/hid/bpf/Kconfig",
"FirstLine": 1,
"LineCount": 20
}Results: {
"Contents": " 1:\t# SPDX-License-Identifier: GPL-2.0-only\n 2:\tmenu \"HID-BPF support\"\n 3:\t\n 4:\tconfig HID_BPF\n 5:\t\tbool \"HID-BPF support\"\n 6:\t\tdepends on BPF_JIT\n 7:\t\tdepends on BPF_SYSCALL\n 8:\t\tdepends on DYNAMIC_FTRACE_WITH_DIRECT_CALLS\n 9:\t\thelp\n 10:\t\tThis option allows to support eBPF programs on the HID subsystem.\n 11:\t\teBPF programs can fix HID devices in a lighter way than a full\n 12:\t\tkernel patch and allow a lot more flexibility.\n 13:\t\n 14:\t\tFor documentation, see Documentation/hid/hid-bpf.rst\n 15:\t\n 16:\tendmenu\n"
} |
| 9/2 | 2026/06/22 07:53 | llm | patch-evaluator |
Model:gemini-3.1-pro-preview Args: null Results: null Tokens: input: 18249 output: 43 thoughts: 114 Thoughts: **Analyzing the HID_BPF Configuration and Associated Changes** Okay, so I'm looking at this `HID_BPF` configuration, that's the core of it. Right now, I need to understand this new configuration and how it functions. My focus right now is on that symbol, `hid_bpf_get_data`. Beyond the core config, I see the patch also touches the selftests. It's modifying `tools/testing/selftests/hid/hid_bpf.c` and `tools/testing/selftests/hid/progs/hid.c`. This suggests that the changes include updates to how the BPF functionality is tested, which is good. Important that they verify that functionality. Next, I need to dig into the implementation of `hid_bpf_get_data` and understand how it functions. That likely happens in `drivers/hid/bpf/hid_bpf_dispatch.c`, so that's where I will start. |
| 10/2 | 2026/06/22 07:53 | tool | read-file |
Args:{
"File": "drivers/hid/bpf/hid_bpf_dispatch.c",
"FirstLine": 280,
"LineCount": 30
}Results: {
"Contents": " 280:\t\treturn 0;\n 281:\t}\n 282:\t\n 283:\t/* Disables missing prototype warnings */\n 284:\t__bpf_kfunc_start_defs();\n 285:\t\n 286:\t/**\n 287:\t * hid_bpf_get_data - Get the kernel memory pointer associated with the context @ctx\n 288:\t *\n 289:\t * @ctx: The HID-BPF context\n 290:\t * @offset: The offset within the memory\n 291:\t * @rdwr_buf_size: the const size of the buffer\n 292:\t *\n 293:\t * @returns %NULL on error, an %__u8 memory pointer on success\n 294:\t */\n 295:\t__bpf_kfunc __u8 *\n 296:\thid_bpf_get_data(struct hid_bpf_ctx *ctx, unsigned int offset, const size_t rdwr_buf_size)\n 297:\t{\n 298:\t\tstruct hid_bpf_ctx_kern *ctx_kern;\n 299:\t\n 300:\t\tctx_kern = container_of(ctx, struct hid_bpf_ctx_kern, ctx);\n 301:\t\n 302:\t\tif (offset \u003e ctx-\u003eallocated_size ||\n 303:\t\t rdwr_buf_size \u003e ctx-\u003eallocated_size - offset)\n 304:\t\t\treturn NULL;\n 305:\t\n 306:\t\treturn ctx_kern-\u003edata + offset;\n 307:\t}\n 308:\t\n 309:\t/**\n"
} |
| 11/2 | 2026/06/22 07:53 | llm | patch-evaluator |
Model:gemini-3.1-pro-preview Args: null Results: null Tokens: input: 19064 output: 106 thoughts: 122 Thoughts: Here's my assessment of the situation: **Analysis of the HID BPF Patch** Okay, so we have a patch that's fixing an integer overflow vulnerability within `hid_bpf_get_data`. This is a BPF kfunc, which immediately grabs my attention. Anytime we see a fix like this, especially within BPF, fuzzing becomes a top priority. The attack surface here is clearly the `hid_bpf_get_data` function itself. The fix should be rigorously tested. My focus has to be laser-sharp on that function. To ensure I'm not missing anything, I need to verify that this vulnerability fix is isolated to `hid_bpf_get_data`. Let me check the code modifications. Ah, yes, it appears that `hid_bpf_get_data` is the core of the change in `drivers/hid/bpf/hid_bpf_dispatch.c`. The remaining modifications seem to be confined to selftests, which is good. They should help, but the key is the main function. Now that I've confirmed the scope, I'll record these findings and move on to the next step. |
| 12/2 | 2026/06/22 07:53 | tool | set-results |
Args:{
"EnableConfigs": [
"HID_BPF"
],
"FocusSymbols": [
"hid_bpf_get_data"
],
"Reasoning": "The patch fixes an integer overflow vulnerability in `hid_bpf_get_data` which is a BPF kfunc used by HID-BPF programs to access device data buffers. This is a functional security fix that is reachable from userspace via BPF programs attached to HID devices.",
"WorthFuzzing": true
}Results: {
"EnableConfigs": [
"HID_BPF"
],
"FocusSymbols": [
"hid_bpf_get_data"
],
"Reasoning": "The patch fixes an integer overflow vulnerability in `hid_bpf_get_data` which is a BPF kfunc used by HID-BPF programs to access device data buffers. This is a functional security fix that is reachable from userspace via BPF programs attached to HID devices.",
"WorthFuzzing": true
} |