On Thu, Sep 17, 2015 at 07:29:48PM +0200, Elias Vanderstuyft wrote: > Currently the user can specify a non-zero value for ff_effects_max, > without setting the EV_FF bit. > Inversely, > the user can also set ff_effects_max to zero with the EV_FF bit set, > in this case the uninitialized method ff->upload can be dereferenced, > resulting in a kernel oops. > > Instead of adding a check in uinput_create_device() and > omitting setup of ff-core infrastructure silently in case the check fails, > perform the check early in uinput_setup_device(), > and print a helpful message and return -EINVAL in case the check fails. > > Signed-off-by: Elias Vanderstuyft <elias.vds@xxxxxxxxx> > --- > drivers/input/misc/uinput.c | 15 +++++++++++++++ > 1 file changed, 15 insertions(+) > > diff --git a/drivers/input/misc/uinput.c b/drivers/input/misc/uinput.c > index 345df9b..3a90a16 100644 > --- a/drivers/input/misc/uinput.c > +++ b/drivers/input/misc/uinput.c > @@ -393,6 +393,21 @@ static int uinput_setup_device(struct uinput_device *udev, > if (IS_ERR(user_dev)) > return PTR_ERR(user_dev); > > + if (!!user_dev->ff_effects_max ^ test_bit(EV_FF, dev->evbit)) { > + if (user_dev->ff_effects_max) > + printk(KERN_DEBUG > + "%s: ff_effects_max (%u) should be zero " > + "when FF_BIT is not set\n", > + UINPUT_NAME, user_dev->ff_effects_max); > + else > + printk(KERN_DEBUG > + "%s: ff_effects_max should be non-zero " > + "when FF_BIT is set\n", > + UINPUT_NAME); I do not think this is the right place for this check: userspace is allowed to write device structure before calling any ioctls to set various bits. Also, userspace doe snot have to explicitly set EV_FF bit as input_ff_create() does it for us. I think the check should be in uinput_create_device() and we should only check case when udev->ff_effects_max is 0 but EV_FF is set. Thanks. -- Dmitry -- To unsubscribe from this list: send the line "unsubscribe linux-input" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html