From: Elias Vanderstuyft Date: Sat, 19 Dec 2015 01:32:19 +0000 (-0800) Subject: Input: uinput - sanity check on ff_effects_max and EV_FF X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=daf6cd0c1829c48cba197bd87d57fc8bf3f65faa;p=GitHub%2FLineageOS%2Fandroid_kernel_motorola_exynos9610.git Input: uinput - sanity check on ff_effects_max and EV_FF Currently the user can set ff_effects_max to zero with the EV_FF bit (and the FF_GAIN and/or FF_AUTOCENTER bits) set, in this case the uninitialized methods ff->set_gain and/or ff->set_autocenter can be dereferenced, resulting in a kernel oops. Check in uinput_create_device() and print a helpful message and return -EINVAL in case the check fails. Signed-off-by: Elias Vanderstuyft Signed-off-by: Dmitry Torokhov --- diff --git a/drivers/input/misc/uinput.c b/drivers/input/misc/uinput.c index 782df415e4d5..4eb9e4d94f46 100644 --- a/drivers/input/misc/uinput.c +++ b/drivers/input/misc/uinput.c @@ -272,6 +272,13 @@ static int uinput_create_device(struct uinput_device *udev) input_set_events_per_packet(dev, 60); } + if (test_bit(EV_FF, dev->evbit) && !udev->ff_effects_max) { + printk(KERN_DEBUG "%s: ff_effects_max should be non-zero when FF_BIT is set\n", + UINPUT_NAME); + error = -EINVAL; + goto fail1; + } + if (udev->ff_effects_max) { error = input_ff_create(dev, udev->ff_effects_max); if (error)
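Review bot: The message in the added printk() in uinput_create_device() names "FF_BIT", but the condition tests EV_FF in dev->evbit, so the text should read "ff_effects_max should be non-zero when EV_FF is set" to match the bit the caller actually has to fix. The commit message promises a helpful message, yet KERN_DEBUG output is hidden at the default console loglevel, so a user whose device creation fails will normally see only -EINVAL; consider whether the level fits that intent. The new block also rejects every EV_FF device with a zero ff_effects_max, not only those with FF_GAIN or FF_AUTOCENTER set as the description says. That is the safer choice, but a one-line comment above the check stating that ff->set_gain and ff->set_autocenter are only set up when ff_effects_max is non-zero would record why.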