diff options
| author | Dmitry Torokhov <dmitry.torokhov@gmail.com> | 2017-01-31 17:56:43 -0500 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2017-02-14 18:25:34 -0500 |
| commit | 2089e4563d50c44f187df1ed63a906e05708cf51 (patch) | |
| tree | 707648a503ff0a4363b4312aabd97f434fc8bd30 | |
| parent | 1a815c52d57ebf35bfb516eafada98eeda292d66 (diff) | |
Input: uinput - fix crash when mixing old and new init style
commit 601bbbe0517303c9f8eb3d75e11d64efed1293c9 upstream.
If user tries to initialize uinput device mixing old and new style
initialization (i.e. using old UI_SET_ABSBIT instead of UI_ABS_SETUP,
we forget to allocate input->absinfo and will crash when trying to send
absolute events:
ioctl(ui, UI_DEV_SETUP, &us);
ioctl(ui, UI_SET_PHYS, "Test");
ioctl(ui, UI_SET_EVBIT, EV_ABS);
ioctl(ui, UI_SET_ABSBIT, ABS_X);
ioctl(ui, UI_SET_ABSBIT, ABS_Y);
ioctl(ui, UI_DEV_CREATE, 0);
Reported-by: Rodrigo Rivas Costa <rodrigorivascosta@gmail.com>
Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=191811
Fixes: fbae10db0940 ("Input: uinput - rework ABS validation")
Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| -rw-r--r-- | drivers/input/misc/uinput.c | 20 |
1 files changed, 14 insertions, 6 deletions
diff --git a/drivers/input/misc/uinput.c b/drivers/input/misc/uinput.c index 92595b98e7ed..022be0e22eba 100644 --- a/drivers/input/misc/uinput.c +++ b/drivers/input/misc/uinput.c | |||
| @@ -263,13 +263,21 @@ static int uinput_create_device(struct uinput_device *udev) | |||
| 263 | return -EINVAL; | 263 | return -EINVAL; |
| 264 | } | 264 | } |
| 265 | 265 | ||
| 266 | if (test_bit(ABS_MT_SLOT, dev->absbit)) { | 266 | if (test_bit(EV_ABS, dev->evbit)) { |
| 267 | nslot = input_abs_get_max(dev, ABS_MT_SLOT) + 1; | 267 | input_alloc_absinfo(dev); |
| 268 | error = input_mt_init_slots(dev, nslot, 0); | 268 | if (!dev->absinfo) { |
| 269 | if (error) | 269 | error = -EINVAL; |
| 270 | goto fail1; | 270 | goto fail1; |
| 271 | } else if (test_bit(ABS_MT_POSITION_X, dev->absbit)) { | 271 | } |
| 272 | input_set_events_per_packet(dev, 60); | 272 | |
| 273 | if (test_bit(ABS_MT_SLOT, dev->absbit)) { | ||
| 274 | nslot = input_abs_get_max(dev, ABS_MT_SLOT) + 1; | ||
| 275 | error = input_mt_init_slots(dev, nslot, 0); | ||
| 276 | if (error) | ||
| 277 | goto fail1; | ||
| 278 | } else if (test_bit(ABS_MT_POSITION_X, dev->absbit)) { | ||
| 279 | input_set_events_per_packet(dev, 60); | ||
| 280 | } | ||
| 273 | } | 281 | } |
| 274 | 282 | ||
| 275 | if (test_bit(EV_FF, dev->evbit) && !udev->ff_effects_max) { | 283 | if (test_bit(EV_FF, dev->evbit) && !udev->ff_effects_max) { |