Input: uinput - sanity check on ff_effects_max and EV_FF

Currently the user can set ff_effects_max to zero with the EV_FF bit (and
the FF_GAIN and/or FF_AUTOCENTER bits) set, in this case the uninitialized
methods ff->set_gain and/or ff->set_autocenter can be dereferenced,
resulting in a kernel oops.

Check in uinput_create_device() and print a helpful message and return
-EINVAL in case the check fails.

Signed-off-by: Elias Vanderstuyft <elias.vds@gmail.com>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>

1 files changed, 7 insertions, 0 deletions

diff --git a/drivers/input/misc/uinput.c b/drivers/input/misc/uinput.c
index 782df415e4d5..4eb9e4d94f46 100644
--- a/drivers/input/misc/uinput.c
+++ b/drivers/input/misc/uinput.c
@@ -272,6 +272,13 @@ static int uinput_create_device(struct uinput_device *udev)
                 input_set_events_per_packet(dev, 60);
         }
 
+        if (test_bit(EV_FF, dev->evbit) && !udev->ff_effects_max) {
+                printk(KERN_DEBUG "%s: ff_effects_max should be non-zero when FF_BIT is set\n",
+                        UINPUT_NAME);
+                error = -EINVAL;
+                goto fail1;
+        }
+
         if (udev->ff_effects_max) {
                 error = input_ff_create(dev, udev->ff_effects_max);
                 if (error)