X-Patchwork-Submitter: Dmitry Torokhov
X-Patchwork-Id: 9548783
Date: Tue, 31 Jan 2017 15:17:28 -0800
From: Dmitry Torokhov
To: linux-input@vger.kernel.org
Cc: Benjamin Tissoires, David Herrmann, Rodrigo Rivas Costa, linux-kernel@vger.kernel.org
Subject: [PATCH] Input: uinput - fix crash when mixing old and new init style
Message-ID: <20170131231728.GA37933@dtor-ws>

If user tries to initialize uinput device mixing old and new style
initialization (i.e. using old UI_SET_ABSBIT instead of UI_ABS_SETUP), we
forget to allocate input->absinfo and will crash when trying to send
absolute events:

	ioctl(ui, UI_DEV_SETUP, &us);
	ioctl(ui, UI_SET_EVBIT, EV_ABS);
	ioctl(ui, UI_SET_ABSBIT, ABS_X);
	ioctl(ui, UI_SET_ABSBIT, ABS_Y);
	ioctl(ui, UI_DEV_CREATE, 0);

Reported-by: Rodrigo Rivas Costa
Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=191811
Fixes: fbae10db0940 ("Input: uinput - rework ABS validation")
Cc: stable@vger.kernel.org
Signed-off-by: Dmitry Torokhov
Reviewed-by: Benjamin Tissoires
---
 drivers/input/misc/uinput.c | 20 ++++++++++++++------
 1 file changed, 14 insertions(+), 6 deletions(-)

diff --git a/drivers/input/misc/uinput.c b/drivers/input/misc/uinput.c index 92595b98e7ed..022be0e22eba 100644 --- a/drivers/input/misc/uinput.c +++ b/drivers/input/misc/uinput.c 
@@ -263,13 +263,21 @@ static int uinput_create_device(struct uinput_device *udev) return -EINVAL; } - if (test_bit(ABS_MT_SLOT, dev->absbit)) { - nslot = input_abs_get_max(dev, ABS_MT_SLOT) + 1; - error = input_mt_init_slots(dev, nslot, 0); - if (error) + if (test_bit(EV_ABS, dev->evbit)) { + input_alloc_absinfo(dev); + if (!dev->absinfo) { + error = -EINVAL; goto fail1; - } else if (test_bit(ABS_MT_POSITION_X, dev->absbit)) { - input_set_events_per_packet(dev, 60); + } + + if (test_bit(ABS_MT_SLOT, dev->absbit)) { + nslot = input_abs_get_max(dev, ABS_MT_SLOT) + 1; + error = input_mt_init_slots(dev, nslot, 0); + if (error) + goto fail1; + } else if (test_bit(ABS_MT_POSITION_X, dev->absbit)) { + input_set_events_per_packet(dev, 60); + } } if (test_bit(EV_FF, dev->evbit) && !udev->ff_effects_max) {
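Review bot: In the new `if (!dev->absinfo)` branch of uinput_create_device(), the error code is `-EINVAL`, but the only way to reach it is for `input_alloc_absinfo(dev)` to have failed to allocate, which is not a problem with the caller's arguments. Returning `-ENOMEM` there would let userspace tell an out-of-memory condition apart from the genuine validation failure that returns `-EINVAL` a few lines above. It would also help to put a one-line comment over `input_alloc_absinfo(dev)` saying that the old-style `UI_SET_ABSBIT` path can set ABS bits without ever allocating `absinfo`, since that is the whole reason for the call and it is not obvious from the code alone. Since the allocation now happens for every device with `EV_ABS` set, it is worth confirming that the existing `fail1` path releases it along with the rest of the input device, which the visible context does not show.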