From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1754276AbbJOAwb (ORCPT ); Wed, 14 Oct 2015 20:52:31 -0400 Received: from mail-pa0-f50.google.com ([209.85.220.50]:33853 "EHLO mail-pa0-f50.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751098AbbJOAw3 (ORCPT ); Wed, 14 Oct 2015 20:52:29 -0400 Date: Wed, 14 Oct 2015 17:52:26 -0700 From: Dmitry Torokhov To: Elias Vanderstuyft Cc: linux-input@vger.kernel.org, linux-api@vger.kernel.org, linux-kernel@vger.kernel.org Subject: Re: [PATCH 2/2] Input: uinput: Sanity check on ff_effects_max and EV_FF Message-ID: <20151015005226.GD3673@dtor-ws> References: <1442510988-3164-1-git-send-email-elias.vds@gmail.com> <1442510988-3164-3-git-send-email-elias.vds@gmail.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <1442510988-3164-3-git-send-email-elias.vds@gmail.com> User-Agent: Mutt/1.5.21 (2010-09-15) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, Sep 17, 2015 at 07:29:48PM +0200, Elias Vanderstuyft wrote: > Currently the user can specify a non-zero value for ff_effects_max, > without setting the EV_FF bit. > Inversely, > the user can also set ff_effects_max to zero with the EV_FF bit set, > in this case the uninitialized method ff->upload can be dereferenced, > resulting in a kernel oops. > > Instead of adding a check in uinput_create_device() and > omitting setup of ff-core infrastructure silently in case the check fails, > perform the check early in uinput_setup_device(), > and print a helpful message and return -EINVAL in case the check fails. > > Signed-off-by: Elias Vanderstuyft > --- > drivers/input/misc/uinput.c | 15 +++++++++++++++ > 1 file changed, 15 insertions(+) > > diff --git a/drivers/input/misc/uinput.c b/drivers/input/misc/uinput.c > index 345df9b..3a90a16 100644 > --- a/drivers/input/misc/uinput.c > +++ b/drivers/input/misc/uinput.c > @@ -393,6 +393,21 @@ static int uinput_setup_device(struct uinput_device *udev, > if (IS_ERR(user_dev)) > return PTR_ERR(user_dev); > > + if (!!user_dev->ff_effects_max ^ test_bit(EV_FF, dev->evbit)) { > + if (user_dev->ff_effects_max) > + printk(KERN_DEBUG > + "%s: ff_effects_max (%u) should be zero " > + "when FF_BIT is not set\n", > + UINPUT_NAME, user_dev->ff_effects_max); > + else > + printk(KERN_DEBUG > + "%s: ff_effects_max should be non-zero " > + "when FF_BIT is set\n", > + UINPUT_NAME); I do not think this is the right place for this check: userspace is allowed to write device structure before calling any ioctls to set various bits. Also, userspace doe snot have to explicitly set EV_FF bit as input_ff_create() does it for us. I think the check should be in uinput_create_device() and we should only check case when udev->ff_effects_max is 0 but EV_FF is set. Thanks. -- Dmitry