diff options
author | Dmitry Torokhov <dmitry.torokhov@gmail.com> | 2015-09-19 21:22:57 +0300 |
---|---|---|
committer | Dmitry Torokhov <dmitry.torokhov@gmail.com> | 2015-09-21 19:32:41 +0300 |
commit | 72d4736253af74147b1fa68145b2f4c61d1f37e1 (patch) | |
tree | ea44ab05eb9a061951c46bb6c1398900df1b9497 /drivers/input | |
parent | ed75a14eb554995c522a3b861d4c86a7eddb2ad7 (diff) | |
download | linux-72d4736253af74147b1fa68145b2f4c61d1f37e1.tar.xz |
Input: uinput - fix crash when using ABS events
Commit b6d30968d86c45a7bb599eaca13ff048d3fa576c (Input: uinput - switch to
using for_each_set_bit()) switched driver to use for_each_set_bit().
However during initial write of the uinput structure that contains min/max
data for all possible axes none of them are reflected in dev->absbit yet
and so we were skipping over all of them and were not allocating absinfo
memory which caused crash later when driver tried to sens EV_ABS events:
<1>[ 15.064330] BUG: unable to handle kernel NULL pointer dereference at 0000000000000024
<1>[ 15.064336] IP: [<ffffffff8163f142>] input_handle_event+0x232/0x4e0
<4>[ 15.064343] PGD 0
<4>[ 15.064345] Oops: 0000 [#1] SMP
Fixes: b6d30968d86c45a7bb599eaca13ff048d3fa576c
Cc: stable@vger.kernel.org
Reported-by: Stephen Chandler Paul <cpaul@redhat.com>
Tested-by: Stephen Chandler Paul <cpaul@redhat.com>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Diffstat (limited to 'drivers/input')
-rw-r--r-- | drivers/input/misc/uinput.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/drivers/input/misc/uinput.c b/drivers/input/misc/uinput.c index 345df9b03aed..5adbcedcb81c 100644 --- a/drivers/input/misc/uinput.c +++ b/drivers/input/misc/uinput.c @@ -414,7 +414,7 @@ static int uinput_setup_device(struct uinput_device *udev, dev->id.product = user_dev->id.product; dev->id.version = user_dev->id.version; - for_each_set_bit(i, dev->absbit, ABS_CNT) { + for (i = 0; i < ABS_CNT; i++) { input_abs_set_max(dev, i, user_dev->absmax[i]); input_abs_set_min(dev, i, user_dev->absmin[i]); input_abs_set_fuzz(dev, i, user_dev->absfuzz[i]); |