From: Jussi Kivilinna Date: Fri, 8 May 2009 00:14:21 +0000 (-0700) Subject: Input: ff-memless - fix signed to unsigned bit overflow X-Git-Tag: firefly_0821_release~14071^2~6 X-Git-Url: http://demsky.eecs.uci.edu/git/?a=commitdiff_plain;h=9e68177ef93b2f34eee5a1e1707bceef4b9ba69c;p=firefly-linux-kernel-4.4.55.git Input: ff-memless - fix signed to unsigned bit overflow When userspace sets effect->u.rumble.strong_magnitude to 0x8001 or larger, ml_combine_effects() would always return strong_magnitude 0xffff. Problem is that 'gain' is passed in as signed integer. Multiplying magnitude (__u16) with gain (int) causes magnitude read as signed and results negative value (with magnitude > 0x8000). This signed integer is then divided and value, still negative, converted to 32bit unsigned integer. Finally checking combine overflow min(new+old, 0xffff) gives out 0xffff. Fix is to simply change 'gain' to unsigned int. Signed-off-by: Jussi Kivilinna Acked-by: Anssi Hannula Signed-off-by: Dmitry Torokhov --- diff --git a/drivers/input/ff-memless.c b/drivers/input/ff-memless.c index bc4e40f3ede7..2d1415e16834 100644 --- a/drivers/input/ff-memless.c +++ b/drivers/input/ff-memless.c @@ -226,7 +226,7 @@ static int get_compatible_type(struct ff_device *ff, int effect_type) */ static void ml_combine_effects(struct ff_effect *effect, struct ml_effect_state *state, - int gain) + unsigned int gain) { struct ff_effect *new = state->effect; unsigned int strong, weak, i;