summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--drivers/input/ff-core.c11
-rw-r--r--include/linux/input.h2
-rw-r--r--include/linux/uinput.h2
3 files changed, 10 insertions, 5 deletions
diff --git a/drivers/input/ff-core.c b/drivers/input/ff-core.c
index 3367f760d75a..480eb9d9876a 100644
--- a/drivers/input/ff-core.c
+++ b/drivers/input/ff-core.c
@@ -309,9 +309,10 @@ EXPORT_SYMBOL_GPL(input_ff_event);
* Once ff device is created you need to setup its upload, erase,
* playback and other handlers before registering input device
*/
-int input_ff_create(struct input_dev *dev, int max_effects)
+int input_ff_create(struct input_dev *dev, unsigned int max_effects)
{
struct ff_device *ff;
+ size_t ff_dev_size;
int i;
if (!max_effects) {
@@ -319,8 +320,12 @@ int input_ff_create(struct input_dev *dev, int max_effects)
return -EINVAL;
}
- ff = kzalloc(sizeof(struct ff_device) +
- max_effects * sizeof(struct file *), GFP_KERNEL);
+ ff_dev_size = sizeof(struct ff_device) +
+ max_effects * sizeof(struct file *);
+ if (ff_dev_size < max_effects) /* overflow */
+ return -EINVAL;
+
+ ff = kzalloc(ff_dev_size, GFP_KERNEL);
if (!ff)
return -ENOMEM;
diff --git a/include/linux/input.h b/include/linux/input.h
index 57add325e7a8..6d5eddb18c82 100644
--- a/include/linux/input.h
+++ b/include/linux/input.h
@@ -1610,7 +1610,7 @@ struct ff_device {
struct file *effect_owners[];
};
-int input_ff_create(struct input_dev *dev, int max_effects);
+int input_ff_create(struct input_dev *dev, unsigned int max_effects);
void input_ff_destroy(struct input_dev *dev);
int input_ff_event(struct input_dev *dev, unsigned int type, unsigned int code, int value);
diff --git a/include/linux/uinput.h b/include/linux/uinput.h
index d28c726ede4f..2aa2881b0df9 100644
--- a/include/linux/uinput.h
+++ b/include/linux/uinput.h
@@ -68,7 +68,7 @@ struct uinput_device {
unsigned char head;
unsigned char tail;
struct input_event buff[UINPUT_BUFFER_SIZE];
- int ff_effects_max;
+ unsigned int ff_effects_max;
struct uinput_request *requests[UINPUT_NUM_REQUESTS];
wait_queue_head_t requests_waitq;