Diffstat (limited to 'drivers/input')
-rw-r--r--drivers/input/misc/uinput.c23
1 files changed, 12 insertions, 11 deletions
diff --git a/drivers/input/misc/uinput.c b/drivers/input/misc/uinput.c
index c3eebf593ab6..d5c5b32045af 100644
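--- a/drivers/input/misc/uinput.c
+++ b/drivers/input/misc/uinput.c
@@ -251,6 +251,7 @@ static int uinput_alloc_device(struct file *file, const char __user *buffer, siz
 struct uinput_user_dev *user_dev;
 struct input_dev *dev;
 struct uinput_device *udev;
+char *name;
 int size;
 int retval;
 
@@ -274,13 +275,13 @@ static int uinput_alloc_device(struct file *file, const char __user *buffer, siz
 kfree(dev->name);
 
 size = strnlen(user_dev->name, UINPUT_MAX_NAME_SIZE) + 1;
-dev->name = kmalloc(size, GFP_KERNEL);
-if (!dev->name) {
+dev->name = name = kmalloc(size, GFP_KERNEL);
+if (!name) {
 retval = -ENOMEM;
 goto exit;
 }
+strlcpy(name, user_dev->name, size);
 
-strlcpy(dev->name, user_dev->name, size);
 dev->id.bustype = user_dev->id.bustype;
 dev->id.vendor = user_dev->id.vendor;
 dev->id.product = user_dev->id.product;
@@ -397,6 +398,7 @@ static int uinput_ioctl(struct inode *inode, struct file *file, unsigned int cmd
 struct uinput_ff_erase ff_erase;
 struct uinput_request *req;
 int length;
+char *phys;
 
 udev = file->private_data;
 
@@ -494,20 +496,19 @@ static int uinput_ioctl(struct inode *inode, struct file *file, unsigned int cmd
 retval = -EFAULT;
 break;
 }
-if (NULL != udev->dev->phys)
-kfree(udev->dev->phys);
-udev->dev->phys = kmalloc(length, GFP_KERNEL);
-if (!udev->dev->phys) {
+kfree(udev->dev->phys);
+udev->dev->phys = phys = kmalloc(length, GFP_KERNEL);
+if (!phys) {
 retval = -ENOMEM;
 break;
 }
-if (copy_from_user(udev->dev->phys, p, length)) {
-retval = -EFAULT;
-kfree(udev->dev->phys);
+if (copy_from_user(phys, p, length)) {
 udev->dev->phys = NULL;
+kfree(phys);
+retval = -EFAULT;
 break;
 }
-udev->dev->phys[length - 1] = '\0';
+phys[length - 1] = '\0';
 break;
 
 case UI_BEGIN_FF_UPLOAD: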
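Review bot: In the last hunk the new buffer is published through `udev->dev->phys` before it is filled: the old string is freed, the pointer dangles across a `kmalloc(GFP_KERNEL)` that may sleep, and it then points at uninitialised heap memory until `copy_from_user()` and the terminating NUL have run. Whether another path can read `dev->phys` in that window depends on locking and device state that are outside the hunk, but building the string in the local `phys` first and assigning it last removes the question and also keeps the previous value when the allocation or the copy fails. The same free-then-allocate order applies to `dev->name` in the second hunk (`kfree(dev->name)` followed by `dev->name = name = kmalloc(...)`). The upper bound on `length` is computed outside the hunk and should be confirmed there; both function bodies continue beyond the lines shown.

```c
/* … unchanged: length computation and the -EFAULT check above … */
phys = kmalloc(length, GFP_KERNEL);
if (!phys) {
	retval = -ENOMEM;
	break;
}
if (copy_from_user(phys, p, length)) {
	kfree(phys);
	retval = -EFAULT;
	break;
}
phys[length - 1] = '\0';
/* publish only a complete, terminated string, then drop the old one */
kfree(udev->dev->phys);
udev->dev->phys = phys;
break;
```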