]> git.proxmox.com Git - mirror_ubuntu-disco-kernel.git/commitdiff
Input: uinput - use memdup_user() and friends
authorDmitry Torokhov <dmitry.torokhov@gmail.com>
Fri, 11 Feb 2011 09:10:45 +0000 (01:10 -0800)
committerDmitry Torokhov <dmitry.torokhov@gmail.com>
Mon, 21 Feb 2011 09:02:28 +0000 (01:02 -0800)
Instead of open-coding copying of data structures from userspace use
memdup_user() and strndup_user(). Note that this introduces change in
behavior because driver used to truncate 'phys' longer than 1024 bytes,
but now it will refuse to set 'phys' that long. Arguably trying to set
such 'phys' is suspect anyways.

Signed-off-by: Dmitry Torokhov <dtor@mail.ru>
drivers/input/misc/uinput.c

index c0888e3d2fb40e9d56d1cd8935916a0473984b34..7f8331f45bad4199e35b12b1c1f6951817867370 100644 (file)
@@ -361,14 +361,9 @@ static int uinput_setup_device(struct uinput_device *udev, const char __user *bu
 
        dev = udev->dev;
 
-       user_dev = kmalloc(sizeof(struct uinput_user_dev), GFP_KERNEL);
-       if (!user_dev)
-               return -ENOMEM;
-
-       if (copy_from_user(user_dev, buffer, sizeof(struct uinput_user_dev))) {
-               retval = -EFAULT;
-               goto exit;
-       }
+       user_dev = memdup_user(buffer, sizeof(struct uinput_user_dev));
+       if (!IS_ERR(user_dev))
+               return PTR_ERR(user_dev);
 
        udev->ff_effects_max = user_dev->ff_effects_max;
 
@@ -621,7 +616,6 @@ static long uinput_ioctl_handler(struct file *file, unsigned int cmd,
        struct uinput_ff_upload ff_up;
        struct uinput_ff_erase  ff_erase;
        struct uinput_request   *req;
-       int                     length;
        char                    *phys;
 
        retval = mutex_lock_interruptible(&udev->mutex);
@@ -688,24 +682,15 @@ static long uinput_ioctl_handler(struct file *file, unsigned int cmd,
                                retval = -EINVAL;
                                goto out;
                        }
-                       length = strnlen_user(p, 1024);
-                       if (length <= 0) {
-                               retval = -EFAULT;
-                               break;
+
+                       phys = strndup_user(p, 1024);
+                       if (IS_ERR(phys)) {
+                               retval = PTR_ERR(phys);
+                               goto out;
                        }
+
                        kfree(udev->dev->phys);
-                       udev->dev->phys = phys = kmalloc(length, GFP_KERNEL);
-                       if (!phys) {
-                               retval = -ENOMEM;
-                               break;
-                       }
-                       if (copy_from_user(phys, p, length)) {
-                               udev->dev->phys = NULL;
-                               kfree(phys);
-                               retval = -EFAULT;
-                               break;
-                       }
-                       phys[length - 1] = '\0';
+                       udev->dev->phys = phys;
                        break;
 
                case UI_BEGIN_FF_UPLOAD: