When userspace sets effect->u.rumble.strong_magnitude to 0x8001 or larger,
ml_combine_effects() would always return strong_magnitude 0xffff.
Problem is that 'gain' is passed in as signed integer. Multiplying magnitude
(__u16) with gain (int) causes magnitude read as signed and results negative
value (with magnitude > 0x8000). This signed integer is then divided and
value, still negative, converted to 32bit unsigned integer. Finally checking
combine overflow min(new+old, 0xffff) gives out 0xffff.
Fix is to simply change 'gain' to unsigned int.
Signed-off-by: Jussi Kivilinna <jussi.kivilinna@xxxxxxxx>
---
drivers/input/ff-memless.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/drivers/input/ff-memless.c b/drivers/input/ff-memless.c
index bc4e40f..2d1415e 100644
--- a/drivers/input/ff-memless.c
+++ b/drivers/input/ff-memless.c
@@ -226,7 +226,7 @@ static int get_compatible_type(struct ff_device *ff, int effect_type)
*/
static void ml_combine_effects(struct ff_effect *effect,
struct ml_effect_state *state,
- int gain)
+ unsigned int gain)
{
struct ff_effect *new = state->effect;
unsigned int strong, weak, i;
--
To unsubscribe from this list: send the line "unsubscribe linux-input" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
