From bf61f8d357e5d71d74a3ca3be3cce52bf1a2c01a Mon Sep 17 00:00:00 2001
From: Kenichi Nagai <kenichi3.nagai@toshiba.co.jp>
Date: Fri, 11 May 2007 01:12:15 -0400
Subject: [PATCH] Input: evdev - fix overflow in compat_ioctl

When exporting input device bitmaps via compat_ioctl on BIG_ENDIAN
platforms evdev calculates data size incorrectly. This causes buffer
overflow if user specifies buffer smaller than maxlen.

Signed-off-by: Kenichi Nagai <kenichi3.nagai@toshiba.co.jp>
Signed-off-by: Dmitry Torokhov <dtor@mail.ru>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
---
 drivers/input/evdev.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/input/evdev.c b/drivers/input/evdev.c
index 55a72592704..b234729706b 100644
--- a/drivers/input/evdev.c
+++ b/drivers/input/evdev.c
@@ -336,7 +336,7 @@ static int bits_to_user(unsigned long *bits, unsigned int maxbit,
 
 	if (compat) {
 		len = NBITS_COMPAT(maxbit) * sizeof(compat_long_t);
-		if (len < maxlen)
+		if (len > maxlen)
 			len = maxlen;
 
 		for (i = 0; i < len / sizeof(compat_long_t); i++)
-- 
2.41.0