The type defined for the BINDER_SET_MAX_THREADS ioctl was changed from size_t to __u32 in order to avoid incompatibility issues between 32 and 64-bit kernels. However, the internal types used to copy from user and store the value were never updated. Use u32 to fix the inconsistency.
Fixes: a9350fc859ae ("staging: android: binder: fix BINDER_SET_MAX_THREADS declaration") Reported-by: Arve Hjønnevåg arve@android.com Cc: stable@vger.kernel.org Signed-off-by: Carlos Llamas cmllamas@google.com ---
Notes: v2: rebased, send fix patch separately per Greg's feedback.
drivers/android/binder.c | 2 +- drivers/android/binder_internal.h | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/android/binder.c b/drivers/android/binder.c index bad28cf42010..5834e829f391 100644 --- a/drivers/android/binder.c +++ b/drivers/android/binder.c @@ -5365,7 +5365,7 @@ static long binder_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) goto err; break; case BINDER_SET_MAX_THREADS: { - int max_threads; + u32 max_threads;
if (copy_from_user(&max_threads, ubuf, sizeof(max_threads))) { diff --git a/drivers/android/binder_internal.h b/drivers/android/binder_internal.h index 7270d4d22207..5b7c80b99ae8 100644 --- a/drivers/android/binder_internal.h +++ b/drivers/android/binder_internal.h @@ -421,7 +421,7 @@ struct binder_proc { struct list_head todo; struct binder_stats stats; struct list_head delivered_death; - int max_threads; + u32 max_threads; int requested_threads; int requested_threads_started; int tmp_ref;