From: Zhang Qilong zhangqilong3@huawei.com
[ Upstream commit 88f6c77927e4aee04e0193fd94e13a55753a72b0 ]
Depending on the context, the error return value here (extra_buffers_size < added_size) should be negative.
Acked-by: Martijn Coenen maco@android.com Acked-by: Christian Brauner christian.brauner@ubuntu.com Signed-off-by: Zhang Qilong zhangqilong3@huawei.com Link: https://lore.kernel.org/r/20201026110314.135481-1-zhangqilong3@huawei.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org Signed-off-by: Sasha Levin sashal@kernel.org --- drivers/android/binder.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/android/binder.c b/drivers/android/binder.c index b62b1ab6bb699..6091a3e20506d 100644 --- a/drivers/android/binder.c +++ b/drivers/android/binder.c @@ -3107,7 +3107,7 @@ static void binder_transaction(struct binder_proc *proc, if (extra_buffers_size < added_size) { /* integer overflow of extra_buffers_size */ return_error = BR_FAILED_REPLY; - return_error_param = EINVAL; + return_error_param = -EINVAL; return_error_line = __LINE__; goto err_bad_extra_size; }