From: Lisa Du <cldu@marvell.com>
Date: Wed, 17 Feb 2016 01:32:52 +0000 (+0800)
Subject: drivers: android: correct the size of struct binder_uintptr_t for BC_DEAD_BINDER_DONE
X-Git-Tag: v4.1.20~68
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=cbd382759e953e56701202591e765e7e17957eef;p=platform%2Fkernel%2Flinux-exynos.git

drivers: android: correct the size of struct binder_uintptr_t for BC_DEAD_BINDER_DONE

[ Upstream commit 7a64cd887fdb97f074c3fda03bee0bfb9faceac3 ]

There's one point was missed in the patch commit da49889deb34 ("staging:
binder: Support concurrent 32 bit and 64 bit processes."). When configure
BINDER_IPC_32BIT, the size of binder_uintptr_t was 32bits, but size of
void * is 64bit on 64bit system. Correct it here.

Signed-off-by: Lisa Du <cldu@marvell.com>
Signed-off-by: Nicolas Boichat <drinkcat@chromium.org>
Fixes: da49889deb34 ("staging: binder: Support concurrent 32 bit and 64 bit processes.")
Cc: <stable@vger.kernel.org>
Acked-by: Olof Johansson <olof@lixom.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
---

diff --git a/drivers/android/binder.c b/drivers/android/binder.c
index 6607f3c..f1a26d9 100644
--- a/drivers/android/binder.c
+++ b/drivers/android/binder.c
@@ -2074,7 +2074,7 @@ static int binder_thread_write(struct binder_proc *proc,
 			if (get_user(cookie, (binder_uintptr_t __user *)ptr))
 				return -EFAULT;
 
-			ptr += sizeof(void *);
+			ptr += sizeof(cookie);
 			list_for_each_entry(w, &proc->delivered_death, entry) {
 				struct binder_ref_death *tmp_death = container_of(w, struct binder_ref_death, work);