From: Zhang Qilong <zhangqilo...@huawei.com> [ Upstream commit 88f6c77927e4aee04e0193fd94e13a55753a72b0 ]
Depending on the context, the error return value here (extra_buffers_size < added_size) should be negative. Acked-by: Martijn Coenen <m...@android.com> Acked-by: Christian Brauner <christian.brau...@ubuntu.com> Signed-off-by: Zhang Qilong <zhangqilo...@huawei.com> Link: https://lore.kernel.org/r/20201026110314.135481-1-zhangqilo...@huawei.com Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org> Signed-off-by: Sasha Levin <sas...@kernel.org> --- drivers/android/binder.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/android/binder.c b/drivers/android/binder.c index b5117576792bc..8bbfb9124fa29 100644 --- a/drivers/android/binder.c +++ b/drivers/android/binder.c @@ -3103,7 +3103,7 @@ static void binder_transaction(struct binder_proc *proc, if (extra_buffers_size < added_size) { /* integer overflow of extra_buffers_size */ return_error = BR_FAILED_REPLY; - return_error_param = EINVAL; + return_error_param = -EINVAL; return_error_line = __LINE__; goto err_bad_extra_size; } -- 2.27.0
