diff options
Diffstat (limited to 'drivers/android/binder.c')
| -rw-r--r-- | drivers/android/binder.c | 8 |
1 files changed, 4 insertions, 4 deletions
diff --git a/drivers/android/binder.c b/drivers/android/binder.c index d055b3f2a207..ab34239a76ee 100644 --- a/drivers/android/binder.c +++ b/drivers/android/binder.c | |||
| @@ -2217,7 +2217,7 @@ static void binder_transaction_buffer_release(struct binder_proc *proc, | |||
| 2217 | debug_id, (u64)fda->num_fds); | 2217 | debug_id, (u64)fda->num_fds); |
| 2218 | continue; | 2218 | continue; |
| 2219 | } | 2219 | } |
| 2220 | fd_array = (u32 *)(parent_buffer + fda->parent_offset); | 2220 | fd_array = (u32 *)(parent_buffer + (uintptr_t)fda->parent_offset); |
| 2221 | for (fd_index = 0; fd_index < fda->num_fds; fd_index++) | 2221 | for (fd_index = 0; fd_index < fda->num_fds; fd_index++) |
| 2222 | task_close_fd(proc, fd_array[fd_index]); | 2222 | task_close_fd(proc, fd_array[fd_index]); |
| 2223 | } break; | 2223 | } break; |
| @@ -2326,7 +2326,6 @@ static int binder_translate_handle(struct flat_binder_object *fp, | |||
| 2326 | (u64)node->ptr); | 2326 | (u64)node->ptr); |
| 2327 | binder_node_unlock(node); | 2327 | binder_node_unlock(node); |
| 2328 | } else { | 2328 | } else { |
| 2329 | int ret; | ||
| 2330 | struct binder_ref_data dest_rdata; | 2329 | struct binder_ref_data dest_rdata; |
| 2331 | 2330 | ||
| 2332 | binder_node_unlock(node); | 2331 | binder_node_unlock(node); |
| @@ -2442,7 +2441,7 @@ static int binder_translate_fd_array(struct binder_fd_array_object *fda, | |||
| 2442 | */ | 2441 | */ |
| 2443 | parent_buffer = parent->buffer - | 2442 | parent_buffer = parent->buffer - |
| 2444 | binder_alloc_get_user_buffer_offset(&target_proc->alloc); | 2443 | binder_alloc_get_user_buffer_offset(&target_proc->alloc); |
| 2445 | fd_array = (u32 *)(parent_buffer + fda->parent_offset); | 2444 | fd_array = (u32 *)(parent_buffer + (uintptr_t)fda->parent_offset); |
| 2446 | if (!IS_ALIGNED((unsigned long)fd_array, sizeof(u32))) { | 2445 | if (!IS_ALIGNED((unsigned long)fd_array, sizeof(u32))) { |
| 2447 | binder_user_error("%d:%d parent offset not aligned correctly.\n", | 2446 | binder_user_error("%d:%d parent offset not aligned correctly.\n", |
| 2448 | proc->pid, thread->pid); | 2447 | proc->pid, thread->pid); |
| @@ -2508,7 +2507,7 @@ static int binder_fixup_parent(struct binder_transaction *t, | |||
| 2508 | proc->pid, thread->pid); | 2507 | proc->pid, thread->pid); |
| 2509 | return -EINVAL; | 2508 | return -EINVAL; |
| 2510 | } | 2509 | } |
| 2511 | parent_buffer = (u8 *)(parent->buffer - | 2510 | parent_buffer = (u8 *)((uintptr_t)parent->buffer - |
| 2512 | binder_alloc_get_user_buffer_offset( | 2511 | binder_alloc_get_user_buffer_offset( |
| 2513 | &target_proc->alloc)); | 2512 | &target_proc->alloc)); |
| 2514 | *(binder_uintptr_t *)(parent_buffer + bp->parent_offset) = bp->buffer; | 2513 | *(binder_uintptr_t *)(parent_buffer + bp->parent_offset) = bp->buffer; |
| @@ -3083,6 +3082,7 @@ static void binder_transaction(struct binder_proc *proc, | |||
| 3083 | err_dead_proc_or_thread: | 3082 | err_dead_proc_or_thread: |
| 3084 | return_error = BR_DEAD_REPLY; | 3083 | return_error = BR_DEAD_REPLY; |
| 3085 | return_error_line = __LINE__; | 3084 | return_error_line = __LINE__; |
| 3085 | binder_dequeue_work(proc, tcomplete); | ||
| 3086 | err_translate_failed: | 3086 | err_translate_failed: |
| 3087 | err_bad_object_type: | 3087 | err_bad_object_type: |
| 3088 | err_bad_offset: | 3088 | err_bad_offset: |