UPSTREAM: drivers: android: correct the size of struct binder_uintptr_t for BC_DEAD_B...
author Lisa Du <cldu@marvell.com>
Wed, 17 Feb 2016 01:32:52 +0000 (09:32 +0800)
committer Stricted <info@stricted.net>
Thu, 11 Oct 2018 16:13:00 +0000 (18:13 +0200)
There's one point that was missed in the patch commit da49889deb34 ("staging:
binder: Support concurrent 32 bit and 64 bit processes."). When configuring
BINDER_IPC_32BIT, the size of binder_uintptr_t was 32bits, but the size of
void * is 64bit on a 64bit system. Correct it here.

Signed-off-by: Lisa Du <cldu@marvell.com>
Signed-off-by: Nicolas Boichat <drinkcat@chromium.org>
Fixes: da49889deb34 ("staging: binder: Support concurrent 32 bit and 64 bit processes.")
Cc: <stable@vger.kernel.org>
Acked-by: Olof Johansson <olof@lixom.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 7a64cd887fdb97f074c3fda03bee0bfb9faceac3)

BUG=b:26833439
TEST=See b:26833439 comment #22

Signed-off-by: Nicolas Boichat <drinkcat@google.com>
Change-Id: I204b074fd8cad74cfbeaf322fcdc976877736396

drivers/android/binder.c

index 0672721e43463a1e9b5c37d200c4756cdd5c4d72..af0fd7bc13a3dd32016d8d7462cc676b7840fd85 100644 (file)
@@ -2670,7 +2670,7 @@ int binder_thread_write(struct binder_proc *proc,
                        if (get_user_preempt_disabled(cookie, (binder_uintptr_t __user *)ptr))
                                return -EFAULT;
 
-                       ptr += sizeof(void *);
+                       ptr += sizeof(cookie);
                        list_for_each_entry(w, &proc->delivered_death, entry) {
                                struct binder_ref_death *tmp_death = container_of(w, struct binder_ref_death, work);
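
Review bot: at `ptr += sizeof(cookie);` the step now depends on the type of the local `cookie`, whose declaration is outside this hunk, while the read just above casts `ptr` to `binder_uintptr_t __user *`. The two agree only if `cookie` is declared as `binder_uintptr_t`; writing `ptr += sizeof(binder_uintptr_t);` would make the increment match the cast on its face. The commit message could also spell out the effect of the old line: going by its own description, with BINDER_IPC_32BIT on a 64-bit kernel the read covers 4 bytes while `ptr` moved by 8, so whatever is read from `ptr` next starts at the wrong offset. It is worth confirming that no other handler in `binder_thread_write` still advances by `sizeof(void *)`.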