This is a note to let you know that I've just added the patch titled binder: fix handling of error during copy to the 5.16-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: binder-fix-handling-of-error-during-copy.patch and it can be found in the queue-5.16 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable@xxxxxxxxxxxxxxx> know about it. commit 4da51e5358389c6c70cd24ba94ee2b5453eb02e1 Author: Todd Kjos <tkjos@xxxxxxxxxx> Date: Tue Nov 30 10:51:49 2021 -0800 binder: fix handling of error during copy [ Upstream commit fe6b1869243f23a485a106c214bcfdc7aa0ed593 ] If a memory copy function fails to copy the whole buffer, a positive integar with the remaining bytes is returned. In binder_translate_fd_array() this can result in an fd being skipped due to the failed copy, but the loop continues processing fds since the early return condition expects a negative integer on error. Fix by returning "ret > 0 ? -EINVAL : ret" to handle this case. Fixes: bb4a2e48d510 ("binder: return errors from buffer copy functions") Suggested-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx> Acked-by: Christian Brauner <christian.brauner@xxxxxxxxxx> Signed-off-by: Todd Kjos <tkjos@xxxxxxxxxx> Link: https://lore.kernel.org/r/20211130185152.437403-2-tkjos@xxxxxxxxxx Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx> diff --git a/drivers/android/binder.c b/drivers/android/binder.c index c75fb600740cc..7d29d3d931a79 100644 --- a/drivers/android/binder.c +++ b/drivers/android/binder.c @@ -2269,8 +2269,8 @@ static int binder_translate_fd_array(struct binder_fd_array_object *fda, if (!ret) ret = binder_translate_fd(fd, offset, t, thread, in_reply_to); - if (ret < 0) - return ret; + if (ret) + return ret > 0 ? -EINVAL : ret; } return 0; }