From 00b597e73dd23d7cc54cef7d9231742be9523dc9 Mon Sep 17 00:00:00 2001
From: Roman Kiryanov <rkir@google.com>
Date: Mon, 30 Apr 2018 14:32:34 -0700
Subject: [PATCH] goldfish: pipe: ANDROID: Do not crash

Return an error instead of crashing in signalled_pipes_add_locked.

Bug: 72717639
Bug: 66884503
Change-Id: I811ad1932f1600f8bbe4598cdaf206bd96ea921a
Signed-off-by: Roman Kiryanov <rkir@google.com>
---
 drivers/platform/goldfish/goldfish_pipe_v2.c | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

diff --git a/drivers/platform/goldfish/goldfish_pipe_v2.c b/drivers/platform/goldfish/goldfish_pipe_v2.c
index af7374f6b525..e762e5df63de 100644
--- a/drivers/platform/goldfish/goldfish_pipe_v2.c
+++ b/drivers/platform/goldfish/goldfish_pipe_v2.c
@@ -510,26 +510,30 @@ static unsigned int goldfish_pipe_poll(struct file *filp, poll_table *wait)
 	return mask;
 }
 
-static void signalled_pipes_add_locked(struct goldfish_pipe_dev *dev,
+static int signalled_pipes_add_locked(struct goldfish_pipe_dev *dev,
 	u32 id, u32 flags)
 {
 	struct goldfish_pipe *pipe;
 
-	BUG_ON(id >= dev->pipes_capacity);
+	if (id >= dev->pipes_capacity)
+		return -EINVAL;
 
 	pipe = dev->pipes[id];
 	if (!pipe)
-		return;
+		return -ENXIO;
+
 	pipe->signalled_flags |= flags;
 
 	if (pipe->prev_signalled || pipe->next_signalled
 		|| dev->first_signalled_pipe == pipe)
-		return;	/* already in the list */
+		return 0;  /* already in the list */
+
 	pipe->next_signalled = dev->first_signalled_pipe;
 	if (dev->first_signalled_pipe)
 		dev->first_signalled_pipe->prev_signalled = pipe;
-
 	dev->first_signalled_pipe = pipe;
+
+	return 0;
 }
 
 static void signalled_pipes_remove_locked(struct goldfish_pipe_dev *dev,