In binder_ioctl function, the legitimacy check of cmd size has been
done in switch-case code:
switch (cmd) {
	case BINDER_WRITE_READ;//BINDER_WRITE_READ contains size info

So unneeded do size check in binder_ioctl and binder_ioctl_write_read
again.

In the following version of Google GKI:

Linux version 5.10.110-android12-9-00011-g2c814f559132-ab8969555

It seems that the compiler has made optimization and has not passed
cmd parameters to binder_ioctl_write_read:
<binder_ioctl+628>:  mov     w8, #0x6201                     // #25089
<binder_ioctl+632>:  movk    w8, #0xc030, lsl #16
<binder_ioctl+636>:  cmp     w20, w8
<binder_ioctl+640>:  b.ne    0xffffffda8aa97880 <binder_ioctl+3168>
<binder_ioctl+644>:  mov     x0, x23 //filp
<binder_ioctl+648>:  mov     x1, x27 //arg
<binder_ioctl+652>:  mov     x2, x22 //thread
<binder_ioctl+656>:  bl      0xffffffda8aa9e6e4 <binder_ioctl_write_read>
<binder_ioctl+660>:  mov     w26, w0
Signed-off-by: Jiazi.Li <jiazi.li@transsion.com>
Acked-by: Carlos Llamas <cmllamas@google.com>
Link: https://lore.kernel.org/r/20221115120351.2769-1-jiazi.li@transsion.comSigned-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>