From 6c080a1a353c6fc2590555ec7dd8982d1143d02d Mon Sep 17 00:00:00 2001
From: Daniel Baumann <daniel.baumann@progress-linux.org>
Date: Tue, 7 May 2024 04:18:07 +0200
Subject: Merging upstream version 6.1.90.

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
---
 drivers/android/binder.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

(limited to 'drivers/android')

diff --git a/drivers/android/binder.c b/drivers/android/binder.c
index 55cd17a13..8c2b7c074 100644
--- a/drivers/android/binder.c
+++ b/drivers/android/binder.c
@@ -1707,8 +1707,10 @@ static size_t binder_get_object(struct binder_proc *proc,
 	size_t object_size = 0;
 
 	read_size = min_t(size_t, sizeof(*object), buffer->data_size - offset);
-	if (offset > buffer->data_size || read_size < sizeof(*hdr))
+	if (offset > buffer->data_size || read_size < sizeof(*hdr) ||
+	    !IS_ALIGNED(offset, sizeof(u32)))
 		return 0;
+
 	if (u) {
 		if (copy_from_user(object, u + offset, read_size))
 			return 0;
-- 
cgit v1.2.3