Merge tag 'char-misc-6.9-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc

Pull char / misc driver fixes from Greg KH:
 "Here are some small char/misc and other driver fixes for 6.9-rc5.
  Included in here are the following:

   - binder driver fix for reported problem

   - speakup crash fix

   - mei driver fixes for reported problems

   - comdei driver fix

   - interconnect driver fixes

   - rtsx driver fix

   - peci.h kernel doc fix

  All of these have been in linux-next for over a week with no reported
  problems"

* tag 'char-misc-6.9-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc:
  peci: linux/peci.h: fix Excess kernel-doc description warning
  binder: check offset alignment in binder_get_object()
  comedi: vmk80xx: fix incomplete endpoint checking
  mei: vsc: Unregister interrupt handler for system suspend
  Revert "mei: vsc: Call wake_up() in the threaded IRQ handler"
  misc: rtsx: Fix rts5264 driver status incorrect when card removed
  mei: me: disable RPL-S on SPS and IGN firmwares
  speakup: Avoid crash on very long word
  interconnect: Don't access req_list while it's being manipulated
  interconnect: qcom: x1e80100: Remove inexistent ACV_PERF BCM

1 files changed, 3 insertions, 1 deletions

diff --git a/drivers/android/binder.c b/drivers/android/binder.c
index bad28cf42010..dd6923d37931 100644
--- a/drivers/android/binder.c
+++ b/drivers/android/binder.c
@@ -1708,8 +1708,10 @@ static size_t binder_get_object(struct binder_proc *proc,
 	size_t object_size = 0;
 
 	read_size = min_t(size_t, sizeof(*object), buffer->data_size - offset);
-	if (offset > buffer->data_size || read_size < sizeof(*hdr))
+	if (offset > buffer->data_size || read_size < sizeof(*hdr) ||
+	    !IS_ALIGNED(offset, sizeof(u32)))
 		return 0;
+
 	if (u) {
 		if (copy_from_user(object, u + offset, read_size))
 			return 0;