binder: return errors from buffer copy functions
mainline inclusion
from mainline-v5.3-rc1
commit bb4a2e48
category: bugfix
bugzilla: 188431, https://gitee.com/src-openeuler/kernel/issues/I6DKVG
CVE: CVE-2023-20938

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=bb4a2e48d5100ed3ff614df158a636bca3c6bf9f

--------------------------------

The buffer copy functions assumed the caller would ensure correct alignment and that the memory to be copied was completely within the binder buffer. There have been a few cases discovered by syzkaller where a malformed transaction created by a user could violate the assumptions and result in a BUG_ON.

The fix is to remove the BUG_ON and always return the error to be handled appropriately by the caller.

Acked-by: Martijn Coenen <maco@android.com>
Reported-by: <syzbot+3ae18325f96190606754@syzkaller.appspotmail.com>
Fixes: bde4a19f ("binder: use userspace pointer as base of buffer space")
Suggested-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Todd Kjos <tkjos@google.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Li Huafei <lihuafei1@huawei.com>
Reviewed-by: Zheng Yejian <zhengyejian1@huawei.com>
Reviewed-by: Wang Weiyang <wangweiyang2@huawei.com>
Signed-off-by: Yongqiang Liu <liuyongqiang13@huawei.com>
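The pattern the commit message describes, validating a user-controlled (offset, length) window against a buffer and returning an error instead of asserting, is illustrated below as an added, self-contained example. It is not the binder driver's code: `struct tx_buffer`, `check_buffer`, `copy_from_buffer`, `copy_to_buffer` and `run_checks` are constructed for this illustration, and the 4-byte alignment requirement is an assumption of the example, not something stated on this page. The point it demonstrates is that each of the three conditions (alignment, start inside the buffer, end inside the buffer) is checked with wrap-safe arithmetic and reported to the caller as -EINVAL, so a malformed transaction fails gracefully rather than tripping a BUG_ON.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for a transaction buffer: data_size bytes that
 * userspace-controlled offsets index into. Not the kernel's structure. */
struct tx_buffer {
	unsigned char *data;
	size_t data_size;
};

/* Return 1 if [offset, offset + bytes) is aligned and lies fully inside the
 * buffer, 0 otherwise. The 4-byte alignment is an assumption of this example.
 * The length check is written as a subtraction so it cannot wrap: after the
 * second test we know offset <= data_size. */
int check_buffer(const struct tx_buffer *buf, size_t offset, size_t bytes)
{
	if (offset % sizeof(uint32_t) != 0)
		return 0;                       /* misaligned */
	if (offset > buf->data_size)
		return 0;                       /* starts past the end */
	if (bytes > buf->data_size - offset)
		return 0;                       /* runs past the end */
	return 1;
}

/* After the fix: a malformed window yields -EINVAL for the caller to handle
 * (typically by failing the transaction) instead of a kernel BUG_ON. */
int copy_from_buffer(void *dest, const struct tx_buffer *buf,
		     size_t offset, size_t bytes)
{
	if (!check_buffer(buf, offset, bytes))
		return -EINVAL;
	memcpy(dest, buf->data + offset, bytes);
	return 0;
}

int copy_to_buffer(struct tx_buffer *buf, size_t offset,
		   const void *src, size_t bytes)
{
	if (!check_buffer(buf, offset, bytes))
		return -EINVAL;
	memcpy(buf->data + offset, src, bytes);
	return 0;
}

/* Constructed 32-byte sample buffer used by the checks below. */
static unsigned char sample_data[32];
static struct tx_buffer sample = { sample_data, sizeof(sample_data) };

/* Exercise one valid copy and four malformed windows. Returns the number of
 * malformed windows rejected (4 when everything behaves), or -1 if the valid
 * copy failed or a malformed window was accepted. */
int run_checks(void)
{
	unsigned char out[8];
	int rejected = 0;
	size_t i;

	for (i = 0; i < sizeof(sample_data); i++)
		sample_data[i] = (unsigned char)i;

	/* Valid: aligned, fully inside the buffer. */
	if (copy_from_buffer(out, &sample, 8, 8) != 0 ||
	    out[0] != 8 || out[7] != 15)
		return -1;

	/* Misaligned offset. */
	if (copy_from_buffer(out, &sample, 2, 4) != -EINVAL)
		return -1;
	rejected++;
	/* Offset beyond the end of the buffer. */
	if (copy_from_buffer(out, &sample, 36, 4) != -EINVAL)
		return -1;
	rejected++;
	/* Window starts inside but runs past the end. */
	if (copy_from_buffer(out, &sample, 28, 8) != -EINVAL)
		return -1;
	rejected++;
	/* Length chosen so that offset + bytes would wrap around SIZE_MAX;
	 * the subtraction form of the check still rejects it. */
	if (copy_to_buffer(&sample, 4, out, SIZE_MAX - 2) != -EINVAL)
		return -1;
	rejected++;

	return rejected;
}
```

The wrap-around case is the one worth remembering: an additive check such as `offset + bytes <= data_size` would pass for a huge `bytes` value once the sum overflows, while `bytes > data_size - offset` cannot, because the earlier `offset > data_size` test guarantees the subtraction does not underflow.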