5.10-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 8 Feb 2026 12:10:08 +0000 (13:10 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 8 Feb 2026 12:10:08 +0000 (13:10 +0100)
added patches:
binderfs-fix-ida_alloc_max-upper-bound.patch

queue-5.10/binderfs-fix-ida_alloc_max-upper-bound.patch [new file with mode: 0644]
queue-5.10/series

diff --git a/queue-5.10/binderfs-fix-ida_alloc_max-upper-bound.patch b/queue-5.10/binderfs-fix-ida_alloc_max-upper-bound.patch
new file mode 100644 (file)
index 0000000..18a045d
--- /dev/null
@@ -0,0 +1,47 @@
+From ec4ddc90d201d09ef4e4bef8a2c6d9624525ad68 Mon Sep 17 00:00:00 2001
+From: Carlos Llamas <cmllamas@google.com>
+Date: Tue, 27 Jan 2026 23:55:11 +0000
+Subject: binderfs: fix ida_alloc_max() upper bound
+
+From: Carlos Llamas <cmllamas@google.com>
+
+commit ec4ddc90d201d09ef4e4bef8a2c6d9624525ad68 upstream.
+
+The 'max' argument of ida_alloc_max() takes the maximum valid ID and not
+the "count". Using an ID of BINDERFS_MAX_MINOR (1 << 20) for dev->minor
+would exceed the limits of minor numbers (20-bits). Fix this off-by-one
+error by subtracting 1 from the 'max'.
+
+Cc: stable@vger.kernel.org
+Fixes: 3ad20fe393b3 ("binder: implement binderfs")
+Signed-off-by: Carlos Llamas <cmllamas@google.com>
+Link: https://patch.msgid.link/20260127235545.2307876-2-cmllamas@google.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/android/binderfs.c |    8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/android/binderfs.c
++++ b/drivers/android/binderfs.c
+@@ -122,8 +122,8 @@ static int binderfs_binder_device_create
+       mutex_lock(&binderfs_minors_mutex);
+       if (++info->device_count <= info->mount_opts.max)
+               minor = ida_alloc_max(&binderfs_minors,
+-                                    use_reserve ? BINDERFS_MAX_MINOR :
+-                                                  BINDERFS_MAX_MINOR_CAPPED,
++                                    use_reserve ? BINDERFS_MAX_MINOR - 1 :
++                                                  BINDERFS_MAX_MINOR_CAPPED - 1,
+                                     GFP_KERNEL);
+       else
+               minor = -ENOSPC;
+@@ -423,8 +423,8 @@ static int binderfs_binder_ctl_create(st
+       /* Reserve a new minor number for the new device. */
+       mutex_lock(&binderfs_minors_mutex);
+       minor = ida_alloc_max(&binderfs_minors,
+-                            use_reserve ? BINDERFS_MAX_MINOR :
+-                                          BINDERFS_MAX_MINOR_CAPPED,
++                            use_reserve ? BINDERFS_MAX_MINOR - 1 :
++                                          BINDERFS_MAX_MINOR_CAPPED - 1,
+                             GFP_KERNEL);
+       mutex_unlock(&binderfs_minors_mutex);
+       if (minor < 0) {
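Review bot: Neither `ida_alloc_max()` call site in the queued patch gets a comment explaining why the bound is now `BINDERFS_MAX_MINOR - 1`, so the inclusive-maximum contract behind this off-by-one is recorded only in the commit message. I would add `/* ida_alloc_max() takes the highest valid ID (inclusive), not a count; minors are 20 bits */` above the call in `binderfs_binder_device_create()` and extend the existing "Reserve a new minor number" comment in `binderfs_binder_ctl_create()` the same way. The same ternary is repeated at both sites, so a single named bound or small static helper would stop them drifting apart, though that change presumably belongs upstream rather than in a stable backport. Both functions start and end outside the hunks shown and the definition of `BINDERFS_MAX_MINOR_CAPPED` is not visible here, so it is worth confirming on the 5.10 tree that the capped value minus one is still the intended last non-reserved minor.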
index e05905ec638dafcc4a0d5afa5dca9319252af993..067220b73b1099ae842fca3ed965a8abfeec6a1c 100644 (file)
@@ -2,3 +2,4 @@ rbd-check-for-eod-after-exclusive-lock-is-ensured-to-be-held.patch
 arm-9468-1-fix-memset64-on-big-endian.patch
 kvm-don-t-clobber-irqfd-routing-type-when-deassigning-irqfd.patch
 netfilter-nft_set_pipapo-clamp-maximum-map-bucket-size-to-int_max.patch
+binderfs-fix-ida_alloc_max-upper-bound.patch