--- /dev/null
+From 1769f90e5ba2a6d24bb46b85da33fe861c68f005 Mon Sep 17 00:00:00 2001
+From: Carlos Llamas <cmllamas@google.com>
+Date: Fri, 23 Jan 2026 17:57:02 +0000
+Subject: binder: fix BR_FROZEN_REPLY error log
+
+From: Carlos Llamas <cmllamas@google.com>
+
+commit 1769f90e5ba2a6d24bb46b85da33fe861c68f005 upstream.
+
+The error logging for failed transactions is misleading as it always
+reports "dead process or thread" even when the target is actually
+frozen. Additionally, the pid and tid are reversed which can further
+confuse debugging efforts. Fix both issues.
+
+Cc: stable@kernel.org
+Cc: Steven Moreland <smoreland@google.com>
+Fixes: a15dac8b2286 ("binder: additional transaction error logs")
+Signed-off-by: Carlos Llamas <cmllamas@google.com>
+Reviewed-by: Alice Ryhl <aliceryhl@google.com>
+Link: https://patch.msgid.link/20260123175702.2154348-1-cmllamas@google.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/android/binder.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/android/binder.c
++++ b/drivers/android/binder.c
+@@ -3663,8 +3663,9 @@ static void binder_transaction(struct bi
+ return;
+
+ err_dead_proc_or_thread:
+- binder_txn_error("%d:%d dead process or thread\n",
+- thread->pid, proc->pid);
++ binder_txn_error("%d:%d %s process or thread\n",
++ proc->pid, thread->pid,
++ return_error == BR_FROZEN_REPLY ? "frozen" : "dead");
+ return_error_line = __LINE__;
+ binder_dequeue_work(proc, tcomplete);
+ err_translate_failed:
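Review bot: The new ternary in the `binder_txn_error()` call prints "dead" for every `return_error` value other than `BR_FROZEN_REPLY`, so the log is accurate only if `err_dead_proc_or_thread` is reached with just the dead or frozen reply codes. The jumps to this label are outside the hunk, so that cannot be confirmed from here. A one-line comment at the label would record the assumption for anyone who relies on this message when triaging failed transactions, e.g. `/* reached with return_error set to the dead or frozen reply code only */`. The label name itself still says only "dead"; the same comment could mention that rather than renaming the label in a stable backport.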
--- /dev/null
+From ec4ddc90d201d09ef4e4bef8a2c6d9624525ad68 Mon Sep 17 00:00:00 2001
+From: Carlos Llamas <cmllamas@google.com>
+Date: Tue, 27 Jan 2026 23:55:11 +0000
+Subject: binderfs: fix ida_alloc_max() upper bound
+
+From: Carlos Llamas <cmllamas@google.com>
+
+commit ec4ddc90d201d09ef4e4bef8a2c6d9624525ad68 upstream.
+
+The 'max' argument of ida_alloc_max() takes the maximum valid ID and not
+the "count". Using an ID of BINDERFS_MAX_MINOR (1 << 20) for dev->minor
+would exceed the limits of minor numbers (20-bits). Fix this off-by-one
+error by subtracting 1 from the 'max'.
+
+Cc: stable@vger.kernel.org
+Fixes: 3ad20fe393b3 ("binder: implement binderfs")
+Signed-off-by: Carlos Llamas <cmllamas@google.com>
+Link: https://patch.msgid.link/20260127235545.2307876-2-cmllamas@google.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/android/binderfs.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/android/binderfs.c
++++ b/drivers/android/binderfs.c
+@@ -130,8 +130,8 @@ static int binderfs_binder_device_create
+ mutex_lock(&binderfs_minors_mutex);
+ if (++info->device_count <= info->mount_opts.max)
+ minor = ida_alloc_max(&binderfs_minors,
+- use_reserve ? BINDERFS_MAX_MINOR :
+- BINDERFS_MAX_MINOR_CAPPED,
++ use_reserve ? BINDERFS_MAX_MINOR - 1 :
++ BINDERFS_MAX_MINOR_CAPPED - 1,
+ GFP_KERNEL);
+ else
+ minor = -ENOSPC;
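Review bot: The `- 1` is open-coded at both `ida_alloc_max()` call sites, here in binderfs_binder_device_create and in the hunk at line 421 in binderfs_binder_ctl_create. Nothing at either site says that the argument is the highest valid ID rather than a count, which is the misreading the commit message gives as the cause of the original off-by-one. A comment above each call would stop a later cleanup from dropping the adjustment and handing out a minor that no longer fits in 20 bits, e.g. `/* ida_alloc_max() takes the largest valid ID, inclusive, hence the - 1 */`. Both functions start and continue outside their hunks, so how a failed allocation unwinds the `++info->device_count` is not visible here.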
+@@ -421,8 +421,8 @@ static int binderfs_binder_ctl_create(st
+ /* Reserve a new minor number for the new device. */
+ mutex_lock(&binderfs_minors_mutex);
+ minor = ida_alloc_max(&binderfs_minors,
+- use_reserve ? BINDERFS_MAX_MINOR :
+- BINDERFS_MAX_MINOR_CAPPED,
++ use_reserve ? BINDERFS_MAX_MINOR - 1 :
++ BINDERFS_MAX_MINOR_CAPPED - 1,
+ GFP_KERNEL);
+ mutex_unlock(&binderfs_minors_mutex);
+ if (minor < 0) {