From 301b5fa19271be9d1278bc48f511a73433ce01f9 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Sun, 8 Feb 2026 13:10:08 +0100
Subject: [PATCH] 5.10-stable patches added patches: binderfs-fix-ida_alloc_max-upper-bound.patch
---
 ...nderfs-fix-ida_alloc_max-upper-bound.patch | 47 +++++++++++++++++++
 queue-5.10/series | 1 +
 2 files changed, 48 insertions(+)
 create mode 100644 queue-5.10/binderfs-fix-ida_alloc_max-upper-bound.patch
diff --git a/queue-5.10/binderfs-fix-ida_alloc_max-upper-bound.patch b/queue-5.10/binderfs-fix-ida_alloc_max-upper-bound.patch
new file mode 100644
index 0000000000..18a045d3d1
--- /dev/null
+++ b/queue-5.10/binderfs-fix-ida_alloc_max-upper-bound.patch
@@ -0,0 +1,47 @@
+From ec4ddc90d201d09ef4e4bef8a2c6d9624525ad68 Mon Sep 17 00:00:00 2001
+From: Carlos Llamas
+Date: Tue, 27 Jan 2026 23:55:11 +0000
+Subject: binderfs: fix ida_alloc_max() upper bound
+
+From: Carlos Llamas
+
+commit ec4ddc90d201d09ef4e4bef8a2c6d9624525ad68 upstream.
+
+The 'max' argument of ida_alloc_max() takes the maximum valid ID and not
+the "count". Using an ID of BINDERFS_MAX_MINOR (1 << 20) for dev->minor
+would exceed the limits of minor numbers (20-bits). Fix this off-by-one
+error by subtracting 1 from the 'max'.
+
+Cc: stable@vger.kernel.org
+Fixes: 3ad20fe393b3 ("binder: implement binderfs")
+Signed-off-by: Carlos Llamas
+Link: https://patch.msgid.link/20260127235545.2307876-2-cmllamas@google.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/android/binderfs.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/android/binderfs.c
++++ b/drivers/android/binderfs.c
+@@ -122,8 +122,8 @@ static int binderfs_binder_device_create
+ mutex_lock(&binderfs_minors_mutex);
+ if (++info->device_count <= info->mount_opts.max)
+ minor = ida_alloc_max(&binderfs_minors,
+- use_reserve ? BINDERFS_MAX_MINOR :
+- BINDERFS_MAX_MINOR_CAPPED,
++ use_reserve ? BINDERFS_MAX_MINOR - 1 :
++ BINDERFS_MAX_MINOR_CAPPED - 1,
+ GFP_KERNEL);
+ else
+ minor = -ENOSPC;
+@@ -423,8 +423,8 @@ static int binderfs_binder_ctl_create(st
+ /* Reserve a new minor number for the new device. */
+ mutex_lock(&binderfs_minors_mutex);
+ minor = ida_alloc_max(&binderfs_minors,
+- use_reserve ? BINDERFS_MAX_MINOR :
+- BINDERFS_MAX_MINOR_CAPPED,
++ use_reserve ? BINDERFS_MAX_MINOR - 1 :
++ BINDERFS_MAX_MINOR_CAPPED - 1,
+ GFP_KERNEL);
+ mutex_unlock(&binderfs_minors_mutex);
+ if (minor < 0) {
diff --git a/queue-5.10/series b/queue-5.10/series
index e05905ec63..067220b73b 100644
--- a/queue-5.10/series
+++ b/queue-5.10/series
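Review bot: The `- 1` that turns the count macro into ida_alloc_max()'s inclusive upper bound is now duplicated at the two call sites (the embedded hunks at binderfs.c:122 and :423) with no comment at either, so a later reader could plausibly "simplify" it back to the bare macro and reintroduce the out-of-range minor. A one-line comment above each call, `/* ida_alloc_max() takes the highest valid ID, so pass MAX - 1 */`, or a single static helper returning the bound for a given use_reserve would keep the two sites from drifting apart. A compile-time check that BINDERFS_MAX_MINOR - 1 does not exceed MINORMASK would also pin the relationship the fix relies on; the macro definitions are outside this hunk, so I can't confirm their current form. Both enclosing functions, binderfs_binder_device_create() and binderfs_binder_ctl_create(), start and end outside the hunk.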
@@ -2,3 +2,4 @@ rbd-check-for-eod-after-exclusive-lock-is-ensured-to-be-held.patch
 arm-9468-1-fix-memset64-on-big-endian.patch
 kvm-don-t-clobber-irqfd-routing-type-when-deassigning-irqfd.patch
 netfilter-nft_set_pipapo-clamp-maximum-map-bucket-size-to-int_max.patch
+binderfs-fix-ida_alloc_max-upper-bound.patch
-- 
2.47.3