From 6f2cadac08897c1978ca81446dd4688be338693f Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Sun, 8 Feb 2026 13:10:31 +0100
Subject: [PATCH] 6.1-stable patches
added patches:
binder-fix-br_frozen_reply-error-log.patch
binderfs-fix-ida_alloc_max-upper-bound.patch
---
 ...binder-fix-br_frozen_reply-error-log.patch | 39 +++++++++++++++
 ...nderfs-fix-ida_alloc_max-upper-bound.patch | 47 +++++++++++++++++++
 queue-6.1/series | 2 +
 3 files changed, 88 insertions(+)
 create mode 100644 queue-6.1/binder-fix-br_frozen_reply-error-log.patch
 create mode 100644 queue-6.1/binderfs-fix-ida_alloc_max-upper-bound.patch
diff --git a/queue-6.1/binder-fix-br_frozen_reply-error-log.patch b/queue-6.1/binder-fix-br_frozen_reply-error-log.patch
new file mode 100644
index 0000000000..d9287404d0
--- /dev/null
+++ b/queue-6.1/binder-fix-br_frozen_reply-error-log.patch
@@ -0,0 +1,39 @@
+From 1769f90e5ba2a6d24bb46b85da33fe861c68f005 Mon Sep 17 00:00:00 2001
+From: Carlos Llamas
+Date: Fri, 23 Jan 2026 17:57:02 +0000
+Subject: binder: fix BR_FROZEN_REPLY error log
+
+From: Carlos Llamas
+
+commit 1769f90e5ba2a6d24bb46b85da33fe861c68f005 upstream.
+
+The error logging for failed transactions is misleading as it always
+reports "dead process or thread" even when the target is actually
+frozen. Additionally, the pid and tid are reversed which can further
+confuse debugging efforts. Fix both issues.
+
+Cc: stable@kernel.org
+Cc: Steven Moreland
+Fixes: a15dac8b2286 ("binder: additional transaction error logs")
+Signed-off-by: Carlos Llamas
+Reviewed-by: Alice Ryhl
+Link: https://patch.msgid.link/20260123175702.2154348-1-cmllamas@google.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/android/binder.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/android/binder.c
++++ b/drivers/android/binder.c
+@@ -3642,8 +3642,9 @@ static void binder_transaction(struct bi
+ return;
+
+ err_dead_proc_or_thread:
+- binder_txn_error("%d:%d dead process or thread\n",
+- thread->pid, proc->pid);
++ binder_txn_error("%d:%d %s process or thread\n",
++ proc->pid, thread->pid,
++ return_error == BR_FROZEN_REPLY ? "frozen" : "dead");
+ return_error_line = __LINE__;
+ binder_dequeue_work(proc, tcomplete);
+ err_translate_failed:
diff --git a/queue-6.1/binderfs-fix-ida_alloc_max-upper-bound.patch b/queue-6.1/binderfs-fix-ida_alloc_max-upper-bound.patch
new file mode 100644
index 0000000000..9a16952005
--- /dev/null
+++ b/queue-6.1/binderfs-fix-ida_alloc_max-upper-bound.patch
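Review bot: In the queued binder.c change, the ternary at `err_dead_proc_or_thread:` prints "dead" for every `return_error` other than `BR_FROZEN_REPLY`, and the label name still says "dead" although it now also handles the frozen case. The assignments to `return_error` that lead to this label are outside the hunk (binder_transaction starts and ends beyond it), so for this 6.1 backport it is worth confirming that only `BR_DEAD_REPLY` and `BR_FROZEN_REPLY` can arrive here. I would add a comment above the log call, `/* reached with BR_DEAD_REPLY or BR_FROZEN_REPLY; anything else is logged as "dead" */`. The field order of this line also changes to `proc->pid, thread->pid`, so any log triage tooling that parses it should be checked against the new order.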
@@ -0,0 +1,47 @@
+From ec4ddc90d201d09ef4e4bef8a2c6d9624525ad68 Mon Sep 17 00:00:00 2001
+From: Carlos Llamas
+Date: Tue, 27 Jan 2026 23:55:11 +0000
+Subject: binderfs: fix ida_alloc_max() upper bound
+
+From: Carlos Llamas
+
+commit ec4ddc90d201d09ef4e4bef8a2c6d9624525ad68 upstream.
+
+The 'max' argument of ida_alloc_max() takes the maximum valid ID and not
+the "count". Using an ID of BINDERFS_MAX_MINOR (1 << 20) for dev->minor
+would exceed the limits of minor numbers (20-bits). Fix this off-by-one
+error by subtracting 1 from the 'max'.
+
+Cc: stable@vger.kernel.org
+Fixes: 3ad20fe393b3 ("binder: implement binderfs")
+Signed-off-by: Carlos Llamas
+Link: https://patch.msgid.link/20260127235545.2307876-2-cmllamas@google.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/android/binderfs.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/android/binderfs.c
++++ b/drivers/android/binderfs.c
+@@ -131,8 +131,8 @@ static int binderfs_binder_device_create
+ mutex_lock(&binderfs_minors_mutex);
+ if (++info->device_count <= info->mount_opts.max)
+ minor = ida_alloc_max(&binderfs_minors,
+- use_reserve ? BINDERFS_MAX_MINOR :
+- BINDERFS_MAX_MINOR_CAPPED,
++ use_reserve ? BINDERFS_MAX_MINOR - 1 :
++ BINDERFS_MAX_MINOR_CAPPED - 1,
+ GFP_KERNEL);
+ else
+ minor = -ENOSPC;
+@@ -422,8 +422,8 @@ static int binderfs_binder_ctl_create(st
+ /* Reserve a new minor number for the new device. */
+ mutex_lock(&binderfs_minors_mutex);
+ minor = ida_alloc_max(&binderfs_minors,
+- use_reserve ? BINDERFS_MAX_MINOR :
+- BINDERFS_MAX_MINOR_CAPPED,
++ use_reserve ? BINDERFS_MAX_MINOR - 1 :
++ BINDERFS_MAX_MINOR_CAPPED - 1,
+ GFP_KERNEL);
+ mutex_unlock(&binderfs_minors_mutex);
+ if (minor < 0) {
diff --git a/queue-6.1/series b/queue-6.1/series
index bc12f0ff66..67c164d164 100644
--- a/queue-6.1/series
+++ b/queue-6.1/series
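Review bot: Both `ida_alloc_max()` call sites, in binderfs_binder_device_create and binderfs_binder_ctl_create, now carry a bare `- 1` with nothing at the call explaining that `max` is the highest valid ID rather than a count, which is the misunderstanding the commit message describes. A one-line comment at each site would keep the bound from being "simplified" back later, e.g. `/* ida_alloc_max() takes the largest valid ID (inclusive), not a count */`. The definitions of `BINDERFS_MAX_MINOR` and `BINDERFS_MAX_MINOR_CAPPED` are not in the hunks, so the size of the reserved range after the change should be checked against them; presumably an ID equal to `BINDERFS_MAX_MINOR` would not fit the 20-bit minor field when the device number is built. Both functions start and end outside the hunks shown.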
@@ -6,3 +6,5 @@ arm-9468-1-fix-memset64-on-big-endian.patch
 revert-drm-amd-check-if-aspm-is-enabled-from-pcie-subsystem.patch
 kvm-don-t-clobber-irqfd-routing-type-when-deassigning-irqfd.patch
 netfilter-nft_set_pipapo-clamp-maximum-map-bucket-size-to-int_max.patch
+binder-fix-br_frozen_reply-error-log.patch
+binderfs-fix-ida_alloc_max-upper-bound.patch
-- 
2.47.3