From c12ccba8b19f0b3596dda899364ccd11cc744a70 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Sun, 8 Feb 2026 13:10:20 +0100
Subject: [PATCH] 5.15-stable patches added patches: binderfs-fix-ida_alloc_max-upper-bound.patch
---
 ...nderfs-fix-ida_alloc_max-upper-bound.patch | 47 +++++++++++++++++++
 queue-5.15/series | 1 +
 2 files changed, 48 insertions(+)
 create mode 100644 queue-5.15/binderfs-fix-ida_alloc_max-upper-bound.patch
diff --git a/queue-5.15/binderfs-fix-ida_alloc_max-upper-bound.patch b/queue-5.15/binderfs-fix-ida_alloc_max-upper-bound.patch
new file mode 100644
index 0000000000..4fc9025d10
--- /dev/null
+++ b/queue-5.15/binderfs-fix-ida_alloc_max-upper-bound.patch
@@ -0,0 +1,47 @@
+From ec4ddc90d201d09ef4e4bef8a2c6d9624525ad68 Mon Sep 17 00:00:00 2001
+From: Carlos Llamas
+Date: Tue, 27 Jan 2026 23:55:11 +0000
+Subject: binderfs: fix ida_alloc_max() upper bound
+
+From: Carlos Llamas
+
+commit ec4ddc90d201d09ef4e4bef8a2c6d9624525ad68 upstream.
+
+The 'max' argument of ida_alloc_max() takes the maximum valid ID and not
+the "count". Using an ID of BINDERFS_MAX_MINOR (1 << 20) for dev->minor
+would exceed the limits of minor numbers (20-bits). Fix this off-by-one
+error by subtracting 1 from the 'max'.
+
+Cc: stable@vger.kernel.org
+Fixes: 3ad20fe393b3 ("binder: implement binderfs")
+Signed-off-by: Carlos Llamas
+Link: https://patch.msgid.link/20260127235545.2307876-2-cmllamas@google.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/android/binderfs.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/android/binderfs.c
++++ b/drivers/android/binderfs.c
+@@ -130,8 +130,8 @@ static int binderfs_binder_device_create
+ mutex_lock(&binderfs_minors_mutex);
+ if (++info->device_count <= info->mount_opts.max)
+ minor = ida_alloc_max(&binderfs_minors,
+- use_reserve ? BINDERFS_MAX_MINOR :
+- BINDERFS_MAX_MINOR_CAPPED,
++ use_reserve ? BINDERFS_MAX_MINOR - 1 :
++ BINDERFS_MAX_MINOR_CAPPED - 1,
+ GFP_KERNEL);
+ else
+ minor = -ENOSPC;
+@@ -433,8 +433,8 @@ static int binderfs_binder_ctl_create(st
+ /* Reserve a new minor number for the new device. */
+ mutex_lock(&binderfs_minors_mutex);
+ minor = ida_alloc_max(&binderfs_minors,
+- use_reserve ? BINDERFS_MAX_MINOR :
+- BINDERFS_MAX_MINOR_CAPPED,
++ use_reserve ? BINDERFS_MAX_MINOR - 1 :
++ BINDERFS_MAX_MINOR_CAPPED - 1,
+ GFP_KERNEL);
+ mutex_unlock(&binderfs_minors_mutex);
+ if (minor < 0) {
diff --git a/queue-5.15/series b/queue-5.15/series
index a99df25a66..4bb00ffe1d 100644
--- a/queue-5.15/series
+++ b/queue-5.15/series
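Review bot: The inclusive-bound rule of ida_alloc_max() is now carried only by a bare `- 1` at the two call sites in the embedded patch (the hunk at -130 in binderfs_binder_device_create and the hunk at -433 in binderfs_binder_ctl_create), while the constant names still read like the largest usable minor. A later caller, or a conflict resolution in another stable tree, could therefore reintroduce an out-of-range minor without anything looking wrong. A one-line comment above each call would make the invariant visible, for example `/* ida_alloc_max() takes the highest valid ID (inclusive); valid minors are 0..BINDERFS_MAX_MINOR - 1 */`. BINDERFS_MAX_MINOR_CAPPED is presumably derived from BINDERFS_MAX_MINOR, but its definition is outside the hunks, so it is worth confirming that the reserved range keeps its intended size once both bounds drop by one. Both functions start and end outside the hunks shown.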
@@ -20,3 +20,4 @@ timers-provide-timer_shutdown.patch
 timers-update-the-documentation-to-reflect-on-the-new-timer_shutdown-api.patch
 bluetooth-hci_qca-fix-the-teardown-problem-for-real.patch
 timers-fix-null-function-pointer-race-in-timer_shutdown_sync.patch
+binderfs-fix-ida_alloc_max-upper-bound.patch
-- 
2.47.3