CVE-2023-52609

Severity CVSS v4.0: Pending analysis
Type: CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
Publication date: 18/03/2024
Last modified: 10/03/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

binder: fix race between mmput() and do_exit()

Task A calls binder_update_page_range() to allocate and insert pages on
a remote address space from Task B. For this, Task A pins the remote mm
via mmget_not_zero() first. This can race with Task B do_exit() and the
final mmput() refcount decrement will come from Task A.

  Task A            | Task B
  ------------------+------------------
  mmget_not_zero()  |
                    | do_exit()
                    | exit_mm()
                    | mmput()
  mmput()           |
    exit_mmap()     |
      remove_vma()  |
        fput()      |

In this case, the work of ____fput() from Task B is queued up in Task A
as TWA_RESUME. So in theory, Task A returns to userspace and the cleanup
work gets executed. However, Task A instead sleeps, waiting for a reply
from Task B that never comes (it's dead).

This means the binder_deferred_release() is blocked until an unrelated
binder event forces Task A to go back to userspace. All the associated
death notifications will also be delayed until then.

In order to fix this use mmput_async() that will schedule the work in
the corresponding mm->async_put_work WQ instead of Task A.
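The timeline in the description can be replayed in a small userspace model. The following C program is an added example for this page, not Linux kernel code: every struct and function in it is a hypothetical stand-in that borrows the kernel's names (mmget_not_zero(), mmput(), mmput_async(), exit_mmap(), fput(), a per-task task_work list and a workqueue) and reduces each to a few lines. It shows why the ____fput() work queued as TWA_RESUME stays parked while Task A sleeps, and why routing the final put through mmput_async() lets a kworker finish the teardown instead.

```c
/* Single-threaded model of the mmput()/do_exit() race described above.
 * Added illustration only, NOT Linux kernel code: the structs and functions
 * below are simplified stand-ins (hypothetical, reusing kernel names) for the
 * mm refcount, task_work (TWA_RESUME), fput() and mm->async_put_work. */
#include <stdio.h>

#define MAX_WORK 8

struct work_item { void (*fn)(void *); void *arg; };

/* A task with its own deferred-work list, run only when the task returns to
 * userspace (stand-in for task_work_add(..., TWA_RESUME)). */
struct task {
    int is_kthread;                    /* PF_KTHREAD: never returns to userspace */
    struct work_item pending[MAX_WORK];
    int npending;
};

struct file_ref { int released; };     /* the file backing one of B's VMAs */

struct mm { int users; struct file_ref *vma_file; };   /* mm_struct stand-in */

static struct task *current;                            /* task running now */
static struct work_item async_put_work[MAX_WORK];       /* mm->async_put_work */
static int n_async;
static struct work_item delayed_fput[MAX_WORK];         /* kthread fput() fallback */
static int n_delayed;

static void queue(struct work_item *q, int *n, void (*fn)(void *), void *arg)
{
    if (*n < MAX_WORK) { q[*n].fn = fn; q[*n].arg = arg; (*n)++; }
}

static void drain(struct work_item *q, int *n)
{
    for (int i = 0; i < *n; i++) q[i].fn(q[i].arg);
    *n = 0;
}

static void ____fput(void *arg) { ((struct file_ref *)arg)->released = 1; }

/* fput(): a userspace task defers the real release onto its own task_work;
 * a kernel thread pushes it onto the global delayed_fput list instead. */
static void fput(struct file_ref *f)
{
    if (current->is_kthread)
        queue(delayed_fput, &n_delayed, ____fput, f);
    else
        queue(current->pending, &current->npending, ____fput, f);
}

static void exit_mmap(struct mm *mm) { fput(mm->vma_file); }   /* remove_vma() -> fput() */

static int mmget_not_zero(struct mm *mm)
{
    if (mm->users == 0) return 0;
    mm->users++;
    return 1;
}

/* mmput(): whoever drops the last reference tears the mm down in its own context. */
static void mmput(struct mm *mm) { if (--mm->users == 0) exit_mmap(mm); }

/* mmput_async(): the last dropper hands the teardown to a workqueue instead. */
static void mmput_async_fn(void *arg) { exit_mmap((struct mm *)arg); }
static void mmput_async(struct mm *mm)
{
    if (--mm->users == 0) queue(async_put_work, &n_async, mmput_async_fn, mm);
}

/* A kworker runs the queued async put, then the delayed fputs it produced. */
static void kworker_run(void)
{
    static struct task kworker = { .is_kthread = 1 };
    struct task *prev = current;
    current = &kworker;
    drain(async_put_work, &n_async);
    drain(delayed_fput, &n_delayed);
    current = prev;
}

/* Replays the timeline from the description. Returns 1 if Task B's VMA file
 * got released, 0 if the release is still parked in Task A's task_work.
 * use_async selects mmput_async() for A's final put; a_returns_to_user models
 * the "unrelated binder event" that finally lets A run its task_work. */
int file_released(int use_async, int a_returns_to_user)
{
    struct file_ref file = { 0 };
    struct mm mm_b = { .users = 1, .vma_file = &file };   /* B's own reference */
    struct task a = { 0 }, b = { 0 };
    n_async = n_delayed = 0;

    current = &a; mmget_not_zero(&mm_b);   /* A pins B's mm for binder_update_page_range() */
    current = &b; mmput(&mm_b);            /* B: do_exit() -> exit_mm() -> mmput(), not the last ref */
    current = &a;                          /* A's put is the final decrement */
    if (use_async) mmput_async(&mm_b); else mmput(&mm_b);
    kworker_run();                         /* workqueues run; A sleeps waiting for B's reply */
    if (a_returns_to_user) drain(a.pending, &a.npending);
    return file.released;
}

int main(void)
{
    printf("mmput(), A asleep:        released=%d\n", file_released(0, 0));
    printf("mmput(), A back to user:  released=%d\n", file_released(0, 1));
    printf("mmput_async(), A asleep:  released=%d\n", file_released(1, 0));
    return 0;
}
```

file_released(0, 0) returns 0: with plain mmput() the ____fput() work sits in A's task_work and nothing runs it while A sleeps. file_released(0, 1) returns 1 only once A is forced back to userspace, which is the delay the description attributes to binder_deferred_release() and the death notifications. file_released(1, 0) returns 1 because the async put performs exit_mmap() in a kworker, whose fput() goes to the delayed_fput list rather than to A, so the release no longer depends on A's behaviour.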

Vulnerable products and versions

CPE                                               From                 Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      2.6.29 (including)   4.19.306 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      4.20 (including)     5.4.268 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      5.5 (including)      5.10.209 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      5.11 (including)     5.15.148 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      5.16 (including)     6.1.75 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      6.2 (including)      6.6.14 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      6.7 (including)      6.7.2 (excluding)
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*