In the Linux kernel, the following vulnerability has been resolved:
binder: make sure fd closes complete
During BCFREEBUFFER processing, the BINDERTYPEFDA object cleanup may close 1 or more fds. The close operations are completed using the task work mechanism -- which means the thread needs to return to userspace or the file object may never be dereferenced -- which can lead to hung processes.
Force the binder thread back to userspace if an fd is closed during BCFREEBUFFER handling.