In the Linux kernel, the following vulnerability has been resolved:
binder: fix UAF of ref->proc caused by race condition
A transaction of type BINDER_TYPE_WEAK_HANDLE can fail to increment the reference for a node. In this case, the target proc normally releases the failed reference upon close as expected. However, if the target is dying in parallel, the call races with binder_deferred_release(), so the target may already have released all of its references by then, leaving the cleanup of the new failed reference unhandled.
The transaction then ends and the target proc gets released, making ref->proc a dangling pointer. Later on, ref->node is closed and we attempt to take spin_lock(&ref->proc->inner_lock), which leads to the use-after-free bug reported below. Let's fix this by cleaning up the failed reference on the spot instead of relying on the target to do so.
==================================================================
BUG: KASAN: use-after-free in _raw_spin_lock+0xa8/0x150
Write of size 4 at addr ffff5ca207094238 by task kworker/1:0/590

CPU: 1 PID: 590 Comm: kworker/1:0 Not tainted 5.19.0-rc8 #10
Hardware name: linux,dummy-virt (DT)
Workqueue: events binder_deferred_func
Call trace:
 dump_backtrace.part.0+0x1d0/0x1e0
 show_stack+0x18/0x70
 dump_stack_lvl+0x68/0x84
 print_report+0x2e4/0x61c
 kasan_report+0xa4/0x110
 kasan_check_range+0xfc/0x1a4
 __kasan_check_write+0x3c/0x50
 _raw_spin_lock+0xa8/0x150
 binder_deferred_func+0x5e0/0x9b0
 process_one_work+0x38c/0x5f0
 worker_thread+0x9c/0x694
 kthread+0x188/0x190
 ret_from_fork+0x10/0x20
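As an added illustration, not code from the kernel or from the patch: a small user-space C model of the reference lifetime described above, with the failed weak-handle path before and after the fix. All names (model_proc, model_ref, model_transaction, model_node_close_is_safe) are constructed for the model, and a released proc is flagged rather than freed so that a dangling ref->proc is detectable deterministically.

```c
/* Added example: a user-space model of the ref lifetime bug described above,
 * not the kernel's binder code. All names are constructed for the model.
 * A released proc is flagged, not freed, so a dangling ref->proc is detectable. */
#include <stdbool.h>
#include <stdlib.h>
#define MAX_REFS 8
struct model_proc;
struct model_ref { struct model_proc *proc; };   /* dangling once proc is released */
struct model_proc {
    bool released;                     /* deferred release has already run */
    struct model_ref *refs[MAX_REFS];  /* refs the proc still owns */
    int nrefs;
};

/* Model of binder_deferred_release(): the dying proc drops every ref it owns.
 * A ref attached after this point is never cleaned up by the target. */
static void model_deferred_release(struct model_proc *proc)
{
    for (int i = 0; i < proc->nrefs; i++)
        free(proc->refs[i]);
    proc->nrefs = 0;
    proc->released = true;
}

/* Weak-handle transaction. inc_fails models the node increment failing;
 * target_dying models the target's release racing ahead of this call.
 * Returns the ref handed to the target, or NULL if nothing is left behind. */
static struct model_ref *model_transaction(struct model_proc *target,
                                           bool inc_fails, bool target_dying, bool fixed)
{
    if (target_dying)
        model_deferred_release(target);   /* race: release already walked the refs */
    struct model_ref *ref = calloc(1, sizeof *ref);
    ref->proc = target;
    target->refs[target->nrefs++] = ref;  /* the new ref now belongs to the target */
    if (!inc_fails || !fixed)
        return ref;                       /* success, or the bug: leave it to the target */
    target->refs[--target->nrefs] = NULL; /* fix: clean up the failed ref on the spot */
    free(ref);
    return NULL;
}

/* Model of the later node close, which locks ref->proc->inner_lock: only safe
 * while the proc is alive. Returns false where the kernel would hit the UAF. */
static bool model_node_close_is_safe(const struct model_ref *ref)
{
    return ref == NULL || !ref->proc->released;
}
```

In the racing case the unfixed path hands back a ref whose proc is already released, which is exactly the pointer the later node close would lock through; the fixed path leaves nothing behind for the target.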