In the Linux kernel, the following vulnerability has been resolved:
binder: fix race between mmput() and do_exit()
Task A calls binderupdatepagerange() to allocate and insert pages on a remote address space from Task B. For this, Task A pins the remote mm via mmgetnotzero() first. This can race with Task B doexit() and the final mmput() refcount decrement will come from Task A.
Task A | Task B ------------------+------------------ mmgetnotzero() | | doexit() | exitmm() | mmput() mmput() | exitmmap() | removevma() | fput() |
In this case, the work of _fput() from Task B is queued up in Task A as TWARESUME. So in theory, Task A returns to userspace and the cleanup work gets executed. However, Task A instead sleep, waiting for a reply from Task B that never comes (it's dead).
This means the binderdeferredrelease() is blocked until an unrelated binder event forces Task A to go back to userspace. All the associated death notifications will also be delayed until then.
In order to fix this use mmputasync() that will schedule the work in the corresponding mm->asyncput_work WQ instead of Task A.