In the Linux kernel, the following vulnerability has been resolved:
binder: fix memleak of proc->delivered_freeze
If a freeze notification is cleared with BCCLEARFREEZENOTIFICATION before calling binderfreezenotificationdone(), then it is detached from its reference (e.g. ref->freeze) but the work remains queued in proc->deliveredfreeze. This leads to a memory leak when the process exits as any pending entries in proc->deliveredfreeze are not freed:
unreferenced object 0xffff38e8cfa36180 (size 64): comm "binder-util", pid 655, jiffies 4294936641 hex dump (first 32 bytes): b8 e9 9e c8 e8 38 ff ff b8 e9 9e c8 e8 38 ff ff .....8.......8.. 0b 00 00 00 00 00 00 00 3c 1f 4b 00 00 00 00 00 ........<.K..... backtrace (crc 95983b32): [<000000000d0582cf>] kmemleakalloc+0x34/0x40 [<000000009c99a513>] _kmalloccachenoprof+0x208/0x280 [<00000000313b1704>] binderthreadwrite+0xdec/0x439c [<000000000cbd33bb>] binderioctl+0x1b68/0x22cc [<000000002bbedeeb>] _arm64sysioctl+0x124/0x190 [<00000000b439adee>] invokesyscall+0x6c/0x254 [<00000000173558fc>] el0svccommon.constprop.0+0xac/0x230 [<0000000084f72311>] doel0svc+0x40/0x58 [<000000008b872457>] el0svc+0x38/0x78 [<00000000ee778653>] el0t64synchandler+0x120/0x12c [<00000000a8ec61bf>] el0t64_sync+0x190/0x194
This patch fixes the leak by ensuring that any pending entries in proc->deliveredfreeze are freed during binderdeferred_release().