CVE-2025-38176

In the Linux kernel, the following vulnerability has been resolved:

binder: fix use-after-free in binderfsevictinode()

Running 'stress-ng --binderfs 16 --timeout 300' under KASAN-enabled kernel, I've noticed the following:

BUG: KASAN: slab-use-after-free in binderfsevictinode+0x1de/0x2d0 Write of size 8 at addr ffff88807379bc08 by task stress-ng-binde/1699

CPU: 0 UID: 0 PID: 1699 Comm: stress-ng-binde Not tainted 6.14.0-rc7-g586de92313fc-dirty #13 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-3.fc41 04/01/2014 Call Trace: <TASK> dumpstacklvl+0x1c2/0x2a0 ? pfxdumpstacklvl+0x10/0x10 ? _pfxprintk+0x10/0x10 ? _pfxlockrelease+0x10/0x10 ? _virtaddrvalid+0x18c/0x540 ? _virtaddrvalid+0x469/0x540 printreport+0x155/0x840 ? _virtaddrvalid+0x18c/0x540 ? _virtaddrvalid+0x469/0x540 ? _physaddr+0xba/0x170 ? binderfsevictinode+0x1de/0x2d0 kasanreport+0x147/0x180 ? binderfsevictinode+0x1de/0x2d0 binderfsevictinode+0x1de/0x2d0 ? _pfxbinderfsevictinode+0x10/0x10 evict+0x524/0x9f0 ? _pfxlockrelease+0x10/0x10 ? _pfxevict+0x10/0x10 ? dorawspinunlock+0x4d/0x210 ? _rawspinunlock+0x28/0x50 ? iput+0x697/0x9b0 _dentrykill+0x209/0x660 ? shrinkkill+0x8d/0x2c0 shrinkkill+0xa9/0x2c0 shrinkdentrylist+0x2e0/0x5e0 shrinkdcacheparent+0xa2/0x2c0 ? _pfxshrinkdcacheparent+0x10/0x10 ? _pfxlockrelease+0x10/0x10 ? _pfxdorawspinlock+0x10/0x10 doonetree+0x23/0xe0 shrinkdcacheforumount+0xa0/0x170 genericshutdownsuper+0x67/0x390 killlittersuper+0x76/0xb0 binderfskillsuper+0x44/0x90 deactivatelockedsuper+0xb9/0x130 cleanupmnt+0x422/0x4c0 ? lockdephardirqson+0x9d/0x150 taskworkrun+0x1d2/0x260 ? _pfxtaskworkrun+0x10/0x10 resumeusermodework+0x52/0x60 syscallexittousermode+0x9a/0x120 dosyscall64+0x103/0x210 ? asmsysvecapictimerinterrupt+0x1a/0x20 entrySYSCALL64afterhwframe+0x77/0x7f RIP: 0033:0xcac57b Code: c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 f3 0f 1e fa 31 f6 e9 05 00 00 00 0f 1f 44 00 00 f3 0f 1e fa b8 RSP: 002b:00007ffecf4226a8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6 RAX: 0000000000000000 RBX: 00007ffecf422720 RCX: 0000000000cac57b RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00007ffecf422850 RBP: 00007ffecf422850 R08: 0000000028d06ab1 R09: 7fffffffffffffff R10: 3fffffffffffffff R11: 0000000000000246 R12: 00007ffecf422718 R13: 00007ffecf422710 R14: 00007f478f87b658 R15: 00007ffecf422830 </TASK>

Allocated by task 1705: kasansavetrack+0x3e/0x80 _kasankmalloc+0x8f/0xa0 _kmalloccachenoprof+0x213/0x3e0 binderfsbinderdevicecreate+0x183/0xa80 binderctlioctl+0x138/0x190 _x64sysioctl+0x120/0x1b0 dosyscall64+0xf6/0x210 entrySYSCALL64after_hwframe+0x77/0x7f

Freed by task 1705: kasansavetrack+0x3e/0x80 kasansavefreeinfo+0x46/0x50 _kasanslabfree+0x62/0x70 kfree+0x194/0x440 evict+0x524/0x9f0 dounlinkat+0x390/0x5b0 _x64sysunlink+0x47/0x50 dosyscall64+0xf6/0x210 entrySYSCALL64afterhwframe+0x77/0x7f

This 'stress-ng' workload causes the concurrent deletions from 'binder_devices' and so requires full-featured synchronization to prevent list corruption.

I've found this issue independently but pretty sure that syzbot did the same, so Reported-by: and Closes: should be applicable here as well.