Wind River Support Network

Acknowledged

LIN1025-5607 : Security Advisory - linux - CVE-2025-40028

Created: Oct 29, 2025    Updated: Oct 30, 2025
Found In Version: 10.25.33.1
Severity: Standard
Applicable for: Wind River Linux LTS 25
Component/s: Kernel

Description

In the Linux kernel, the following vulnerability has been resolved:

binder: fix double-free in dbitmap

A process might fail to allocate a new bitmap when trying to expand its
proc->dmap. In that case, dbitmap_grow() fails and frees the old bitmap
via dbitmap_free(). However, the driver calls dbitmap_free() again when
the same process terminates, leading to a double-free error:

  ==================================================================
  BUG: KASAN: double-free in binder_proc_dec_tmpref+0x2e0/0x55c
  Free of addr ffff00000b7c1420 by task kworker/9:1/209

  CPU: 9 UID: 0 PID: 209 Comm: kworker/9:1 Not tainted 6.17.0-rc6-dirty #5 PREEMPT
  Hardware name: linux,dummy-virt (DT)
  Workqueue: events binder_deferred_func
  Call trace:
   kfree+0x164/0x31c
   binder_proc_dec_tmpref+0x2e0/0x55c
   binder_deferred_func+0xc24/0x1120
   process_one_work+0x520/0xba4
  [...]

  Allocated by task 448:
   __kmalloc_noprof+0x178/0x3c0
   bitmap_zalloc+0x24/0x30
   binder_open+0x14c/0xc10
  [...]

  Freed by task 449:
   kfree+0x184/0x31c
   binder_inc_ref_for_node+0xb44/0xe44
   binder_transaction+0x29b4/0x7fbc
   binder_thread_write+0x1708/0x442c
   binder_ioctl+0x1b50/0x2900
  [...]
  ==================================================================

Fix this issue by marking proc->map NULL in dbitmap_free().
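
The free-twice sequence described above, and why clearing the pointer in the free helper stops it, shown as a userspace C model. This is an added illustration, not the kernel patch or Wind River code; the struct, the tracking header and all function names are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>

/* Userspace model only: every name here is hypothetical, not kernel code. */
struct model_bitmap { unsigned int nbits; unsigned long *map; };
struct hdr { long freed; };   /* bookkeeping stored in front of each buffer */
static int double_frees;      /* frees of a buffer that was already freed */

/* Marks the buffer freed (replay() releases it); NULL is a no-op, like kfree(). */
static void tracked_free(void *p)
{
    struct hdr *h = p ? (struct hdr *)p - 1 : NULL;
    if (!h) return;
    if (h->freed) double_frees++;
    h->freed = 1;
}

/* Before: the pointer outlives the free and still looks valid to later callers. */
static void bitmap_free_before(struct model_bitmap *b)
{
    b->nbits = 0;
    tracked_free(b->map);
}

/* After: clearing the pointer turns a repeated free into a no-op. */
static void bitmap_free_after(struct model_bitmap *b)
{
    b->nbits = 0;
    tracked_free(b->map);
    b->map = NULL;
}

/* Replays: open allocates, a failed grow frees, process teardown frees again. */
static int replay(void (*free_fn)(struct model_bitmap *))
{
    struct hdr *h = calloc(1, sizeof(*h) + 64 / 8);
    struct model_bitmap b = { 64, h ? (unsigned long *)(h + 1) : NULL };
    double_frees = 0;
    free_fn(&b);   /* grow path: new allocation failed, old map released */
    free_fn(&b);   /* teardown path: the same object is freed a second time */
    free(h);       /* release the real allocation exactly once */
    return double_frees;
}

int main(void)
{
    printf("before=%d after=%d double free(s)\n",
           replay(bitmap_free_before), replay(bitmap_free_after));
    return 0;
}
```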