CVE-2025-38175

In the Linux kernel, the following vulnerability has been resolved:

binder: fix yet another UAF in binder_devices

Commit e77aff5528a18 ("binderfs: fix use-after-free in binderdevices") addressed a use-after-free where devices could be released without first being removed from the binderdevices list. However, there is a similar path in binderfreeproc() that was missed:

================================================================== BUG: KASAN: slab-use-after-free in binderremovedevice+0xd4/0x100 Write of size 8 at addr ffff0000c773b900 by task umount/467 CPU: 12 UID: 0 PID: 467 Comm: umount Not tainted 6.15.0-rc7-00138-g57483a362741 #9 PREEMPT Hardware name: linux,dummy-virt (DT) Call trace: binderremovedevice+0xd4/0x100 binderfsevictinode+0x230/0x2f0 evict+0x25c/0x5dc iput+0x304/0x480 dentryunlinkinode+0x208/0x46c _dentrykill+0x154/0x530 [...]

Allocated by task 463: _kmalloccachenoprof+0x13c/0x324 binderfsbinderdevicecreate.isra.0+0x138/0xa60 binderctlioctl+0x1ac/0x230 [...]

Freed by task 215: kfree+0x184/0x31c binderprocdectmpref+0x33c/0x4ac binderdeferredfunc+0xc10/0x1108 processone_work+0x520/0xba4 [...] ==================================================================

Call binderremovedevice() within binderfreeproc() to ensure the device is removed from the binder_devices list before being kfreed.