CVE-2024-56554

In the Linux kernel, the following vulnerability has been resolved:

binder: fix freeze UAF in binderreleasework()

When a binder reference is cleaned up, any freeze work queued in the associated process should also be removed. Otherwise, the reference is freed while its ref->freeze.work is still queued in proc->work leading to a use-after-free issue as shown by the following KASAN report:

================================================================== BUG: KASAN: slab-use-after-free in binderreleasework+0x398/0x3d0 Read of size 8 at addr ffff31600ee91488 by task kworker/5:1/211

CPU: 5 UID: 0 PID: 211 Comm: kworker/5:1 Not tainted 6.11.0-rc7-00382-gfc6c92196396 #22 Hardware name: linux,dummy-virt (DT) Workqueue: events binderdeferredfunc Call trace: binderreleasework+0x398/0x3d0 binderdeferredfunc+0xb60/0x109c processonework+0x51c/0xbd4 worker_thread+0x608/0xee8

Allocated by task 703: _kmalloccachenoprof+0x130/0x280 binderthreadwrite+0xdb4/0x42a0 binderioctl+0x18f0/0x25ac _arm64sysioctl+0x124/0x190 invokesyscall+0x6c/0x254

Freed by task 211: kfree+0xc4/0x230 binderdeferredfunc+0xae8/0x109c processonework+0x51c/0xbd4 worker_thread+0x608/0xee8 ==================================================================

This commit fixes the issue by ensuring any queued freeze work is removed when cleaning up a binder reference.