DEBIAN-CVE-2025-40028

In the Linux kernel, the following vulnerability has been resolved: binder: fix double-free in dbitmap A process might fail to allocate a new bitmap when trying to expand its proc->dmap. In that case, dbitmapgrow() fails and frees the old bitmap via dbitmapfree(). However, the driver calls dbitmapfree() again when the same process terminates, leading to a double-free error: ================================================================== BUG: KASAN: double-free in binderprocdectmpref+0x2e0/0x55c Free of addr ffff00000b7c1420 by task kworker/9:1/209 CPU: 9 UID: 0 PID: 209 Comm: kworker/9:1 Not tainted 6.17.0-rc6-dirty #5 PREEMPT Hardware name: linux,dummy-virt (DT) Workqueue: events binderdeferredfunc Call trace: kfree+0x164/0x31c binderprocdectmpref+0x2e0/0x55c binderdeferredfunc+0xc24/0x1120 processonework+0x520/0xba4 [...] Allocated by task 448: _kmallocnoprof+0x178/0x3c0 bitmapzalloc+0x24/0x30 binderopen+0x14c/0xc10 [...] Freed by task 449: kfree+0x184/0x31c binderincreffornode+0xb44/0xe44 bindertransaction+0x29b4/0x7fbc binderthreadwrite+0x1708/0x442c binderioctl+0x1b50/0x2900 [...] ================================================================== Fix this issue by marking proc->map NULL in dbitmapfree().