{"id":"CVE-2023-52609","summary":"binder: fix race between mmput() and do_exit()","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nbinder: fix race between mmput() and do_exit()\n\nTask A calls binder_update_page_range() to allocate and insert pages on\na remote address space from Task B. For this, Task A pins the remote mm\nvia mmget_not_zero() first. This can race with Task B do_exit() and the\nfinal mmput() refcount decrement will come from Task A.\n\n  Task A            | Task B\n  ------------------+------------------\n  mmget_not_zero()  |\n                    |  do_exit()\n                    |    exit_mm()\n                    |      mmput()\n  mmput()           |\n    exit_mmap()     |\n      remove_vma()  |\n        fput()      |\n\nIn this case, the work of ____fput() from Task B is queued up in Task A\nas TWA_RESUME. So in theory, Task A returns to userspace and the cleanup\nwork gets executed. However, Task A instead sleep, waiting for a reply\nfrom Task B that never comes (it's dead).\n\nThis means the binder_deferred_release() is blocked until an unrelated\nbinder event forces Task A to go back to userspace. All the associated\ndeath notifications will also be delayed until then.\n\nIn order to fix this use mmput_async() that will schedule the work in\nthe corresponding mm-\u003easync_put_work WQ instead of Task A.","modified":"2026-04-02T09:43:07.374749Z","published":"2024-03-18T10:07:45.486Z","related":["USN-6818-2","USN-6819-2"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/52xxx/CVE-2023-52609.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/252a2a5569eb9f8d16428872cc24dea1ac0bb097"},{"type":"WEB","url":"https://git.kernel.org/stable/c/6696f76c32ff67fec26823fc2df46498e70d9bf3"},{"type":"WEB","url":"https://git.kernel.org/stable/c/67f16bf2cc1698fd50e01ee8a2becc5a8e6d3a3e"},{"type":"WEB","url":"https://git.kernel.org/stable/c/77d210e8db4d61d43b2d16df66b1ec46fad2ee01"},{"type":"WEB","url":"https://git.kernel.org/stable/c/7e7a0d86542b0ea903006d3f42f33c4f7ead6918"},{"type":"WEB","url":"https://git.kernel.org/stable/c/95b1d336b0642198b56836b89908d07b9a0c9608"},{"type":"WEB","url":"https://git.kernel.org/stable/c/98fee5bee97ad47b527a997d5786410430d1f0e9"},{"type":"WEB","url":"https://git.kernel.org/stable/c/9a9ab0d963621d9d12199df9817e66982582d5a5"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/52xxx/CVE-2023-52609.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-52609"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"457b9a6f09f011ebcb9b52cc203a6331a6fc2de7"},{"fixed":"95b1d336b0642198b56836b89908d07b9a0c9608"},{"fixed":"252a2a5569eb9f8d16428872cc24dea1ac0bb097"},{"fixed":"7e7a0d86542b0ea903006d3f42f33c4f7ead6918"},{"fixed":"98fee5bee97ad47b527a997d5786410430d1f0e9"},{"fixed":"6696f76c32ff67fec26823fc2df46498e70d9bf3"},{"fixed":"67f16bf2cc1698fd50e01ee8a2becc5a8e6d3a3e"},{"fixed":"77d210e8db4d61d43b2d16df66b1ec46fad2ee01"},{"fixed":"9a9ab0d963621d9d12199df9817e66982582d5a5"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-52609.json"}}],"schema_version":"1.7.5"}