Re: [syzbot] [io-uring?] KASAN: slab-use-after-free Read in io_poll_remove_entries

From: Jens Axboe
Date: Tue Jul 22 2025 - 09:57:15 EST

Next message: Lorenzo Stoakes: "Re: [RFC PATCH] MAINTAINERS: add further core files to mm core section"
Previous message: Michael Walle: "Re: [PATCH v2] mtd: spi-nor: winbond: Add support for W77Q51NW"
In reply to: Ian Abbott: "Re: [syzbot] [io-uring?] KASAN: slab-use-after-free Read in io_poll_remove_entries"
Next in thread: Ian Abbott: "Re: [syzbot] [io-uring?] KASAN: slab-use-after-free Read in io_poll_remove_entries"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

> Thanks for your investigation and initial fix. I think dev->attach_lock
> needs to be write-locked before calling is_device_busy() and released
> after comedi_device_detach() (although that also write-locks it, so we
> need to refactor that). Otherwise, someone could get added to the
> wait_head after is_device_busy() returns.

Looked at this one post coffee, and this looks good to me. If the
->cancel() part is all fine with attach_lock being held, this looks like
the simplest solution to the issue.

I still think the whole busy notion etc needs rethinking in comedi, it
should follow a more idiomatic approach rather than be special. But
that's really separate from this fix.

--
Jens Axboe

Next message: Lorenzo Stoakes: "Re: [RFC PATCH] MAINTAINERS: add further core files to mm core section"
Previous message: Michael Walle: "Re: [PATCH v2] mtd: spi-nor: winbond: Add support for W77Q51NW"
In reply to: Ian Abbott: "Re: [syzbot] [io-uring?] KASAN: slab-use-after-free Read in io_poll_remove_entries"
Next in thread: Ian Abbott: "Re: [syzbot] [io-uring?] KASAN: slab-use-after-free Read in io_poll_remove_entries"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]