Re: [syzbot] [io-uring?] KASAN: slab-use-after-free Read in io_poll_remove_entries

From: Ian Abbott
Date: Tue Jul 22 2025 - 10:26:39 EST


On 22/07/2025 14:53, Jens Axboe wrote:
>> Thanks for your investigation and initial fix. I think dev->attach_lock
>> needs to be write-locked before calling is_device_busy() and released
>> after comedi_device_detach() (although that also write-locks it, so we
>> need to refactor that). Otherwise, someone could get added to the
>> wait_head after is_device_busy() returns.
>
> Looked at this one post coffee, and this looks good to me. If the
> ->cancel() part is all fine with attach_lock being held, this looks like
> the simplest solution to the issue.
>
> I still think the whole busy notion etc needs rethinking in comedi, it
> should follow a more idiomatic approach rather than be special. But
> that's really separate from this fix.


The reason for the separate dev->attach_lock and dev->mutex is to reduce the latency for read() and write() operations because dev->mutex can sometimes be locked for quite a while when processing the COMEDI_INSNLIST ioctl command, for example. (At some point, I want to make the COMEDI_BUFINFO ioctl use dev->attach_lock instead of dev->mutex, because that is used when using mmap() instead of read()/write().)

--
-=( Ian Abbott <abbotti@xxxxxxxxx> || MEV Ltd. is a company )=-
-=( registered in England & Wales. Regd. number: 02862268. )=-
-=( Regd. addr.: S11 & 12 Building 67, Europa Business Park, )=-
-=( Bird Hall Lane, STOCKPORT, SK3 0XA, UK. || www.mev.co.uk )=-