Re: [PATCH] comedi: fix race between polling and detaching

[Jens Axboe]

On 7/22/25 9:53 AM, Ian Abbott wrote:
> syzbot reports a use-after-free in comedi in the below link, which is
> due to comedi gladly removing the allocated async area even though poll
> requests are still active on the wait_queue_head inside of it. This can
> cause a use-after-free when the poll entries are later triggered or
> removed, as the memory for the wait_queue_head has been freed.  We need
> to check there are no tasks queued on any of the subdevices' wait queues
> before allowing the device to be detached by the `COMEDI_DEVCONFIG`
> ioctl.
> 
> Tasks will read-lock `dev->attach_lock` before adding themselves to the
> subdevice wait queue, so fix the problem in the `COMEDI_DEVCONFIG` ioctl
> handler by write-locking `dev->attach_lock` before checking that all of
> the subdevices are safe to be deleted.  This includes testing for any
> sleepers on the subdevices' wait queues.  It remains locked until the
> device has been detached.  This requires the `comedi_device_detach()`
> function to be refactored slightly, moving the bulk of it into new
> function `comedi_device_detach_locked()`.
> 
> Note that the refactor of `comedi_device_detach()` results in
> `comedi_device_cancel_all()` now being called while `dev->attach_lock`
> is write-locked, which wasn't the case previously, but that does not
> matter.
> 
> Thanks to Jens Axboe for diagnosing the problem and co-developing this
> patch.

Thanks for taking care of this!

Tested-by: Jens Axboe <axboe@xxxxxxxxx>

-- 
Jens Axboe