lists.openwall.net: Open Source and information security mailing list archives
Message-ID: <ef2ee915-a74f-4fe8-80f7-dc940827b302@kernel.dk>
Date: Tue, 22 Jul 2025 10:00:07 -0600
From: Jens Axboe <axboe@...nel.dk>
To: Ian Abbott <abbotti@....co.uk>, linux-kernel@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
 H Hartley Sweeten <hsweeten@...ionengravers.com>, stable@...r.kernel.org,
 syzbot+01523a0ae5600aef5895@...kaller.appspotmail.com
Subject: Re: [PATCH] comedi: fix race between polling and detaching

On 7/22/25 9:53 AM, Ian Abbott wrote:
> syzbot reports a use-after-free in comedi in the below link, which is
> due to comedi gladly removing the allocated async area even though poll
> requests are still active on the wait_queue_head inside of it. This can
> cause a use-after-free when the poll entries are later triggered or
> removed, as the memory for the wait_queue_head has been freed.  We need
> to check there are no tasks queued on any of the subdevices' wait queues
> before allowing the device to be detached by the `COMEDI_DEVCONFIG`
> ioctl.
> 
> Tasks will read-lock `dev->attach_lock` before adding themselves to the
> subdevice wait queue, so fix the problem in the `COMEDI_DEVCONFIG` ioctl
> handler by write-locking `dev->attach_lock` before checking that all of
> the subdevices are safe to be deleted.  This includes testing for any
> sleepers on the subdevices' wait queues.  It remains locked until the
> device has been detached.  This requires the `comedi_device_detach()`
> function to be refactored slightly, moving the bulk of it into new
> function `comedi_device_detach_locked()`.
> 
> Note that the refactor of `comedi_device_detach()` results in
> `comedi_device_cancel_all()` now being called while `dev->attach_lock`
> is write-locked, which wasn't the case previously, but that does not
> matter.
> 
> Thanks to Jens Axboe for diagnosing the problem and co-developing this
> patch.

Thanks for taking care of this!

Tested-by: Jens Axboe <axboe@...nel.dk>

-- 
Jens Axboe
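The race and the fix described in the quoted commit message, as an added single-threaded userspace model (not comedi code, and not from this thread): the struct names, return values, the simulated rwlock counters and the "freed" flag are all stand-ins chosen for the illustration. A poller read-locks the attach lock, queues on the wait head inside the async area and returns with the entry still queued; the unsafe detach frees that area anyway, so the later removal of the entry touches freed memory. The fixed detach holds the lock for write across the whole check-and-free and refuses with -EBUSY while any subdevice still has waiters, so the check cannot be raced by a new poller.

```c
/* Userspace model of the comedi poll-vs-detach race and the attach_lock
 * fix. Constructed example, not kernel code: locks are counters, and
 * "freeing" only sets a flag so a stale access can be reported instead of
 * triggering real undefined behaviour. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

#define NR_SUBDEVICES 2

/* Stand-in for the wait_queue_head inside a subdevice's async area,
 * which is what the COMEDI_DEVCONFIG detach path frees. */
struct wait_queue_head {
    int nr_waiting;   /* poll entries currently queued on this head */
    int freed;        /* simulated kfree(): set to 1 once detach released it */
};

/* Stand-in for a poll table entry: it keeps a raw pointer to the head it
 * queued on, which is exactly what dangles after an unsafe detach. */
struct poll_entry {
    struct wait_queue_head *whead;
};

struct device {
    int attached;
    int readers;      /* simulated rwlock: read holders of attach_lock */
    int writer;       /* simulated rwlock: write held */
    struct wait_queue_head *async[NR_SUBDEVICES];
};

/* The kernel's write_lock waits for readers to drain; a single-threaded
 * model cannot wait, so a caller that would block is a modelling bug. */
static void attach_read_lock(struct device *d)   { if (d->writer) abort(); d->readers++; }
static void attach_read_unlock(struct device *d) { d->readers--; }
static void attach_write_lock(struct device *d)  { if (d->readers || d->writer) abort(); d->writer = 1; }
static void attach_write_unlock(struct device *d) { d->writer = 0; }

static int waitqueue_active(const struct wait_queue_head *wq) { return wq->nr_waiting > 0; }

static void device_attach(struct device *d)
{
    for (int i = 0; i < NR_SUBDEVICES; i++)
        d->async[i] = calloc(1, sizeof(*d->async[i]));
    d->attached = 1;
}

/* poll(): read-lock attach_lock, queue on the subdevice's wait head, drop
 * the lock. The entry stays queued after poll() returns. */
static int device_poll(struct device *d, int sub, struct poll_entry *pe)
{
    attach_read_lock(d);
    if (!d->attached) {
        attach_read_unlock(d);
        return -ENODEV;                 /* assumed error code for the model */
    }
    pe->whead = d->async[sub];
    pe->whead->nr_waiting++;
    attach_read_unlock(d);
    return 0;
}

/* Later removal (or wakeup) of the entry touches the head again; a freed
 * head is the use-after-free, which the model reports as -EFAULT. */
static int poll_entry_remove(struct poll_entry *pe)
{
    if (!pe->whead)
        return -EINVAL;
    if (pe->whead->freed)
        return -EFAULT;
    pe->whead->nr_waiting--;
    pe->whead = NULL;
    return 0;
}

static void free_async_areas(struct device *d)
{
    for (int i = 0; i < NR_SUBDEVICES; i++)
        d->async[i]->freed = 1;         /* stands in for kfree() */
    d->attached = 0;
}

/* Pre-fix behaviour: free the async areas regardless of queued waiters. */
static int device_detach_unsafe(struct device *d)
{
    attach_write_lock(d);
    free_async_areas(d);
    attach_write_unlock(d);
    return 0;
}

/* Fixed behaviour: hold attach_lock for write across check and free, and
 * refuse while any subdevice still has sleepers on its wait queue. */
static int device_detach_fixed(struct device *d)
{
    attach_write_lock(d);
    for (int i = 0; i < NR_SUBDEVICES; i++) {
        if (waitqueue_active(d->async[i])) {
            attach_write_unlock(d);
            return -EBUSY;
        }
    }
    free_async_areas(d);                /* the "detach_locked" part of the patch */
    attach_write_unlock(d);
    return 0;
}

static void device_release(struct device *d)
{
    for (int i = 0; i < NR_SUBDEVICES; i++)
        free(d->async[i]);
}

/* Race script: poll, then detach, then the poll entry is removed. Returns
 * the removal result (0 is safe, -EFAULT is the UAF); *detach_rc reports
 * the outcome of detaching once the waiter is gone. */
static int run_scenario(int use_fix, int *detach_rc)
{
    struct device dev = {0};
    struct poll_entry pe = {0};

    device_attach(&dev);
    device_poll(&dev, 0, &pe);
    *detach_rc = use_fix ? device_detach_fixed(&dev) : device_detach_unsafe(&dev);
    int rc = poll_entry_remove(&pe);
    if (*detach_rc == -EBUSY)           /* waiter dequeued, detach may proceed now */
        *detach_rc = device_detach_fixed(&dev);
    device_release(&dev);
    return rc;
}

int main(void)
{
    int detach_rc;
    printf("unsafe: removal rc=%d (EFAULT marks the use-after-free)\n", run_scenario(0, &detach_rc));
    printf("fixed:  removal rc=%d, final detach rc=%d\n", run_scenario(1, &detach_rc), detach_rc);
    return 0;
}
```

The point the model makes is the ordering: the waiter check is only meaningful because it happens under the same write lock that excludes new pollers, and the lock stays held until the areas are gone. A check done before taking the write lock would leave a window in which a poller read-locks, queues and unlocks just before the free.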