CVE-2025-38687

Summary

In the Linux kernel, the following vulnerability has been resolved:

comedi: fix race between polling and detaching

syzbot reports a use-after-free in comedi in the below link, which is due to comedi gladly removing the allocated async area even though poll requests are still active on the wait_queue_head inside of it. This can cause a use-after-free when the poll entries are later triggered or removed, as the memory for the wait_queue_head has been freed. We need to check there are no tasks queued on any of the subdevices' wait queues before allowing the device to be detached by the COMEDI_DEVCONFIG ioctl.

Tasks will read-lock dev->attach_lock before adding themselves to the subdevice wait queue, so fix the problem in the COMEDI_DEVCONFIG ioctl handler by write-locking dev->attach_lock before checking that all of the subdevices are safe to be deleted. This includes testing for any sleepers on the subdevices' wait queues. It remains locked until the device has been detached. This requires the comedi_device_detach() function to be refactored slightly, moving the bulk of it into new function comedi_device_detach_locked().

Note that the refactor of comedi_device_detach() results in comedi_device_cancel_all() now being called while dev->attach_lock is write-locked, which wasn't the case previously, but that does not matter.

Thanks to Jens Axboe for diagnosing the problem and co-developing this patch.

Affected Software

VendorProductVersion RangeStatus
LinuxLinux2f3fdcd7ce935f6f2899ceab57dc8fe5286db3e1 < fe67122ba781df44a1a9716eb1dfd751321ab512affected
LinuxLinux2f3fdcd7ce935f6f2899ceab57dc8fe5286db3e1 < cd4286123d6948ff638ea9cd5818ae4796d5d252affected
LinuxLinux2f3fdcd7ce935f6f2899ceab57dc8fe5286db3e1 < d85fac8729c9acfd72368faff1d576ec585e5c8faffected
LinuxLinux2f3fdcd7ce935f6f2899ceab57dc8fe5286db3e1 < 0f989f9d05492028afd2bded4b42023c57d8a76eaffected
LinuxLinux2f3fdcd7ce935f6f2899ceab57dc8fe5286db3e1 < 5c4a2ffcbd052c69bbf4680677d4c4eaa5a252d4affected
LinuxLinux2f3fdcd7ce935f6f2899ceab57dc8fe5286db3e1 < 017198079551a2a5cf61eae966af3c4b145e1f3baffected
LinuxLinux2f3fdcd7ce935f6f2899ceab57dc8fe5286db3e1 < 71ca60d2e631cf9c63bcbc7017961c61ff04e419affected
LinuxLinux2f3fdcd7ce935f6f2899ceab57dc8fe5286db3e1 < 5724e82df4f9a4be62908362c97d522d25de75ddaffected
LinuxLinux2f3fdcd7ce935f6f2899ceab57dc8fe5286db3e1 < 35b6fc51c666fc96355be5cd633ed0fe4ccf68b2affected
LinuxLinux3.14affected
LinuxLinux0 < 3.14unaffected
LinuxLinux5.4.297 <= 5.4.*unaffected
LinuxLinux5.10.241 <= 5.10.*unaffected
LinuxLinux5.15.190 <= 5.15.*unaffected
LinuxLinux6.1.149 <= 6.1.*unaffected
LinuxLinux6.6.103 <= 6.6.*unaffected
LinuxLinux6.12.43 <= 6.12.*unaffected
LinuxLinux6.15.11 <= 6.15.*unaffected
LinuxLinux6.16.2 <= 6.16.*unaffected
LinuxLinux6.17 <= *unaffected

Weaknesses

ADP Enrichment

CVE Program Container

Additional References

Additional References

References