CVE-2025-38687

Severity (CVSS v4.0): Pending analysis
Type: CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
Publication date: 04/09/2025
Last modified: 09/01/2026

Description

In the Linux kernel, the following vulnerability has been resolved:

comedi: fix race between polling and detaching

syzbot reports a use-after-free in comedi in the below link, which is due to comedi gladly removing the allocated async area even though poll requests are still active on the wait_queue_head inside of it. This can cause a use-after-free when the poll entries are later triggered or removed, as the memory for the wait_queue_head has been freed. We need to check there are no tasks queued on any of the subdevices' wait queues before allowing the device to be detached by the `COMEDI_DEVCONFIG` ioctl.

Tasks will read-lock `dev->attach_lock` before adding themselves to the subdevice wait queue, so fix the problem in the `COMEDI_DEVCONFIG` ioctl handler by write-locking `dev->attach_lock` before checking that all of the subdevices are safe to be deleted. This includes testing for any sleepers on the subdevices' wait queues. It remains locked until the device has been detached. This requires the `comedi_device_detach()` function to be refactored slightly, moving the bulk of it into new function `comedi_device_detach_locked()`.

Note that the refactor of `comedi_device_detach()` results in `comedi_device_cancel_all()` now being called while `dev->attach_lock` is write-locked, which wasn't the case previously, but that does not matter.

Thanks to Jens Axboe for diagnosing the problem and co-developing this patch.

Vulnerable products and versions

CPE                                                From               Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*       3.14 (including)   5.4.297 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*       5.5 (including)    5.10.241 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*       5.11 (including)   5.15.190 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*       5.16 (including)   6.1.149 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*       6.2 (including)    6.6.103 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*       6.7 (including)    6.12.43 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*       6.13 (including)   6.15.11 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*       6.16 (including)   6.16.2 (excluding)
cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*   (not given)        (not given)