CVE-2025-68332

In the Linux kernel, the following vulnerability has been resolved:

comedi: c6xdigio: Fix invalid PNP driver unregistration

The Comedi low-level driver "c6xdigio" seems to be for a parallel port connected device. When the Comedi core calls the driver's Comedi "attach" handler c6xdigio_attach() to configure a Comedi to use this driver, it tries to enable the parallel port PNP resources by registering a PNP driver with pnp_register_driver(), but ignores the return value. (The struct pnp_driver it uses has only the name and id_table members filled in.) The driver's Comedi "detach" handler c6xdigio_detach() unconditionally unregisters the PNP driver with pnp_unregister_driver().

It is possible for c6xdigio_attach() to return an error before it calls pnp_register_driver() and it is possible for the call to pnp_register_driver() to return an error (that is ignored). In both cases, the driver should not be calling pnp_unregister_driver() as it does in c6xdigio_detach(). (Note that c6xdigio_detach() will be called by the Comedi core if c6xdigio_attach() returns an error, or if the Comedi core decides to detach the Comedi device from the driver for some other reason.)

The unconditional call to pnp_unregister_driver() without a previous successful call to pnp_register_driver() will cause driver_unregister() to issue a warning "Unexpected driver unregister!". This was detected by Syzbot [1].

Also, the PNP driver registration and unregistration should be done at module init and exit time, respectively, not when attaching or detaching Comedi devices to the driver. (There might be more than one Comedi device being attached to the driver, although that is unlikely.)

Change the driver to do the PNP driver registration at module init time, and the unregistration at module exit time. Since c6xdigio_detach() now only calls comedi_legacy_detach(), remove the function and change the Comedi driver "detach" handler to comedi_legacy_detach.

[1] Syzbot sample crash report: Unexpected driver unregister! WARNING: CPU: 0 PID: 5970 at drivers/base/driver.c:273 driverunregister drivers/base/driver.c:273 [inline] WARNING: CPU: 0 PID: 5970 at drivers/base/driver.c:273 driverunregister+0x90/0xb0 drivers/base/driver.c:270 Modules linked in: CPU: 0 UID: 0 PID: 5970 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025 RIP: 0010:driverunregister drivers/base/driver.c:273 [inline] RIP: 0010:driverunregister+0x90/0xb0 drivers/base/driver.c:270 Code: 48 89 ef e8 c2 e6 82 fc 48 89 df e8 3a 93 ff ff 5b 5d e9 c3 6d d9 fb e8 be 6d d9 fb 90 48 c7 c7 e0 f8 1f 8c e8 51 a2 97 fb 90 <0f> 0b 90 90 5b 5d e9 a5 6d d9 fb e8 e0 f4 41 fc eb 94 e8 d9 f4 41 RSP: 0018:ffffc9000373f9a0 EFLAGS: 00010282 RAX: 0000000000000000 RBX: ffffffff8ff24720 RCX: ffffffff817b6ee8 RDX: ffff88807c932480 RSI: ffffffff817b6ef5 RDI: 0000000000000001 RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000 R10: 0000000000000001 R11: 0000000000000001 R12: ffffffff8ff24660 R13: dffffc0000000000 R14: 0000000000000000 R15: ffff88814cca0000 FS: 000055556dab1500(0000) GS:ffff8881249d9000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000055f77f285cd0 CR3: 000000007d871000 CR4: 00000000003526f0 Call Trace: <TASK> comedidevicedetachlocked+0x12f/0xa50 drivers/comedi/drivers.c:207 comedidevicedetach+0x67/0xb0 drivers/comedi/drivers.c:215 comedideviceattach+0x43d/0x900 drivers/comedi/drivers.c:1011 dodevconfigioctl+0x1b1/0x710 drivers/comedi/comedifops.c:872 comediunlockedioctl+0x165d/0x2f00 drivers/comedi/comedifops.c:2178 vfsioctl fs/ioctl.c:51 [inline] __dosysioctl fs/ioctl.c:597 [inline] __sesysioctl fs/ioctl.c:583 [inline] __x64sysioctl+0x18e/0x210 fs/ioctl.c:583 dosyscallx64 arch/x86/entry/syscall64.c:63 [inline] dosys ---truncated---