CVE-2025-68335

Source
https://cve.org/CVERecord?id=CVE-2025-68335
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-68335.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-68335
Published
2025-12-22T16:14:12.614Z
Modified
2026-03-20T12:46:22.524838Z
Summary
comedi: pcl818: fix null-ptr-deref in pcl818_ai_cancel()
Details

In the Linux kernel, the following vulnerability has been resolved:

comedi: pcl818: fix null-ptr-deref in pcl818_ai_cancel()

Syzbot identified an issue [1] in pcl818_ai_cancel(), which stems from the fact that in case of early device detach via pcl818_detach(), subdevice dev->read_subdev may not have initialized its pointer to &struct comedi_async as intended. Thus, any such dereferencing of &s->async->cmd will lead to general protection fault and kernel crash.

Mitigate this problem by removing a call to pcl818_ai_cancel() from pcl818_detach() altogether. This way, if the subdevice sets up its support for async commands, everything async-related will be handled via subdevice's own ->cancel() function in comedi_device_detach_locked() even before pcl818_detach(). If no support for asynchronous commands is provided, there is no need to cancel anything either.

[1] Syzbot crash:
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000005: 0000 [#1] SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f]
CPU: 1 UID: 0 PID: 6050 Comm: syz.0.18 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025
RIP: 0010:pcl818_ai_cancel+0x69/0x3f0 drivers/comedi/drivers/pcl818.c:762
...
Call Trace:
 <TASK>
 pcl818_detach+0x66/0xd0 drivers/comedi/drivers/pcl818.c:1115
 comedi_device_detach_locked+0x178/0x750 drivers/comedi/drivers.c:207
 do_devconfig_ioctl drivers/comedi/comedi_fops.c:848 [inline]
 comedi_unlocked_ioctl+0xcde/0x1020 drivers/comedi/comedi_fops.c:2178
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:597 [inline]
 ...

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/68xxx/CVE-2025-68335.json"
}
Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
00aba6e7b5653a6607238ecdab7172318059d984
Fixed
b2a5b172dc05be6c4f2c5542c1bbc6b14d60ff16
Fixed
935ad4b3c325c24fff2c702da403283025ffc722
Fixed
88d99ca5adbd01ff088f5fb2ddeba5755e085e52
Fixed
5caa40e7c6a43e08e3574f990865127705c22861
Fixed
d948c53dec36dafe182631457597c49c1f1df5ea
Fixed
877adccfacb32687b90714a27cfb09f444fdfa16
Fixed
a51f025b5038abd3d22eed2ede4cd46793d89565

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-68335.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.15.0
Fixed
5.15.198
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
6.1.160
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.6.120
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.62
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.17.12
Type
ECOSYSTEM
Events
Introduced
6.18.0
Fixed
6.18.1

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-68335.json"