CVE-2025-68332 (GCVE-0-2025-68332)

Vulnerability from cvelistv5 – Published: 2025-12-22 16:14 – Updated: 2025-12-22 16:14
VLAI?
Title
comedi: c6xdigio: Fix invalid PNP driver unregistration
Summary
In the Linux kernel, the following vulnerability has been resolved: comedi: c6xdigio: Fix invalid PNP driver unregistration The Comedi low-level driver "c6xdigio" seems to be for a parallel port connected device. When the Comedi core calls the driver's Comedi "attach" handler `c6xdigio_attach()` to configure a Comedi to use this driver, it tries to enable the parallel port PNP resources by registering a PNP driver with `pnp_register_driver()`, but ignores the return value. (The `struct pnp_driver` it uses has only the `name` and `id_table` members filled in.) The driver's Comedi "detach" handler `c6xdigio_detach()` unconditionally unregisters the PNP driver with `pnp_unregister_driver()`. It is possible for `c6xdigio_attach()` to return an error before it calls `pnp_register_driver()` and it is possible for the call to `pnp_register_driver()` to return an error (that is ignored). In both cases, the driver should not be calling `pnp_unregister_driver()` as it does in `c6xdigio_detach()`. (Note that `c6xdigio_detach()` will be called by the Comedi core if `c6xdigio_attach()` returns an error, or if the Comedi core decides to detach the Comedi device from the driver for some other reason.) The unconditional call to `pnp_unregister_driver()` without a previous successful call to `pnp_register_driver()` will cause `driver_unregister()` to issue a warning "Unexpected driver unregister!". This was detected by Syzbot [1]. Also, the PNP driver registration and unregistration should be done at module init and exit time, respectively, not when attaching or detaching Comedi devices to the driver. (There might be more than one Comedi device being attached to the driver, although that is unlikely.) Change the driver to do the PNP driver registration at module init time, and the unregistration at module exit time. Since `c6xdigio_detach()` now only calls `comedi_legacy_detach()`, remove the function and change the Comedi driver "detach" handler to `comedi_legacy_detach`. ------------------------------------------- [1] Syzbot sample crash report: Unexpected driver unregister! WARNING: CPU: 0 PID: 5970 at drivers/base/driver.c:273 driver_unregister drivers/base/driver.c:273 [inline] WARNING: CPU: 0 PID: 5970 at drivers/base/driver.c:273 driver_unregister+0x90/0xb0 drivers/base/driver.c:270 Modules linked in: CPU: 0 UID: 0 PID: 5970 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025 RIP: 0010:driver_unregister drivers/base/driver.c:273 [inline] RIP: 0010:driver_unregister+0x90/0xb0 drivers/base/driver.c:270 Code: 48 89 ef e8 c2 e6 82 fc 48 89 df e8 3a 93 ff ff 5b 5d e9 c3 6d d9 fb e8 be 6d d9 fb 90 48 c7 c7 e0 f8 1f 8c e8 51 a2 97 fb 90 <0f> 0b 90 90 5b 5d e9 a5 6d d9 fb e8 e0 f4 41 fc eb 94 e8 d9 f4 41 RSP: 0018:ffffc9000373f9a0 EFLAGS: 00010282 RAX: 0000000000000000 RBX: ffffffff8ff24720 RCX: ffffffff817b6ee8 RDX: ffff88807c932480 RSI: ffffffff817b6ef5 RDI: 0000000000000001 RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000 R10: 0000000000000001 R11: 0000000000000001 R12: ffffffff8ff24660 R13: dffffc0000000000 R14: 0000000000000000 R15: ffff88814cca0000 FS: 000055556dab1500(0000) GS:ffff8881249d9000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000055f77f285cd0 CR3: 000000007d871000 CR4: 00000000003526f0 Call Trace: <TASK> comedi_device_detach_locked+0x12f/0xa50 drivers/comedi/drivers.c:207 comedi_device_detach+0x67/0xb0 drivers/comedi/drivers.c:215 comedi_device_attach+0x43d/0x900 drivers/comedi/drivers.c:1011 do_devconfig_ioctl+0x1b1/0x710 drivers/comedi/comedi_fops.c:872 comedi_unlocked_ioctl+0x165d/0x2f00 drivers/comedi/comedi_fops.c:2178 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:597 [inline] __se_sys_ioctl fs/ioctl.c:583 [inline] __x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:583 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_sys ---truncated---
Severity ?
No CVSS data available.
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: 2c89e159cd2f386285e9522d6476dd7e801bee22 , < 9fd8c8ad35c8d2390ce5ca2eb523c044bebdc072 (git)
Affected: 2c89e159cd2f386285e9522d6476dd7e801bee22 , < 698149d797d0178162f394c55d4ed52aa0e0b7f6 (git)
Affected: 2c89e159cd2f386285e9522d6476dd7e801bee22 , < 888f7e2847bcb9df8257e656e1e837828942c53b (git)
Affected: 2c89e159cd2f386285e9522d6476dd7e801bee22 , < 72262330f7b3ad2130e800cecf02adcce3c32c77 (git)
Create a notification for this product.
    Linux Linux Affected: 2.6.30
Unaffected: 0 , < 2.6.30 (semver)
Unaffected: 6.12.62 , ≤ 6.12.* (semver)
Unaffected: 6.17.12 , ≤ 6.17.* (semver)
Unaffected: 6.18.1 , ≤ 6.18.* (semver)
Unaffected: 6.19-rc1 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/comedi/drivers/c6xdigio.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "9fd8c8ad35c8d2390ce5ca2eb523c044bebdc072",
              "status": "affected",
              "version": "2c89e159cd2f386285e9522d6476dd7e801bee22",
              "versionType": "git"
            },
            {
              "lessThan": "698149d797d0178162f394c55d4ed52aa0e0b7f6",
              "status": "affected",
              "version": "2c89e159cd2f386285e9522d6476dd7e801bee22",
              "versionType": "git"
            },
            {
              "lessThan": "888f7e2847bcb9df8257e656e1e837828942c53b",
              "status": "affected",
              "version": "2c89e159cd2f386285e9522d6476dd7e801bee22",
              "versionType": "git"
            },
            {
              "lessThan": "72262330f7b3ad2130e800cecf02adcce3c32c77",
              "status": "affected",
              "version": "2c89e159cd2f386285e9522d6476dd7e801bee22",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/comedi/drivers/c6xdigio.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.30"
            },
            {
              "lessThan": "2.6.30",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.62",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.12",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.19-rc1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.62",
                  "versionStartIncluding": "2.6.30",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.12",
                  "versionStartIncluding": "2.6.30",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.1",
                  "versionStartIncluding": "2.6.30",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19-rc1",
                  "versionStartIncluding": "2.6.30",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncomedi: c6xdigio: Fix invalid PNP driver unregistration\n\nThe Comedi low-level driver \"c6xdigio\" seems to be for a parallel port\nconnected device.  When the Comedi core calls the driver\u0027s Comedi\n\"attach\" handler `c6xdigio_attach()` to configure a Comedi to use this\ndriver, it tries to enable the parallel port PNP resources by\nregistering a PNP driver with `pnp_register_driver()`, but ignores the\nreturn value.  (The `struct pnp_driver` it uses has only the `name` and\n`id_table` members filled in.)  The driver\u0027s Comedi \"detach\" handler\n`c6xdigio_detach()` unconditionally unregisters the PNP driver with\n`pnp_unregister_driver()`.\n\nIt is possible for `c6xdigio_attach()` to return an error before it\ncalls `pnp_register_driver()` and it is possible for the call to\n`pnp_register_driver()` to return an error (that is ignored).  In both\ncases, the driver should not be calling `pnp_unregister_driver()` as it\ndoes in `c6xdigio_detach()`.  (Note that `c6xdigio_detach()` will be\ncalled by the Comedi core if `c6xdigio_attach()` returns an error, or if\nthe Comedi core decides to detach the Comedi device from the driver for\nsome other reason.)\n\nThe unconditional call to `pnp_unregister_driver()` without a previous\nsuccessful call to `pnp_register_driver()` will cause\n`driver_unregister()` to issue a warning \"Unexpected driver\nunregister!\".  This was detected by Syzbot [1].\n\nAlso, the PNP driver registration and unregistration should be done at\nmodule init and exit time, respectively, not when attaching or detaching\nComedi devices to the driver.  (There might be more than one Comedi\ndevice being attached to the driver, although that is unlikely.)\n\nChange the driver to do the PNP driver registration at module init time,\nand the unregistration at module exit time.  Since `c6xdigio_detach()`\nnow only calls `comedi_legacy_detach()`, remove the function and change\nthe Comedi driver \"detach\" handler to `comedi_legacy_detach`.\n\n-------------------------------------------\n[1] Syzbot sample crash report:\nUnexpected driver unregister!\nWARNING: CPU: 0 PID: 5970 at drivers/base/driver.c:273 driver_unregister drivers/base/driver.c:273 [inline]\nWARNING: CPU: 0 PID: 5970 at drivers/base/driver.c:273 driver_unregister+0x90/0xb0 drivers/base/driver.c:270\nModules linked in:\nCPU: 0 UID: 0 PID: 5970 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full)\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025\nRIP: 0010:driver_unregister drivers/base/driver.c:273 [inline]\nRIP: 0010:driver_unregister+0x90/0xb0 drivers/base/driver.c:270\nCode: 48 89 ef e8 c2 e6 82 fc 48 89 df e8 3a 93 ff ff 5b 5d e9 c3 6d d9 fb e8 be 6d d9 fb 90 48 c7 c7 e0 f8 1f 8c e8 51 a2 97 fb 90 \u003c0f\u003e 0b 90 90 5b 5d e9 a5 6d d9 fb e8 e0 f4 41 fc eb 94 e8 d9 f4 41\nRSP: 0018:ffffc9000373f9a0 EFLAGS: 00010282\nRAX: 0000000000000000 RBX: ffffffff8ff24720 RCX: ffffffff817b6ee8\nRDX: ffff88807c932480 RSI: ffffffff817b6ef5 RDI: 0000000000000001\nRBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000\nR10: 0000000000000001 R11: 0000000000000001 R12: ffffffff8ff24660\nR13: dffffc0000000000 R14: 0000000000000000 R15: ffff88814cca0000\nFS:  000055556dab1500(0000) GS:ffff8881249d9000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 000055f77f285cd0 CR3: 000000007d871000 CR4: 00000000003526f0\nCall Trace:\n \u003cTASK\u003e\n comedi_device_detach_locked+0x12f/0xa50 drivers/comedi/drivers.c:207\n comedi_device_detach+0x67/0xb0 drivers/comedi/drivers.c:215\n comedi_device_attach+0x43d/0x900 drivers/comedi/drivers.c:1011\n do_devconfig_ioctl+0x1b1/0x710 drivers/comedi/comedi_fops.c:872\n comedi_unlocked_ioctl+0x165d/0x2f00 drivers/comedi/comedi_fops.c:2178\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:597 [inline]\n __se_sys_ioctl fs/ioctl.c:583 [inline]\n __x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:583\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_sys\n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-22T16:14:10.146Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/9fd8c8ad35c8d2390ce5ca2eb523c044bebdc072"
        },
        {
          "url": "https://git.kernel.org/stable/c/698149d797d0178162f394c55d4ed52aa0e0b7f6"
        },
        {
          "url": "https://git.kernel.org/stable/c/888f7e2847bcb9df8257e656e1e837828942c53b"
        },
        {
          "url": "https://git.kernel.org/stable/c/72262330f7b3ad2130e800cecf02adcce3c32c77"
        }
      ],
      "title": "comedi: c6xdigio: Fix invalid PNP driver unregistration",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-68332",
    "datePublished": "2025-12-22T16:14:10.146Z",
    "dateReserved": "2025-12-16T14:48:05.297Z",
    "dateUpdated": "2025-12-22T16:14:10.146Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-68332\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-12-22T17:16:00.910\",\"lastModified\":\"2025-12-23T14:51:52.650\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\ncomedi: c6xdigio: Fix invalid PNP driver unregistration\\n\\nThe Comedi low-level driver \\\"c6xdigio\\\" seems to be for a parallel port\\nconnected device.  When the Comedi core calls the driver\u0027s Comedi\\n\\\"attach\\\" handler `c6xdigio_attach()` to configure a Comedi to use this\\ndriver, it tries to enable the parallel port PNP resources by\\nregistering a PNP driver with `pnp_register_driver()`, but ignores the\\nreturn value.  (The `struct pnp_driver` it uses has only the `name` and\\n`id_table` members filled in.)  The driver\u0027s Comedi \\\"detach\\\" handler\\n`c6xdigio_detach()` unconditionally unregisters the PNP driver with\\n`pnp_unregister_driver()`.\\n\\nIt is possible for `c6xdigio_attach()` to return an error before it\\ncalls `pnp_register_driver()` and it is possible for the call to\\n`pnp_register_driver()` to return an error (that is ignored).  In both\\ncases, the driver should not be calling `pnp_unregister_driver()` as it\\ndoes in `c6xdigio_detach()`.  (Note that `c6xdigio_detach()` will be\\ncalled by the Comedi core if `c6xdigio_attach()` returns an error, or if\\nthe Comedi core decides to detach the Comedi device from the driver for\\nsome other reason.)\\n\\nThe unconditional call to `pnp_unregister_driver()` without a previous\\nsuccessful call to `pnp_register_driver()` will cause\\n`driver_unregister()` to issue a warning \\\"Unexpected driver\\nunregister!\\\".  This was detected by Syzbot [1].\\n\\nAlso, the PNP driver registration and unregistration should be done at\\nmodule init and exit time, respectively, not when attaching or detaching\\nComedi devices to the driver.  (There might be more than one Comedi\\ndevice being attached to the driver, although that is unlikely.)\\n\\nChange the driver to do the PNP driver registration at module init time,\\nand the unregistration at module exit time.  Since `c6xdigio_detach()`\\nnow only calls `comedi_legacy_detach()`, remove the function and change\\nthe Comedi driver \\\"detach\\\" handler to `comedi_legacy_detach`.\\n\\n-------------------------------------------\\n[1] Syzbot sample crash report:\\nUnexpected driver unregister!\\nWARNING: CPU: 0 PID: 5970 at drivers/base/driver.c:273 driver_unregister drivers/base/driver.c:273 [inline]\\nWARNING: CPU: 0 PID: 5970 at drivers/base/driver.c:273 driver_unregister+0x90/0xb0 drivers/base/driver.c:270\\nModules linked in:\\nCPU: 0 UID: 0 PID: 5970 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full)\\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025\\nRIP: 0010:driver_unregister drivers/base/driver.c:273 [inline]\\nRIP: 0010:driver_unregister+0x90/0xb0 drivers/base/driver.c:270\\nCode: 48 89 ef e8 c2 e6 82 fc 48 89 df e8 3a 93 ff ff 5b 5d e9 c3 6d d9 fb e8 be 6d d9 fb 90 48 c7 c7 e0 f8 1f 8c e8 51 a2 97 fb 90 \u003c0f\u003e 0b 90 90 5b 5d e9 a5 6d d9 fb e8 e0 f4 41 fc eb 94 e8 d9 f4 41\\nRSP: 0018:ffffc9000373f9a0 EFLAGS: 00010282\\nRAX: 0000000000000000 RBX: ffffffff8ff24720 RCX: ffffffff817b6ee8\\nRDX: ffff88807c932480 RSI: ffffffff817b6ef5 RDI: 0000000000000001\\nRBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000\\nR10: 0000000000000001 R11: 0000000000000001 R12: ffffffff8ff24660\\nR13: dffffc0000000000 R14: 0000000000000000 R15: ffff88814cca0000\\nFS:  000055556dab1500(0000) GS:ffff8881249d9000(0000) knlGS:0000000000000000\\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\nCR2: 000055f77f285cd0 CR3: 000000007d871000 CR4: 00000000003526f0\\nCall Trace:\\n \u003cTASK\u003e\\n comedi_device_detach_locked+0x12f/0xa50 drivers/comedi/drivers.c:207\\n comedi_device_detach+0x67/0xb0 drivers/comedi/drivers.c:215\\n comedi_device_attach+0x43d/0x900 drivers/comedi/drivers.c:1011\\n do_devconfig_ioctl+0x1b1/0x710 drivers/comedi/comedi_fops.c:872\\n comedi_unlocked_ioctl+0x165d/0x2f00 drivers/comedi/comedi_fops.c:2178\\n vfs_ioctl fs/ioctl.c:51 [inline]\\n __do_sys_ioctl fs/ioctl.c:597 [inline]\\n __se_sys_ioctl fs/ioctl.c:583 [inline]\\n __x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:583\\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\\n do_sys\\n---truncated---\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/698149d797d0178162f394c55d4ed52aa0e0b7f6\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/72262330f7b3ad2130e800cecf02adcce3c32c77\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/888f7e2847bcb9df8257e656e1e837828942c53b\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/9fd8c8ad35c8d2390ce5ca2eb523c044bebdc072\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.