CVE-2025-39686

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
05/09/2025
Last modified:
08/09/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

comedi: Make insn_rw_emulate_bits() do insn->n samples

The `insn_rw_emulate_bits()` function is used as a default handler for `INSN_READ` instructions for subdevices that have a handler for `INSN_BITS` but not for `INSN_READ`. Similarly, it is used as a default handler for `INSN_WRITE` instructions for subdevices that have a handler for `INSN_BITS` but not for `INSN_WRITE`. It works by emulating the `INSN_READ` or `INSN_WRITE` instruction handling with a constructed `INSN_BITS` instruction. However, `INSN_READ` and `INSN_WRITE` instructions are supposed to be able to read or write multiple samples, indicated by the `insn->n` value, but `insn_rw_emulate_bits()` currently only handles a single sample. For `INSN_READ`, the comedi core will copy `insn->n` samples back to user-space. (That triggered KASAN kernel-infoleak errors when `insn->n` was greater than 1, but that is being fixed more generally elsewhere in the comedi core.)

Make `insn_rw_emulate_bits()` either handle `insn->n` samples, or return an error, to conform to the general expectation for `INSN_READ` and `INSN_WRITE` handlers.
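The mismatch described above, as an added user-space model (not code from the kernel or from the fix): a single-sample emulation leaves the rest of an `n`-sample buffer unwritten, while a per-sample loop does not. All names here (`model_insn`, `model_bits`, `emulate_single`, `emulate_all`, `POISON`) and the return value of 1 are assumptions made for illustration.

```c
#define POISON 0xA5A5A5A5u          /* constructed marker for "never written" */
enum { MODEL_READ, MODEL_WRITE };   /* hypothetical stand-ins for INSN_READ / INSN_WRITE */
struct model_insn { int kind; unsigned int n; unsigned int chan; };
typedef int (*emu_fn)(const struct model_insn *, unsigned int *);
static unsigned int line_state;     /* constructed device state, one bit per channel */
/* Stand-in for a subdevice's INSN_BITS handler: data[0] = mask, data[1] = bits. */
static int model_bits(unsigned int *data)
{
    line_state = (line_state & ~data[0]) | (data[1] & data[0]);
    data[1] = line_state;
    return 2;
}

/* "Before" model: one sample is handled whatever insn->n says (return value assumed). */
static int emulate_single(const struct model_insn *insn, unsigned int *data)
{
    unsigned int bit = 1u << insn->chan, bits[2] = { 0, 0 };
    if (insn->kind == MODEL_WRITE) {
        bits[0] = bit;
        bits[1] = data[0] ? bit : 0;
    }
    model_bits(bits);
    if (insn->kind == MODEL_READ)
        data[0] = (bits[1] >> insn->chan) & 1u;
    return 1;
}

/* "After" model: each of the insn->n samples goes through the bits handler. */
static int emulate_all(const struct model_insn *insn, unsigned int *data)
{
    for (unsigned int i = 0; i < insn->n; i++)
        emulate_single(insn, &data[i]);
    return (int)insn->n;
}

/* Models the caller: how many of the n samples copied back were never written? */
static unsigned int unwritten_after_read(emu_fn emu, unsigned int n)
{
    unsigned int buf[8], left = 0;
    if (n > 8) n = 8;               /* keep the model inside its fixed buffer */
    struct model_insn insn = { MODEL_READ, n, 3 };
    for (unsigned int i = 0; i < 8; i++)
        buf[i] = POISON;
    emu(&insn, buf);
    for (unsigned int i = 0; i < n; i++)
        left += (buf[i] == POISON);
    return left;
}

int main(void) { return unwritten_after_read(emulate_all, 4) != 0; }
```

The same check works as a regression test for any read handler: pre-fill the sample buffer with a marker and confirm none of the `n` returned samples still carries it.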

Impact