CVE-2025-68335

Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 22/12/2025
Last modified: 19/01/2026

Description

In the Linux kernel, the following vulnerability has been resolved:

comedi: pcl818: fix null-ptr-deref in pcl818_ai_cancel()

Syzbot identified an issue [1] in pcl818_ai_cancel(), which stems from
the fact that in case of early device detach via pcl818_detach(),
subdevice dev->read_subdev may not have initialized its pointer to
&struct comedi_async as intended. Thus, any such dereferencing of
&s->async->cmd will lead to general protection fault and kernel crash.

Mitigate this problem by removing a call to pcl818_ai_cancel() from
pcl818_detach() altogether. This way, if the subdevice sets up its
support for async commands, everything async-related will be
handled via subdevice's own ->cancel() function in
comedi_device_detach_locked() even before pcl818_detach(). If no
support for asynchronous commands is provided, there is no need
to cancel anything either.

[1] Syzbot crash:
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000005: 0000 [#1] SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f]
CPU: 1 UID: 0 PID: 6050 Comm: syz.0.18 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025
RIP: 0010:pcl818_ai_cancel+0x69/0x3f0 drivers/comedi/drivers/pcl818.c:762
...
Call Trace:
pcl818_detach+0x66/0xd0 drivers/comedi/drivers/pcl818.c:1115
comedi_device_detach_locked+0x178/0x750 drivers/comedi/drivers.c:207
do_devconfig_ioctl drivers/comedi/comedi_fops.c:848 [inline]
comedi_unlocked_ioctl+0xcde/0x1020 drivers/comedi/comedi_fops.c:2178
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
...
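
The detach ordering described above, as an added userspace C model (not kernel code and not part of the original advisory). The struct layouts, the helper names and the -1 return that stands in for the fault are assumptions of the model.

```c
#include <stdio.h>

/* Simplified userspace stand-ins for the comedi structures (assumed model). */
struct cmd { int stop_src; };
struct async { struct cmd cmd; };
struct subdev {
    struct async *async;              /* NULL until async command support is set up */
    int (*cancel)(struct subdev *s);  /* the subdevice's own ->cancel() */
    int cancelled;
};
struct device { struct subdev *read_subdev; };

/* Models pcl818_ai_cancel(); the NULL test exists only here and marks the would-be fault. */
static int ai_cancel(struct subdev *s)
{
    if (!s->async)
        return -1;
    s->async->cmd.stop_src = 0;       /* the &s->async->cmd access from the description */
    s->cancelled = 1;
    return 0;
}

/* Core detach step: only subdevices that have async state get ->cancel(). */
static int core_cancel_all(struct device *dev)
{
    struct subdev *s = dev->read_subdev;
    return (s && s->async && s->cancel) ? s->cancel(s) : 0;
}
/* Driver detach before the fix (unconditional cancel) and after it (no cancel call). */
static int driver_detach_before(struct device *dev) { return ai_cancel(dev->read_subdev); }
static int driver_detach_after(struct device *dev) { (void)dev; return 0; }

/* Core cancel, then driver detach: -1 = would-be fault, 1 = cancelled, 0 = nothing to cancel. */
static int run_case(int async_ready, int fixed)
{
    struct async a = { { 0 } };
    struct subdev s = { async_ready ? &a : NULL, ai_cancel, 0 };
    struct device dev = { &s };
    if (core_cancel_all(&dev) < 0 || (fixed ? driver_detach_after : driver_detach_before)(&dev) < 0)
        return -1;
    return s.cancelled;
}

int main(void)
{
    printf("early detach: before fix %d, after fix %d\n", run_case(0, 0), run_case(0, 1));
    printf("full attach:  before fix %d, after fix %d\n", run_case(1, 0), run_case(1, 1));
    return 0;
}
```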

Impact