lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <2025120427-elves-stinging-843d@gregkh>
Date: Thu, 4 Dec 2025 16:35:22 +0100
From: gregkh <gregkh@...uxfoundation.org>
To: 李天宇 <2200013188@....pku.edu.cn>
Cc: linux-kernel <linux-kernel@...r.kernel.org>, rafael <rafael@...nel.org>,
	dakr <dakr@...nel.org>, abbotti <abbotti@....co.uk>,
	hsweeten <hsweeten@...ionengravers.com>,
	xujiakai2025 <xujiakai2025@...as.ac.cn>,
	"zhaoruilin22@...ls.ucas.ac.cn" <zhaoruilin22@...ls.ucas.ac.cn>
Subject: Re: [BUG] WARN "Unexpected driver unregister!" when configuring
 c6xdigio via COMEDI_DEVCONFIG

On Thu, Dec 04, 2025 at 11:00:51PM +0800, 李天宇 wrote:
> Hello maintainers,
> 
> I encountered a WARN in driver_unregister (drivers/base/driver.c:273) when configuring the c6xdigio COMEDI driver via ioctl(COMEDI_DEVCONFIG). This issue is first found on Linux 6.18-rc6 via a fuzzing framework and later confirmed reproducible on Linux v6.18.
> 
> Based on the call trace and source review, the path appears to be:
> 
>     - drivers/comedi/drivers.c:207: dev-&gt;driver-&gt;detach(dev) (detach is set as c6xdigio_detach in c6xdigio.c:290)
>     - drivers/comedi/drivers/c6xdigio.c:283: pnp_unregister_driver()
>     - drivers/pnp/driver.c:286: driver_unregister()
>     - drivers/base/driver.c:273: WARN triggered
> 
> The WARN occurs because driver_unregister() finds drv-&gt;p == NULL and prints:
>     WARN(1, "Unexpected driver unregister!\n");
> 
> It seems the attach process fails early (e.g. due to a request-region conflict), but the detach path still calls pnp_unregister_driver() unconditionally. If pnp_register_driver() was never successful, calling unregister on an unregistered driver results in driver_unregister() being invoked with drv-&gt;p == NULL, which leads to the warning.
> 
> Related information is listed below:
> 
>     Kernel source: https://cdn.kernel.org/pub/linux/kernel/v6.x/linux-6.18.tar.xz
>     Kernel configuration: https://github.com/j1akai/KConfigFuzz_bug/raw/refs/heads/main/x86/mainline-config
>     Kernel log: https://github.com/Wxm-233/KConfigFuzz_crashes/raw/refs/heads/main/b42a57a980ac99dba76418f8daaa80e2a90831a1/report0
>     Reproduction C code: https://github.com/Wxm-233/KConfigFuzz_crashes/raw/refs/heads/main/b42a57a980ac99dba76418f8daaa80e2a90831a1/repro.cprog
>     Syscall sequence for reproduction (more precise): https://github.com/Wxm-233/KConfigFuzz_crashes/raw/refs/heads/main/b42a57a980ac99dba76418f8daaa80e2a90831a1/repro.prog
>     GCC info: https://github.com/Wxm-233/KConfigFuzz_crashes/raw/refs/heads/main/b42a57a980ac99dba76418f8daaa80e2a90831a1/gccinfo
> 
> I hope this report helps in identifying and resolving the issue. Thanks for your time and attention.

Can you make up a patch that properly checks the return value of
pnp_register_driver() and handles it and submit it to resolve this
issue?  As you have a reproducer, that's the best way to get this
resolved, and you get full credit for fixing the issue.

Also, do you really have any pnp hardware?  That's some really old
stuff, or is this just fuzzing testing?

thanks,

greg k-h

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ