In the Linux kernel, the following vulnerability has been resolved:
comedi: c6xdigio: Fix invalid PNP driver unregistration
The Comedi low-level driver "c6xdigio" seems to be for a parallel port
connected device. When the Comedi core calls the driver's Comedi
"attach" handler c6xdigio_attach() to configure a Comedi to use this
driver, it tries to enable the parallel port PNP resources by
registering a PNP driver with pnp_register_driver(), but ignores the
return value. (The struct pnp_driver it uses has only the name and
id_table members filled in.) The driver's Comedi "detach" handler
c6xdigio_detach() unconditionally unregisters the PNP driver with
pnp_unregister_driver().
It is possible for c6xdigio_attach() to return an error before it
calls pnp_register_driver() and it is possible for the call to
pnp_register_driver() to return an error (that is ignored). In both
cases, the driver should not be calling pnp_unregister_driver() as it
does in c6xdigio_detach(). (Note that c6xdigio_detach() will be
called by the Comedi core if c6xdigio_attach() returns an error, or if
the Comedi core decides to detach the Comedi device from the driver for
some other reason.)
The unconditional call to pnp_unregister_driver() without a previous
successful call to pnp_register_driver() will cause
driver_unregister() to issue a warning "Unexpected driver
unregister!". This was detected by Syzbot [1].
Also, the PNP driver registration and unregistration should be done at module init and exit time, respectively, not when attaching or detaching Comedi devices to the driver. (There might be more than one Comedi device being attached to the driver, although that is unlikely.)
Change the driver to do the PNP driver registration at module init time,
and the unregistration at module exit time. Since c6xdigio_detach()
now only calls comedi_legacy_detach(), remove the function and change
the Comedi driver "detach" handler to...