CVE-2026-31750

Summary

In the Linux kernel, the following vulnerability has been resolved:

comedi: runflags cannot determine whether to reclaim chanlist

syzbot reported a memory leak [1], because commit 4e1da516debb ("comedi: Add reference counting for Comedi command handling") did not consider the exceptional exit case in do_cmd_ioctl() where runflags is not set. This caused chanlist not to be properly freed by do_become_nonbusy(), as it only frees chanlist when runflags is correctly set.

Added a check in do_become_nonbusy() for the case where runflags is not set, to properly free the chanlist memory.

[1] BUG: memory leak backtrace (crc 844a0efa): __comedi_get_user_chanlist drivers/comedi/comedi_fops.c:1815 [inline] do_cmd_ioctl.part.0+0x112/0x350 drivers/comedi/comedi_fops.c:1890 do_cmd_ioctl drivers/comedi/comedi_fops.c:1858 [inline]

Affected Software

VendorProductVersion RangeStatus
LinuxLinux4e1da516debbe6a573ffa0392e2809d180d0575c < 830c848aba9f047eb6b34288975ebeb8e8621451affected
LinuxLinux4e1da516debbe6a573ffa0392e2809d180d0575c < 29f644f14b89e6c4965e3c89251929e451190a66affected
LinuxLinux6.19affected
LinuxLinux0 < 6.19unaffected
LinuxLinux6.19.12 <= 6.19.*unaffected
LinuxLinux7.0 <= *unaffected

Weaknesses

References