From: syzbot <syzbot+f6c3c066162d2c43a66c@syzkaller.appspotmail.com>
To: kartikey406@gmail.com
Cc: kartikey406@gmail.com, stable@vger.kernel.org,
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com
Subject: Re: [PATCH] comedi: fix divide-by-zero in comedi_buf_munge()
Date: Tue, 23 Sep 2025 18:47:32 -0700
Message-ID: <68d34db4.a70a0220.1b52b.02bc.GAE@google.com>
In-Reply-To: <20250924014724.1097866-1-kartikey406@gmail.com>
> #syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
This crash does not have a reproducer. I cannot test it.
>
> The comedi_buf_munge() function performs a modulo operation
> `async->munge_chan %= async->cmd.chanlist_len` without first
> checking if chanlist_len is zero. If a user program submits
> a command with chanlist_len set to zero, this causes a
> divide-by-zero error when the device processes data in the
> interrupt handler path.
>
> Add a check for zero chanlist_len at the beginning of the
> function, similar to the existing checks for !map and
> CMDF_RAWDATA flag. When chanlist_len is zero, update
> munge_count and return early, indicating the data was
> handled without munging.
>
> This prevents potential kernel panics from malformed user commands.
>
> Reported-by: syzbot+f6c3c066162d2c43a66c@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=f6c3c066162d2c43a66c
> Cc: stable@vger.kernel.org
> Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
> ---
> drivers/comedi/comedi_buf.c | 5 +++++
> 1 file changed, 5 insertions(+)
>
> diff --git a/drivers/comedi/comedi_buf.c b/drivers/comedi/comedi_buf.c
> index 002c0e76baff..786f888299ce 100644
> --- a/drivers/comedi/comedi_buf.c
> +++ b/drivers/comedi/comedi_buf.c
> @@ -321,6 +321,11 @@ static unsigned int comedi_buf_munge(struct comedi_subdevice *s,
> async->munge_count += num_bytes;
> return num_bytes;
> }
> +
> + if (async->cmd.chanlist_len == 0) {
> + async->munge_count += num_bytes;
> + return num_bytes;
> + }
>
> /* don't munge partial samples */
> num_bytes -= num_bytes % num_sample_bytes;
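Review bot: the new early return in this hunk handles a zero chanlist_len by advancing munge_count and reporting the bytes as munged, which accepts the malformed command in the data path rather than rejecting it; since the commit message says chanlist_len comes from a user-submitted command, the more robust fix is to refuse a zero chanlist_len where the command is validated, or, if this guard must stay, the commit message should explain why a zero value reaches comedi_buf_munge() at all. A one-line comment above the new block, in the style of the existing `/* don't munge partial samples */`, would also make it clear to a later reader why unmunged bytes are counted as munged here.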
> --
> 2.43.0
>