Re: [syzbot] [comedi?] BUG: unable to handle kernel paging request in dt2815_attach

All of lore.kernel.org
 help / color / mirror / Atom feed

From: syzbot <syzbot+72f94b474d6e50b71ffc@syzkaller.appspotmail.com>
To: kartikey406@gmail.com, linux-kernel@vger.kernel.org,
	 syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] [comedi?] BUG: unable to handle kernel paging request in dt2815_attach
Date: Sun, 25 Jan 2026 22:04:04 -0800	[thread overview]
Message-ID: <697703d4.050a0220.1d05e9.000e.GAE@google.com> (raw)
In-Reply-To: <20260126054835.7392-1-kartikey406@gmail.com>

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: unable to handle kernel NULL pointer dereference in dt2815_attach

BUG: kernel NULL pointer dereference, address: 0000000000000390
#PF: supervisor write access in kernel mode
#PF: error_code(0x0002) - not-present page
PGD 365dc067 P4D 365dc067 PUD 0 
Oops: Oops: 0002 [#1] SMP KASAN NOPTI
CPU: 0 UID: 0 PID: 5841 Comm: syz.0.18 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
RIP: 0010:__outb arch/x86/include/asm/shared/io.h:22 [inline]
RIP: 0010:dt2815_attach+0x4f3/0xa40 drivers/comedi/drivers/dt2815.c:179
Code: 24 4c 8d b8 d0 01 00 00 4c 89 fb 48 c1 eb 03 42 80 3c 2b 00 74 08 4c 89 ff e8 a9 00 4c f9 48 8b 04 24 8b 90 d0 01 00 00 ff c2 <31> 66 90 bf e8 03 00 00 be b8 0b 00 00 ba 02 00 00 00 e8 56 0a 9e
RSP: 0018:ffffc90002befa88 EFLAGS: 00010206
RAX: ffff888040c87000 RBX: 1ffff11008190e3a RCX: 0000000000000000
RDX: 000000000000007e RSI: 0000000000000400 RDI: 0000000000000000
RBP: 0000000000000400 R08: 0000000000000dc0 R09: 00000000ffffffff
R10: 000000000000000a R11: ffffffff81ae5bd0 R12: ffffc90002befc04
R13: dffffc0000000000 R14: ffffc90002befbc0 R15: ffff888040c871d0
FS:  00007fa9eb7d96c0(0000) GS:ffff88808cf1b000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000390 CR3: 00000000595eb000 CR4: 0000000000352ef0
Call Trace:
 <TASK>
 comedi_device_attach+0x51f/0x720 drivers/comedi/drivers.c:1069
 do_devconfig_ioctl drivers/comedi/comedi_fops.c:928 [inline]
 comedi_unlocked_ioctl+0x701/0x1240 drivers/comedi/comedi_fops.c:2240
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:597 [inline]
 __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:583
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xe2/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fa9ea99acb9
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fa9eb7d9028 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007fa9eac15fa0 RCX: 00007fa9ea99acb9
RDX: 0000200000000080 RSI: 0000000040946400 RDI: 0000000000000003
RBP: 00007fa9eaa08bf7 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fa9eac16038 R14: 00007fa9eac15fa0 R15: 00007fff0dbc24e8
 </TASK>
Modules linked in:
CR2: 0000000000000390
---[ end trace 0000000000000000 ]---
RIP: 0010:__outb arch/x86/include/asm/shared/io.h:22 [inline]
RIP: 0010:dt2815_attach+0x4f3/0xa40 drivers/comedi/drivers/dt2815.c:179
Code: 24 4c 8d b8 d0 01 00 00 4c 89 fb 48 c1 eb 03 42 80 3c 2b 00 74 08 4c 89 ff e8 a9 00 4c f9 48 8b 04 24 8b 90 d0 01 00 00 ff c2 <31> 66 90 bf e8 03 00 00 be b8 0b 00 00 ba 02 00 00 00 e8 56 0a 9e
RSP: 0018:ffffc90002befa88 EFLAGS: 00010206
RAX: ffff888040c87000 RBX: 1ffff11008190e3a RCX: 0000000000000000
RDX: 000000000000007e RSI: 0000000000000400 RDI: 0000000000000000
RBP: 0000000000000400 R08: 0000000000000dc0 R09: 00000000ffffffff
R10: 000000000000000a R11: ffffffff81ae5bd0 R12: ffffc90002befc04
R13: dffffc0000000000 R14: ffffc90002befbc0 R15: ffff888040c871d0
FS:  00007fa9eb7d96c0(0000) GS:ffff88808cf1b000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000390 CR3: 00000000595eb000 CR4: 0000000000352ef0
----------------
Code disassembly (best guess):
   0:	24 4c                	and    $0x4c,%al
   2:	8d b8 d0 01 00 00    	lea    0x1d0(%rax),%edi
   8:	4c 89 fb             	mov    %r15,%rbx
   b:	48 c1 eb 03          	shr    $0x3,%rbx
   f:	42 80 3c 2b 00       	cmpb   $0x0,(%rbx,%r13,1)
  14:	74 08                	je     0x1e
  16:	4c 89 ff             	mov    %r15,%rdi
  19:	e8 a9 00 4c f9       	call   0xf94c00c7
  1e:	48 8b 04 24          	mov    (%rsp),%rax
  22:	8b 90 d0 01 00 00    	mov    0x1d0(%rax),%edx
  28:	ff c2                	inc    %edx
* 2a:	31 66 90             	xor    %esp,-0x70(%rsi) <-- trapping instruction
  2d:	bf e8 03 00 00       	mov    $0x3e8,%edi
  32:	be b8 0b 00 00       	mov    $0xbb8,%esi
  37:	ba 02 00 00 00       	mov    $0x2,%edx
  3c:	e8                   	.byte 0xe8
  3d:	56                   	push   %rsi
  3e:	0a                   	.byte 0xa
  3f:	9e                   	sahf


Tested on:

commit:         63804fed Linux 6.19-rc7
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1083f294580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=e2e5d7c9c1e01cf4
dashboard link: https://syzkaller.appspot.com/bug?extid=72f94b474d6e50b71ffc
compiler:       Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
patch:          https://syzkaller.appspot.com/x/patch.diff?x=164bfe8a580000

next      parent reply	other threads:[~2026-01-26  6:04 UTC|newest]

Thread overview: 5+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <20260126054835.7392-1-kartikey406@gmail.com>
2026-01-26  6:04 ` syzbot [this message]
     [not found] <20260126064243.10298-1-kartikey406@gmail.com>
2026-01-26  7:04 ` [syzbot] [comedi?] BUG: unable to handle kernel paging request in dt2815_attach syzbot
     [not found] <20260126061729.9345-1-kartikey406@gmail.com>
2026-01-26  6:33 ` syzbot
     [not found] <20260126051936.5684-1-kartikey406@gmail.com>
2026-01-26  5:36 ` syzbot
2026-01-24  6:45 syzbot

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=697703d4.050a0220.1d05e9.000e.GAE@google.com \
    --to=syzbot+72f94b474d6e50b71ffc@syzkaller.appspotmail.com \
    --cc=kartikey406@gmail.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=syzkaller-bugs@googlegroups.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.