[syzbot] [comedi?] BUG: unable to handle kernel paging request in dt2815_attach

[syzbot] [comedi?] BUG: unable to handle kernel paging request in dt2815_attach

[syzbot]

Hello,

syzbot found the following issue on:

HEAD commit:    c072629f05d7 Merge tag 'v6.19-p4' of git://git.kernel.org/..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=158b8bfa580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=e2e5d7c9c1e01cf4
dashboard link: https://syzkaller.appspot.com/bug?extid=72f94b474d6e50b71ffc
compiler:       Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=10144452580000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1434df9a580000

Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/d900f083ada3/non_bootable_disk-c072629f.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/bd5acf0ccc3e/vmlinux-c072629f.xz
kernel image: https://storage.googleapis.com/syzbot-assets/ab6178baf781/bzImage-c072629f.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+72f94b474d6e50b71ffc@syzkaller.appspotmail.com

BUG: unable to handle page fault for address: fffffffffffffff0
#PF: supervisor write access in kernel mode
#PF: error_code(0x0002) - not-present page
PGD e14b067 P4D e14b067 PUD e14d067 PMD 0 
Oops: Oops: 0002 [#1] SMP KASAN NOPTI
CPU: 0 UID: 0 PID: 5496 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
RIP: 0010:__outb arch/x86/include/asm/shared/io.h:22 [inline]
RIP: 0010:dt2815_attach+0x5a3/0x8f0 drivers/comedi/drivers/dt2815.c:199
Code: e6 83 e6 60 31 ff e8 0c 7d e3 f8 41 83 e4 60 74 35 e8 c1 78 e3 f8 42 80 3c 2b 00 74 08 4c 89 ff e8 32 0b 4c f9 41 8b 17 ff c2 <31> 66 90 83 fd 63 75 1e e9 96 00 00 00 e8 9b 78 e3 f8 83 fd 63 75
RSP: 0018:ffffc90002a5fa78 EFLAGS: 00010206
RAX: ffffffff88df2f7f RBX: 1ffff110081a053a RCX: ffff888011d224c0
RDX: 000000000000007e RSI: 0000000000000060 RDI: 0000000000000000
RBP: 0000000000000001 R08: ffff888011d224c0 R09: 0000000000000002
R10: 0000000000000004 R11: 0000000000000000 R12: 0000000000000060
R13: dffffc0000000000 R14: ffffc90002a5fbc0 R15: ffff888040d029d0
FS:  000055555a3d0500(0000) GS:ffff88808cf1d000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: fffffffffffffff0 CR3: 0000000040fed000 CR4: 0000000000352ef0
Call Trace:
 <TASK>
 comedi_device_attach+0x51f/0x720 drivers/comedi/drivers.c:1069
 do_devconfig_ioctl drivers/comedi/comedi_fops.c:928 [inline]
 comedi_unlocked_ioctl+0x701/0x1240 drivers/comedi/comedi_fops.c:2240
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:597 [inline]
 __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:583
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xe2/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f975339acb9
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffc13841358 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f9753615fa0 RCX: 00007f975339acb9
RDX: 0000200000000080 RSI: 0000000040946400 RDI: 0000000000000003
RBP: 00007f9753408bf7 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f9753615fac R14: 00007f9753615fa0 R15: 00007f9753615fa0
 </TASK>
Modules linked in:
CR2: fffffffffffffff0
---[ end trace 0000000000000000 ]---
RIP: 0010:__outb arch/x86/include/asm/shared/io.h:22 [inline]
RIP: 0010:dt2815_attach+0x5a3/0x8f0 drivers/comedi/drivers/dt2815.c:199
Code: e6 83 e6 60 31 ff e8 0c 7d e3 f8 41 83 e4 60 74 35 e8 c1 78 e3 f8 42 80 3c 2b 00 74 08 4c 89 ff e8 32 0b 4c f9 41 8b 17 ff c2 <31> 66 90 83 fd 63 75 1e e9 96 00 00 00 e8 9b 78 e3 f8 83 fd 63 75
RSP: 0018:ffffc90002a5fa78 EFLAGS: 00010206
RAX: ffffffff88df2f7f RBX: 1ffff110081a053a RCX: ffff888011d224c0
RDX: 000000000000007e RSI: 0000000000000060 RDI: 0000000000000000
RBP: 0000000000000001 R08: ffff888011d224c0 R09: 0000000000000002
R10: 0000000000000004 R11: 0000000000000000 R12: 0000000000000060
R13: dffffc0000000000 R14: ffffc90002a5fbc0 R15: ffff888040d029d0
FS:  000055555a3d0500(0000) GS:ffff88808cf1d000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: fffffffffffffff0 CR3: 0000000040fed000 CR4: 0000000000352ef0
----------------
Code disassembly (best guess):
   0:	e6 83                	out    %al,$0x83
   2:	e6 60                	out    %al,$0x60
   4:	31 ff                	xor    %edi,%edi
   6:	e8 0c 7d e3 f8       	call   0xf8e37d17
   b:	41 83 e4 60          	and    $0x60,%r12d
   f:	74 35                	je     0x46
  11:	e8 c1 78 e3 f8       	call   0xf8e378d7
  16:	42 80 3c 2b 00       	cmpb   $0x0,(%rbx,%r13,1)
  1b:	74 08                	je     0x25
  1d:	4c 89 ff             	mov    %r15,%rdi
  20:	e8 32 0b 4c f9       	call   0xf94c0b57
  25:	41 8b 17             	mov    (%r15),%edx
  28:	ff c2                	inc    %edx
* 2a:	31 66 90             	xor    %esp,-0x70(%rsi) <-- trapping instruction
  2d:	83 fd 63             	cmp    $0x63,%ebp
  30:	75 1e                	jne    0x50
  32:	e9 96 00 00 00       	jmp    0xcd
  37:	e8 9b 78 e3 f8       	call   0xf8e378d7
  3c:	83 fd 63             	cmp    $0x63,%ebp
  3f:	75                   	.byte 0x75


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

Forwarded: [PATCH] comedi: dt2815: Add debug logging to diagnose iobase issue

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: [PATCH] comedi: dt2815: Add debug logging to diagnose iobase issue
Author: kartikey406@gmail.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master


Add comprehensive debug logging to dt2815_attach() to diagnose the
page fault crash reported by syzbot. The crash occurs at line 199
when attempting outb() operation, with a fault at address 0xfffffffffffffff0.

This debug patch will help determine:
- Whether it->options[0] is correctly passed
- If dev->iobase is properly set by comedi_request_region()
- If dev->iobase value changes during execution
- The exact status value that triggers the crash path

Once we identify the root cause from the logs, a proper fix will be
implemented.

Reported-by: syzbot+72f94b474d6e50b71ffc@syzkaller.appspotmail.com
Link: https://syzkaller.appspot.com/bug?extid=72f94b474d6e50b71ffc
Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
---
 drivers/comedi/drivers/dt2815.c | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/drivers/comedi/drivers/dt2815.c b/drivers/comedi/drivers/dt2815.c
index 03ba2fd18a21..8e77c9851110 100644
--- a/drivers/comedi/drivers/dt2815.c
+++ b/drivers/comedi/drivers/dt2815.c
@@ -144,10 +144,15 @@ static int dt2815_attach(struct comedi_device *dev, struct comedi_devconfig *it)
 	const struct comedi_lrange *current_range_type, *voltage_range_type;
 	int ret;
 
+	printk(KERN_INFO "dt2815: it->options[0] = 0x%lx\n", it->options[0]);
+
 	ret = comedi_request_region(dev, it->options[0], 0x2);
 	if (ret)
 		return ret;
 
+	printk(KERN_INFO "dt2815: after comedi_request_region, dev->iobase = 0x%lx\n", dev->iobase);
+
+
 	ret = comedi_alloc_subdevices(dev, 1);
 	if (ret)
 		return ret;
@@ -176,13 +181,18 @@ static int dt2815_attach(struct comedi_device *dev, struct comedi_devconfig *it)
 	}
 
 	/* Init the 2815 */
+	printk(KERN_INFO "dt2815: Before first outb, dev->iobase = 0x%lx\n", dev->iobase);
 	outb(0x00, dev->iobase + DT2815_STATUS);
+	printk(KERN_INFO "dt2815: After first outb\n");
+
 	for (i = 0; i < 100; i++) {
 		/* This is incredibly slow (approx 20 ms) */
 		unsigned int status;
 
 		usleep_range(1000, 3000);
+		printk(KERN_INFO "dt2815: Loop iteration %d, dev->iobase = 0x%lx\n", i, dev->iobase);
 		status = inb(dev->iobase + DT2815_STATUS);
+		printk(KERN_INFO "dt2815: status = 0x%x\n", status);
 		if (status == 4) {
 			unsigned int program;
 
@@ -195,8 +205,11 @@ static int dt2815_attach(struct comedi_device *dev, struct comedi_devconfig *it)
 			dev_dbg(dev->class_dev,
 				"unexpected status 0x%x (@t=%d)\n",
 				status, i);
-			if (status & 0x60)
+			if (status & 0x60) {
+				printk(KERN_INFO "dt2815: About to do second outb, dev = %px, dev->iobase = 0x%lx\n", dev, dev->iobase);
 				outb(0x00, dev->iobase + DT2815_STATUS);
+				printk(KERN_INFO "dt2815: After second outb\n");
+			}
 		}
 	}
 
-- 
2.43.0

Forwarded: [PATCH] comedi: dt2815: add hardware detection to prevent crash on invalid I/O ports

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: [PATCH] comedi: dt2815: add hardware detection to prevent crash on invalid I/O ports
Author: kartikey406@gmail.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

The dt2815 driver crashes when attached to I/O ports without actual
hardware present. This occurs because syzkaller or users can attach the
driver to arbitrary I/O addresses via COMEDI_DEVCONFIG ioctl.

When no hardware exists at the specified port, inb() operations return
0xff (floating bus). The driver misinterprets this as a valid status and
attempts error recovery via outb(), which triggers undefined behavior on
the second iteration, ultimately causing a page fault:

  BUG: unable to handle page fault for address: 000000007fffff90
  #PF: supervisor write access in kernel mode
  #PF: error_code(0x0002) - not-present page
  RIP: 0010:dt2815_attach+0x6a8/0x9e0

Add an early hardware detection check: if the first status read returns
0xff, assume no hardware is present and fail the attach with -ENODEV.
This prevents the crash and provides a clear error message to users.

Reported-by: syzbot+72f94b474d6e50b71ffc@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=72f94b474d6e50b71ffc
Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
---
 drivers/comedi/drivers/dt2815.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/drivers/comedi/drivers/dt2815.c b/drivers/comedi/drivers/dt2815.c
index 03ba2fd18a21..1578cebae8e7 100644
--- a/drivers/comedi/drivers/dt2815.c
+++ b/drivers/comedi/drivers/dt2815.c
@@ -183,6 +183,15 @@ static int dt2815_attach(struct comedi_device *dev, struct comedi_devconfig *it)
 
 		usleep_range(1000, 3000);
 		status = inb(dev->iobase + DT2815_STATUS);
+
+		   /* 0xff usually indicates no hardware present on the bus */
+		if (i == 0 && status == 0xff) {
+			dev_err(dev->class_dev,
+				"No hardware detected at I/O base 0x%lx\n",
+				dev->iobase);
+			return -ENODEV;
+		}
+
 		if (status == 4) {
 			unsigned int program;
 
-- 
2.43.0

Forwarded: [PATCH] comedi: dt2815: add comprehensive debug logging to diagnose crashes

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: [PATCH] comedi: dt2815: add comprehensive debug logging to diagnose crashes
Author: kartikey406@gmail.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

Add detailed debug logging throughout dt2815_attach() to diagnose
multiple crash scenarios reported by syzbot. The crashes occur at
different offsets within the function when attaching to I/O ports
without actual hardware present.

This debug patch adds:
- PID tracking to identify concurrent execution
- Logging before/after each outb() operation
- Status register values at each iteration
- Device pointer and iobase values at critical points
- Entry/exit tracking for the attach function

Additionally, implements an early hardware detection check: if the
first status read returns 0xff (floating bus indicating no hardware),
the driver returns -ENODEV immediately instead of attempting further
I/O operations.

This is a debug patch to gather information about the crash patterns
before implementing a final fix.

Reported-by: syzbot+72f94b474d6e50b71ffc@syzkaller.appspotmail.com
Link: https://syzkaller.appspot.com/bug?extid=72f94b474d6e50b71ffc
Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
---
 drivers/comedi/drivers/dt2815.c | 37 +++++++++++++++++++++++++++++++--
 1 file changed, 35 insertions(+), 2 deletions(-)

diff --git a/drivers/comedi/drivers/dt2815.c b/drivers/comedi/drivers/dt2815.c
index 03ba2fd18a21..285bf13fc74d 100644
--- a/drivers/comedi/drivers/dt2815.c
+++ b/drivers/comedi/drivers/dt2815.c
@@ -144,10 +144,16 @@ static int dt2815_attach(struct comedi_device *dev, struct comedi_devconfig *it)
 	const struct comedi_lrange *current_range_type, *voltage_range_type;
 	int ret;
 
+	printk(KERN_INFO "dt2815: [PID %d] ENTER dt2815_attach, it->options[0] = 0x%lx\n", 
+               current->pid, it->options[0]);
+
 	ret = comedi_request_region(dev, it->options[0], 0x2);
 	if (ret)
 		return ret;
 
+	printk(KERN_INFO "dt2815: [PID %d] after comedi_request_region, dev->iobase = 0x%lx\n", 
+	       current->pid, dev->iobase);
+
 	ret = comedi_alloc_subdevices(dev, 1);
 	if (ret)
 		return ret;
@@ -175,31 +181,58 @@ static int dt2815_attach(struct comedi_device *dev, struct comedi_devconfig *it)
 		    ? current_range_type : voltage_range_type;
 	}
 
+	printk(KERN_INFO "dt2815: [PID %d] About to do FIRST outb, dev = %px, dev->iobase = 0x%lx\n",
+               current->pid, dev, dev->iobase);
 	/* Init the 2815 */
 	outb(0x00, dev->iobase + DT2815_STATUS);
+
+	printk(KERN_INFO "dt2815: [PID %d] FIRST outb completed successfully\n", current->pid);
+
 	for (i = 0; i < 100; i++) {
 		/* This is incredibly slow (approx 20 ms) */
 		unsigned int status;
 
+		printk(KERN_INFO "dt2815: [PID %d] Loop iteration %d, dev->iobase = 0x%lx\n",
+			 current->pid, i, dev->iobase);
 		usleep_range(1000, 3000);
 		status = inb(dev->iobase + DT2815_STATUS);
+		printk(KERN_INFO "dt2815: [PID %d] iteration %d: status = 0x%x\n",
+				  current->pid, i, status);
+		   /* 0xff usually indicates no hardware present on the bus */
+                if (i == 0 && status == 0xff) {
+                        dev_err(dev->class_dev,
+                                "No hardware detected at I/O base 0x%lx\n",
+                                dev->iobase);
+			printk(KERN_INFO "dt2815: [PID %d] Returning -ENODEV (no hardware)\n",
+				 current->pid);
+                        return -ENODEV;
+                }
+
 		if (status == 4) {
 			unsigned int program;
 
 			program = (it->options[4] & 0x3) << 3 | 0x7;
 			outb(program, dev->iobase + DT2815_DATA);
+			printk(KERN_INFO "dt2815: [PID %d] Hardware ready, programmed successfully\n",
+                               current->pid);
 			dev_dbg(dev->class_dev, "program: 0x%x (@t=%d)\n",
 				program, i);
+			printk(KERN_INFO "dt2815: [PID %d] Unexpected status 0x%x at iteration %d\n",
+			       current->pid, status, i);
 			break;
 		} else if (status != 0x00) {
 			dev_dbg(dev->class_dev,
 				"unexpected status 0x%x (@t=%d)\n",
 				status, i);
-			if (status & 0x60)
+			if (status & 0x60) {
+				printk(KERN_INFO "dt2815: [PID %d] About to do recovery outb, dev = %px, dev->iobase = 0x%lx\n",
+				       current->pid, dev, dev->iobase);
 				outb(0x00, dev->iobase + DT2815_STATUS);
+				printk(KERN_INFO "dt2815: [PID %d] Recovery outb completed\n", current->pid);
+			}
 		}
 	}
-
+	printk(KERN_INFO "dt2815: [PID %d] EXIT dt2815_attach successfully\n", current->pid);
 	return 0;
 }
 
-- 
2.43.0

Forwarded: [PATCH] comedi: dt2815: add hardware detection to prevent crash

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: [PATCH] comedi: dt2815: add hardware detection to prevent crash
Author: kartikey406@gmail.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master


The dt2815 driver crashes when attached to I/O ports without actual
hardware present. This occurs because syzkaller or users can attach
the driver to arbitrary I/O addresses via COMEDI_DEVCONFIG ioctl.

When no hardware exists at the specified port, inb() operations return
0xff (floating bus), but outb() operations can trigger page faults due
to undefined behavior, especially under race conditions:

  BUG: unable to handle page fault for address: 000000007fffff90
  #PF: supervisor write access in kernel mode
  #PF: error_code(0x0002) - not-present page
  RIP: 0010:dt2815_attach+0x6e0/0x1110

Add hardware detection by reading the status register before attempting
any write operations. If the read returns 0xff, assume no hardware is
present and fail the attach with -ENODEV. This prevents crashes from
outb() operations on non-existent hardware.

Reported-by: syzbot+72f94b474d6e50b71ffc@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=72f94b474d6e50b71ffc
Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
---
 drivers/comedi/drivers/dt2815.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/drivers/comedi/drivers/dt2815.c b/drivers/comedi/drivers/dt2815.c
index 03ba2fd18a21..7c642860f127 100644
--- a/drivers/comedi/drivers/dt2815.c
+++ b/drivers/comedi/drivers/dt2815.c
@@ -175,6 +175,18 @@ static int dt2815_attach(struct comedi_device *dev, struct comedi_devconfig *it)
 		    ? current_range_type : voltage_range_type;
 	}
 
+	/*
+	 * Check if hardware is present before attempting any I/O operations.
+	 * Reading 0xff from status register typically indicates no hardware
+	 * on the bus (floating bus reads as all 1s).
+	 */
+	if (inb(dev->iobase + DT2815_STATUS) == 0xff) {
+		dev_err(dev->class_dev,
+			"No hardware detected at I/O base 0x%lx\n",
+			dev->iobase);
+		return -ENODEV;
+	}
+
 	/* Init the 2815 */
 	outb(0x00, dev->iobase + DT2815_STATUS);
 	for (i = 0; i < 100; i++) {
-- 
2.43.0