From: syzbot <syzbot+72f94b474d6e50b71ffc@syzkaller.appspotmail.com>
To: kartikey406@gmail.com, linux-kernel@vger.kernel.org,
syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] [comedi?] BUG: unable to handle kernel paging request in dt2815_attach
Date: Sun, 25 Jan 2026 22:33:02 -0800
Message-ID: <69770a9e.a00a0220.33ccc7.0033.GAE@google.com>
In-Reply-To: <20260126061729.9345-1-kartikey406@gmail.com>

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: unable to handle kernel paging request in dt2815_attach

dt2815: [PID 5821] ENTER dt2815_attach, it->options[0] = 0x7d
dt2815: [PID 5821] after comedi_request_region, dev->iobase = 0x7d
dt2815: [PID 5821] About to do FIRST outb, dev = ffff888040506800, dev->iobase = 0x7d
BUG: unable to handle page fault for address: 000000007fffff90
#PF: supervisor write access in kernel mode
#PF: error_code(0x0002) - not-present page
PGD 57fb4067 P4D 57fb4067 PUD 0
Oops: Oops: 0002 [#1] SMP KASAN NOPTI
CPU: 0 UID: 0 PID: 5821 Comm: syz.0.18 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
RIP: 0010:__outb arch/x86/include/asm/shared/io.h:22 [inline]
RIP: 0010:dt2815_attach+0x6e0/0x1110 drivers/comedi/drivers/dt2815.c:187
Code: f5 ff 48 bd 00 00 00 00 00 fc ff df 41 80 3c 2c 00 74 12 4c 89 f7 e8 9f 02 f9 00 48 bd 00 00 00 00 00 fc ff df 41 8b 16 ff c2 <31> 66 90 41 0f b6 44 2d 00 84 c0 0f 85 00 08 00 00 8b 33 48 c7 c7
RSP: 0018:ffffc90002a8fa78 EFLAGS: 00010206
RAX: 0000000000000055 RBX: ffff88803405cf98 RCX: c9cdd809989aea00
RDX: 000000000000007e RSI: 0000000080000000 RDI: 0000000000000000
RBP: dffffc0000000000 R08: ffff88801fc247d3 R09: 1ffff11003f848fa
R10: dffffc0000000000 R11: ffffed1003f848fb R12: 1ffff110080a0d3a
R13: 1ffff1100680b9f3 R14: ffff8880405069d0 R15: ffff888040506800
FS: 00007f8323dfe6c0(0000) GS:ffff88808cf1b000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000007fffff90 CR3: 0000000057ff9000 CR4: 0000000000352ef0
Call Trace:
<TASK>
comedi_device_attach+0x51f/0x720 drivers/comedi/drivers.c:1069
do_devconfig_ioctl drivers/comedi/comedi_fops.c:928 [inline]
comedi_unlocked_ioctl+0x701/0x1240 drivers/comedi/comedi_fops.c:2240
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl+0xfc/0x170 fs/ioctl.c:583
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xe2/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f832479acb9
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f8323dfe028 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f8324a15fa0 RCX: 00007f832479acb9
RDX: 0000200000000080 RSI: 0000000040946400 RDI: 0000000000000003
RBP: 00007f8324808bf7 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f8324a16038 R14: 00007f8324a15fa0 R15: 00007fff45a7cad8
</TASK>
Modules linked in:
CR2: 000000007fffff90
---[ end trace 0000000000000000 ]---
RIP: 0010:__outb arch/x86/include/asm/shared/io.h:22 [inline]
RIP: 0010:dt2815_attach+0x6e0/0x1110 drivers/comedi/drivers/dt2815.c:187
Code: f5 ff 48 bd 00 00 00 00 00 fc ff df 41 80 3c 2c 00 74 12 4c 89 f7 e8 9f 02 f9 00 48 bd 00 00 00 00 00 fc ff df 41 8b 16 ff c2 <31> 66 90 41 0f b6 44 2d 00 84 c0 0f 85 00 08 00 00 8b 33 48 c7 c7
RSP: 0018:ffffc90002a8fa78 EFLAGS: 00010206
RAX: 0000000000000055 RBX: ffff88803405cf98 RCX: c9cdd809989aea00
RDX: 000000000000007e RSI: 0000000080000000 RDI: 0000000000000000
RBP: dffffc0000000000 R08: ffff88801fc247d3 R09: 1ffff11003f848fa
R10: dffffc0000000000 R11: ffffed1003f848fb R12: 1ffff110080a0d3a
R13: 1ffff1100680b9f3 R14: ffff8880405069d0 R15: ffff888040506800
FS: 00007f8323dfe6c0(0000) GS:ffff88808cf1b000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000007fffff90 CR3: 0000000057ff9000 CR4: 0000000000352ef0
----------------
Code disassembly (best guess):
0: f5 cmc
1: ff 48 bd decl -0x43(%rax)
4: 00 00 add %al,(%rax)
6: 00 00 add %al,(%rax)
8: 00 fc add %bh,%ah
a: ff lcall (bad)
b: df 41 80 filds -0x80(%rcx)
e: 3c 2c cmp $0x2c,%al
10: 00 74 12 4c add %dh,0x4c(%rdx,%rdx,1)
14: 89 f7 mov %esi,%edi
16: e8 9f 02 f9 00 call 0xf902ba
1b: 48 bd 00 00 00 00 00 movabs $0xdffffc0000000000,%rbp
22: fc ff df
25: 41 8b 16 mov (%r14),%edx
28: ff c2 inc %edx
* 2a: 31 66 90 xor %esp,-0x70(%rsi) <-- trapping instruction
2d: 41 0f b6 44 2d 00 movzbl 0x0(%r13,%rbp,1),%eax
33: 84 c0 test %al,%al
35: 0f 85 00 08 00 00 jne 0x83b
3b: 8b 33 mov (%rbx),%esi
3d: 48 rex.W
3e: c7 .byte 0xc7
3f: c7 .byte 0xc7
Tested on:
commit: 63804fed Linux 6.19-rc7
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=12d6905a580000
kernel config: https://syzkaller.appspot.com/x/.config?x=e2e5d7c9c1e01cf4
dashboard link: https://syzkaller.appspot.com/bug?extid=72f94b474d6e50b71ffc
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
patch: https://syzkaller.appspot.com/x/patch.diff?x=16a40a44580000