* [syzbot] [comedi?] BUG: unable to handle kernel paging request in dt2815_attach
@ 2026-01-24  6:45 syzbot
  0 siblings, 0 replies; 5+ messages in thread
From: syzbot @ 2026-01-24  6:45 UTC
  To: abbotti, hsweeten, linux-kernel, syzkaller-bugs

Hello,

syzbot found the following issue on:

HEAD commit:    c072629f05d7 Merge tag 'v6.19-p4' of git://git.kernel.org/..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=158b8bfa580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=e2e5d7c9c1e01cf4
dashboard link: https://syzkaller.appspot.com/bug?extid=72f94b474d6e50b71ffc
compiler:       Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=10144452580000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1434df9a580000

Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/d900f083ada3/non_bootable_disk-c072629f.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/bd5acf0ccc3e/vmlinux-c072629f.xz
kernel image: https://storage.googleapis.com/syzbot-assets/ab6178baf781/bzImage-c072629f.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+72f94b474d6e50b71ffc@syzkaller.appspotmail.com

BUG: unable to handle page fault for address: fffffffffffffff0
#PF: supervisor write access in kernel mode
#PF: error_code(0x0002) - not-present page
PGD e14b067 P4D e14b067 PUD e14d067 PMD 0 
Oops: Oops: 0002 [#1] SMP KASAN NOPTI
CPU: 0 UID: 0 PID: 5496 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
RIP: 0010:__outb arch/x86/include/asm/shared/io.h:22 [inline]
RIP: 0010:dt2815_attach+0x5a3/0x8f0 drivers/comedi/drivers/dt2815.c:199
Code: e6 83 e6 60 31 ff e8 0c 7d e3 f8 41 83 e4 60 74 35 e8 c1 78 e3 f8 42 80 3c 2b 00 74 08 4c 89 ff e8 32 0b 4c f9 41 8b 17 ff c2 <31> 66 90 83 fd 63 75 1e e9 96 00 00 00 e8 9b 78 e3 f8 83 fd 63 75
RSP: 0018:ffffc90002a5fa78 EFLAGS: 00010206
RAX: ffffffff88df2f7f RBX: 1ffff110081a053a RCX: ffff888011d224c0
RDX: 000000000000007e RSI: 0000000000000060 RDI: 0000000000000000
RBP: 0000000000000001 R08: ffff888011d224c0 R09: 0000000000000002
R10: 0000000000000004 R11: 0000000000000000 R12: 0000000000000060
R13: dffffc0000000000 R14: ffffc90002a5fbc0 R15: ffff888040d029d0
FS:  000055555a3d0500(0000) GS:ffff88808cf1d000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: fffffffffffffff0 CR3: 0000000040fed000 CR4: 0000000000352ef0
Call Trace:
 <TASK>
 comedi_device_attach+0x51f/0x720 drivers/comedi/drivers.c:1069
 do_devconfig_ioctl drivers/comedi/comedi_fops.c:928 [inline]
 comedi_unlocked_ioctl+0x701/0x1240 drivers/comedi/comedi_fops.c:2240
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:597 [inline]
 __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:583
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xe2/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f975339acb9
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffc13841358 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f9753615fa0 RCX: 00007f975339acb9
RDX: 0000200000000080 RSI: 0000000040946400 RDI: 0000000000000003
RBP: 00007f9753408bf7 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f9753615fac R14: 00007f9753615fa0 R15: 00007f9753615fa0
 </TASK>
Modules linked in:
CR2: fffffffffffffff0
---[ end trace 0000000000000000 ]---
RIP: 0010:__outb arch/x86/include/asm/shared/io.h:22 [inline]
RIP: 0010:dt2815_attach+0x5a3/0x8f0 drivers/comedi/drivers/dt2815.c:199
Code: e6 83 e6 60 31 ff e8 0c 7d e3 f8 41 83 e4 60 74 35 e8 c1 78 e3 f8 42 80 3c 2b 00 74 08 4c 89 ff e8 32 0b 4c f9 41 8b 17 ff c2 <31> 66 90 83 fd 63 75 1e e9 96 00 00 00 e8 9b 78 e3 f8 83 fd 63 75
RSP: 0018:ffffc90002a5fa78 EFLAGS: 00010206
RAX: ffffffff88df2f7f RBX: 1ffff110081a053a RCX: ffff888011d224c0
RDX: 000000000000007e RSI: 0000000000000060 RDI: 0000000000000000
RBP: 0000000000000001 R08: ffff888011d224c0 R09: 0000000000000002
R10: 0000000000000004 R11: 0000000000000000 R12: 0000000000000060
R13: dffffc0000000000 R14: ffffc90002a5fbc0 R15: ffff888040d029d0
FS:  000055555a3d0500(0000) GS:ffff88808cf1d000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: fffffffffffffff0 CR3: 0000000040fed000 CR4: 0000000000352ef0
----------------
Code disassembly (best guess):
   0:	e6 83                	out    %al,$0x83
   2:	e6 60                	out    %al,$0x60
   4:	31 ff                	xor    %edi,%edi
   6:	e8 0c 7d e3 f8       	call   0xf8e37d17
   b:	41 83 e4 60          	and    $0x60,%r12d
   f:	74 35                	je     0x46
  11:	e8 c1 78 e3 f8       	call   0xf8e378d7
  16:	42 80 3c 2b 00       	cmpb   $0x0,(%rbx,%r13,1)
  1b:	74 08                	je     0x25
  1d:	4c 89 ff             	mov    %r15,%rdi
  20:	e8 32 0b 4c f9       	call   0xf94c0b57
  25:	41 8b 17             	mov    (%r15),%edx
  28:	ff c2                	inc    %edx
* 2a:	31 66 90             	xor    %esp,-0x70(%rsi) <-- trapping instruction
  2d:	83 fd 63             	cmp    $0x63,%ebp
  30:	75 1e                	jne    0x50
  32:	e9 96 00 00 00       	jmp    0xcd
  37:	e8 9b 78 e3 f8       	call   0xf8e378d7
  3c:	83 fd 63             	cmp    $0x63,%ebp
  3f:	75                   	.byte 0x75


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

* Re: [syzbot] [comedi?] BUG: unable to handle kernel paging request in dt2815_attach
       [not found] <20260126051936.5684-1-kartikey406@gmail.com>
@ 2026-01-26  5:36 ` syzbot
  0 siblings, 0 replies; 5+ messages in thread
From: syzbot @ 2026-01-26  5:36 UTC
  To: kartikey406, linux-kernel, syzkaller-bugs

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: unable to handle kernel paging request in dt2815_attach

dt2815: After second outb
dt2815: Loop iteration 1, dev->iobase = 0x7d
dt2815: status = 0xff
dt2815: About to do second outb, dev = ffff8880408c7000, dev->iobase = 0x7d
BUG: unable to handle page fault for address: 000000007fffff90
#PF: supervisor write access in kernel mode
#PF: error_code(0x0002) - not-present page
PGD 465c6067 P4D 465c6067 PUD 0 
Oops: Oops: 0002 [#1] SMP KASAN NOPTI
CPU: 0 UID: 0 PID: 5846 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
RIP: 0010:__outb arch/x86/include/asm/shared/io.h:22 [inline]
RIP: 0010:dt2815_attach+0x6a8/0x9e0 drivers/comedi/drivers/dt2815.c:210
Code: 8b 96 d0 01 00 00 48 c7 c7 e0 f7 8b 8c 4c 89 f6 e8 7d 5f f5 ff 43 80 3c 27 00 74 08 4c 89 ef e8 ce 02 f9 00 41 8b 55 00 ff c2 <31> 66 90 48 c7 c7 60 f8 8b 8c e8 59 5f f5 ff 83 fd 63 75 9c eb 71
RSP: 0018:ffffc90001987a80 EFLAGS: 00010206
RAX: 000000000000004b RBX: ffffc90001987bc0 RCX: fd82e65c6f5c7300
RDX: 000000000000007e RSI: 0000000080000000 RDI: 0000000000000000
RBP: 0000000000000001 R08: ffffc90001987807 R09: 1ffff92000330f00
R10: dffffc0000000000 R11: fffff52000330f01 R12: dffffc0000000000
R13: ffff8880408c71d0 R14: ffff8880408c7000 R15: 1ffff11008118e3a
FS:  00007f4b609056c0(0000) GS:ffff88808cf1b000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000007fffff90 CR3: 00000000465ca000 CR4: 0000000000352ef0
Call Trace:
 <TASK>
 comedi_device_attach+0x51f/0x720 drivers/comedi/drivers.c:1069
 do_devconfig_ioctl drivers/comedi/comedi_fops.c:928 [inline]
 comedi_unlocked_ioctl+0x701/0x1240 drivers/comedi/comedi_fops.c:2240
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:597 [inline]
 __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:583
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xe2/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f4b5f99acb9
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f4b60905028 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f4b5fc15fa0 RCX: 00007f4b5f99acb9
RDX: 0000200000000080 RSI: 0000000040946400 RDI: 0000000000000003
RBP: 00007f4b5fa08bf7 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f4b5fc16038 R14: 00007f4b5fc15fa0 R15: 00007ffc911b33b8
 </TASK>
Modules linked in:
CR2: 000000007fffff90
---[ end trace 0000000000000000 ]---
RIP: 0010:__outb arch/x86/include/asm/shared/io.h:22 [inline]
RIP: 0010:dt2815_attach+0x6a8/0x9e0 drivers/comedi/drivers/dt2815.c:210
Code: 8b 96 d0 01 00 00 48 c7 c7 e0 f7 8b 8c 4c 89 f6 e8 7d 5f f5 ff 43 80 3c 27 00 74 08 4c 89 ef e8 ce 02 f9 00 41 8b 55 00 ff c2 <31> 66 90 48 c7 c7 60 f8 8b 8c e8 59 5f f5 ff 83 fd 63 75 9c eb 71
RSP: 0018:ffffc90001987a80 EFLAGS: 00010206
RAX: 000000000000004b RBX: ffffc90001987bc0 RCX: fd82e65c6f5c7300
RDX: 000000000000007e RSI: 0000000080000000 RDI: 0000000000000000
RBP: 0000000000000001 R08: ffffc90001987807 R09: 1ffff92000330f00
R10: dffffc0000000000 R11: fffff52000330f01 R12: dffffc0000000000
R13: ffff8880408c71d0 R14: ffff8880408c7000 R15: 1ffff11008118e3a
FS:  00007f4b609056c0(0000) GS:ffff88808cf1b000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000007fffff90 CR3: 00000000465ca000 CR4: 0000000000352ef0
----------------
Code disassembly (best guess):
   0:	8b 96 d0 01 00 00    	mov    0x1d0(%rsi),%edx
   6:	48 c7 c7 e0 f7 8b 8c 	mov    $0xffffffff8c8bf7e0,%rdi
   d:	4c 89 f6             	mov    %r14,%rsi
  10:	e8 7d 5f f5 ff       	call   0xfff55f92
  15:	43 80 3c 27 00       	cmpb   $0x0,(%r15,%r12,1)
  1a:	74 08                	je     0x24
  1c:	4c 89 ef             	mov    %r13,%rdi
  1f:	e8 ce 02 f9 00       	call   0xf902f2
  24:	41 8b 55 00          	mov    0x0(%r13),%edx
  28:	ff c2                	inc    %edx
* 2a:	31 66 90             	xor    %esp,-0x70(%rsi) <-- trapping instruction
  2d:	48 c7 c7 60 f8 8b 8c 	mov    $0xffffffff8c8bf860,%rdi
  34:	e8 59 5f f5 ff       	call   0xfff55f92
  39:	83 fd 63             	cmp    $0x63,%ebp
  3c:	75 9c                	jne    0xffffffda
  3e:	eb 71                	jmp    0xb1


Tested on:

commit:         63804fed Linux 6.19-rc7
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=15ba3002580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=e2e5d7c9c1e01cf4
dashboard link: https://syzkaller.appspot.com/bug?extid=72f94b474d6e50b71ffc
compiler:       Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
patch:          https://syzkaller.appspot.com/x/patch.diff?x=1214b9ac580000


* Re: [syzbot] [comedi?] BUG: unable to handle kernel paging request in dt2815_attach
       [not found] <20260126054835.7392-1-kartikey406@gmail.com>
@ 2026-01-26  6:04 ` syzbot
  0 siblings, 0 replies; 5+ messages in thread
From: syzbot @ 2026-01-26  6:04 UTC
  To: kartikey406, linux-kernel, syzkaller-bugs

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: unable to handle kernel NULL pointer dereference in dt2815_attach

BUG: kernel NULL pointer dereference, address: 0000000000000390
#PF: supervisor write access in kernel mode
#PF: error_code(0x0002) - not-present page
PGD 365dc067 P4D 365dc067 PUD 0 
Oops: Oops: 0002 [#1] SMP KASAN NOPTI
CPU: 0 UID: 0 PID: 5841 Comm: syz.0.18 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
RIP: 0010:__outb arch/x86/include/asm/shared/io.h:22 [inline]
RIP: 0010:dt2815_attach+0x4f3/0xa40 drivers/comedi/drivers/dt2815.c:179
Code: 24 4c 8d b8 d0 01 00 00 4c 89 fb 48 c1 eb 03 42 80 3c 2b 00 74 08 4c 89 ff e8 a9 00 4c f9 48 8b 04 24 8b 90 d0 01 00 00 ff c2 <31> 66 90 bf e8 03 00 00 be b8 0b 00 00 ba 02 00 00 00 e8 56 0a 9e
RSP: 0018:ffffc90002befa88 EFLAGS: 00010206
RAX: ffff888040c87000 RBX: 1ffff11008190e3a RCX: 0000000000000000
RDX: 000000000000007e RSI: 0000000000000400 RDI: 0000000000000000
RBP: 0000000000000400 R08: 0000000000000dc0 R09: 00000000ffffffff
R10: 000000000000000a R11: ffffffff81ae5bd0 R12: ffffc90002befc04
R13: dffffc0000000000 R14: ffffc90002befbc0 R15: ffff888040c871d0
FS:  00007fa9eb7d96c0(0000) GS:ffff88808cf1b000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000390 CR3: 00000000595eb000 CR4: 0000000000352ef0
Call Trace:
 <TASK>
 comedi_device_attach+0x51f/0x720 drivers/comedi/drivers.c:1069
 do_devconfig_ioctl drivers/comedi/comedi_fops.c:928 [inline]
 comedi_unlocked_ioctl+0x701/0x1240 drivers/comedi/comedi_fops.c:2240
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:597 [inline]
 __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:583
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xe2/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fa9ea99acb9
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fa9eb7d9028 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007fa9eac15fa0 RCX: 00007fa9ea99acb9
RDX: 0000200000000080 RSI: 0000000040946400 RDI: 0000000000000003
RBP: 00007fa9eaa08bf7 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fa9eac16038 R14: 00007fa9eac15fa0 R15: 00007fff0dbc24e8
 </TASK>
Modules linked in:
CR2: 0000000000000390
---[ end trace 0000000000000000 ]---
RIP: 0010:__outb arch/x86/include/asm/shared/io.h:22 [inline]
RIP: 0010:dt2815_attach+0x4f3/0xa40 drivers/comedi/drivers/dt2815.c:179
Code: 24 4c 8d b8 d0 01 00 00 4c 89 fb 48 c1 eb 03 42 80 3c 2b 00 74 08 4c 89 ff e8 a9 00 4c f9 48 8b 04 24 8b 90 d0 01 00 00 ff c2 <31> 66 90 bf e8 03 00 00 be b8 0b 00 00 ba 02 00 00 00 e8 56 0a 9e
RSP: 0018:ffffc90002befa88 EFLAGS: 00010206
RAX: ffff888040c87000 RBX: 1ffff11008190e3a RCX: 0000000000000000
RDX: 000000000000007e RSI: 0000000000000400 RDI: 0000000000000000
RBP: 0000000000000400 R08: 0000000000000dc0 R09: 00000000ffffffff
R10: 000000000000000a R11: ffffffff81ae5bd0 R12: ffffc90002befc04
R13: dffffc0000000000 R14: ffffc90002befbc0 R15: ffff888040c871d0
FS:  00007fa9eb7d96c0(0000) GS:ffff88808cf1b000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000390 CR3: 00000000595eb000 CR4: 0000000000352ef0
----------------
Code disassembly (best guess):
   0:	24 4c                	and    $0x4c,%al
   2:	8d b8 d0 01 00 00    	lea    0x1d0(%rax),%edi
   8:	4c 89 fb             	mov    %r15,%rbx
   b:	48 c1 eb 03          	shr    $0x3,%rbx
   f:	42 80 3c 2b 00       	cmpb   $0x0,(%rbx,%r13,1)
  14:	74 08                	je     0x1e
  16:	4c 89 ff             	mov    %r15,%rdi
  19:	e8 a9 00 4c f9       	call   0xf94c00c7
  1e:	48 8b 04 24          	mov    (%rsp),%rax
  22:	8b 90 d0 01 00 00    	mov    0x1d0(%rax),%edx
  28:	ff c2                	inc    %edx
* 2a:	31 66 90             	xor    %esp,-0x70(%rsi) <-- trapping instruction
  2d:	bf e8 03 00 00       	mov    $0x3e8,%edi
  32:	be b8 0b 00 00       	mov    $0xbb8,%esi
  37:	ba 02 00 00 00       	mov    $0x2,%edx
  3c:	e8                   	.byte 0xe8
  3d:	56                   	push   %rsi
  3e:	0a                   	.byte 0xa
  3f:	9e                   	sahf


Tested on:

commit:         63804fed Linux 6.19-rc7
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1083f294580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=e2e5d7c9c1e01cf4
dashboard link: https://syzkaller.appspot.com/bug?extid=72f94b474d6e50b71ffc
compiler:       Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
patch:          https://syzkaller.appspot.com/x/patch.diff?x=164bfe8a580000


* Re: [syzbot] [comedi?] BUG: unable to handle kernel paging request in dt2815_attach
       [not found] <20260126061729.9345-1-kartikey406@gmail.com>
@ 2026-01-26  6:33 ` syzbot
  0 siblings, 0 replies; 5+ messages in thread
From: syzbot @ 2026-01-26  6:33 UTC
  To: kartikey406, linux-kernel, syzkaller-bugs

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: unable to handle kernel paging request in dt2815_attach

dt2815: [PID 5821] ENTER dt2815_attach, it->options[0] = 0x7d
dt2815: [PID 5821] after comedi_request_region, dev->iobase = 0x7d
dt2815: [PID 5821] About to do FIRST outb, dev = ffff888040506800, dev->iobase = 0x7d
BUG: unable to handle page fault for address: 000000007fffff90
#PF: supervisor write access in kernel mode
#PF: error_code(0x0002) - not-present page
PGD 57fb4067 P4D 57fb4067 PUD 0 
Oops: Oops: 0002 [#1] SMP KASAN NOPTI
CPU: 0 UID: 0 PID: 5821 Comm: syz.0.18 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
RIP: 0010:__outb arch/x86/include/asm/shared/io.h:22 [inline]
RIP: 0010:dt2815_attach+0x6e0/0x1110 drivers/comedi/drivers/dt2815.c:187
Code: f5 ff 48 bd 00 00 00 00 00 fc ff df 41 80 3c 2c 00 74 12 4c 89 f7 e8 9f 02 f9 00 48 bd 00 00 00 00 00 fc ff df 41 8b 16 ff c2 <31> 66 90 41 0f b6 44 2d 00 84 c0 0f 85 00 08 00 00 8b 33 48 c7 c7
RSP: 0018:ffffc90002a8fa78 EFLAGS: 00010206
RAX: 0000000000000055 RBX: ffff88803405cf98 RCX: c9cdd809989aea00
RDX: 000000000000007e RSI: 0000000080000000 RDI: 0000000000000000
RBP: dffffc0000000000 R08: ffff88801fc247d3 R09: 1ffff11003f848fa
R10: dffffc0000000000 R11: ffffed1003f848fb R12: 1ffff110080a0d3a
R13: 1ffff1100680b9f3 R14: ffff8880405069d0 R15: ffff888040506800
FS:  00007f8323dfe6c0(0000) GS:ffff88808cf1b000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000007fffff90 CR3: 0000000057ff9000 CR4: 0000000000352ef0
Call Trace:
 <TASK>
 comedi_device_attach+0x51f/0x720 drivers/comedi/drivers.c:1069
 do_devconfig_ioctl drivers/comedi/comedi_fops.c:928 [inline]
 comedi_unlocked_ioctl+0x701/0x1240 drivers/comedi/comedi_fops.c:2240
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:597 [inline]
 __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:583
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xe2/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f832479acb9
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f8323dfe028 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f8324a15fa0 RCX: 00007f832479acb9
RDX: 0000200000000080 RSI: 0000000040946400 RDI: 0000000000000003
RBP: 00007f8324808bf7 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f8324a16038 R14: 00007f8324a15fa0 R15: 00007fff45a7cad8
 </TASK>
Modules linked in:
CR2: 000000007fffff90
---[ end trace 0000000000000000 ]---
RIP: 0010:__outb arch/x86/include/asm/shared/io.h:22 [inline]
RIP: 0010:dt2815_attach+0x6e0/0x1110 drivers/comedi/drivers/dt2815.c:187
Code: f5 ff 48 bd 00 00 00 00 00 fc ff df 41 80 3c 2c 00 74 12 4c 89 f7 e8 9f 02 f9 00 48 bd 00 00 00 00 00 fc ff df 41 8b 16 ff c2 <31> 66 90 41 0f b6 44 2d 00 84 c0 0f 85 00 08 00 00 8b 33 48 c7 c7
RSP: 0018:ffffc90002a8fa78 EFLAGS: 00010206
RAX: 0000000000000055 RBX: ffff88803405cf98 RCX: c9cdd809989aea00
RDX: 000000000000007e RSI: 0000000080000000 RDI: 0000000000000000
RBP: dffffc0000000000 R08: ffff88801fc247d3 R09: 1ffff11003f848fa
R10: dffffc0000000000 R11: ffffed1003f848fb R12: 1ffff110080a0d3a
R13: 1ffff1100680b9f3 R14: ffff8880405069d0 R15: ffff888040506800
FS:  00007f8323dfe6c0(0000) GS:ffff88808cf1b000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000007fffff90 CR3: 0000000057ff9000 CR4: 0000000000352ef0
----------------
Code disassembly (best guess):
   0:	f5                   	cmc
   1:	ff 48 bd             	decl   -0x43(%rax)
   4:	00 00                	add    %al,(%rax)
   6:	00 00                	add    %al,(%rax)
   8:	00 fc                	add    %bh,%ah
   a:	ff                   	lcall  (bad)
   b:	df 41 80             	filds  -0x80(%rcx)
   e:	3c 2c                	cmp    $0x2c,%al
  10:	00 74 12 4c          	add    %dh,0x4c(%rdx,%rdx,1)
  14:	89 f7                	mov    %esi,%edi
  16:	e8 9f 02 f9 00       	call   0xf902ba
  1b:	48 bd 00 00 00 00 00 	movabs $0xdffffc0000000000,%rbp
  22:	fc ff df
  25:	41 8b 16             	mov    (%r14),%edx
  28:	ff c2                	inc    %edx
* 2a:	31 66 90             	xor    %esp,-0x70(%rsi) <-- trapping instruction
  2d:	41 0f b6 44 2d 00    	movzbl 0x0(%r13,%rbp,1),%eax
  33:	84 c0                	test   %al,%al
  35:	0f 85 00 08 00 00    	jne    0x83b
  3b:	8b 33                	mov    (%rbx),%esi
  3d:	48                   	rex.W
  3e:	c7                   	.byte 0xc7
  3f:	c7                   	.byte 0xc7


Tested on:

commit:         63804fed Linux 6.19-rc7
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=12d6905a580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=e2e5d7c9c1e01cf4
dashboard link: https://syzkaller.appspot.com/bug?extid=72f94b474d6e50b71ffc
compiler:       Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
patch:          https://syzkaller.appspot.com/x/patch.diff?x=16a40a44580000


* Re: [syzbot] [comedi?] BUG: unable to handle kernel paging request in dt2815_attach
       [not found] <20260126064243.10298-1-kartikey406@gmail.com>
@ 2026-01-26  7:04 ` syzbot
  0 siblings, 0 replies; 5+ messages in thread
From: syzbot @ 2026-01-26  7:04 UTC
  To: kartikey406, linux-kernel, syzkaller-bugs

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+72f94b474d6e50b71ffc@syzkaller.appspotmail.com
Tested-by: syzbot+72f94b474d6e50b71ffc@syzkaller.appspotmail.com

Tested on:

commit:         63804fed Linux 6.19-rc7
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=157f5e8a580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=e2e5d7c9c1e01cf4
dashboard link: https://syzkaller.appspot.com/bug?extid=72f94b474d6e50b71ffc
compiler:       Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
patch:          https://syzkaller.appspot.com/x/patch.diff?x=11ebfe8a580000

Note: testing is done by a robot and is best-effort only.
