From: Deepanshu Kartikey
To: abbotti@mev.co.uk, hsweeten@visionengravers.com
Cc: linux-kernel@vger.kernel.org, Deepanshu Kartikey, syzbot+72f94b474d6e50b71ffc@syzkaller.appspotmail.com
Subject: [PATCH] comedi: dt2815: add hardware detection to prevent crash
Date: Mon, 26 Jan 2026 12:34:58 +0530
Message-ID: <20260126070458.10974-1-kartikey406@gmail.com>

The dt2815 driver crashes when attached to I/O ports without actual
hardware present. This occurs because syzkaller or users can attach
the driver to arbitrary I/O addresses via COMEDI_DEVCONFIG ioctl.

When no hardware exists at the specified port, inb() operations return
0xff (floating bus), but outb() operations can trigger page faults due
to undefined behavior, especially under race conditions:

  BUG: unable to handle page fault for address: 000000007fffff90
  #PF: supervisor write access in kernel mode
  #PF: error_code(0x0002) - not-present page
  RIP: 0010:dt2815_attach+0x6e0/0x1110

Add hardware detection by reading the status register before attempting
any write operations. If the read returns 0xff, assume no hardware is
present and fail the attach with -ENODEV. This prevents crashes from
outb() operations on non-existent hardware.

Reported-by: syzbot+72f94b474d6e50b71ffc@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=72f94b474d6e50b71ffc
Tested-by: syzbot+72f94b474d6e50b71ffc@syzkaller.appspotmail.com
Signed-off-by: Deepanshu Kartikey Reviewed-by: Ian Abbott --- drivers/comedi/drivers/dt2815.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/drivers/comedi/drivers/dt2815.c b/drivers/comedi/drivers/dt281= 5.c index 03ba2fd18a21..7c642860f127 100644 --- a/drivers/comedi/drivers/dt2815.c +++ b/drivers/comedi/drivers/dt2815.c @@ -175,6 +175,18 @@ static int dt2815_attach(struct comedi_device *dev, st= ruct comedi_devconfig *it) ? current_range_type : voltage_range_type; } =20 + /* + * Check if hardware is present before attempting any I/O operations. + * Reading 0xff from status register typically indicates no hardware + * on the bus (floating bus reads as all 1s). + */ + if (inb(dev->iobase + DT2815_STATUS) =3D=3D 0xff) { + dev_err(dev->class_dev, + "No hardware detected at I/O base 0x%lx\n", + dev->iobase); + return -ENODEV; + } + /* Init the 2815 */ outb(0x00, dev->iobase + DT2815_STATUS); for (i =3D 0; i < 100; i++) { --=20 2.43.0
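
Review bot: The `inb(dev->iobase + DT2815_STATUS) == 0xff` test added just before "/* Init the 2815 */" only rejects the all-ones case, so an attach through COMEDI_DEVCONFIG to a port range where something else answers with a different value still reaches the `outb(0x00, dev->iobase + DT2815_STATUS)` sequence. The new comment itself says 0xff "typically" indicates no hardware, so please state in the comment or the commit message that this is a best-effort probe, and whether a working DT2815 can ever report 0xff in its status register, since such a board would now fail with -ENODEV. The commit message also does not explain how an outb() leads to the reported write page fault at 000000007fffff90; a sentence on the actual mechanism would show that the check addresses the cause rather than hiding it.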