From: Ian Abbott
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, Ian Abbott, H Hartley Sweeten, Edward Adam Davis, syzbot+f238baf6ded841b5a82e@syzkaller.appspotmail.com, stable@vger.kernel.org
Subject: [PATCH] comedi: runflags cannot determine whether to reclaim chanlist
Date: Tue, 10 Mar 2026 11:11:04 +0000
Message-ID: <20260310111104.70959-1-abbotti@mev.co.uk>

From: Edward Adam Davis

syzbot reported a memory leak [1], because commit 4e1da516debb ("comedi:
Add reference counting for Comedi command handling") did not consider
the exceptional exit case in do_cmd_ioctl() where runflags is not set.
This caused chanlist not to be properly freed by do_become_nonbusy(),
as it only frees chanlist when runflags is correctly set.

Added a check in do_become_nonbusy() for the case where runflags is not
set, to properly free the chanlist memory.

[1]
BUG: memory leak
backtrace (crc 844a0efa):
  __comedi_get_user_chanlist drivers/comedi/comedi_fops.c:1815 [inline]
  do_cmd_ioctl.part.0+0x112/0x350 drivers/comedi/comedi_fops.c:1890
  do_cmd_ioctl drivers/comedi/comedi_fops.c:1858 [inline]

Fixes: 4e1da516debb ("comedi: Add reference counting for Comedi command handling")
Reported-by: syzbot+f238baf6ded841b5a82e@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=f238baf6ded841b5a82e
Signed-off-by: Edward Adam Davis
Reviewed-by: Ian Abbott
Cc: # 6.19+
Signed-off-by: Ian Abbott --- drivers/comedi/comedi_fops.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/drivers/comedi/comedi_fops.c b/drivers/comedi/comedi_fops.c index b91e0b5ac394..c09bbe04be6c 100644 --- a/drivers/comedi/comedi_fops.c +++ b/drivers/comedi/comedi_fops.c @@ -793,13 +793,15 @@ static void do_become_nonbusy(struct comedi_device *d= ev, __comedi_clear_subdevice_runflags(s, COMEDI_SRF_RUNNING | COMEDI_SRF_BUSY); spin_unlock_irqrestore(&s->spin_lock, flags); - if (comedi_is_runflags_busy(runflags)) { + if (async) { /* * "Run active" counter was set to 1 when setting up the * command. Decrement it and wait for it to become 0. */ - comedi_put_is_subdevice_running(s); - wait_for_completion(&async->run_complete); + if (comedi_is_runflags_busy(runflags)) { + comedi_put_is_subdevice_running(s); + wait_for_completion(&async->run_complete); + } comedi_buf_reset(s); async->inttrig =3D NULL; kfree(async->cmd.chanlist); --=20 2.51.0
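Review bot: The block comment about the "Run active" counter is now the first thing under `if (async)`, but it only describes the nested `if (comedi_is_runflags_busy(runflags))` branch that does the `comedi_put_is_subdevice_running(s)` and `wait_for_completion(&async->run_complete)`. Move it inside that inner `if`, and add a line at the outer level saying that the buffer reset and `kfree(async->cmd.chanlist)` must also run when runflags were never set, which is the do_cmd_ioctl() error exit the commit message describes; otherwise the next reader is likely to fold the two conditions back together and reintroduce the leak. Because `kfree(async->cmd.chanlist)` is now reached for any subdevice with a non-NULL `async` rather than only a busy one, it is also worth confirming that the pointer is cleared right after the free. That line falls outside the context shown in this hunk, and a second call on the same subdevice would otherwise free it twice.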