From nobody Mon Jun  8 18:57:56 2026
Received: from smtp65.iad3b.emailsrvr.com (smtp65.iad3b.emailsrvr.com
 [146.20.161.65])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 354D441B369
	for <linux-kernel@vger.kernel.org>; Wed, 27 May 2026 12:56:52 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=146.20.161.65
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1779886614; cv=none;
 b=aCT6WQuNPAB40/vqHcLhWEgMPpyYde6cvaTyfRaTiL8OyMZ0MqAMOQo53gC2HTmerDrsMXFLmhXRYYr9dkqXxhM652Ro/+5sBrYGH0tKUWCsvkbS6cvoqiUQIkQqavWeh0gNh99MRfS/0o7BOJAue2AZrY/KJ3tjTHVKC/f7IMg=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1779886614; c=relaxed/simple;
	bh=XvqSSkYUSUBy9N4/ud1egmd04WkJ0kBiBaR7K6fQUU4=;
	h=From:To:Cc:Subject:Date:Message-ID:MIME-Version;
 b=cag6TMxOOKfJt+KBx12XYT6uUtP4X5HkNKuUIb8yUX0iayStJVEepRmoCU1O/Py/x7M76MtkqvfBmbWNoEE8PTOCptdEs3bFA/IwgOz8Dj2EQKQsj3tzfZcv9NUdThmTZ9X6mePyEPaL0pE/TFVu7uMAlfqdF4/JPBMbCLgS4EM=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=mev.co.uk;
 spf=pass smtp.mailfrom=mev.co.uk;
 dkim=pass (1024-bit key) header.d=mev.co.uk header.i=@mev.co.uk
 header.b=Zyj0V6xi; arc=none smtp.client-ip=146.20.161.65
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=mev.co.uk
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=mev.co.uk
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (1024-bit key) header.d=mev.co.uk header.i=@mev.co.uk
 header.b="Zyj0V6xi"
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=mev.co.uk;
	s=20221208-6x11dpa4; t=1779886277;
	bh=XvqSSkYUSUBy9N4/ud1egmd04WkJ0kBiBaR7K6fQUU4=;
	h=From:To:Subject:Date:From;
	b=Zyj0V6xizLwSTqtlEk3dzxJ6iteSZdozsonPDBstJGs6Oye1grmIylu87cMZY0/uB
	 gjX9nNOABDmympiiy1Pj/kX6gV+1b/XhB2aiuPXNZKUBCUFTDbUxlaXlNpxH939MeN
	 q3SRZW/UvyjyGMOvbjjrBCH4VSuguKjrvvWUYz6I=
X-Auth-ID: abbotti@mev.co.uk
Received: by smtp9.relay.iad3b.emailsrvr.com (Authenticated sender:
 abbotti-AT-mev.co.uk) with ESMTPSA id 087AC202B2;
	Wed, 27 May 2026 08:51:16 -0400 (EDT)
From: Ian Abbott <abbotti@mev.co.uk>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	Ian Abbott <abbotti@mev.co.uk>,
	H Hartley Sweeten <hsweeten@visionengravers.com>,
	syzbot+f24c3d5d316011bacc70@syzkaller.appspotmail.com,
	stable@vger.kernel.org
Subject: [PATCH] comedi: comedi_parport: deal with premature interrupt
Date: Wed, 27 May 2026 13:51:03 +0100
Message-ID: <20260527125104.96596-1-abbotti@mev.co.uk>
X-Mailer: git-send-email 2.53.0
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
X-Classification-ID: 749361a5-45d2-4ce0-9db5-435fda4ae986-1-1
Content-Type: text/plain; charset="utf-8"

Syzbot reported a general protection fault in
`comedi_get_is_subdevice_running()`, which was called from the interrupt
handler `parport_interrupt()` in the "comedi_parport" driver, but it
does not currently have a C reproducer for the problem.  It's
probably due to a premature interrupt for one of two reasons:

1. The driver sets up the interrupt handler before the comedi subdevices
   used by the interrupt handler have been allocated, but does not
   disable the interrupt in the parallel port's CTRL register first.
2. The driver uses a user-supplied I/O port base address which Syzbot
   would have supplied, but it might not be backed by real parallel port
   hardware.

Change the initialization order in the driver's comedi "attach" handler
(`parport_attach()`) so that the hardware registers are initialized
before the interrupt handler is requested.  This should prevent
premature interrupts occurring for real hardware.

Also add a test to the interrupt handler to ensure the comedi device is
fully attached and return early if it isn't.

Fixes: 241ab6ad7108e ("Staging: comedi: add comedi_parport driver")
Reported-by: syzbot+f24c3d5d316011bacc70@syzkaller.appspotmail.com
Cc: <stable@vger.kernel.org>
Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
---
 drivers/comedi/drivers/comedi_parport.c | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/drivers/comedi/drivers/comedi_parport.c b/drivers/comedi/drive=
rs/comedi_parport.c
index 2604680d86c4a..57ee3f9dfba26 100644
--- a/drivers/comedi/drivers/comedi_parport.c
+++ b/drivers/comedi/drivers/comedi_parport.c
@@ -211,6 +211,13 @@ static irqreturn_t parport_interrupt(int irq, void *d)
 	unsigned int ctrl;
 	unsigned short val =3D 0;
=20
+	/*
+	 * Check device is fully attached.  Device interrupts should have
+	 * been disabled, but do this in case of bad hardware.
+	 */
+	if (!dev->attached)
+		return IRQ_NONE;
+
 	ctrl =3D inb(dev->iobase + PARPORT_CTRL_REG);
 	if (!(ctrl & PARPORT_CTRL_IRQ_ENA))
 		return IRQ_NONE;
@@ -233,6 +240,9 @@ static int parport_attach(struct comedi_device *dev,
 	if (ret)
 		return ret;
=20
+	outb(0, dev->iobase + PARPORT_DATA_REG);
+	outb(0, dev->iobase + PARPORT_CTRL_REG);
+
 	if (it->options[1]) {
 		ret =3D request_irq(it->options[1], parport_interrupt, 0,
 				  dev->board_name, dev);
@@ -288,9 +298,6 @@ static int parport_attach(struct comedi_device *dev,
 		s->cancel	=3D parport_intr_cancel;
 	}
=20
-	outb(0, dev->iobase + PARPORT_DATA_REG);
-	outb(0, dev->iobase + PARPORT_CTRL_REG);
-
 	return 0;
 }
=20
--=20
2.53.0