Forwarded: [PATCH] comedi: dt2815: Add debug logging to diagnose iobase issue

Posted by syzbot 1 week, 5 days ago
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: [PATCH] comedi: dt2815: Add debug logging to diagnose iobase issue
Author: kartikey406@gmail.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master


Add comprehensive debug logging to dt2815_attach() to diagnose the
page fault crash reported by syzbot. The crash occurs at line 199
when attempting outb() operation, with a fault at address 0xfffffffffffffff0.

This debug patch will help determine:
- Whether it->options[0] is correctly passed
- If dev->iobase is properly set by comedi_request_region()
- If dev->iobase value changes during execution
- The exact status value that triggers the crash path

Once we identify the root cause from the logs, a proper fix will be
implemented.

Reported-by: syzbot+72f94b474d6e50b71ffc@syzkaller.appspotmail.com
Link: https://syzkaller.appspot.com/bug?extid=72f94b474d6e50b71ffc
Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
---
 drivers/comedi/drivers/dt2815.c | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/drivers/comedi/drivers/dt2815.c b/drivers/comedi/drivers/dt2815.c
index 03ba2fd18a21..8e77c9851110 100644
--- a/drivers/comedi/drivers/dt2815.c
+++ b/drivers/comedi/drivers/dt2815.c
@@ -144,10 +144,15 @@ static int dt2815_attach(struct comedi_device *dev, struct comedi_devconfig *it)
 	const struct comedi_lrange *current_range_type, *voltage_range_type;
 	int ret;
 
+	printk(KERN_INFO "dt2815: it->options[0] = 0x%lx\n", it->options[0]);
+
 	ret = comedi_request_region(dev, it->options[0], 0x2);
 	if (ret)
 		return ret;
 
+	printk(KERN_INFO "dt2815: after comedi_request_region, dev->iobase = 0x%lx\n", dev->iobase);
+
+
 	ret = comedi_alloc_subdevices(dev, 1);
 	if (ret)
 		return ret;
@@ -176,13 +181,18 @@ static int dt2815_attach(struct comedi_device *dev, struct comedi_devconfig *it)
 	}
 
 	/* Init the 2815 */
+	printk(KERN_INFO "dt2815: Before first outb, dev->iobase = 0x%lx\n", dev->iobase);
 	outb(0x00, dev->iobase + DT2815_STATUS);
+	printk(KERN_INFO "dt2815: After first outb\n");
+
 	for (i = 0; i < 100; i++) {
 		/* This is incredibly slow (approx 20 ms) */
 		unsigned int status;
 
 		usleep_range(1000, 3000);
+		printk(KERN_INFO "dt2815: Loop iteration %d, dev->iobase = 0x%lx\n", i, dev->iobase);
 		status = inb(dev->iobase + DT2815_STATUS);
+		printk(KERN_INFO "dt2815: status = 0x%x\n", status);
 		if (status == 4) {
 			unsigned int program;
 
@@ -195,8 +205,11 @@ static int dt2815_attach(struct comedi_device *dev, struct comedi_devconfig *it)
 			dev_dbg(dev->class_dev,
 				"unexpected status 0x%x (@t=%d)\n",
 				status, i);
-			if (status & 0x60)
+			if (status & 0x60) {
+				printk(KERN_INFO "dt2815: About to do second outb, dev = %px, dev->iobase = 0x%lx\n", dev, dev->iobase);
 				outb(0x00, dev->iobase + DT2815_STATUS);
+				printk(KERN_INFO "dt2815: After second outb\n");
+			}
 		}
 	}
 
-- 
2.43.0