From nobody Sat Feb 7 15:09:45 2026 Received: from mail-oo1-f72.google.com (mail-oo1-f72.google.com [209.85.161.72]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 384A0279917 for ; Mon, 26 Jan 2026 06:42:51 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.161.72 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1769409772; cv=none; b=ErTYhZL6K2dy2XsB5hVvs/PR8kG+vRyOKd8Mq1N/Cezl3gk9JcodlLimKM+oLa+/At8NOQgenn0I2gLyn4pllAM7Jwxmpi0SVsAe2v0K1gErCX/Cfv/iCt4THIKkNvFu4qIs88AiUhBNKksvmPaM4tlyG/xdrzApB2MgI1hFaLY= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1769409772; c=relaxed/simple; bh=hwa4PFPbXt7GYIOe58+KsbCpDxpWSJgtlPZqfYZHS4I=; h=MIME-Version:Date:In-Reply-To:Message-ID:Subject:From:To: Content-Type; b=oh7SzLpj0tEdXAzxU3osrRk2sSunZQK90oEdSIyX0+t8xe8dbYlIIaL27lGw/lS+r/c7Jcpkwa8IIOEzqNvLzhN2gi01IwujRHWYC9SdB9wJOJSPVs2NxDQTQCQpFcCrauOUdYZhchM1Tnqm8tBzmhaF9z0MobDMXuId1GOSu/s= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=fail (p=none dis=none) header.from=syzkaller.appspotmail.com; spf=pass smtp.mailfrom=M3KW2WVRGUFZ5GODRSRYTGD7.apphosting.bounces.google.com; arc=none smtp.client-ip=209.85.161.72 Authentication-Results: smtp.subspace.kernel.org; dmarc=fail (p=none dis=none) header.from=syzkaller.appspotmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=M3KW2WVRGUFZ5GODRSRYTGD7.apphosting.bounces.google.com Received: by mail-oo1-f72.google.com with SMTP id 006d021491bc7-6610d90a391so7569624eaf.2 for ; Sun, 25 Jan 2026 22:42:51 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1769409770; x=1770014570; h=to:from:subject:message-id:in-reply-to:date:mime-version :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=SGxoIzeLA29oUYKMjjwFk65EVTZIy0vlOZ1jshH3qwc=; b=bbOQzPJyKRDzvgINwHLgAZfW3cs7AYxQA3kr4lc/3oft0ugngeh78iJscGeXM3qT9I SBSmpuBfJYmdGPOyVFHlFKq+gSWxGnuFfwwY5E24FQGv2dRdPS+TCJIrhHwu+oWmcFzq HuuqiLa6EpQaNyyDx+lD4ka6phSz3TNFmLwfFxubNl7zRuG8PFz6AnOy5jmkdl9OKi1v xhgkFR3iRQHOAlFW6q77Y2FjatUO9xMs9GwWth/XZvISPI4K9xyb0jKcRqlwNjzr5P0i uh2PGnpeKXfOFXGVHl3/eFnMqKPQBN2bZ2e/xLlilEHhdOd2v+VC0dNKxnKFTe+J6CuD ZN4g== X-Gm-Message-State: AOJu0YweJqJNgFGcpfehOtRnaFryEHoQFih2XgzvkR/utyaDyhPOxm/z z6514jeJGz1VGKBMAmfyYePfykR6BzdYEmcwjGawPt422pKOTpRyaiFiFZyGYKL+5K/pEIg09GR R3m3BNFzTue6LvVUX8YUeA2AYsL4rtOjJnd4zzaM/jTRZtbf6cWaPgJ/bXFg= Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Received: by 2002:a05:6820:994:b0:659:9a49:9044 with SMTP id 006d021491bc7-662e01cf179mr1722983eaf.15.1769409770376; Sun, 25 Jan 2026 22:42:50 -0800 (PST) Date: Sun, 25 Jan 2026 22:42:50 -0800 In-Reply-To: <69746a86.050a0220.226181.0003.GAE@google.com> X-Google-Appengine-App-Id: s~syzkaller X-Google-Appengine-App-Id-Alias: syzkaller Message-ID: <69770cea.050a0220.226181.0014.GAE@google.com> Subject: Forwarded: [PATCH] comedi: dt2815: add hardware detection to prevent crash From: syzbot To: linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" For archival purposes, forwarding an incoming command email to linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com. *** Subject: [PATCH] comedi: dt2815: add hardware detection to prevent crash Author: kartikey406@gmail.com #syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git= master The dt2815 driver crashes when attached to I/O ports without actual hardware present. This occurs because syzkaller or users can attach the driver to arbitrary I/O addresses via COMEDI_DEVCONFIG ioctl. When no hardware exists at the specified port, inb() operations return 0xff (floating bus), but outb() operations can trigger page faults due to undefined behavior, especially under race conditions: BUG: unable to handle page fault for address: 000000007fffff90 #PF: supervisor write access in kernel mode #PF: error_code(0x0002) - not-present page RIP: 0010:dt2815_attach+0x6e0/0x1110 Add hardware detection by reading the status register before attempting any write operations. If the read returns 0xff, assume no hardware is present and fail the attach with -ENODEV. This prevents crashes from outb() operations on non-existent hardware. Reported-by: syzbot+72f94b474d6e50b71ffc@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=3D72f94b474d6e50b71ffc Signed-off-by: Deepanshu Kartikey --- drivers/comedi/drivers/dt2815.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/drivers/comedi/drivers/dt2815.c b/drivers/comedi/drivers/dt281= 5.c index 03ba2fd18a21..7c642860f127 100644 --- a/drivers/comedi/drivers/dt2815.c +++ b/drivers/comedi/drivers/dt2815.c @@ -175,6 +175,18 @@ static int dt2815_attach(struct comedi_device *dev, st= ruct comedi_devconfig *it) ? current_range_type : voltage_range_type; } =20 + /* + * Check if hardware is present before attempting any I/O operations. + * Reading 0xff from status register typically indicates no hardware + * on the bus (floating bus reads as all 1s). + */ + if (inb(dev->iobase + DT2815_STATUS) =3D=3D 0xff) { + dev_err(dev->class_dev, + "No hardware detected at I/O base 0x%lx\n", + dev->iobase); + return -ENODEV; + } + /* Init the 2815 */ outb(0x00, dev->iobase + DT2815_STATUS); for (i =3D 0; i < 100; i++) { --=20 2.43.0