From: Edward Adam Davis
To: syzbot+f238baf6ded841b5a82e@syzkaller.appspotmail.com
Cc: abbotti@mev.co.uk, hsweeten@visionengravers.com, linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com
Subject: [PATCH] comedi: runflags cannot determine whether to reclaim chanlist
Date: Mon, 15 Dec 2025 19:11:37 +0800
In-Reply-To: <693f889b.a70a0220.104cf0.0334.GAE@google.com>

syzbot reported a memory leak [1], because patch 4e1da516debb did not consider the exceptional exit case in do_cmd_ioctl() where runflags is not set. This caused chanlist not to be properly freed by do_become_nonbusy(), as it only frees chanlist when runflags is correctly set.

Added a check in do_become_nonbusy() for the case where runflags is not set, to properly free the chanlist memory.

[1]
BUG: memory leak
backtrace (crc 844a0efa):
  __comedi_get_user_chanlist drivers/comedi/comedi_fops.c:1815 [inline]
  do_cmd_ioctl.part.0+0x112/0x350 drivers/comedi/comedi_fops.c:1890
  do_cmd_ioctl drivers/comedi/comedi_fops.c:1858 [inline]

Fixes: 4e1da516debb ("comedi: Add reference counting for Comedi command handling")
Reported-by: syzbot+f238baf6ded841b5a82e@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=f238baf6ded841b5a82e
Signed-off-by: Edward Adam Davis
Reviewed-by: Ian Abbott
--- drivers/comedi/comedi_fops.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/drivers/comedi/comedi_fops.c b/drivers/comedi/comedi_fops.c index 657c98cd723e..003586a381ad 100644 --- a/drivers/comedi/comedi_fops.c +++ b/drivers/comedi/comedi_fops.c
@@ -793,13 +793,15 @@ static void do_become_nonbusy(struct comedi_device *d= ev, __comedi_clear_subdevice_runflags(s, COMEDI_SRF_RUNNING | COMEDI_SRF_BUSY); spin_unlock_irqrestore(&s->spin_lock, flags); - if (comedi_is_runflags_busy(runflags)) { + if (async) { /* * "Run active" counter was set to 1 when setting up the * command. Decrement it and wait for it to become 0. */ - comedi_put_is_subdevice_running(s); - wait_for_completion(&async->run_complete); + if (comedi_is_runflags_busy(runflags)) { + comedi_put_is_subdevice_running(s); + wait_for_completion(&async->run_complete); + } comedi_buf_reset(s); async->inttrig =3D NULL; kfree(async->cmd.chanlist); --=20 2.43.0
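Review bot: the `kfree(async->cmd.chanlist)` at the end of the hunk is no longer gated on COMEDI_SRF_BUSY, so please confirm that the pointer is cleared to NULL right after the free (the hunk's context stops before that line); with only `if (async)` guarding it, a second call to do_become_nonbusy() on the same subdevice would otherwise free the same chanlist twice. The same applies to `comedi_buf_reset(s)` and `async->inttrig = NULL`, which now run for every subdevice that has async, so the changelog should say that this is intended and harmless when no command was ever set up. The existing "Run active" comment now documents only the inner `if (comedi_is_runflags_busy(runflags))` block; consider adding a short comment on the outer `if (async)` explaining that the buffer reset and chanlist free must also happen when do_cmd_ioctl() bails out before BUSY is set, since that is the case the fix exists for.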