linux-toradex.git/drivers/comedi, branch v6.19-rc2 Linux kernel for Apalis and Colibri modules Merge tag 'char-misc-6.19-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc 2025-12-07T02:34:24+00:00 Linus Torvalds torvalds@linux-foundation.org 2025-12-07T02:34:24+00:00 83bd89291f5cc866f60d32c34e268896c7ba8a3d Pull char/misc/IIO driver updates from Greg KH: "Here is the big set of char/misc/iio driver updates for 6.19-rc1. Lots of stuff in here including: - lots of IIO driver updates, cleanups, and additions - large interconnect driver changes as they get converted over to a dynamic system of ids - coresight driver updates - mwave driver updates - binder driver updates and changes - comedi driver fixes now that the fuzzers are being set loose on them - nvmem driver updates - new uio driver addition - lots of other small char/misc driver updates, full details in the shortlog All of these have been in linux-next for a while now" * tag 'char-misc-6.19-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc: (304 commits) char: applicom: fix NULL pointer dereference in ac_ioctl hangcheck-timer: fix coding style spacing hangcheck-timer: Replace %Ld with %lld hangcheck-timer: replace printk(KERN_CRIT) with pr_crit uio: Add SVA support for PCI devices via uio_pci_generic_sva.c dt-bindings: slimbus: fix warning from example intel_th: Fix error handling in intel_th_output_open misc: rp1: Fix an error handling path in rp1_probe() char: xillybus: add WQ_UNBOUND to alloc_workqueue users misc: bh1770glc: use pm_runtime_resume_and_get() in power_state_store misc: cb710: Fix a NULL vs IS_ERR() check in probe() mux: mmio: Add suspend and resume support virt: acrn: split acrn_mmio_dev_res out of acrn_mmiodev greybus: gb-beagleplay: Fix timeout handling in bootloader functions greybus: add WQ_PERCPU to alloc_workqueue users char/mwave: drop typedefs char/mwave: drop printk wrapper char/mwave: remove printk tracing char/mwave: remove unneeded fops char/mwave: remove MWAVE_FUTZ_WITH_OTHER_DEVICES ifdeffery ... 
Pull char/misc/IIO driver updates from Greg KH:
 "Here is the big set of char/misc/iio driver updates for 6.19-rc1. Lots
  of stuff in here including:

   - lots of IIO driver updates, cleanups, and additions

   - large interconnect driver changes as they get converted over to a
     dynamic system of ids

   - coresight driver updates

   - mwave driver updates

   - binder driver updates and changes

   - comedi driver fixes now that the fuzzers are being set loose on
     them

   - nvmem driver updates

   - new uio driver addition

   - lots of other small char/misc driver updates, full details in the
     shortlog

  All of these have been in linux-next for a while now"

* tag 'char-misc-6.19-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc: (304 commits)
  char: applicom: fix NULL pointer dereference in ac_ioctl
  hangcheck-timer: fix coding style spacing
  hangcheck-timer: Replace %Ld with %lld
  hangcheck-timer: replace printk(KERN_CRIT) with pr_crit
  uio: Add SVA support for PCI devices via uio_pci_generic_sva.c
  dt-bindings: slimbus: fix warning from example
  intel_th: Fix error handling in intel_th_output_open
  misc: rp1: Fix an error handling path in rp1_probe()
  char: xillybus: add WQ_UNBOUND to alloc_workqueue users
  misc: bh1770glc: use pm_runtime_resume_and_get() in power_state_store
  misc: cb710: Fix a NULL vs IS_ERR() check in probe()
  mux: mmio: Add suspend and resume support
  virt: acrn: split acrn_mmio_dev_res out of acrn_mmiodev
  greybus: gb-beagleplay: Fix timeout handling in bootloader functions
  greybus: add WQ_PERCPU to alloc_workqueue users
  char/mwave: drop typedefs
  char/mwave: drop printk wrapper
  char/mwave: remove printk tracing
  char/mwave: remove unneeded fops
  char/mwave: remove MWAVE_FUTZ_WITH_OTHER_DEVICES ifdeffery
  ...
Merge tag 'hardening-v6.19-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux 2025-12-05T17:11:02+00:00 Linus Torvalds torvalds@linux-foundation.org 2025-12-05T17:11:02+00:00 ed1b409137bb9f49090362d34360ab80f88b9a5e Pull hardening updates from Kees Cook: - string: Add missing kernel-doc return descriptions (Kriish Sharma) - Update some mis-typed allocations These correct some accidentally wrong types used in allocations (that didn't affect the resulting size) that never got picked up from the batch I sent a few months ago. - Enable GCC diagnostic context for value-tracking warnings This results in better GCC diagnostics for the value range tracking, so we can get better visibility into where those values are coming from when we get out-of-bounds warnings at compile time. * tag 'hardening-v6.19-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux: kbuild: Enable GCC diagnostic context for value-tracking warnings string: Add missing kernel-doc return descriptions media: iris: Cast iris_hfi_gen2_get_instance() allocation type drm/plane: Remove const qualifier from plane->modifiers allocation type comedi: Adjust range_table_list allocation type 
Pull hardening updates from Kees Cook:

 - string: Add missing kernel-doc return descriptions (Kriish Sharma)

 - Update some mis-typed allocations

   These correct some accidentally wrong types used in allocations (that
   didn't affect the resulting size) that never got picked up from the
   batch I sent a few months ago.

 - Enable GCC diagnostic context for value-tracking warnings

   This results in better GCC diagnostics for the value range tracking,
   so we can get better visibility into where those values are coming
   from when we get out-of-bounds warnings at compile time.

* tag 'hardening-v6.19-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux:
  kbuild: Enable GCC diagnostic context for value-tracking warnings
  string: Add missing kernel-doc return descriptions
  media: iris: Cast iris_hfi_gen2_get_instance() allocation type
  drm/plane: Remove const qualifier from plane->modifiers allocation type
  comedi: Adjust range_table_list allocation type
comedi: 8255: Fail to attach if fail to request I/O port region 2025-11-26T13:20:20+00:00 Ian Abbott abbotti@mev.co.uk 2025-10-28T11:28:33+00:00 98d86d87aafb01e7c60b46d327a0a32619a167ff The COMEDI standalone 8255 driver can be used to configure a COMEDI device consisting of one of more subdevices, each using an 8255 digital I/O chip mapped to a range of port I/O addresses. The base port I/O address of each chip is specified in an array of integer option values by the `COMEDI_DEVCONFIG` ioctl. When support for multiple 8255 subdevices per device was added in the out-of-tree comedi 0.7.27 back in 1999, if any port I/O region could not be requested, then the corresponding subdevice was set to be an "unused" subdevice, and the COMEDI device would still be set-up OK as long as those were the only types of errors. That has persisted until the present day, but seems a bit odd in retrospect. All the other COMEDI drivers that use port I/O or memory regions will fail to set up the device if any region cannot be requested. It seems unlikely that the sys admin would deliberately choose a port that cannot be requested just to leave a gap in the device's usable subdevice numbers, and failing to set-up the device will provide a more noticeable indication that something hasn't been set-up correctly, so change the driver to fail to set up the device if any of the port I/O regions cannot be requested. Signed-off-by: Ian Abbott <abbotti@mev.co.uk> Link: https://patch.msgid.link/20251028112833.15033-1-abbotti@mev.co.uk Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
The COMEDI standalone 8255 driver can be used to configure a COMEDI
device consisting of one of more subdevices, each using an 8255 digital
I/O chip mapped to a range of port I/O addresses.  The base port I/O
address of each chip is specified in an array of integer option values
by the `COMEDI_DEVCONFIG` ioctl.

When support for multiple 8255 subdevices per device was added in the
out-of-tree comedi 0.7.27 back in 1999, if any port I/O region could not
be requested, then the corresponding subdevice was set to be an "unused"
subdevice, and the COMEDI device would still be set-up OK as long as
those were the only types of errors.  That has persisted until the
present day, but seems a bit odd in retrospect.  All the other COMEDI
drivers that use port I/O or memory regions will fail to set up the
device if any region cannot be requested.  It seems unlikely that the
sys admin would deliberately choose a port that cannot be requested just
to leave a gap in the device's usable subdevice numbers, and failing to
set-up the device will provide a more noticeable indication that
something hasn't been set-up correctly, so change the driver to fail to
set up the device if any of the port I/O regions cannot be requested.

Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
Link: https://patch.msgid.link/20251028112833.15033-1-abbotti@mev.co.uk
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
comedi: comedi_bond: Check for loops when bonding devices 2025-11-26T13:20:10+00:00 Ian Abbott abbotti@mev.co.uk 2025-10-27T15:25:03+00:00 2402f958cf3b2e96975ad5fd14784a108b7defe3 The "comedi_bond" driver allows a composite COMEDI device to be built up from the subdevices of other COMEDI devices, although it currently only supports digital I/O subdevices. Although it checks that it is not trying to bind to itself, it is possible to end up with a cycle of "comedi_bond" devices bound to each other. For example: 1. Configure /dev/comedi0 to use some COMEDI hardware device with digital I/O subdevices, but not a "comedi_bond" device. 2. Configure /dev/comedi1 as a "comedi_bond" device bound to /dev/comedi0. 3. Unconfigure /dev/comedi0 and reconfigure it as a "comedi_bond" device bound to /dev/comedi1. Now we have /dev/comedi0 and /dev/comedi1 bound in a cycle. When an operation is performed on the digital I/O subdevice of /dev/comedi0 for example, it will try and perform the operation on /dev/comedi1, which will try and perform the operation on /dev/comedi0. The task will end up deadlocked trying to lock /dev/comedi0's mutex which it has already locked. I discovered that possibility while investigating fix sysbot crash https://syzkaller.appspot.com/bug?extid=4a6138c17a47937dcea1 ("possible deadlock in comedi_do_insn"), but I think that report may be a false positive. To avoid that, replace the calls to `comedi_open()` and `comedi_close()` in "kcomedilib" with calls to `comedi_open_from()` and `comedi_close_from()`. These take an extra parameter that indicates the COMEDI minor device number from which the open or close is being performed. `comedi_open_from()` will refuse to open the device if doing so would result in a cycle. The cycle detection depends on the extra parameter having the correct value for this device and also for existing devices in the chain. Signed-off-by: Ian Abbott <abbotti@mev.co.uk> Link: https://patch.msgid.link/20251027153748.4569-3-abbotti@mev.co.uk Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
The "comedi_bond" driver allows a composite COMEDI device to be built up
from the subdevices of other COMEDI devices, although it currently only
supports digital I/O subdevices.  Although it checks that it is not
trying to bind to itself, it is possible to end up with a cycle of
"comedi_bond" devices bound to each other.  For example:

1. Configure /dev/comedi0 to use some COMEDI hardware device with
   digital I/O subdevices, but not a "comedi_bond" device.
2. Configure /dev/comedi1 as a "comedi_bond" device bound to
   /dev/comedi0.
3. Unconfigure /dev/comedi0 and reconfigure it as a "comedi_bond" device
   bound to /dev/comedi1.

Now we have /dev/comedi0 and /dev/comedi1 bound in a cycle.  When an
operation is performed on the digital I/O subdevice of /dev/comedi0 for
example, it will try and perform the operation on /dev/comedi1, which
will try and perform the operation on /dev/comedi0.  The task will end
up deadlocked trying to lock /dev/comedi0's mutex which it has already
locked.

I discovered that possibility while investigating fix sysbot crash
https://syzkaller.appspot.com/bug?extid=4a6138c17a47937dcea1 ("possible
deadlock in comedi_do_insn"), but I think that report may be a false
positive.

To avoid that, replace the calls to `comedi_open()` and `comedi_close()`
in "kcomedilib" with calls to `comedi_open_from()` and
`comedi_close_from()`.  These take an extra parameter that indicates the
COMEDI minor device number from which the open or close is being
performed.  `comedi_open_from()` will refuse to open the device if doing
so would result in a cycle.  The cycle detection depends on the extra
parameter having the correct value for this device and also for existing
devices in the chain.

Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
Link: https://patch.msgid.link/20251027153748.4569-3-abbotti@mev.co.uk
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
comedi: kcomedilib: Add loop checking variants of open and close 2025-11-26T13:20:10+00:00 Ian Abbott abbotti@mev.co.uk 2025-10-27T15:25:02+00:00 d1b3b9c70e11cb4f40b4e41a4dc1503b9a3c0109 Add `comedi_open_from(path, from)` and `comedi_close_from(dev, from)` as variants of the existing `comedi_from(path)` and `comedi_close(dev)`. The additional `from` parameter is a minor device number that tells the function that the COMEDI device is being opened or closed from another COMEDI device if the value is in the range [0, `COMEDI_NUM_BOARD_MINORS`-1]. In that case the function will refuse to open the device if it would lead to a chain of devices opening each other. (It will also impose a limit on the number of simultaneous opens from one device to another because we need to count those.) The new functions are intended to be used by the "comedi_bond" driver, which is the only driver that uses the existing `comedi_open()` and `comedi_close()` functions. The new functions will be used to avoid some possible deadlock situations. Replace the existing, exported `comedi_open()` and `comedi_close()` functions with inline wrapper functions that call the newly exported `comedi_open_from()` and `comedi_close_from()` functions. Signed-off-by: Ian Abbott <abbotti@mev.co.uk> Link: https://patch.msgid.link/20251027153748.4569-2-abbotti@mev.co.uk Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
Add `comedi_open_from(path, from)` and `comedi_close_from(dev, from)` as
variants of the existing `comedi_from(path)` and `comedi_close(dev)`.
The additional `from` parameter is a minor device number that tells the
function that the COMEDI device is being opened or closed from another
COMEDI device if the value is in the range [0,
`COMEDI_NUM_BOARD_MINORS`-1].  In that case the function will refuse to
open the device if it would lead to a chain of devices opening each
other.  (It will also impose a limit on the number of simultaneous opens
from one device to another because we need to count those.)

The new functions are intended to be used by the "comedi_bond" driver,
which is the only driver that uses the existing `comedi_open()` and
`comedi_close()` functions.  The new functions will be used to avoid
some possible deadlock situations.

Replace the existing, exported `comedi_open()` and `comedi_close()`
functions with inline wrapper functions that call the newly exported
`comedi_open_from()` and `comedi_close_from()` functions.

Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
Link: https://patch.msgid.link/20251027153748.4569-2-abbotti@mev.co.uk
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
comedi: Use reference count for asynchronous command functions 2025-11-26T13:19:41+00:00 Ian Abbott abbotti@mev.co.uk 2025-10-23T13:28:19+00:00 51495254fda43cf1027fe052a77bea742ca23a05 For interrupts from badly behaved hardware (as emulated by Syzbot), it is possible for the Comedi core functions that manage the progress of asynchronous data acquisition to be called from driver ISRs while no asynchronous command has been set up, which can cause problems such as invalid pointer dereferencing or dividing by zero. Change those functions in the Comedi core to use this pattern: if `comedi_get_is_subdevice_running(s)` returns `true` then call a safe version of the function with the same name prefixed with an underscore, followed by a call to `comedi_put_is_subdevice_running(s)`, otherwise take some default action. `comedi_get_is_subdevice_running(s)` returning `true` ensures that the details of the asynchronous command will not be destroyed before the matching call to `comedi_put_is_subdevice_running(s)`. Replace calls to those functions from elsewhere in the Comedi core with calls to the safe versions of the functions. The modified functions are: `comedi_buf_read_alloc()`, `comedi_buf_read_free()`, `comedi_buf_read_n_available()`, `comedi_buf_read_samples()`, `comedi_buf_write_alloc()`, `comedi_buf_write_free()`, `comedi_buf_write_samples()`, `comedi_bytes_per_scan()`, `comedi_event()`, `comedi_handle_events()`, `comedi_inc_scan_progress()`, `comedi_nsamples_left()`, `comedi_nscans_left()`. Signed-off-by: Ian Abbott <abbotti@mev.co.uk> Link: https://patch.msgid.link/20251023133001.8439-3-abbotti@mev.co.uk Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
For interrupts from badly behaved hardware (as emulated by Syzbot), it
is possible for the Comedi core functions that manage the progress of
asynchronous data acquisition to be called from driver ISRs while no
asynchronous command has been set up, which can cause problems such as
invalid pointer dereferencing or dividing by zero.

Change those functions in the Comedi core to use this pattern: if
`comedi_get_is_subdevice_running(s)` returns `true` then call a safe
version of the function with the same name prefixed with an underscore,
followed by a call to `comedi_put_is_subdevice_running(s)`, otherwise
take some default action.

`comedi_get_is_subdevice_running(s)` returning `true` ensures that the
details of the asynchronous command will not be destroyed before the
matching call to `comedi_put_is_subdevice_running(s)`.

Replace calls to those functions from elsewhere in the Comedi core with
calls to the safe versions of the functions.

The modified functions are: `comedi_buf_read_alloc()`,
`comedi_buf_read_free()`, `comedi_buf_read_n_available()`,
`comedi_buf_read_samples()`, `comedi_buf_write_alloc()`,
`comedi_buf_write_free()`, `comedi_buf_write_samples()`,
`comedi_bytes_per_scan()`, `comedi_event()`, `comedi_handle_events()`,
`comedi_inc_scan_progress()`, `comedi_nsamples_left()`,
`comedi_nscans_left()`.

Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
Link: https://patch.msgid.link/20251023133001.8439-3-abbotti@mev.co.uk
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
comedi: Add reference counting for Comedi command handling 2025-11-26T13:19:41+00:00 Ian Abbott abbotti@mev.co.uk 2025-10-23T13:28:18+00:00 4e1da516debbe6a573ffa0392e2809d180d0575c For interrupts from badly behaved hardware (as emulated by Syzbot), it is possible for the Comedi core functions that manage the progress of asynchronous data acquisition to be called from driver ISRs while no asynchronous command has been set up, which can cause problems such as invalid pointer dereferencing or dividing by zero. To help protect against that, introduce new functions to maintain a reference counter for asynchronous commands that are being set up. `comedi_get_is_subdevice_running(s)` will check if a command has been set up on a subdevice and is still marked as running, and if so will increment the reference counter and return `true`, otherwise it will return `false` without modifying the reference counter. `comedi_put_is_subdevice_running(s)` will decrement the reference counter and set a completion event when decremented to 0. Change the `do_cmd_ioctl()` function (responsible for setting up the asynchronous command) to reinitialize the completion event and set the reference counter to 1 before it marks the subdevice as running. Change the `do_become_nonbusy()` function (responsible for destroying a completed command) to call `comedi_put_is_subdevice_running(s)` and wait for the completion event after marking the subdevice as not running. Because the subdevice normally gets marked as not running before the call to `do_become_nonbusy()` (and may also be called when the Comedi device is being detached from the low-level driver), add a new flag `COMEDI_SRF_BUSY` to the set of subdevice run-flags that indicates that an asynchronous command was set up and will need to be destroyed. This flag is set by `do_cmd_ioctl()` and cleared and checked by `do_become_nonbusy()`. Subsequent patches will change the Comedi core functions that are called from low-level drivers for asynchrous command handling to make use of the `comedi_get_is_subdevice_running()` and `comedi_put_is_subdevice_running()` functions, and will modify the ISRs of some of these low-level drivers if they dereference the subdevice's `async` pointer directly. Signed-off-by: Ian Abbott <abbotti@mev.co.uk> Link: https://patch.msgid.link/20251023133001.8439-2-abbotti@mev.co.uk Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
For interrupts from badly behaved hardware (as emulated by Syzbot), it
is possible for the Comedi core functions that manage the progress of
asynchronous data acquisition to be called from driver ISRs while no
asynchronous command has been set up, which can cause problems such as
invalid pointer dereferencing or dividing by zero.

To help protect against that, introduce new functions to maintain a
reference counter for asynchronous commands that are being set up.
`comedi_get_is_subdevice_running(s)` will check if a command has been
set up on a subdevice and is still marked as running, and if so will
increment the reference counter and return `true`, otherwise it will
return `false` without modifying the reference counter.
`comedi_put_is_subdevice_running(s)` will decrement the reference
counter and set a completion event when decremented to 0.

Change the `do_cmd_ioctl()` function (responsible for setting up the
asynchronous command) to  reinitialize the completion event and set the
reference counter to 1 before it marks the subdevice as running.  Change
the `do_become_nonbusy()` function (responsible for destroying a
completed command) to call `comedi_put_is_subdevice_running(s)` and wait
for the completion event after marking the subdevice as not running.

Because the subdevice normally gets marked as not running before the
call to `do_become_nonbusy()` (and may also be called when the Comedi
device is being detached from the low-level driver), add a new flag
`COMEDI_SRF_BUSY` to the set of subdevice run-flags that indicates that
an asynchronous command was set up and will need to be destroyed.  This
flag is set by `do_cmd_ioctl()` and cleared and checked by
`do_become_nonbusy()`.

Subsequent patches will change the Comedi core functions that are called
from low-level drivers for asynchrous command handling to make use of
the `comedi_get_is_subdevice_running()` and
`comedi_put_is_subdevice_running()` functions, and will modify the ISRs
of some of these low-level drivers if they dereference the subdevice's
`async` pointer directly.

Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
Link: https://patch.msgid.link/20251023133001.8439-2-abbotti@mev.co.uk
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
comedi: pcl818: fix null-ptr-deref in pcl818_ai_cancel() 2025-11-26T13:19:15+00:00 Nikita Zhandarovich n.zhandarovich@fintech.ru 2025-10-23T14:14:56+00:00 a51f025b5038abd3d22eed2ede4cd46793d89565 Syzbot identified an issue [1] in pcl818_ai_cancel(), which stems from the fact that in case of early device detach via pcl818_detach(), subdevice dev->read_subdev may not have initialized its pointer to &struct comedi_async as intended. Thus, any such dereferencing of &s->async->cmd will lead to general protection fault and kernel crash. Mitigate this problem by removing a call to pcl818_ai_cancel() from pcl818_detach() altogether. This way, if the subdevice setups its support for async commands, everything async-related will be handled via subdevice's own ->cancel() function in comedi_device_detach_locked() even before pcl818_detach(). If no support for asynchronous commands is provided, there is no need to cancel anything either. [1] Syzbot crash: Oops: general protection fault, probably for non-canonical address 0xdffffc0000000005: 0000 [#1] SMP KASAN PTI KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f] CPU: 1 UID: 0 PID: 6050 Comm: syz.0.18 Not tainted syzkaller #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025 RIP: 0010:pcl818_ai_cancel+0x69/0x3f0 drivers/comedi/drivers/pcl818.c:762 ... Call Trace: <TASK> pcl818_detach+0x66/0xd0 drivers/comedi/drivers/pcl818.c:1115 comedi_device_detach_locked+0x178/0x750 drivers/comedi/drivers.c:207 do_devconfig_ioctl drivers/comedi/comedi_fops.c:848 [inline] comedi_unlocked_ioctl+0xcde/0x1020 drivers/comedi/comedi_fops.c:2178 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:597 [inline] ... Reported-by: syzbot+fce5d9d5bd067d6fbe9b@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=fce5d9d5bd067d6fbe9b Fixes: 00aba6e7b565 ("staging: comedi: pcl818: remove 'neverending_ai' from private data") Cc: stable <stable@kernel.org> Signed-off-by: Nikita Zhandarovich <n.zhandarovich@fintech.ru> Reviewed-by: Ian Abbott <abbotti@mev.co.uk> Link: https://patch.msgid.link/20251023141457.398685-1-n.zhandarovich@fintech.ru Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
Syzbot identified an issue [1] in pcl818_ai_cancel(), which stems from
the fact that in case of early device detach via pcl818_detach(),
subdevice dev->read_subdev may not have initialized its pointer to
&struct comedi_async as intended. Thus, any such dereferencing of
&s->async->cmd will lead to general protection fault and kernel crash.

Mitigate this problem by removing a call to pcl818_ai_cancel() from
pcl818_detach() altogether. This way, if the subdevice setups its
support for async commands, everything async-related will be
handled via subdevice's own ->cancel() function in
comedi_device_detach_locked() even before pcl818_detach(). If no
support for asynchronous commands is provided, there is no need
to cancel anything either.

[1] Syzbot crash:
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000005: 0000 [#1] SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f]
CPU: 1 UID: 0 PID: 6050 Comm: syz.0.18 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025
RIP: 0010:pcl818_ai_cancel+0x69/0x3f0 drivers/comedi/drivers/pcl818.c:762
...
Call Trace:
 <TASK>
 pcl818_detach+0x66/0xd0 drivers/comedi/drivers/pcl818.c:1115
 comedi_device_detach_locked+0x178/0x750 drivers/comedi/drivers.c:207
 do_devconfig_ioctl drivers/comedi/comedi_fops.c:848 [inline]
 comedi_unlocked_ioctl+0xcde/0x1020 drivers/comedi/comedi_fops.c:2178
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:597 [inline]
...

Reported-by: syzbot+fce5d9d5bd067d6fbe9b@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=fce5d9d5bd067d6fbe9b
Fixes: 00aba6e7b565 ("staging: comedi: pcl818: remove 'neverending_ai' from private data")
Cc: stable <stable@kernel.org>
Signed-off-by: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
Reviewed-by: Ian Abbott <abbotti@mev.co.uk>
Link: https://patch.msgid.link/20251023141457.398685-1-n.zhandarovich@fintech.ru
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
comedi: multiq3: sanitize config options in multiq3_attach() 2025-11-26T13:19:00+00:00 Nikita Zhandarovich n.zhandarovich@fintech.ru 2025-10-23T13:22:04+00:00 f24c6e3a39fa355dabfb684c9ca82db579534e72 Syzbot identified an issue [1] in multiq3_attach() that induces a task timeout due to open() or COMEDI_DEVCONFIG ioctl operations, specifically, in the case of multiq3 driver. This problem arose when syzkaller managed to craft weird configuration options used to specify the number of channels in encoder subdevice. If a particularly great number is passed to s->n_chan in multiq3_attach() via it->options[2], then multiple calls to multiq3_encoder_reset() at the end of driver-specific attach() method will be running for minutes, thus blocking tasks and affected devices as well. While this issue is most likely not too dangerous for real-life devices, it still makes sense to sanitize configuration inputs. Enable a sensible limit on the number of encoder chips (4 chips max, each with 2 channels) to stop this behaviour from manifesting. [1] Syzbot crash: INFO: task syz.2.19:6067 blocked for more than 143 seconds. ... Call Trace: <TASK> context_switch kernel/sched/core.c:5254 [inline] __schedule+0x17c4/0x4d60 kernel/sched/core.c:6862 __schedule_loop kernel/sched/core.c:6944 [inline] schedule+0x165/0x360 kernel/sched/core.c:6959 schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:7016 __mutex_lock_common kernel/locking/mutex.c:676 [inline] __mutex_lock+0x7e6/0x1350 kernel/locking/mutex.c:760 comedi_open+0xc0/0x590 drivers/comedi/comedi_fops.c:2868 chrdev_open+0x4cc/0x5e0 fs/char_dev.c:414 do_dentry_open+0x953/0x13f0 fs/open.c:965 vfs_open+0x3b/0x340 fs/open.c:1097 ... Reported-by: syzbot+7811bb68a317954a0347@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=7811bb68a317954a0347 Fixes: 77e01cdbad51 ("Staging: comedi: add multiq3 driver") Cc: stable <stable@kernel.org> Signed-off-by: Nikita Zhandarovich <n.zhandarovich@fintech.ru> Reviewed-by: Ian Abbott <abbotti@mev.co.uk> Link: https://patch.msgid.link/20251023132205.395753-1-n.zhandarovich@fintech.ru Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
Syzbot identified an issue [1] in multiq3_attach() that induces a
task timeout due to open() or COMEDI_DEVCONFIG ioctl operations,
specifically, in the case of multiq3 driver.

This problem arose when syzkaller managed to craft weird configuration
options used to specify the number of channels in encoder subdevice.
If a particularly great number is passed to s->n_chan in
multiq3_attach() via it->options[2], then multiple calls to
multiq3_encoder_reset() at the end of driver-specific attach() method
will be running for minutes, thus blocking tasks and affected devices
as well.

While this issue is most likely not too dangerous for real-life
devices, it still makes sense to sanitize configuration inputs. Enable
a sensible limit on the number of encoder chips (4 chips max, each
with 2 channels) to stop this behaviour from manifesting.

[1] Syzbot crash:
INFO: task syz.2.19:6067 blocked for more than 143 seconds.
...
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5254 [inline]
 __schedule+0x17c4/0x4d60 kernel/sched/core.c:6862
 __schedule_loop kernel/sched/core.c:6944 [inline]
 schedule+0x165/0x360 kernel/sched/core.c:6959
 schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:7016
 __mutex_lock_common kernel/locking/mutex.c:676 [inline]
 __mutex_lock+0x7e6/0x1350 kernel/locking/mutex.c:760
 comedi_open+0xc0/0x590 drivers/comedi/comedi_fops.c:2868
 chrdev_open+0x4cc/0x5e0 fs/char_dev.c:414
 do_dentry_open+0x953/0x13f0 fs/open.c:965
 vfs_open+0x3b/0x340 fs/open.c:1097
...

Reported-by: syzbot+7811bb68a317954a0347@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=7811bb68a317954a0347
Fixes: 77e01cdbad51 ("Staging: comedi: add multiq3 driver")
Cc: stable <stable@kernel.org>
Signed-off-by: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
Reviewed-by: Ian Abbott <abbotti@mev.co.uk>
Link: https://patch.msgid.link/20251023132205.395753-1-n.zhandarovich@fintech.ru
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
comedi: check device's attached status in compat ioctls 2025-11-26T12:57:29+00:00 Nikita Zhandarovich n.zhandarovich@fintech.ru 2025-10-23T13:22:32+00:00 0de7d9cd07a2671fa6089173bccc0b2afe6b93ee Syzbot identified an issue [1] that crashes kernel, seemingly due to unexistent callback dev->get_valid_routes(). By all means, this should not occur as said callback must always be set to get_zero_valid_routes() in __comedi_device_postconfig(). As the crash seems to appear exclusively in i386 kernels, at least, judging from [1] reports, the blame lies with compat versions of standard IOCTL handlers. Several of them are modified and do not use comedi_unlocked_ioctl(). While functionality of these ioctls essentially copy their original versions, they do not have required sanity check for device's attached status. This, in turn, leads to a possibility of calling select IOCTLs on a device that has not been properly setup, even via COMEDI_DEVCONFIG. Doing so on unconfigured devices means that several crucial steps are missed, for instance, specifying dev->get_valid_routes() callback. Fix this somewhat crudely by ensuring device's attached status before performing any ioctls, improving logic consistency between modern and compat functions. [1] Syzbot report: BUG: kernel NULL pointer dereference, address: 0000000000000000 ... CR2: ffffffffffffffd6 CR3: 000000006c717000 CR4: 0000000000352ef0 Call Trace: <TASK> get_valid_routes drivers/comedi/comedi_fops.c:1322 [inline] parse_insn+0x78c/0x1970 drivers/comedi/comedi_fops.c:1401 do_insnlist_ioctl+0x272/0x700 drivers/comedi/comedi_fops.c:1594 compat_insnlist drivers/comedi/comedi_fops.c:3208 [inline] comedi_compat_ioctl+0x810/0x990 drivers/comedi/comedi_fops.c:3273 __do_compat_sys_ioctl fs/ioctl.c:695 [inline] __se_compat_sys_ioctl fs/ioctl.c:638 [inline] __ia32_compat_sys_ioctl+0x242/0x370 fs/ioctl.c:638 do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline] ... Reported-by: syzbot+ab8008c24e84adee93ff@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=ab8008c24e84adee93ff Fixes: 3fbfd2223a27 ("comedi: get rid of compat_alloc_user_space() mess in COMEDI_CHANINFO compat") Cc: stable <stable@kernel.org> Reviewed-by: Ian Abbott <abbotti@mev.co.uk> Signed-off-by: Nikita Zhandarovich <n.zhandarovich@fintech.ru> Link: https://patch.msgid.link/20251023132234.395794-1-n.zhandarovich@fintech.ru Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
Syzbot identified an issue [1] that crashes kernel, seemingly due to
unexistent callback dev->get_valid_routes(). By all means, this should
not occur as said callback must always be set to
get_zero_valid_routes() in __comedi_device_postconfig().

As the crash seems to appear exclusively in i386 kernels, at least,
judging from [1] reports, the blame lies with compat versions
of standard IOCTL handlers. Several of them are modified and
do not use comedi_unlocked_ioctl(). While functionality of these
ioctls essentially copy their original versions, they do not
have required sanity check for device's attached status. This,
in turn, leads to a possibility of calling select IOCTLs on a
device that has not been properly setup, even via COMEDI_DEVCONFIG.

Doing so on unconfigured devices means that several crucial steps
are missed, for instance, specifying dev->get_valid_routes()
callback.

Fix this somewhat crudely by ensuring device's attached status before
performing any ioctls, improving logic consistency between modern
and compat functions.

[1] Syzbot report:
BUG: kernel NULL pointer dereference, address: 0000000000000000
...
CR2: ffffffffffffffd6 CR3: 000000006c717000 CR4: 0000000000352ef0
Call Trace:
 <TASK>
 get_valid_routes drivers/comedi/comedi_fops.c:1322 [inline]
 parse_insn+0x78c/0x1970 drivers/comedi/comedi_fops.c:1401
 do_insnlist_ioctl+0x272/0x700 drivers/comedi/comedi_fops.c:1594
 compat_insnlist drivers/comedi/comedi_fops.c:3208 [inline]
 comedi_compat_ioctl+0x810/0x990 drivers/comedi/comedi_fops.c:3273
 __do_compat_sys_ioctl fs/ioctl.c:695 [inline]
 __se_compat_sys_ioctl fs/ioctl.c:638 [inline]
 __ia32_compat_sys_ioctl+0x242/0x370 fs/ioctl.c:638
 do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline]
...

Reported-by: syzbot+ab8008c24e84adee93ff@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=ab8008c24e84adee93ff
Fixes: 3fbfd2223a27 ("comedi: get rid of compat_alloc_user_space() mess in COMEDI_CHANINFO compat")
Cc: stable <stable@kernel.org>
Reviewed-by: Ian Abbott <abbotti@mev.co.uk>
Signed-off-by: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
Link: https://patch.msgid.link/20251023132234.395794-1-n.zhandarovich@fintech.ru
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>