[v5.15] general protection fault in pcl818_ai_cancel


syzbot

Jul 6, 2025, 10:35:35 PM
to syzkaller...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: 3dea0e7f549e Linux 5.15.186
git tree: linux-5.15.y
console output: https://syzkaller.appspot.com/x/log.txt?x=16d3628c580000
kernel config: https://syzkaller.appspot.com/x/.config?x=644ffcb58c0b09d3
dashboard link: https://syzkaller.appspot.com/bug?extid=50d9e1e071221bd33136
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/3d73d6f07b0c/disk-3dea0e7f.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/4064de18c9e9/vmlinux-3dea0e7f.xz
kernel image: https://storage.googleapis.com/syzbot-assets/069c7b1e74a9/bzImage-3dea0e7f.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+50d9e1...@syzkaller.appspotmail.com

comedi comedi3: pcl818: I/O port conflict (0xfffffffffffffffb,16)
general protection fault, probably for non-canonical address 0xdffffc0000000005: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f]
CPU: 0 PID: 8789 Comm: syz.1.1098 Not tainted 5.15.186-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
RIP: 0010:pcl818_ai_cancel+0x65/0x3e0 drivers/comedi/drivers/pcl818.c:764
Code: 8b 1b 48 89 d8 48 c1 e8 03 42 80 3c 28 00 74 08 48 89 df e8 dd 8b 4a fa 48 8b 03 48 89 04 24 49 83 c4 28 4c 89 e0 48 c1 e8 03 <42> 80 3c 28 00 74 08 4c 89 e7 e8 bc 8b 4a fa 4d 8b 24 24 48 83 c3
RSP: 0018:ffffc9000393fa10 EFLAGS: 00010206
RAX: 0000000000000005 RBX: ffff88805f278100 RCX: 0000000000080000
RDX: ffffc90004d1a000 RSI: 0000000000005438 RDI: 0000000000005439
RBP: 0000000000000001 R08: dffffc0000000000 R09: ffffed10298bd326
R10: ffffed10298bd326 R11: 1ffff110298bd325 R12: 0000000000000028
R13: dffffc0000000000 R14: ffff88814c5e9800 R15: dffffc0000000000
FS: 00007fa4362e06c0(0000) GS:ffff8880b9000000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f9ae326dab8 CR3: 0000000066a03000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
pcl818_detach+0x62/0xd0 drivers/comedi/drivers/pcl818.c:1117
comedi_device_detach+0x12d/0x6e0 drivers/comedi/drivers.c:207
comedi_device_attach+0x55d/0x650 drivers/comedi/drivers.c:1000
do_devconfig_ioctl drivers/comedi/comedi_fops.c:851 [inline]
comedi_unlocked_ioctl+0x5ec/0xe90 drivers/comedi/comedi_fops.c:2131
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:874 [inline]
__se_sys_ioctl+0xfa/0x170 fs/ioctl.c:860
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x66/0xd0
RIP: 0033:0x7fa438478929
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fa4362e0038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007fa43869ffa0 RCX: 00007fa438478929
RDX: 0000200000000140 RSI: 0000000040946400 RDI: 0000000000000003
RBP: 00007fa4384fab39 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007fa43869ffa0 R15: 00007ffd319c1508
</TASK>
Modules linked in:
---[ end trace 58ce8e5a6ecf8c1b ]---
RIP: 0010:pcl818_ai_cancel+0x65/0x3e0 drivers/comedi/drivers/pcl818.c:764
Code: 8b 1b 48 89 d8 48 c1 e8 03 42 80 3c 28 00 74 08 48 89 df e8 dd 8b 4a fa 48 8b 03 48 89 04 24 49 83 c4 28 4c 89 e0 48 c1 e8 03 <42> 80 3c 28 00 74 08 4c 89 e7 e8 bc 8b 4a fa 4d 8b 24 24 48 83 c3
RSP: 0018:ffffc9000393fa10 EFLAGS: 00010206
RAX: 0000000000000005 RBX: ffff88805f278100 RCX: 0000000000080000
RDX: ffffc90004d1a000 RSI: 0000000000005438 RDI: 0000000000005439
RBP: 0000000000000001 R08: dffffc0000000000 R09: ffffed10298bd326
R10: ffffed10298bd326 R11: 1ffff110298bd325 R12: 0000000000000028
R13: dffffc0000000000 R14: ffff88814c5e9800 R15: dffffc0000000000
FS: 00007fa4362e06c0(0000) GS:ffff8880b9100000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00005601d31d8048 CR3: 0000000066a03000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: 8b 1b mov (%rbx),%ebx
2: 48 89 d8 mov %rbx,%rax
5: 48 c1 e8 03 shr $0x3,%rax
9: 42 80 3c 28 00 cmpb $0x0,(%rax,%r13,1)
e: 74 08 je 0x18
10: 48 89 df mov %rbx,%rdi
13: e8 dd 8b 4a fa call 0xfa4a8bf5
18: 48 8b 03 mov (%rbx),%rax
1b: 48 89 04 24 mov %rax,(%rsp)
1f: 49 83 c4 28 add $0x28,%r12
23: 4c 89 e0 mov %r12,%rax
26: 48 c1 e8 03 shr $0x3,%rax
* 2a: 42 80 3c 28 00 cmpb $0x0,(%rax,%r13,1) <-- trapping instruction
2f: 74 08 je 0x39
31: 4c 89 e7 mov %r12,%rdi
34: e8 bc 8b 4a fa call 0xfa4a8bf5
39: 4d 8b 24 24 mov (%r12),%r12
3d: 48 rex.W
3e: 83 .byte 0x83
3f: c3 ret


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to overwrite the report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

syzbot

Jul 6, 2025, 11:00:32 PM
to syzkaller...@googlegroups.com
syzbot has found a reproducer for the following issue on:

HEAD commit: 3dea0e7f549e Linux 5.15.186
git tree: linux-5.15.y
console output: https://syzkaller.appspot.com/x/log.txt?x=17f5828c580000
kernel config: https://syzkaller.appspot.com/x/.config?x=644ffcb58c0b09d3
dashboard link: https://syzkaller.appspot.com/bug?extid=50d9e1e071221bd33136
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=13581582580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=100d828c580000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/3d73d6f07b0c/disk-3dea0e7f.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/4064de18c9e9/vmlinux-3dea0e7f.xz
kernel image: https://storage.googleapis.com/syzbot-assets/069c7b1e74a9/bzImage-3dea0e7f.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+50d9e1...@syzkaller.appspotmail.com

comedi comedi3: pcl818: I/O port conflict (0xfffffffffffffffb,16)
general protection fault, probably for non-canonical address 0xdffffc0000000005: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f]
CPU: 0 PID: 4517 Comm: syz.0.16 Not tainted 5.15.186-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
RIP: 0010:pcl818_ai_cancel+0x65/0x3e0 drivers/comedi/drivers/pcl818.c:764
Code: 8b 1b 48 89 d8 48 c1 e8 03 42 80 3c 28 00 74 08 48 89 df e8 dd 8b 4a fa 48 8b 03 48 89 04 24 49 83 c4 28 4c 89 e0 48 c1 e8 03 <42> 80 3c 28 00 74 08 4c 89 e7 e8 bc 8b 4a fa 4d 8b 24 24 48 83 c3
RSP: 0018:ffffc9000330fa10 EFLAGS: 00010206
RAX: 0000000000000005 RBX: ffff888073b73d80 RCX: ffff888018dd1dc0
RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff88802a2a0800
RBP: 0000000000000001 R08: dffffc0000000000 R09: ffffed1005454126
R10: ffffed1005454126 R11: 1ffff11005454125 R12: 0000000000000028
R13: dffffc0000000000 R14: ffff88802a2a0800 R15: dffffc0000000000
FS: 0000555560bed500(0000) GS:ffff8880b9000000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f65e409feb8 CR3: 0000000073991000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
pcl818_detach+0x62/0xd0 drivers/comedi/drivers/pcl818.c:1117
comedi_device_detach+0x12d/0x6e0 drivers/comedi/drivers.c:207
comedi_device_attach+0x55d/0x650 drivers/comedi/drivers.c:1000
do_devconfig_ioctl drivers/comedi/comedi_fops.c:851 [inline]
comedi_unlocked_ioctl+0x5ec/0xe90 drivers/comedi/comedi_fops.c:2131
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:874 [inline]
__se_sys_ioctl+0xfa/0x170 fs/ioctl.c:860
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x66/0xd0
RIP: 0033:0x7f39947ae929
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffeeb9d48e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f39949d5fa0 RCX: 00007f39947ae929
RDX: 0000200000000140 RSI: 0000000040946400 RDI: 0000000000000003
RBP: 00007f3994830b39 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f39949d5fa0 R14: 00007f39949d5fa0 R15: 0000000000000003
</TASK>
Modules linked in:
---[ end trace 89b3da7878de1d5e ]---
RIP: 0010:pcl818_ai_cancel+0x65/0x3e0 drivers/comedi/drivers/pcl818.c:764
Code: 8b 1b 48 89 d8 48 c1 e8 03 42 80 3c 28 00 74 08 48 89 df e8 dd 8b 4a fa 48 8b 03 48 89 04 24 49 83 c4 28 4c 89 e0 48 c1 e8 03 <42> 80 3c 28 00 74 08 4c 89 e7 e8 bc 8b 4a fa 4d 8b 24 24 48 83 c3
RSP: 0018:ffffc9000330fa10 EFLAGS: 00010206
RAX: 0000000000000005 RBX: ffff888073b73d80 RCX: ffff888018dd1dc0
RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff88802a2a0800
RBP: 0000000000000001 R08: dffffc0000000000 R09: ffffed1005454126
R10: ffffed1005454126 R11: 1ffff11005454125 R12: 0000000000000028
R13: dffffc0000000000 R14: ffff88802a2a0800 R15: dffffc0000000000
FS: 0000555560bed500(0000) GS:ffff8880b9000000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055762de70950 CR3: 0000000073991000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: 8b 1b mov (%rbx),%ebx
2: 48 89 d8 mov %rbx,%rax
5: 48 c1 e8 03 shr $0x3,%rax
9: 42 80 3c 28 00 cmpb $0x0,(%rax,%r13,1)
e: 74 08 je 0x18
10: 48 89 df mov %rbx,%rdi
13: e8 dd 8b 4a fa call 0xfa4a8bf5
18: 48 8b 03 mov (%rbx),%rax
1b: 48 89 04 24 mov %rax,(%rsp)
1f: 49 83 c4 28 add $0x28,%r12
23: 4c 89 e0 mov %r12,%rax
26: 48 c1 e8 03 shr $0x3,%rax
* 2a: 42 80 3c 28 00 cmpb $0x0,(%rax,%r13,1) <-- trapping instruction
2f: 74 08 je 0x39
31: 4c 89 e7 mov %r12,%rdi
34: e8 bc 8b 4a fa call 0xfa4a8bf5
39: 4d 8b 24 24 mov (%r12),%r12
3d: 48 rex.W
3e: 83 .byte 0x83
3f: c3 ret


---
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

syzbot

Jul 7, 2025, 5:05:23 AM
to syzkaller...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: 04d1ccaa9c28 Linux 6.1.143
git tree: linux-6.1.y
console output: https://syzkaller.appspot.com/x/log.txt?x=11b7128c580000
kernel config: https://syzkaller.appspot.com/x/.config?x=ad4b9c9f99d21bd2
dashboard link: https://syzkaller.appspot.com/bug?extid=da192cae9ff294f73da8
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/6eebf3671ad1/disk-04d1ccaa.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/3bd866d93a54/vmlinux-04d1ccaa.xz
kernel image: https://storage.googleapis.com/syzbot-assets/1eb263411e03/bzImage-04d1ccaa.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+da192c...@syzkaller.appspotmail.com

comedi comedi3: pcl818: I/O port conflict (0xfffffffffffffffb,16)
general protection fault, probably for non-canonical address 0xdffffc0000000005: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f]
CPU: 0 PID: 9412 Comm: syz.4.1259 Not tainted 6.1.143-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
RIP: 0010:pcl818_ai_cancel+0x65/0x3e0 drivers/comedi/drivers/pcl818.c:762
Code: 8b 1b 48 89 d8 48 c1 e8 03 42 80 3c 28 00 74 08 48 89 df e8 cd 99 16 fa 48 8b 03 48 89 04 24 49 83 c4 28 4c 89 e0 48 c1 e8 03 <42> 80 3c 28 00 74 08 4c 89 e7 e8 ac 99 16 fa 4d 8b 24 24 48 83 c3
RSP: 0018:ffffc900039c7a10 EFLAGS: 00010206
RAX: 0000000000000005 RBX: ffff888027873e00 RCX: 0000000000080000
RDX: ffffc9000e0f1000 RSI: 0000000000009b2d RDI: 0000000000009b2e
RBP: 0000000000000001 R08: dffffc0000000000 R09: ffffed1005e02226
R10: ffffed1005e02226 R11: 1ffff11005e02225 R12: 0000000000000028
R13: dffffc0000000000 R14: ffff88802f011000 R15: dffffc0000000000
FS: 00007fc7472976c0(0000) GS:ffff8880b8e00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f99f63fef98 CR3: 000000004dae5000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
pcl818_detach+0x62/0xd0 drivers/comedi/drivers/pcl818.c:1115
comedi_device_detach+0x12d/0x6e0 drivers/comedi/drivers.c:206
comedi_device_attach+0x55d/0x650 drivers/comedi/drivers.c:999
do_devconfig_ioctl drivers/comedi/comedi_fops.c:851 [inline]
comedi_unlocked_ioctl+0x5ec/0xe90 drivers/comedi/comedi_fops.c:2131
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:870 [inline]
__se_sys_ioctl+0xfa/0x170 fs/ioctl.c:856
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:81
entry_SYSCALL_64_after_hwframe+0x68/0xd2
RIP: 0033:0x7fc74638e929
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fc747297038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007fc7465b5fa0 RCX: 00007fc74638e929
RDX: 0000200000000140 RSI: 0000000040946400 RDI: 0000000000000003
RBP: 00007fc746410b39 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007fc7465b5fa0 R15: 00007ffddf9f5dd8
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:pcl818_ai_cancel+0x65/0x3e0 drivers/comedi/drivers/pcl818.c:762
Code: 8b 1b 48 89 d8 48 c1 e8 03 42 80 3c 28 00 74 08 48 89 df e8 cd 99 16 fa 48 8b 03 48 89 04 24 49 83 c4 28 4c 89 e0 48 c1 e8 03 <42> 80 3c 28 00 74 08 4c 89 e7 e8 ac 99 16 fa 4d 8b 24 24 48 83 c3
RSP: 0018:ffffc900039c7a10 EFLAGS: 00010206
RAX: 0000000000000005 RBX: ffff888027873e00 RCX: 0000000000080000
RDX: ffffc9000e0f1000 RSI: 0000000000009b2d RDI: 0000000000009b2e
RBP: 0000000000000001 R08: dffffc0000000000 R09: ffffed1005e02226
R10: ffffed1005e02226 R11: 1ffff11005e02225 R12: 0000000000000028
R13: dffffc0000000000 R14: ffff88802f011000 R15: dffffc0000000000
FS: 00007fc7472976c0(0000) GS:ffff8880b8e00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 000000004dae5000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: 8b 1b mov (%rbx),%ebx
2: 48 89 d8 mov %rbx,%rax
5: 48 c1 e8 03 shr $0x3,%rax
9: 42 80 3c 28 00 cmpb $0x0,(%rax,%r13,1)
e: 74 08 je 0x18
10: 48 89 df mov %rbx,%rdi
13: e8 cd 99 16 fa call 0xfa1699e5
18: 48 8b 03 mov (%rbx),%rax
1b: 48 89 04 24 mov %rax,(%rsp)
1f: 49 83 c4 28 add $0x28,%r12
23: 4c 89 e0 mov %r12,%rax
26: 48 c1 e8 03 shr $0x3,%rax
* 2a: 42 80 3c 28 00 cmpb $0x0,(%rax,%r13,1) <-- trapping instruction
2f: 74 08 je 0x39
31: 4c 89 e7 mov %r12,%rdi
34: e8 ac 99 16 fa call 0xfa1699e5
39: 4d 8b 24 24 mov (%r12),%r12
3d: 48 rex.W
3e: 83 .byte 0x83
3f: c3 ret


---

syzbot

Jul 7, 2025, 5:26:30 AM
to syzkaller...@googlegroups.com
syzbot has found a reproducer for the following issue on:

HEAD commit: 04d1ccaa9c28 Linux 6.1.143
git tree: linux-6.1.y
console output: https://syzkaller.appspot.com/x/log.txt?x=16b6cbd4580000
kernel config: https://syzkaller.appspot.com/x/.config?x=ad4b9c9f99d21bd2
dashboard link: https://syzkaller.appspot.com/bug?extid=da192cae9ff294f73da8
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=12ef128c580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=140de28c580000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/6eebf3671ad1/disk-04d1ccaa.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/3bd866d93a54/vmlinux-04d1ccaa.xz
kernel image: https://storage.googleapis.com/syzbot-assets/1eb263411e03/bzImage-04d1ccaa.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+da192c...@syzkaller.appspotmail.com

comedi comedi3: pcl818: I/O port conflict (0xfffffffffffffffb,16)
general protection fault, probably for non-canonical address 0xdffffc0000000005: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f]
CPU: 0 PID: 4423 Comm: syz.0.16 Not tainted 6.1.143-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
RIP: 0010:pcl818_ai_cancel+0x65/0x3e0 drivers/comedi/drivers/pcl818.c:762
Code: 8b 1b 48 89 d8 48 c1 e8 03 42 80 3c 28 00 74 08 48 89 df e8 cd 99 16 fa 48 8b 03 48 89 04 24 49 83 c4 28 4c 89 e0 48 c1 e8 03 <42> 80 3c 28 00 74 08 4c 89 e7 e8 ac 99 16 fa 4d 8b 24 24 48 83 c3
RSP: 0018:ffffc90003257a10 EFLAGS: 00010206
RAX: 0000000000000005 RBX: ffff888027d5ac80 RCX: ffff88802ffbd940
RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff88814d2af800
RBP: 0000000000000001 R08: dffffc0000000000 R09: ffffed1029a55f26
R10: ffffed1029a55f26 R11: 1ffff11029a55f25 R12: 0000000000000028
R13: dffffc0000000000 R14: ffff88814d2af800 R15: dffffc0000000000
FS: 00005555577b7500(0000) GS:ffff8880b8e00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b2d05ffff CR3: 000000001ebf4000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
pcl818_detach+0x62/0xd0 drivers/comedi/drivers/pcl818.c:1115
comedi_device_detach+0x12d/0x6e0 drivers/comedi/drivers.c:206
comedi_device_attach+0x55d/0x650 drivers/comedi/drivers.c:999
do_devconfig_ioctl drivers/comedi/comedi_fops.c:851 [inline]
comedi_unlocked_ioctl+0x5ec/0xe90 drivers/comedi/comedi_fops.c:2131
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:870 [inline]
__se_sys_ioctl+0xfa/0x170 fs/ioctl.c:856
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:81
entry_SYSCALL_64_after_hwframe+0x68/0xd2
RIP: 0033:0x7f886758e929
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffc5169dac8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f88677b5fa0 RCX: 00007f886758e929
RDX: 0000200000000140 RSI: 0000000040946400 RDI: 0000000000000003
RBP: 00007f8867610b39 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f88677b5fa0 R14: 00007f88677b5fa0 R15: 0000000000000003
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:pcl818_ai_cancel+0x65/0x3e0 drivers/comedi/drivers/pcl818.c:762
Code: 8b 1b 48 89 d8 48 c1 e8 03 42 80 3c 28 00 74 08 48 89 df e8 cd 99 16 fa 48 8b 03 48 89 04 24 49 83 c4 28 4c 89 e0 48 c1 e8 03 <42> 80 3c 28 00 74 08 4c 89 e7 e8 ac 99 16 fa 4d 8b 24 24 48 83 c3
RSP: 0018:ffffc90003257a10 EFLAGS: 00010206
RAX: 0000000000000005 RBX: ffff888027d5ac80 RCX: ffff88802ffbd940
RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff88814d2af800
RBP: 0000000000000001 R08: dffffc0000000000 R09: ffffed1029a55f26
R10: ffffed1029a55f26 R11: 1ffff11029a55f25 R12: 0000000000000028
R13: dffffc0000000000 R14: ffff88814d2af800 R15: dffffc0000000000
FS: 00005555577b7500(0000) GS:ffff8880b8f00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000557a063210c8 CR3: 000000001ebf4000 CR4: 00000000003506e0

syzbot

Jul 7, 2025, 10:36:27 AM
to syzkaller...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: a5df3a702b2c Linux 6.6.96
git tree: linux-6.6.y
console output: https://syzkaller.appspot.com/x/log.txt?x=1551428c580000
kernel config: https://syzkaller.appspot.com/x/.config?x=2632deddafa957e8
dashboard link: https://syzkaller.appspot.com/bug?extid=bc9627225b4e4b9aac55
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/9ba5b19f9f4d/disk-a5df3a70.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/2cd779015729/vmlinux-a5df3a70.xz
kernel image: https://storage.googleapis.com/syzbot-assets/b56fc39e5cb8/bzImage-a5df3a70.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+bc9627...@syzkaller.appspotmail.com

comedi comedi3: pcl818: I/O port conflict (0xfffffffffffffffb,16)
general protection fault, probably for non-canonical address 0xdffffc0000000005: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f]
CPU: 1 PID: 21787 Comm: syz.4.3929 Not tainted 6.6.96-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
RIP: 0010:pcl818_ai_cancel+0x69/0x3f0 drivers/comedi/drivers/pcl818.c:762
Code: 8b 1b 48 89 d8 48 c1 e8 03 42 80 3c 28 00 74 08 48 89 df e8 c9 26 e1 f9 48 8b 03 48 89 04 24 49 83 c4 28 4c 89 e0 48 c1 e8 03 <42> 80 3c 28 00 74 08 4c 89 e7 e8 a8 26 e1 f9 4d 8b 24 24 48 83 c3
RSP: 0018:ffffc900032e7a10 EFLAGS: 00010206
RAX: 0000000000000005 RBX: ffff88804610c900 RCX: 0000000000080000
RDX: ffffc90011f32000 RSI: 000000000000298f RDI: 0000000000002990
RBP: 0000000000000001 R08: ffff88814b15612f R09: 1ffff1102962ac25
R10: dffffc0000000000 R11: ffffed102962ac26 R12: 0000000000000028
R13: dffffc0000000000 R14: ffff88814b156000 R15: dffffc0000000000
FS: 00007fe8fabff6c0(0000) GS:ffff8880b8f00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fe8fabfef98 CR3: 000000007b642000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
pcl818_detach+0x66/0xd0 drivers/comedi/drivers/pcl818.c:1115
comedi_device_detach+0x131/0x6f0 drivers/comedi/drivers.c:206
comedi_device_attach+0x561/0x660 drivers/comedi/drivers.c:999
do_devconfig_ioctl drivers/comedi/comedi_fops.c:855 [inline]
comedi_unlocked_ioctl+0x68d/0xf00 drivers/comedi/comedi_fops.c:2136
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:871 [inline]
__se_sys_ioctl+0xfd/0x170 fs/ioctl.c:857
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x55/0xb0 arch/x86/entry/common.c:81
entry_SYSCALL_64_after_hwframe+0x68/0xd2
RIP: 0033:0x7fe8fad8e929
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fe8fabff038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007fe8fafb6240 RCX: 00007fe8fad8e929
RDX: 0000200000000140 RSI: 0000000040946400 RDI: 0000000000000003
RBP: 00007fe8fae10b39 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007fe8fafb6240 R15: 00007ffda01d95b8
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:pcl818_ai_cancel+0x69/0x3f0 drivers/comedi/drivers/pcl818.c:762
Code: 8b 1b 48 89 d8 48 c1 e8 03 42 80 3c 28 00 74 08 48 89 df e8 c9 26 e1 f9 48 8b 03 48 89 04 24 49 83 c4 28 4c 89 e0 48 c1 e8 03 <42> 80 3c 28 00 74 08 4c 89 e7 e8 a8 26 e1 f9 4d 8b 24 24 48 83 c3
RSP: 0018:ffffc900032e7a10 EFLAGS: 00010206
RAX: 0000000000000005 RBX: ffff88804610c900 RCX: 0000000000080000
RDX: ffffc90011f32000 RSI: 000000000000298f RDI: 0000000000002990
RBP: 0000000000000001 R08: ffff88814b15612f R09: 1ffff1102962ac25
R10: dffffc0000000000 R11: ffffed102962ac26 R12: 0000000000000028
R13: dffffc0000000000 R14: ffff88814b156000 R15: dffffc0000000000
FS: 00007fe8fabff6c0(0000) GS:ffff8880b8f00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000020000001b000 CR3: 000000007b642000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: 8b 1b mov (%rbx),%ebx
2: 48 89 d8 mov %rbx,%rax
5: 48 c1 e8 03 shr $0x3,%rax
9: 42 80 3c 28 00 cmpb $0x0,(%rax,%r13,1)
e: 74 08 je 0x18
10: 48 89 df mov %rbx,%rdi
13: e8 c9 26 e1 f9 call 0xf9e126e1
18: 48 8b 03 mov (%rbx),%rax
1b: 48 89 04 24 mov %rax,(%rsp)
1f: 49 83 c4 28 add $0x28,%r12
23: 4c 89 e0 mov %r12,%rax
26: 48 c1 e8 03 shr $0x3,%rax
* 2a: 42 80 3c 28 00 cmpb $0x0,(%rax,%r13,1) <-- trapping instruction
2f: 74 08 je 0x39
31: 4c 89 e7 mov %r12,%rdi
34: e8 a8 26 e1 f9 call 0xf9e126e1
39: 4d 8b 24 24 mov (%r12),%r12
3d: 48 rex.W
3e: 83 .byte 0x83
3f: c3 ret


---

syzbot

Jul 7, 2025, 11:32:33 AM
to syzkaller...@googlegroups.com
syzbot has found a reproducer for the following issue on:

HEAD commit: a5df3a702b2c Linux 6.6.96
git tree: linux-6.6.y
console output: https://syzkaller.appspot.com/x/log.txt?x=10d99f70580000
kernel config: https://syzkaller.appspot.com/x/.config?x=2632deddafa957e8
dashboard link: https://syzkaller.appspot.com/bug?extid=bc9627225b4e4b9aac55
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=10c6128c580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=16249582580000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/9ba5b19f9f4d/disk-a5df3a70.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/2cd779015729/vmlinux-a5df3a70.xz
kernel image: https://storage.googleapis.com/syzbot-assets/b56fc39e5cb8/bzImage-a5df3a70.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+bc9627...@syzkaller.appspotmail.com

comedi comedi3: pcl818: I/O port conflict (0xfffffffffffffffb,16)
general protection fault, probably for non-canonical address 0xdffffc0000000005: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f]
CPU: 0 PID: 5944 Comm: syz.0.16 Not tainted 6.6.96-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
RIP: 0010:pcl818_ai_cancel+0x69/0x3f0 drivers/comedi/drivers/pcl818.c:762
Code: 8b 1b 48 89 d8 48 c1 e8 03 42 80 3c 28 00 74 08 48 89 df e8 c9 26 e1 f9 48 8b 03 48 89 04 24 49 83 c4 28 4c 89 e0 48 c1 e8 03 <42> 80 3c 28 00 74 08 4c 89 e7 e8 a8 26 e1 f9 4d 8b 24 24 48 83 c3
RSP: 0018:ffffc90003297a10 EFLAGS: 00010206
RAX: 0000000000000005 RBX: ffff8880249b0d80 RCX: ffff888026653c00
RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff88814c982800
RBP: 0000000000000001 R08: ffff88814c98292f R09: 1ffff11029930525
R10: dffffc0000000000 R11: ffffed1029930526 R12: 0000000000000028
R13: dffffc0000000000 R14: ffff88814c982800 R15: dffffc0000000000
FS: 0000555563aa4500(0000) GS:ffff8880b8e00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b2c55ffff CR3: 0000000074686000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
pcl818_detach+0x66/0xd0 drivers/comedi/drivers/pcl818.c:1115
comedi_device_detach+0x131/0x6f0 drivers/comedi/drivers.c:206
comedi_device_attach+0x561/0x660 drivers/comedi/drivers.c:999
do_devconfig_ioctl drivers/comedi/comedi_fops.c:855 [inline]
comedi_unlocked_ioctl+0x68d/0xf00 drivers/comedi/comedi_fops.c:2136
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:871 [inline]
__se_sys_ioctl+0xfd/0x170 fs/ioctl.c:857
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x55/0xb0 arch/x86/entry/common.c:81
entry_SYSCALL_64_after_hwframe+0x68/0xd2
RIP: 0033:0x7f97f798e929
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffefea133e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f97f7bb5fa0 RCX: 00007f97f798e929
RDX: 0000200000000140 RSI: 0000000040946400 RDI: 0000000000000003
RBP: 00007f97f7a10b39 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f97f7bb5fa0 R14: 00007f97f7bb5fa0 R15: 0000000000000003
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:pcl818_ai_cancel+0x69/0x3f0 drivers/comedi/drivers/pcl818.c:762
Code: 8b 1b 48 89 d8 48 c1 e8 03 42 80 3c 28 00 74 08 48 89 df e8 c9 26 e1 f9 48 8b 03 48 89 04 24 49 83 c4 28 4c 89 e0 48 c1 e8 03 <42> 80 3c 28 00 74 08 4c 89 e7 e8 a8 26 e1 f9 4d 8b 24 24 48 83 c3
RSP: 0018:ffffc90003297a10 EFLAGS: 00010206
RAX: 0000000000000005 RBX: ffff8880249b0d80 RCX: ffff888026653c00
RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff88814c982800
RBP: 0000000000000001 R08: ffff88814c98292f R09: 1ffff11029930525
R10: dffffc0000000000 R11: ffffed1029930526 R12: 0000000000000028
R13: dffffc0000000000 R14: ffff88814c982800 R15: dffffc0000000000
FS: 0000555563aa4500(0000) GS:ffff8880b8e00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b2c55ffff CR3: 0000000074686000 CR4: 00000000003506f0