Re: [PATCH] comedi: dt2815: add hardware detection to prevent crash
From: Deepanshu Kartikey
Date: Fri Mar 06 2026 - 20:00:14 EST
On Mon, Jan 26, 2026 at 6:34 PM Ian Abbott <abbotti@xxxxxxxxx> wrote:
>
> On 26/01/2026 07:04, Deepanshu Kartikey wrote:
> > The dt2815 driver crashes when attached to I/O ports without actual
> > hardware present. This occurs because syzkaller or users can attach
> > the driver to arbitrary I/O addresses via COMEDI_DEVCONFIG ioctl.
> >
> > When no hardware exists at the specified port, inb() operations return
> > 0xff (floating bus), but outb() operations can trigger page faults due
> > to undefined behavior, especially under race conditions:
> >
> > BUG: unable to handle page fault for address: 000000007fffff90
> > #PF: supervisor write access in kernel mode
> > #PF: error_code(0x0002) - not-present page
> > RIP: 0010:dt2815_attach+0x6e0/0x1110
> >
> > Add hardware detection by reading the status register before attempting
> > any write operations. If the read returns 0xff, assume no hardware is
> > present and fail the attach with -ENODEV. This prevents crashes from
> > outb() operations on non-existent hardware.
> >
> > Reported-by: syzbot+72f94b474d6e50b71ffc@xxxxxxxxxxxxxxxxxxxxxxxxx
> > Closes: https://syzkaller.appspot.com/bug?extid=72f94b474d6e50b71ffc
> > Tested-by: syzbot+72f94b474d6e50b71ffc@xxxxxxxxxxxxxxxxxxxxxxxxx
> > Signed-off-by: Deepanshu Kartikey <kartikey406@xxxxxxxxx>
> > ---
> > drivers/comedi/drivers/dt2815.c | 12 ++++++++++++
> > 1 file changed, 12 insertions(+)
> >
> > diff --git a/drivers/comedi/drivers/dt2815.c b/drivers/comedi/drivers/dt2815.c
> > index 03ba2fd18a21..7c642860f127 100644
> > --- a/drivers/comedi/drivers/dt2815.c
> > +++ b/drivers/comedi/drivers/dt2815.c
> > @@ -175,6 +175,18 @@ static int dt2815_attach(struct comedi_device *dev, struct comedi_devconfig *it)
> > ? current_range_type : voltage_range_type;
> > }
> >
> > + /*
> > + * Check if hardware is present before attempting any I/O operations.
> > + * Reading 0xff from status register typically indicates no hardware
> > + * on the bus (floating bus reads as all 1s).
> > + */
> > + if (inb(dev->iobase + DT2815_STATUS) == 0xff) {
> > + dev_err(dev->class_dev,
> > + "No hardware detected at I/O base 0x%lx\n",
> > + dev->iobase);
> > + return -ENODEV;
> > + }
> > +
> > /* Init the 2815 */
> > outb(0x00, dev->iobase + DT2815_STATUS);
> > for (i = 0; i < 100; i++) {
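Review bot: the `== 0xff` test on `inb(dev->iobase + DT2815_STATUS)` is a heuristic, and the added comment only says that 0xff "typically" indicates no hardware. The comment should state the assumption the check depends on: that the DT2815 status register cannot legitimately read back 0xff on a present but uninitialized board. Spelling that out keeps the check from being copied into drivers where 0xff is a valid register value. The probe also reads from `dev->iobase` exactly as supplied, so a range and alignment check on the configured base address before this read would be a useful complement. Because the commit message says this attach path can be driven with arbitrary addresses through COMEDI_DEVCONFIG, consider `dev_err_ratelimited()` in place of `dev_err()` so repeated bad configurations cannot flood the log.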
>
> Thanks. Looks good with some reservations.
>
> It's probably fine for this device (assuming the status register cannot
> legitimately read back 0xff before the board has been initialized), but
> the same technique might not work for other devices (for example 8255,
> which has 4 registers, 3 of which can legitimately read 0xff, and the
> other being a write-only register).
>
> In general, we assume the device is being configured correctly as
> configuration requires CAP_SYSADMIN privileges.
>
> I think I will start adding some base address sanity checks to the
> drivers. For example, The DT2815 hardware jumpers to configure the base
> address base addresses in the range 0x200 to 0x3FE aligned on 2-byte
> boundaries.
>
> Reviewed-by: Ian Abbott <abbotti@xxxxxxxxx>
>
Hi Ian,
Gentle ping on the dt2815 hardware detection patch that you approved on
[26th Jan 2026] Subject: [PATCH] comedi: dt2815: add hardware
detection to prevent crash
Link: https://lore.kernel.org/all/20260126070458.10974-1-kartikey406@xxxxxxxxx/T/
It's been more than 30 days since approval.
Could you please let me know the status or if any further action is
needed from my side?
Thank you,
Deepanshu