comedi: KASAN null-ptr-deref in ISA driver IRQ handlers on early IRQ
From: Jaeyoung Chung
Date: Wed Jun 10 2026 - 08:01:47 EST
Hi,
Several comedi ISA drivers register their interrupt handler before
initializing the subdevice the handler uses. If the device raises an
interrupt before the subdevice is initialized, the handler runs against an
uninitialized subdevice, causing a kernel panic.
The attach path, shown for das6402_attach() in
drivers/comedi/drivers/das6402.c:
    request_irq(it->options[1], das6402_interrupt, 0,
                dev->board_name, dev);        /* register handler */
    ...
    ret = comedi_alloc_subdevices(dev, 4);
    ...
    s = &dev->subdevices[0];
    ...
    dev->read_subdev = s;                     /* initialize read_subdev */
The handler, das6402_interrupt(), dereferences read_subdev directly:
    struct comedi_subdevice *s = dev->read_subdev;
    struct comedi_async *async = s->async;    /* deref NULL s */
interrupt_pcmmio() and pcl711_interrupt() likewise dereference read_subdev
directly. atmio16d_interrupt(), aio_iiro_16_cos() and parport_interrupt()
pass the NULL subdevice into comedi_buf_write_samples(s, ...), which then
calls comedi_get_is_subdevice_running(s) and takes &s->spin_lock.
Affected drivers (handler / attach function):
    das6402.c         das6402_interrupt  / das6402_attach
    ni_atmio16d.c     atmio16d_interrupt / atmio16d_attach
    aio_iiro_16.c     aio_iiro_16_cos    / aio_iiro_16_attach
    pcmmio.c          interrupt_pcmmio   / pcmmio_attach
    comedi_parport.c  parport_interrupt  / parport_attach
    pcl711.c          pcl711_interrupt   / pcl711_attach
If the device raises an interrupt after request_irq() and before
dev->read_subdev is assigned, the handler dereferences a NULL subdevice,
triggering a KASAN null-ptr-deref in any of these drivers.
Suggested fix: call request_irq() after dev->read_subdev is assigned, or
guard the handler against a NULL read_subdev.
Reported-by: Sangyun Kim <sangyun.kim@xxxxxxxxx>
Reported-by: Kyungwook Boo <bookyungwook@xxxxxxxxx>
Thanks,
Jaeyoung Chung
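An added userspace model of the two attach orderings above, with the handler guarded as the report suggests. This is not kernel code and not from the report: the comedi structs, request_irq() and IRQ delivery are assumed stand-ins so the window can be exercised offline.

```c
/* Added model of the attach/IRQ-ordering window. Not kernel code: the comedi
 * types, request_irq() and IRQ delivery here are assumptions (stand-ins). */
#include <stddef.h>
typedef enum { IRQ_NONE = 0, IRQ_HANDLED = 1 } irqreturn_t;
struct comedi_async     { unsigned int samples; };
struct comedi_subdevice { struct comedi_async *async; };
struct comedi_device    { struct comedi_subdevice *read_subdev; };
/* Model of one IRQ line: the registered handler and its dev cookie. */
static irqreturn_t (*line_handler)(int, void *);
static void *line_cookie;
static void model_request_irq(irqreturn_t (*h)(int, void *), void *cookie)
{
	line_handler = h; line_cookie = cookie;
}
/* Hardware raises the line; a line with no handler yet is simply ignored. */
static irqreturn_t model_raise_irq(void)
{
	return line_handler ? line_handler(0, line_cookie) : IRQ_NONE;
}
/* Guarded handler: an IRQ that arrives before attach has assigned
 * dev->read_subdev is reported as not ours instead of dereferenced. */
static irqreturn_t guarded_interrupt(int irq, void *d)
{
	struct comedi_device *dev = d;
	struct comedi_subdevice *s = dev->read_subdev;
	(void)irq;
	if (!s || !s->async)
		return IRQ_NONE;	/* early or spurious: nothing to service */
	s->async->samples++;
	return IRQ_HANDLED;
}
/* Attach with an IRQ raised right after request_irq(). irq_first != 0 is
 * the reported order (handler registered before read_subdev is assigned);
 * irq_first == 0 is the suggested order (subdevice set up first). */
irqreturn_t attach_with_early_irq(int irq_first)
{
	static struct comedi_async async;
	static struct comedi_subdevice sub;
	static struct comedi_device dev;

	line_handler = NULL; dev.read_subdev = NULL; async.samples = 0;
	sub.async = &async;
	if (irq_first) {
		model_request_irq(guarded_interrupt, &dev);
		return model_raise_irq();	/* read_subdev still NULL here */
	}
	dev.read_subdev = &sub;			/* subdevice ready before the IRQ */
	model_request_irq(guarded_interrupt, &dev);
	return model_raise_irq();		/* handler finds a valid subdevice */
}
```

With the reported order the guarded handler returns IRQ_NONE for the early interrupt; with the unguarded handlers in the report that same path is the NULL dereference.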