Linux-Watchdog Archive on lore.kernel.org
 help / color / Atom feed
* [PATCH] watchdog: initialize device before misc_register
@ 2020-07-15 13:57 krzysztof.sobota
  2020-07-15 15:09 ` Guenter Roeck
  0 siblings, 1 reply; 7+ messages in thread
From: krzysztof.sobota @ 2020-07-15 13:57 UTC (permalink / raw)
  To: wim, linux, linux-watchdog, linux-kernel
  Cc: krzysztof.sobota, alexander.sverdlin

From: Krzysztof Sobota <krzysztof.sobota@nokia.com>
Date: Wed, 15 Jul 2020 13:13:42 +0200
Subject: [PATCH] watchdog: initialize device before misc_register

When watchdog device is being registered, it calls misc_register that
makes watchdog available for systemd to open. This is a data race
scenario, because when device is open it may still have device struct
not initialized - this in turn causes a crash. This patch moves
device initialization before misc_register call and it solves the
problem printed below.

------------[ cut here ]------------
WARNING: CPU: 3 PID: 1 at lib/kobject.c:612 kobject_get+0x50/0x54
kobject: '(null)' ((ptrval)): is not initialized, yet kobject_get() is 
being called.
Modules linked in: k2_reset_status(O) davinci_wdt(+) 
sfn_platform_hwbcn(O) fsmddg_sfn(O) clk_misc_mmap(O) clk_sw_bcn(O) 
fsp_reset(O) cma_mod(O) slave_sup_notif(O) fpga_master(O) latency(O+) 
evnotify(O) enable_arm_pmu(O) xge(O) rio_mport_cdev br_netfilter bridge 
stp llc nvrd_checksum(O) ipv6
CPU: 3 PID: 1 Comm: systemd Tainted: G           O 
4.19.113-g2579778-fsm4_k2 #1
Hardware name: Keystone
[<c02126c4>] (unwind_backtrace) from [<c020da94>] (show_stack+0x18/0x1c)
[<c020da94>] (show_stack) from [<c07f87d8>] (dump_stack+0xb4/0xe8)
[<c07f87d8>] (dump_stack) from [<c0221f70>] (__warn+0xfc/0x114)
[<c0221f70>] (__warn) from [<c0221fd8>] (warn_slowpath_fmt+0x50/0x74)
[<c0221fd8>] (warn_slowpath_fmt) from [<c07fd394>] (kobject_get+0x50/0x54)
[<c07fd394>] (kobject_get) from [<c0602ce8>] (get_device+0x1c/0x24)
[<c0602ce8>] (get_device) from [<c06961e0>] (watchdog_open+0x90/0xf0)
[<c06961e0>] (watchdog_open) from [<c06001dc>] (misc_open+0x130/0x17c)
[<c06001dc>] (misc_open) from [<c0388228>] (chrdev_open+0xec/0x1a8)
[<c0388228>] (chrdev_open) from [<c037fa98>] (do_dentry_open+0x204/0x3cc)
[<c037fa98>] (do_dentry_open) from [<c0391e2c>] (path_openat+0x330/0x1148)
[<c0391e2c>] (path_openat) from [<c0394518>] (do_filp_open+0x78/0xec)
[<c0394518>] (do_filp_open) from [<c0381100>] (do_sys_open+0x130/0x1f4)
[<c0381100>] (do_sys_open) from [<c0201000>] (ret_fast_syscall+0x0/0x28)
Exception stack(0xd2ceffa8 to 0xd2cefff0)
ffa0:                   b6f69968 00000000 ffffff9c b6ebd210 000a0001 
00000000
ffc0: b6f69968 00000000 00000000 00000142 fffffffd ffffffff 00b65530 
bed7bb78
ffe0: 00000142 bed7ba70 b6cc2503 b6cc41d6
---[ end trace 7b16eb105513974f ]---

------------[ cut here ]------------
WARNING: CPU: 3 PID: 1 at lib/refcount.c:153 kobject_get+0x24/0x54
refcount_t: increment on 0; use-after-free.
Modules linked in: k2_reset_status(O) davinci_wdt(+) 
sfn_platform_hwbcn(O) fsmddg_sfn(O) clk_misc_mmap(O) clk_sw_bcn(O) 
fsp_reset(O) cma_mod(O) slave_sup_notif(O) fpga_master(O) latency(O+) 
evnotify(O) enable_arm_pmu(O) xge(O) rio_mport_cdev br_netfilter bridge 
stp llc nvrd_checksum(O) ipv6
CPU: 3 PID: 1 Comm: systemd Tainted: G        W  O 
4.19.113-g2579778-fsm4_k2 #1
Hardware name: Keystone
[<c02126c4>] (unwind_backtrace) from [<c020da94>] (show_stack+0x18/0x1c)
[<c020da94>] (show_stack) from [<c07f87d8>] (dump_stack+0xb4/0xe8)
[<c07f87d8>] (dump_stack) from [<c0221f70>] (__warn+0xfc/0x114)
[<c0221f70>] (__warn) from [<c0221fd8>] (warn_slowpath_fmt+0x50/0x74)
[<c0221fd8>] (warn_slowpath_fmt) from [<c07fd368>] (kobject_get+0x24/0x54)
[<c07fd368>] (kobject_get) from [<c0602ce8>] (get_device+0x1c/0x24)
[<c0602ce8>] (get_device) from [<c06961e0>] (watchdog_open+0x90/0xf0)
[<c06961e0>] (watchdog_open) from [<c06001dc>] (misc_open+0x130/0x17c)
[<c06001dc>] (misc_open) from [<c0388228>] (chrdev_open+0xec/0x1a8)
[<c0388228>] (chrdev_open) from [<c037fa98>] (do_dentry_open+0x204/0x3cc)
[<c037fa98>] (do_dentry_open) from [<c0391e2c>] (path_openat+0x330/0x1148)
[<c0391e2c>] (path_openat) from [<c0394518>] (do_filp_open+0x78/0xec)
[<c0394518>] (do_filp_open) from [<c0381100>] (do_sys_open+0x130/0x1f4)
[<c0381100>] (do_sys_open) from [<c0201000>] (ret_fast_syscall+0x0/0x28)
Exception stack(0xd2ceffa8 to 0xd2cefff0)
ffa0:                   b6f69968 00000000 ffffff9c b6ebd210 000a0001 
00000000
ffc0: b6f69968 00000000 00000000 00000142 fffffffd ffffffff 00b65530 
bed7bb78
ffe0: 00000142 bed7ba70 b6cc2503 b6cc41d6
---[ end trace 7b16eb1055139750 ]---

Fixes: 72139dfa2464 ("watchdog: Fix the race between the release of 
watchdog_core_data and cdev")
Signed-off-by: Krzysztof Sobota <krzysztof.sobota@nokia.com>

Change-Id: I3b85f615d67ab5b8dc6c5c2dc42efd236d502d09
---
  drivers/watchdog/watchdog_dev.c | 18 +++++++++---------
  1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/drivers/watchdog/watchdog_dev.c 
b/drivers/watchdog/watchdog_dev.c
index 10b2090f3e5e..1c322caecf7f 100644
--- a/drivers/watchdog/watchdog_dev.c
+++ b/drivers/watchdog/watchdog_dev.c
@@ -947,6 +947,15 @@ static int watchdog_cdev_register(struct 
watchdog_device *wdd)
         if (IS_ERR_OR_NULL(watchdog_kworker))
                 return -ENODEV;

+       device_initialize(&wd_data->dev);
+       wd_data->dev.devt = MKDEV(MAJOR(watchdog_devt), wdd->id);
+       wd_data->dev.class = &watchdog_class;
+       wd_data->dev.parent = wdd->parent;
+       wd_data->dev.groups = wdd->groups;
+       wd_data->dev.release = watchdog_core_data_release;
+       dev_set_drvdata(&wd_data->dev, wdd);
+       dev_set_name(&wd_data->dev, "watchdog%d", wdd->id);
+
         kthread_init_work(&wd_data->work, watchdog_ping_work);
         hrtimer_init(&wd_data->timer, CLOCK_MONOTONIC, HRTIMER_MODE_REL);
         wd_data->timer.function = watchdog_timer_expired;
@@ -967,15 +976,6 @@ static int watchdog_cdev_register(struct 
watchdog_device *wdd)
                 }
         }

-       device_initialize(&wd_data->dev);
-       wd_data->dev.devt = MKDEV(MAJOR(watchdog_devt), wdd->id);
-       wd_data->dev.class = &watchdog_class;
-       wd_data->dev.parent = wdd->parent;
-       wd_data->dev.groups = wdd->groups;
-       wd_data->dev.release = watchdog_core_data_release;
-       dev_set_drvdata(&wd_data->dev, wdd);
-       dev_set_name(&wd_data->dev, "watchdog%d", wdd->id);
-
         /* Fill in the data structures */
         cdev_init(&wd_data->cdev, &watchdog_fops);

--
2.14.0


^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: [PATCH] watchdog: initialize device before misc_register
  2020-07-15 13:57 [PATCH] watchdog: initialize device before misc_register krzysztof.sobota
@ 2020-07-15 15:09 ` Guenter Roeck
  2020-07-16  8:31   ` [PATCH v2] " krzysztof.sobota
  0 siblings, 1 reply; 7+ messages in thread
From: Guenter Roeck @ 2020-07-15 15:09 UTC (permalink / raw)
  To: krzysztof.sobota, wim, linux-watchdog, linux-kernel; +Cc: alexander.sverdlin

On 7/15/20 6:57 AM, krzysztof.sobota@nokia.com wrote:
> From: Krzysztof Sobota <krzysztof.sobota@nokia.com>
> Date: Wed, 15 Jul 2020 13:13:42 +0200
> Subject: [PATCH] watchdog: initialize device before misc_register
> 
> When watchdog device is being registered, it calls misc_register that
> makes watchdog available for systemd to open. This is a data race
> scenario, because when device is open it may still have device struct
> not initialized - this in turn causes a crash. This patch moves
> device initialization before misc_register call and it solves the
> problem printed below.
> 
A cleaner fix would probably be to move misc device registration
after cdev registration, but then handling misc device registration
failures would be much more complicated. With that,

Reviewed-by: Guenter Roeck <linux@roeck-us.net>

> ------------[ cut here ]------------
> WARNING: CPU: 3 PID: 1 at lib/kobject.c:612 kobject_get+0x50/0x54
> kobject: '(null)' ((ptrval)): is not initialized, yet kobject_get() is being called.
> Modules linked in: k2_reset_status(O) davinci_wdt(+) sfn_platform_hwbcn(O) fsmddg_sfn(O) clk_misc_mmap(O) clk_sw_bcn(O) fsp_reset(O) cma_mod(O) slave_sup_notif(O) fpga_master(O) latency(O+) evnotify(O) enable_arm_pmu(O) xge(O) rio_mport_cdev br_netfilter bridge stp llc nvrd_checksum(O) ipv6
> CPU: 3 PID: 1 Comm: systemd Tainted: G           O 4.19.113-g2579778-fsm4_k2 #1
> Hardware name: Keystone
> [<c02126c4>] (unwind_backtrace) from [<c020da94>] (show_stack+0x18/0x1c)
> [<c020da94>] (show_stack) from [<c07f87d8>] (dump_stack+0xb4/0xe8)
> [<c07f87d8>] (dump_stack) from [<c0221f70>] (__warn+0xfc/0x114)
> [<c0221f70>] (__warn) from [<c0221fd8>] (warn_slowpath_fmt+0x50/0x74)
> [<c0221fd8>] (warn_slowpath_fmt) from [<c07fd394>] (kobject_get+0x50/0x54)
> [<c07fd394>] (kobject_get) from [<c0602ce8>] (get_device+0x1c/0x24)
> [<c0602ce8>] (get_device) from [<c06961e0>] (watchdog_open+0x90/0xf0)
> [<c06961e0>] (watchdog_open) from [<c06001dc>] (misc_open+0x130/0x17c)
> [<c06001dc>] (misc_open) from [<c0388228>] (chrdev_open+0xec/0x1a8)
> [<c0388228>] (chrdev_open) from [<c037fa98>] (do_dentry_open+0x204/0x3cc)
> [<c037fa98>] (do_dentry_open) from [<c0391e2c>] (path_openat+0x330/0x1148)
> [<c0391e2c>] (path_openat) from [<c0394518>] (do_filp_open+0x78/0xec)
> [<c0394518>] (do_filp_open) from [<c0381100>] (do_sys_open+0x130/0x1f4)
> [<c0381100>] (do_sys_open) from [<c0201000>] (ret_fast_syscall+0x0/0x28)
> Exception stack(0xd2ceffa8 to 0xd2cefff0)
> ffa0:                   b6f69968 00000000 ffffff9c b6ebd210 000a0001 00000000
> ffc0: b6f69968 00000000 00000000 00000142 fffffffd ffffffff 00b65530 bed7bb78
> ffe0: 00000142 bed7ba70 b6cc2503 b6cc41d6
> ---[ end trace 7b16eb105513974f ]---
> 
> ------------[ cut here ]------------
> WARNING: CPU: 3 PID: 1 at lib/refcount.c:153 kobject_get+0x24/0x54
> refcount_t: increment on 0; use-after-free.
> Modules linked in: k2_reset_status(O) davinci_wdt(+) sfn_platform_hwbcn(O) fsmddg_sfn(O) clk_misc_mmap(O) clk_sw_bcn(O) fsp_reset(O) cma_mod(O) slave_sup_notif(O) fpga_master(O) latency(O+) evnotify(O) enable_arm_pmu(O) xge(O) rio_mport_cdev br_netfilter bridge stp llc nvrd_checksum(O) ipv6
> CPU: 3 PID: 1 Comm: systemd Tainted: G        W  O 4.19.113-g2579778-fsm4_k2 #1
> Hardware name: Keystone
> [<c02126c4>] (unwind_backtrace) from [<c020da94>] (show_stack+0x18/0x1c)
> [<c020da94>] (show_stack) from [<c07f87d8>] (dump_stack+0xb4/0xe8)
> [<c07f87d8>] (dump_stack) from [<c0221f70>] (__warn+0xfc/0x114)
> [<c0221f70>] (__warn) from [<c0221fd8>] (warn_slowpath_fmt+0x50/0x74)
> [<c0221fd8>] (warn_slowpath_fmt) from [<c07fd368>] (kobject_get+0x24/0x54)
> [<c07fd368>] (kobject_get) from [<c0602ce8>] (get_device+0x1c/0x24)
> [<c0602ce8>] (get_device) from [<c06961e0>] (watchdog_open+0x90/0xf0)
> [<c06961e0>] (watchdog_open) from [<c06001dc>] (misc_open+0x130/0x17c)
> [<c06001dc>] (misc_open) from [<c0388228>] (chrdev_open+0xec/0x1a8)
> [<c0388228>] (chrdev_open) from [<c037fa98>] (do_dentry_open+0x204/0x3cc)
> [<c037fa98>] (do_dentry_open) from [<c0391e2c>] (path_openat+0x330/0x1148)
> [<c0391e2c>] (path_openat) from [<c0394518>] (do_filp_open+0x78/0xec)
> [<c0394518>] (do_filp_open) from [<c0381100>] (do_sys_open+0x130/0x1f4)
> [<c0381100>] (do_sys_open) from [<c0201000>] (ret_fast_syscall+0x0/0x28)
> Exception stack(0xd2ceffa8 to 0xd2cefff0)
> ffa0:                   b6f69968 00000000 ffffff9c b6ebd210 000a0001 00000000
> ffc0: b6f69968 00000000 00000000 00000142 fffffffd ffffffff 00b65530 bed7bb78
> ffe0: 00000142 bed7ba70 b6cc2503 b6cc41d6
> ---[ end trace 7b16eb1055139750 ]---
> 
> Fixes: 72139dfa2464 ("watchdog: Fix the race between the release of watchdog_core_data and cdev")
> Signed-off-by: Krzysztof Sobota <krzysztof.sobota@nokia.com>
> 
> Change-Id: I3b85f615d67ab5b8dc6c5c2dc42efd236d502d09
> ---
>  drivers/watchdog/watchdog_dev.c | 18 +++++++++---------
>  1 file changed, 9 insertions(+), 9 deletions(-)
> 
> diff --git a/drivers/watchdog/watchdog_dev.c b/drivers/watchdog/watchdog_dev.c
> index 10b2090f3e5e..1c322caecf7f 100644
> --- a/drivers/watchdog/watchdog_dev.c
> +++ b/drivers/watchdog/watchdog_dev.c
> @@ -947,6 +947,15 @@ static int watchdog_cdev_register(struct watchdog_device *wdd)
>         if (IS_ERR_OR_NULL(watchdog_kworker))
>                 return -ENODEV;
> 
> +       device_initialize(&wd_data->dev);
> +       wd_data->dev.devt = MKDEV(MAJOR(watchdog_devt), wdd->id);
> +       wd_data->dev.class = &watchdog_class;
> +       wd_data->dev.parent = wdd->parent;
> +       wd_data->dev.groups = wdd->groups;
> +       wd_data->dev.release = watchdog_core_data_release;
> +       dev_set_drvdata(&wd_data->dev, wdd);
> +       dev_set_name(&wd_data->dev, "watchdog%d", wdd->id);
> +
>         kthread_init_work(&wd_data->work, watchdog_ping_work);
>         hrtimer_init(&wd_data->timer, CLOCK_MONOTONIC, HRTIMER_MODE_REL);
>         wd_data->timer.function = watchdog_timer_expired;
> @@ -967,15 +976,6 @@ static int watchdog_cdev_register(struct watchdog_device *wdd)
>                 }
>         }
> 
> -       device_initialize(&wd_data->dev);
> -       wd_data->dev.devt = MKDEV(MAJOR(watchdog_devt), wdd->id);
> -       wd_data->dev.class = &watchdog_class;
> -       wd_data->dev.parent = wdd->parent;
> -       wd_data->dev.groups = wdd->groups;
> -       wd_data->dev.release = watchdog_core_data_release;
> -       dev_set_drvdata(&wd_data->dev, wdd);
> -       dev_set_name(&wd_data->dev, "watchdog%d", wdd->id);
> -
>         /* Fill in the data structures */
>         cdev_init(&wd_data->cdev, &watchdog_fops);
> 
> -- 
> 2.14.0
> 


^ permalink raw reply	[flat|nested] 7+ messages in thread

* [PATCH v2] watchdog: initialize device before misc_register
  2020-07-15 15:09 ` Guenter Roeck
@ 2020-07-16  8:31   ` krzysztof.sobota
  2020-07-16 11:32     ` [PATCH v3] " krzysztof.sobota
  0 siblings, 1 reply; 7+ messages in thread
From: krzysztof.sobota @ 2020-07-16  8:31 UTC (permalink / raw)
  To: Guenter Roeck, wim, linux-watchdog, linux-kernel; +Cc: alexander.sverdlin

watchdog: initialize device before misc_register

When watchdog device is being registered, it calls misc_register that
makes watchdog available for systemd to open. This is a data race
scenario, because when device is open it may still have device struct
not initialized - this in turn causes a crash. This patch moves
device initialization before misc_register call and it solves the
problem printed below.

------------[ cut here ]------------
WARNING: CPU: 3 PID: 1 at lib/kobject.c:612 kobject_get+0x50/0x54
kobject: '(null)' ((ptrval)): is not initialized, yet kobject_get() is 
being called.
Modules linked in: k2_reset_status(O) davinci_wdt(+) 
sfn_platform_hwbcn(O) fsmddg_sfn(O) clk_misc_mmap(O) clk_sw_bcn(O) 
fsp_reset(O) cma_mod(O) slave_sup_notif(O) fpga_master(O) latency(O+) 
evnotify(O) enable_arm_pmu(O) xge(O) rio_mport_cdev br_netfilter bridge 
stp llc nvrd_checksum(O) ipv6
CPU: 3 PID: 1 Comm: systemd Tainted: G           O 
4.19.113-g2579778-fsm4_k2 #1
Hardware name: Keystone
[<c02126c4>] (unwind_backtrace) from [<c020da94>] (show_stack+0x18/0x1c)
[<c020da94>] (show_stack) from [<c07f87d8>] (dump_stack+0xb4/0xe8)
[<c07f87d8>] (dump_stack) from [<c0221f70>] (__warn+0xfc/0x114)
[<c0221f70>] (__warn) from [<c0221fd8>] (warn_slowpath_fmt+0x50/0x74)
[<c0221fd8>] (warn_slowpath_fmt) from [<c07fd394>] (kobject_get+0x50/0x54)
[<c07fd394>] (kobject_get) from [<c0602ce8>] (get_device+0x1c/0x24)
[<c0602ce8>] (get_device) from [<c06961e0>] (watchdog_open+0x90/0xf0)
[<c06961e0>] (watchdog_open) from [<c06001dc>] (misc_open+0x130/0x17c)
[<c06001dc>] (misc_open) from [<c0388228>] (chrdev_open+0xec/0x1a8)
[<c0388228>] (chrdev_open) from [<c037fa98>] (do_dentry_open+0x204/0x3cc)
[<c037fa98>] (do_dentry_open) from [<c0391e2c>] (path_openat+0x330/0x1148)
[<c0391e2c>] (path_openat) from [<c0394518>] (do_filp_open+0x78/0xec)
[<c0394518>] (do_filp_open) from [<c0381100>] (do_sys_open+0x130/0x1f4)
[<c0381100>] (do_sys_open) from [<c0201000>] (ret_fast_syscall+0x0/0x28)
Exception stack(0xd2ceffa8 to 0xd2cefff0)
ffa0:                   b6f69968 00000000 ffffff9c b6ebd210 000a0001 
00000000
ffc0: b6f69968 00000000 00000000 00000142 fffffffd ffffffff 00b65530 
bed7bb78
ffe0: 00000142 bed7ba70 b6cc2503 b6cc41d6
---[ end trace 7b16eb105513974f ]---

------------[ cut here ]------------
WARNING: CPU: 3 PID: 1 at lib/refcount.c:153 kobject_get+0x24/0x54
refcount_t: increment on 0; use-after-free.
Modules linked in: k2_reset_status(O) davinci_wdt(+) 
sfn_platform_hwbcn(O) fsmddg_sfn(O) clk_misc_mmap(O) clk_sw_bcn(O) 
fsp_reset(O) cma_mod(O) slave_sup_notif(O) fpga_master(O) latency(O+) 
evnotify(O) enable_arm_pmu(O) xge(O) rio_mport_cdev br_netfilter bridge 
stp llc nvrd_checksum(O) ipv6
CPU: 3 PID: 1 Comm: systemd Tainted: G        W  O 
4.19.113-g2579778-fsm4_k2 #1
Hardware name: Keystone
[<c02126c4>] (unwind_backtrace) from [<c020da94>] (show_stack+0x18/0x1c)
[<c020da94>] (show_stack) from [<c07f87d8>] (dump_stack+0xb4/0xe8)
[<c07f87d8>] (dump_stack) from [<c0221f70>] (__warn+0xfc/0x114)
[<c0221f70>] (__warn) from [<c0221fd8>] (warn_slowpath_fmt+0x50/0x74)
[<c0221fd8>] (warn_slowpath_fmt) from [<c07fd368>] (kobject_get+0x24/0x54)
[<c07fd368>] (kobject_get) from [<c0602ce8>] (get_device+0x1c/0x24)
[<c0602ce8>] (get_device) from [<c06961e0>] (watchdog_open+0x90/0xf0)
[<c06961e0>] (watchdog_open) from [<c06001dc>] (misc_open+0x130/0x17c)
[<c06001dc>] (misc_open) from [<c0388228>] (chrdev_open+0xec/0x1a8)
[<c0388228>] (chrdev_open) from [<c037fa98>] (do_dentry_open+0x204/0x3cc)
[<c037fa98>] (do_dentry_open) from [<c0391e2c>] (path_openat+0x330/0x1148)
[<c0391e2c>] (path_openat) from [<c0394518>] (do_filp_open+0x78/0xec)
[<c0394518>] (do_filp_open) from [<c0381100>] (do_sys_open+0x130/0x1f4)
[<c0381100>] (do_sys_open) from [<c0201000>] (ret_fast_syscall+0x0/0x28)
Exception stack(0xd2ceffa8 to 0xd2cefff0)
ffa0:                   b6f69968 00000000 ffffff9c b6ebd210 000a0001 
00000000
ffc0: b6f69968 00000000 00000000 00000142 fffffffd ffffffff 00b65530 
bed7bb78
ffe0: 00000142 bed7ba70 b6cc2503 b6cc41d6
---[ end trace 7b16eb1055139750 ]---

Fixes: 72139dfa2464 ("watchdog: Fix the race between the release of 
watchdog_core_data and cdev")
Reviewed-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Krzysztof Sobota <krzysztof.sobota@nokia.com>
---
v1 -> v2:
* removed Change-Id tag
* added Review-by tag
---
  drivers/watchdog/watchdog_dev.c | 18 +++++++++---------
  1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/drivers/watchdog/watchdog_dev.c 
b/drivers/watchdog/watchdog_dev.c
index 10b2090f3e5e..1c322caecf7f 100644
--- a/drivers/watchdog/watchdog_dev.c
+++ b/drivers/watchdog/watchdog_dev.c
@@ -947,6 +947,15 @@ static int watchdog_cdev_register(struct 
watchdog_device *wdd)
         if (IS_ERR_OR_NULL(watchdog_kworker))
                 return -ENODEV;

+       device_initialize(&wd_data->dev);
+       wd_data->dev.devt = MKDEV(MAJOR(watchdog_devt), wdd->id);
+       wd_data->dev.class = &watchdog_class;
+       wd_data->dev.parent = wdd->parent;
+       wd_data->dev.groups = wdd->groups;
+       wd_data->dev.release = watchdog_core_data_release;
+       dev_set_drvdata(&wd_data->dev, wdd);
+       dev_set_name(&wd_data->dev, "watchdog%d", wdd->id);
+
         kthread_init_work(&wd_data->work, watchdog_ping_work);
         hrtimer_init(&wd_data->timer, CLOCK_MONOTONIC, HRTIMER_MODE_REL);
         wd_data->timer.function = watchdog_timer_expired;
@@ -967,15 +976,6 @@ static int watchdog_cdev_register(struct 
watchdog_device *wdd)
                 }
         }

-       device_initialize(&wd_data->dev);
-       wd_data->dev.devt = MKDEV(MAJOR(watchdog_devt), wdd->id);
-       wd_data->dev.class = &watchdog_class;
-       wd_data->dev.parent = wdd->parent;
-       wd_data->dev.groups = wdd->groups;
-       wd_data->dev.release = watchdog_core_data_release;
-       dev_set_drvdata(&wd_data->dev, wdd);
-       dev_set_name(&wd_data->dev, "watchdog%d", wdd->id);
-
         /* Fill in the data structures */
         cdev_init(&wd_data->cdev, &watchdog_fops);

--
2.14.0


^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: [PATCH v3] watchdog: initialize device before misc_register
  2020-07-16  8:31   ` [PATCH v2] " krzysztof.sobota
@ 2020-07-16 11:32     ` krzysztof.sobota
  2020-07-16 11:48       ` Alexander Sverdlin
  2020-07-16 14:00       ` Guenter Roeck
  0 siblings, 2 replies; 7+ messages in thread
From: krzysztof.sobota @ 2020-07-16 11:32 UTC (permalink / raw)
  To: Guenter Roeck, wim, linux-watchdog, linux-kernel
  Cc: alexander.sverdlin, krzysztof.sobota

When watchdog device is being registered, it calls misc_register that
makes watchdog available for systemd to open. This is a data race
scenario, because when device is open it may still have device struct
not initialized - this in turn causes a crash. This patch moves
device initialization before misc_register call and it solves the
problem printed below.

------------[ cut here ]------------
WARNING: CPU: 3 PID: 1 at lib/kobject.c:612 kobject_get+0x50/0x54
kobject: '(null)' ((ptrval)): is not initialized, yet kobject_get() is being called.
Modules linked in: k2_reset_status(O) davinci_wdt(+) sfn_platform_hwbcn(O) fsmddg_sfn(O) clk_misc_mmap(O) clk_sw_bcn(O) fsp_reset(O) cma_mod(O) slave_sup_notif(O) fpga_master(O) latency(O+) evnotify(O) enable_arm_pmu(O) xge(O) rio_mport_cdev br_netfilter bridge stp llc nvrd_checksum(O) ipv6
CPU: 3 PID: 1 Comm: systemd Tainted: G           O      4.19.113-g2579778-fsm4_k2 #1
Hardware name: Keystone
[<c02126c4>] (unwind_backtrace) from [<c020da94>] (show_stack+0x18/0x1c)
[<c020da94>] (show_stack) from [<c07f87d8>] (dump_stack+0xb4/0xe8)
[<c07f87d8>] (dump_stack) from [<c0221f70>] (__warn+0xfc/0x114)
[<c0221f70>] (__warn) from [<c0221fd8>] (warn_slowpath_fmt+0x50/0x74)
[<c0221fd8>] (warn_slowpath_fmt) from [<c07fd394>] (kobject_get+0x50/0x54)
[<c07fd394>] (kobject_get) from [<c0602ce8>] (get_device+0x1c/0x24)
[<c0602ce8>] (get_device) from [<c06961e0>] (watchdog_open+0x90/0xf0)
[<c06961e0>] (watchdog_open) from [<c06001dc>] (misc_open+0x130/0x17c)
[<c06001dc>] (misc_open) from [<c0388228>] (chrdev_open+0xec/0x1a8)
[<c0388228>] (chrdev_open) from [<c037fa98>] (do_dentry_open+0x204/0x3cc)
[<c037fa98>] (do_dentry_open) from [<c0391e2c>] (path_openat+0x330/0x1148)
[<c0391e2c>] (path_openat) from [<c0394518>] (do_filp_open+0x78/0xec)
[<c0394518>] (do_filp_open) from [<c0381100>] (do_sys_open+0x130/0x1f4)
[<c0381100>] (do_sys_open) from [<c0201000>] (ret_fast_syscall+0x0/0x28)
Exception stack(0xd2ceffa8 to 0xd2cefff0)
ffa0:                   b6f69968 00000000 ffffff9c b6ebd210 000a0001 00000000
ffc0: b6f69968 00000000 00000000 00000142 fffffffd ffffffff 00b65530 bed7bb78
ffe0: 00000142 bed7ba70 b6cc2503 b6cc41d6
---[ end trace 7b16eb105513974f ]---

------------[ cut here ]------------
WARNING: CPU: 3 PID: 1 at lib/refcount.c:153 kobject_get+0x24/0x54
refcount_t: increment on 0; use-after-free.
Modules linked in: k2_reset_status(O) davinci_wdt(+) sfn_platform_hwbcn(O) fsmddg_sfn(O) clk_misc_mmap(O) clk_sw_bcn(O) fsp_reset(O) cma_mod(O) slave_sup_notif(O) fpga_master(O) latency(O+) evnotify(O) enable_arm_pmu(O) xge(O) rio_mport_cdev br_netfilter bridge stp llc nvrd_checksum(O) ipv6
CPU: 3 PID: 1 Comm: systemd Tainted: G        W  O      4.19.113-g2579778-fsm4_k2 #1
Hardware name: Keystone
[<c02126c4>] (unwind_backtrace) from [<c020da94>] (show_stack+0x18/0x1c)
[<c020da94>] (show_stack) from [<c07f87d8>] (dump_stack+0xb4/0xe8)
[<c07f87d8>] (dump_stack) from [<c0221f70>] (__warn+0xfc/0x114)
[<c0221f70>] (__warn) from [<c0221fd8>] (warn_slowpath_fmt+0x50/0x74)
[<c0221fd8>] (warn_slowpath_fmt) from [<c07fd368>] (kobject_get+0x24/0x54)
[<c07fd368>] (kobject_get) from [<c0602ce8>] (get_device+0x1c/0x24)
[<c0602ce8>] (get_device) from [<c06961e0>] (watchdog_open+0x90/0xf0)
[<c06961e0>] (watchdog_open) from [<c06001dc>] (misc_open+0x130/0x17c)
[<c06001dc>] (misc_open) from [<c0388228>] (chrdev_open+0xec/0x1a8)
[<c0388228>] (chrdev_open) from [<c037fa98>] (do_dentry_open+0x204/0x3cc)
[<c037fa98>] (do_dentry_open) from [<c0391e2c>] (path_openat+0x330/0x1148)
[<c0391e2c>] (path_openat) from [<c0394518>] (do_filp_open+0x78/0xec)
[<c0394518>] (do_filp_open) from [<c0381100>] (do_sys_open+0x130/0x1f4)
[<c0381100>] (do_sys_open) from [<c0201000>] (ret_fast_syscall+0x0/0x28)
Exception stack(0xd2ceffa8 to 0xd2cefff0)
ffa0:                   b6f69968 00000000 ffffff9c b6ebd210 000a0001 00000000
ffc0: b6f69968 00000000 00000000 00000142 fffffffd ffffffff 00b65530 bed7bb78
ffe0: 00000142 bed7ba70 b6cc2503 b6cc41d6
---[ end trace 7b16eb1055139750 ]---

Fixes: 72139dfa2464 ("watchdog: Fix the race between the release of watchdog_core_data and cdev")
Reviewed-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Krzysztof Sobota <krzysztof.sobota@nokia.com>
---
v1 -> v2:
* removed Change-Id tag
* added Review-by tag
v2 -> v3
* convert spaces to tabs
* convert (hopefully) mail to plaintext
---
 drivers/watchdog/watchdog_dev.c | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/drivers/watchdog/watchdog_dev.c b/drivers/watchdog/watchdog_dev.c
index 10b2090f3e5e..1c322caecf7f 100644
--- a/drivers/watchdog/watchdog_dev.c
+++ b/drivers/watchdog/watchdog_dev.c
@@ -947,6 +947,15 @@ static int watchdog_cdev_register(struct watchdog_device *wdd)
	if (IS_ERR_OR_NULL(watchdog_kworker))
		return -ENODEV;

+	device_initialize(&wd_data->dev);
+	wd_data->dev.devt = MKDEV(MAJOR(watchdog_devt), wdd->id);
+	wd_data->dev.class = &watchdog_class;
+	wd_data->dev.parent = wdd->parent;
+	wd_data->dev.groups = wdd->groups;
+	wd_data->dev.release = watchdog_core_data_release;
+	dev_set_drvdata(&wd_data->dev, wdd);
+	dev_set_name(&wd_data->dev, "watchdog%d", wdd->id);
+
	kthread_init_work(&wd_data->work, watchdog_ping_work);
	hrtimer_init(&wd_data->timer, CLOCK_MONOTONIC, HRTIMER_MODE_REL);
	wd_data->timer.function = watchdog_timer_expired;
@@ -967,15 +976,6 @@ static int watchdog_cdev_register(struct watchdog_device *wdd)
		}
	}

-	device_initialize(&wd_data->dev);
-	wd_data->dev.devt = MKDEV(MAJOR(watchdog_devt), wdd->id);
-	wd_data->dev.class = &watchdog_class;
-	wd_data->dev.parent = wdd->parent;
-	wd_data->dev.groups = wdd->groups;
-	wd_data->dev.release = watchdog_core_data_release;
-	dev_set_drvdata(&wd_data->dev, wdd);
-	dev_set_name(&wd_data->dev, "watchdog%d", wdd->id);
-
	/* Fill in the data structures */
	cdev_init(&wd_data->cdev, &watchdog_fops);

--
2.14.0


^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: [PATCH v3] watchdog: initialize device before misc_register
  2020-07-16 11:32     ` [PATCH v3] " krzysztof.sobota
@ 2020-07-16 11:48       ` Alexander Sverdlin
  2020-07-16 14:00       ` Guenter Roeck
  1 sibling, 0 replies; 7+ messages in thread
From: Alexander Sverdlin @ 2020-07-16 11:48 UTC (permalink / raw)
  To: krzysztof.sobota, Guenter Roeck, wim, linux-watchdog, linux-kernel

Hello Krzysztof,

On 16/07/2020 13:32, krzysztof.sobota@nokia.com wrote:
> When watchdog device is being registered, it calls misc_register that
> makes watchdog available for systemd to open. This is a data race
> scenario, because when device is open it may still have device struct
> not initialized - this in turn causes a crash. This patch moves
> device initialization before misc_register call and it solves the
> problem printed below.

[...]

thank you for looking into this!

> Fixes: 72139dfa2464 ("watchdog: Fix the race between the release of watchdog_core_data and cdev")
> Reviewed-by: Guenter Roeck <linux@roeck-us.net>

Reviewed-by: Alexander Sverdlin <alexander.sverdlin@nokia.com>

> Signed-off-by: Krzysztof Sobota <krzysztof.sobota@nokia.com>
> ---
> v1 -> v2:
> * removed Change-Id tag
> * added Review-by tag
> v2 -> v3
> * convert spaces to tabs
> * convert (hopefully) mail to plaintext
> ---
>  drivers/watchdog/watchdog_dev.c | 18 +++++++++---------
>  1 file changed, 9 insertions(+), 9 deletions(-)
> 
> diff --git a/drivers/watchdog/watchdog_dev.c b/drivers/watchdog/watchdog_dev.c
> index 10b2090f3e5e..1c322caecf7f 100644
> --- a/drivers/watchdog/watchdog_dev.c
> +++ b/drivers/watchdog/watchdog_dev.c
> @@ -947,6 +947,15 @@ static int watchdog_cdev_register(struct watchdog_device *wdd)
> 	if (IS_ERR_OR_NULL(watchdog_kworker))
> 		return -ENODEV;
> 
> +	device_initialize(&wd_data->dev);
> +	wd_data->dev.devt = MKDEV(MAJOR(watchdog_devt), wdd->id);
> +	wd_data->dev.class = &watchdog_class;
> +	wd_data->dev.parent = wdd->parent;
> +	wd_data->dev.groups = wdd->groups;
> +	wd_data->dev.release = watchdog_core_data_release;
> +	dev_set_drvdata(&wd_data->dev, wdd);
> +	dev_set_name(&wd_data->dev, "watchdog%d", wdd->id);
> +
> 	kthread_init_work(&wd_data->work, watchdog_ping_work);
> 	hrtimer_init(&wd_data->timer, CLOCK_MONOTONIC, HRTIMER_MODE_REL);
> 	wd_data->timer.function = watchdog_timer_expired;
> @@ -967,15 +976,6 @@ static int watchdog_cdev_register(struct watchdog_device *wdd)
> 		}
> 	}
> 
> -	device_initialize(&wd_data->dev);
> -	wd_data->dev.devt = MKDEV(MAJOR(watchdog_devt), wdd->id);
> -	wd_data->dev.class = &watchdog_class;
> -	wd_data->dev.parent = wdd->parent;
> -	wd_data->dev.groups = wdd->groups;
> -	wd_data->dev.release = watchdog_core_data_release;
> -	dev_set_drvdata(&wd_data->dev, wdd);
> -	dev_set_name(&wd_data->dev, "watchdog%d", wdd->id);
> -
> 	/* Fill in the data structures */
> 	cdev_init(&wd_data->cdev, &watchdog_fops);
> 
> --
> 2.14.0
> 

-- 
Best regards,
Alexander Sverdlin.

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: [PATCH v3] watchdog: initialize device before misc_register
  2020-07-16 11:32     ` [PATCH v3] " krzysztof.sobota
  2020-07-16 11:48       ` Alexander Sverdlin
@ 2020-07-16 14:00       ` Guenter Roeck
  1 sibling, 0 replies; 7+ messages in thread
From: Guenter Roeck @ 2020-07-16 14:00 UTC (permalink / raw)
  To: krzysztof.sobota; +Cc: wim, linux-watchdog, linux-kernel, alexander.sverdlin

PLEASE PLEASE PLEASE _never_ send a new version of a patch as reply
to a previous one. All this ensures it that it won't find its way
into patchwork, which I and others use to track patches.
This means such patches will likely get lost.

Guenter

On Thu, Jul 16, 2020 at 01:32:12PM +0200, krzysztof.sobota@nokia.com wrote:
> When watchdog device is being registered, it calls misc_register that
> makes watchdog available for systemd to open. This is a data race
> scenario, because when device is open it may still have device struct
> not initialized - this in turn causes a crash. This patch moves
> device initialization before misc_register call and it solves the
> problem printed below.
> 
> ------------[ cut here ]------------
> WARNING: CPU: 3 PID: 1 at lib/kobject.c:612 kobject_get+0x50/0x54
> kobject: '(null)' ((ptrval)): is not initialized, yet kobject_get() is being called.
> Modules linked in: k2_reset_status(O) davinci_wdt(+) sfn_platform_hwbcn(O) fsmddg_sfn(O) clk_misc_mmap(O) clk_sw_bcn(O) fsp_reset(O) cma_mod(O) slave_sup_notif(O) fpga_master(O) latency(O+) evnotify(O) enable_arm_pmu(O) xge(O) rio_mport_cdev br_netfilter bridge stp llc nvrd_checksum(O) ipv6
> CPU: 3 PID: 1 Comm: systemd Tainted: G           O      4.19.113-g2579778-fsm4_k2 #1
> Hardware name: Keystone
> [<c02126c4>] (unwind_backtrace) from [<c020da94>] (show_stack+0x18/0x1c)
> [<c020da94>] (show_stack) from [<c07f87d8>] (dump_stack+0xb4/0xe8)
> [<c07f87d8>] (dump_stack) from [<c0221f70>] (__warn+0xfc/0x114)
> [<c0221f70>] (__warn) from [<c0221fd8>] (warn_slowpath_fmt+0x50/0x74)
> [<c0221fd8>] (warn_slowpath_fmt) from [<c07fd394>] (kobject_get+0x50/0x54)
> [<c07fd394>] (kobject_get) from [<c0602ce8>] (get_device+0x1c/0x24)
> [<c0602ce8>] (get_device) from [<c06961e0>] (watchdog_open+0x90/0xf0)
> [<c06961e0>] (watchdog_open) from [<c06001dc>] (misc_open+0x130/0x17c)
> [<c06001dc>] (misc_open) from [<c0388228>] (chrdev_open+0xec/0x1a8)
> [<c0388228>] (chrdev_open) from [<c037fa98>] (do_dentry_open+0x204/0x3cc)
> [<c037fa98>] (do_dentry_open) from [<c0391e2c>] (path_openat+0x330/0x1148)
> [<c0391e2c>] (path_openat) from [<c0394518>] (do_filp_open+0x78/0xec)
> [<c0394518>] (do_filp_open) from [<c0381100>] (do_sys_open+0x130/0x1f4)
> [<c0381100>] (do_sys_open) from [<c0201000>] (ret_fast_syscall+0x0/0x28)
> Exception stack(0xd2ceffa8 to 0xd2cefff0)
> ffa0:                   b6f69968 00000000 ffffff9c b6ebd210 000a0001 00000000
> ffc0: b6f69968 00000000 00000000 00000142 fffffffd ffffffff 00b65530 bed7bb78
> ffe0: 00000142 bed7ba70 b6cc2503 b6cc41d6
> ---[ end trace 7b16eb105513974f ]---
> 
> ------------[ cut here ]------------
> WARNING: CPU: 3 PID: 1 at lib/refcount.c:153 kobject_get+0x24/0x54
> refcount_t: increment on 0; use-after-free.
> Modules linked in: k2_reset_status(O) davinci_wdt(+) sfn_platform_hwbcn(O) fsmddg_sfn(O) clk_misc_mmap(O) clk_sw_bcn(O) fsp_reset(O) cma_mod(O) slave_sup_notif(O) fpga_master(O) latency(O+) evnotify(O) enable_arm_pmu(O) xge(O) rio_mport_cdev br_netfilter bridge stp llc nvrd_checksum(O) ipv6
> CPU: 3 PID: 1 Comm: systemd Tainted: G        W  O      4.19.113-g2579778-fsm4_k2 #1
> Hardware name: Keystone
> [<c02126c4>] (unwind_backtrace) from [<c020da94>] (show_stack+0x18/0x1c)
> [<c020da94>] (show_stack) from [<c07f87d8>] (dump_stack+0xb4/0xe8)
> [<c07f87d8>] (dump_stack) from [<c0221f70>] (__warn+0xfc/0x114)
> [<c0221f70>] (__warn) from [<c0221fd8>] (warn_slowpath_fmt+0x50/0x74)
> [<c0221fd8>] (warn_slowpath_fmt) from [<c07fd368>] (kobject_get+0x24/0x54)
> [<c07fd368>] (kobject_get) from [<c0602ce8>] (get_device+0x1c/0x24)
> [<c0602ce8>] (get_device) from [<c06961e0>] (watchdog_open+0x90/0xf0)
> [<c06961e0>] (watchdog_open) from [<c06001dc>] (misc_open+0x130/0x17c)
> [<c06001dc>] (misc_open) from [<c0388228>] (chrdev_open+0xec/0x1a8)
> [<c0388228>] (chrdev_open) from [<c037fa98>] (do_dentry_open+0x204/0x3cc)
> [<c037fa98>] (do_dentry_open) from [<c0391e2c>] (path_openat+0x330/0x1148)
> [<c0391e2c>] (path_openat) from [<c0394518>] (do_filp_open+0x78/0xec)
> [<c0394518>] (do_filp_open) from [<c0381100>] (do_sys_open+0x130/0x1f4)
> [<c0381100>] (do_sys_open) from [<c0201000>] (ret_fast_syscall+0x0/0x28)
> Exception stack(0xd2ceffa8 to 0xd2cefff0)
> ffa0:                   b6f69968 00000000 ffffff9c b6ebd210 000a0001 00000000
> ffc0: b6f69968 00000000 00000000 00000142 fffffffd ffffffff 00b65530 bed7bb78
> ffe0: 00000142 bed7ba70 b6cc2503 b6cc41d6
> ---[ end trace 7b16eb1055139750 ]---
> 
> Fixes: 72139dfa2464 ("watchdog: Fix the race between the release of watchdog_core_data and cdev")
> Reviewed-by: Guenter Roeck <linux@roeck-us.net>
> Signed-off-by: Krzysztof Sobota <krzysztof.sobota@nokia.com>
> ---
> v1 -> v2:
> * removed Change-Id tag
> * added Review-by tag
> v2 -> v3
> * convert spaces to tabs
> * convert (hopefully) mail to plaintext
> ---
>  drivers/watchdog/watchdog_dev.c | 18 +++++++++---------
>  1 file changed, 9 insertions(+), 9 deletions(-)
> 
> diff --git a/drivers/watchdog/watchdog_dev.c b/drivers/watchdog/watchdog_dev.c
> index 10b2090f3e5e..1c322caecf7f 100644
> --- a/drivers/watchdog/watchdog_dev.c
> +++ b/drivers/watchdog/watchdog_dev.c
> @@ -947,6 +947,15 @@ static int watchdog_cdev_register(struct watchdog_device *wdd)
> 	if (IS_ERR_OR_NULL(watchdog_kworker))
> 		return -ENODEV;
> 
> +	device_initialize(&wd_data->dev);
> +	wd_data->dev.devt = MKDEV(MAJOR(watchdog_devt), wdd->id);
> +	wd_data->dev.class = &watchdog_class;
> +	wd_data->dev.parent = wdd->parent;
> +	wd_data->dev.groups = wdd->groups;
> +	wd_data->dev.release = watchdog_core_data_release;
> +	dev_set_drvdata(&wd_data->dev, wdd);
> +	dev_set_name(&wd_data->dev, "watchdog%d", wdd->id);
> +
> 	kthread_init_work(&wd_data->work, watchdog_ping_work);
> 	hrtimer_init(&wd_data->timer, CLOCK_MONOTONIC, HRTIMER_MODE_REL);
> 	wd_data->timer.function = watchdog_timer_expired;
> @@ -967,15 +976,6 @@ static int watchdog_cdev_register(struct watchdog_device *wdd)
> 		}
> 	}
> 
> -	device_initialize(&wd_data->dev);
> -	wd_data->dev.devt = MKDEV(MAJOR(watchdog_devt), wdd->id);
> -	wd_data->dev.class = &watchdog_class;
> -	wd_data->dev.parent = wdd->parent;
> -	wd_data->dev.groups = wdd->groups;
> -	wd_data->dev.release = watchdog_core_data_release;
> -	dev_set_drvdata(&wd_data->dev, wdd);
> -	dev_set_name(&wd_data->dev, "watchdog%d", wdd->id);
> -
> 	/* Fill in the data structures */
> 	cdev_init(&wd_data->cdev, &watchdog_fops);
> 
> --
> 2.14.0
> 

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: [PATCH v3] watchdog: initialize device before misc_register
@ 2020-07-16 14:06 Guenter Roeck
  0 siblings, 0 replies; 7+ messages in thread
From: Guenter Roeck @ 2020-07-16 14:06 UTC (permalink / raw)
  To: krzysztof.sobota; +Cc: wim, linux-watchdog, linux-kernel, alexander.sverdlin

On Thu, Jul 16, 2020 at 01:32:12PM +0200, krzysztof.sobota@nokia.com wrote:
> When watchdog device is being registered, it calls misc_register that
> makes watchdog available for systemd to open. This is a data race
> scenario, because when device is open it may still have device struct
> not initialized - this in turn causes a crash. This patch moves
> device initialization before misc_register call and it solves the
> problem printed below.
> 
> ------------[ cut here ]------------
> WARNING: CPU: 3 PID: 1 at lib/kobject.c:612 kobject_get+0x50/0x54
> kobject: '(null)' ((ptrval)): is not initialized, yet kobject_get() is being called.
> Modules linked in: k2_reset_status(O) davinci_wdt(+) sfn_platform_hwbcn(O) fsmddg_sfn(O) clk_misc_mmap(O) clk_sw_bcn(O) fsp_reset(O) cma_mod(O) slave_sup_notif(O) fpga_master(O) latency(O+) evnotify(O) enable_arm_pmu(O) xge(O) rio_mport_cdev br_netfilter bridge stp llc nvrd_checksum(O) ipv6
> CPU: 3 PID: 1 Comm: systemd Tainted: G           O      4.19.113-g2579778-fsm4_k2 #1
> Hardware name: Keystone
> [<c02126c4>] (unwind_backtrace) from [<c020da94>] (show_stack+0x18/0x1c)
> [<c020da94>] (show_stack) from [<c07f87d8>] (dump_stack+0xb4/0xe8)
> [<c07f87d8>] (dump_stack) from [<c0221f70>] (__warn+0xfc/0x114)
> [<c0221f70>] (__warn) from [<c0221fd8>] (warn_slowpath_fmt+0x50/0x74)
> [<c0221fd8>] (warn_slowpath_fmt) from [<c07fd394>] (kobject_get+0x50/0x54)
> [<c07fd394>] (kobject_get) from [<c0602ce8>] (get_device+0x1c/0x24)
> [<c0602ce8>] (get_device) from [<c06961e0>] (watchdog_open+0x90/0xf0)
> [<c06961e0>] (watchdog_open) from [<c06001dc>] (misc_open+0x130/0x17c)
> [<c06001dc>] (misc_open) from [<c0388228>] (chrdev_open+0xec/0x1a8)
> [<c0388228>] (chrdev_open) from [<c037fa98>] (do_dentry_open+0x204/0x3cc)
> [<c037fa98>] (do_dentry_open) from [<c0391e2c>] (path_openat+0x330/0x1148)
> [<c0391e2c>] (path_openat) from [<c0394518>] (do_filp_open+0x78/0xec)
> [<c0394518>] (do_filp_open) from [<c0381100>] (do_sys_open+0x130/0x1f4)
> [<c0381100>] (do_sys_open) from [<c0201000>] (ret_fast_syscall+0x0/0x28)
> Exception stack(0xd2ceffa8 to 0xd2cefff0)
> ffa0:                   b6f69968 00000000 ffffff9c b6ebd210 000a0001 00000000
> ffc0: b6f69968 00000000 00000000 00000142 fffffffd ffffffff 00b65530 bed7bb78
> ffe0: 00000142 bed7ba70 b6cc2503 b6cc41d6
> ---[ end trace 7b16eb105513974f ]---
> 
> ------------[ cut here ]------------
> WARNING: CPU: 3 PID: 1 at lib/refcount.c:153 kobject_get+0x24/0x54
> refcount_t: increment on 0; use-after-free.
> Modules linked in: k2_reset_status(O) davinci_wdt(+) sfn_platform_hwbcn(O) fsmddg_sfn(O) clk_misc_mmap(O) clk_sw_bcn(O) fsp_reset(O) cma_mod(O) slave_sup_notif(O) fpga_master(O) latency(O+) evnotify(O) enable_arm_pmu(O) xge(O) rio_mport_cdev br_netfilter bridge stp llc nvrd_checksum(O) ipv6
> CPU: 3 PID: 1 Comm: systemd Tainted: G        W  O      4.19.113-g2579778-fsm4_k2 #1
> Hardware name: Keystone
> [<c02126c4>] (unwind_backtrace) from [<c020da94>] (show_stack+0x18/0x1c)
> [<c020da94>] (show_stack) from [<c07f87d8>] (dump_stack+0xb4/0xe8)
> [<c07f87d8>] (dump_stack) from [<c0221f70>] (__warn+0xfc/0x114)
> [<c0221f70>] (__warn) from [<c0221fd8>] (warn_slowpath_fmt+0x50/0x74)
> [<c0221fd8>] (warn_slowpath_fmt) from [<c07fd368>] (kobject_get+0x24/0x54)
> [<c07fd368>] (kobject_get) from [<c0602ce8>] (get_device+0x1c/0x24)
> [<c0602ce8>] (get_device) from [<c06961e0>] (watchdog_open+0x90/0xf0)
> [<c06961e0>] (watchdog_open) from [<c06001dc>] (misc_open+0x130/0x17c)
> [<c06001dc>] (misc_open) from [<c0388228>] (chrdev_open+0xec/0x1a8)
> [<c0388228>] (chrdev_open) from [<c037fa98>] (do_dentry_open+0x204/0x3cc)
> [<c037fa98>] (do_dentry_open) from [<c0391e2c>] (path_openat+0x330/0x1148)
> [<c0391e2c>] (path_openat) from [<c0394518>] (do_filp_open+0x78/0xec)
> [<c0394518>] (do_filp_open) from [<c0381100>] (do_sys_open+0x130/0x1f4)
> [<c0381100>] (do_sys_open) from [<c0201000>] (ret_fast_syscall+0x0/0x28)
> Exception stack(0xd2ceffa8 to 0xd2cefff0)
> ffa0:                   b6f69968 00000000 ffffff9c b6ebd210 000a0001 00000000
> ffc0: b6f69968 00000000 00000000 00000142 fffffffd ffffffff 00b65530 bed7bb78
> ffe0: 00000142 bed7ba70 b6cc2503 b6cc41d6
> ---[ end trace 7b16eb1055139750 ]---
> 
> Fixes: 72139dfa2464 ("watchdog: Fix the race between the release of watchdog_core_data and cdev")
> Reviewed-by: Guenter Roeck <linux@roeck-us.net>
> Signed-off-by: Krzysztof Sobota <krzysztof.sobota@nokia.com>
> ---
> v1 -> v2:
> * removed Change-Id tag
> * added Review-by tag
> v2 -> v3
> * convert spaces to tabs
> * convert (hopefully) mail to plaintext

Doesn't look like it.

Applying: watchdog: initialize device before misc_register
error: corrupt patch at line 17
Patch failed at 0001 watchdog: initialize device before misc_register
Use 'git am --show-current-patch' to see the failed patch
When you have resolved this problem, run "git am --continue".
If you prefer to skip this patch, run "git am --skip" instead.
To restore the original branch and stop patching, run "git am --abort".

Guenter

> ---
>  drivers/watchdog/watchdog_dev.c | 18 +++++++++---------
>  1 file changed, 9 insertions(+), 9 deletions(-)
> 
> diff --git a/drivers/watchdog/watchdog_dev.c b/drivers/watchdog/watchdog_dev.c
> index 10b2090f3e5e..1c322caecf7f 100644
> --- a/drivers/watchdog/watchdog_dev.c
> +++ b/drivers/watchdog/watchdog_dev.c
> @@ -947,6 +947,15 @@ static int watchdog_cdev_register(struct watchdog_device *wdd)
> 	if (IS_ERR_OR_NULL(watchdog_kworker))
> 		return -ENODEV;
> 
> +	device_initialize(&wd_data->dev);
> +	wd_data->dev.devt = MKDEV(MAJOR(watchdog_devt), wdd->id);
> +	wd_data->dev.class = &watchdog_class;
> +	wd_data->dev.parent = wdd->parent;
> +	wd_data->dev.groups = wdd->groups;
> +	wd_data->dev.release = watchdog_core_data_release;
> +	dev_set_drvdata(&wd_data->dev, wdd);
> +	dev_set_name(&wd_data->dev, "watchdog%d", wdd->id);
> +
> 	kthread_init_work(&wd_data->work, watchdog_ping_work);
> 	hrtimer_init(&wd_data->timer, CLOCK_MONOTONIC, HRTIMER_MODE_REL);
> 	wd_data->timer.function = watchdog_timer_expired;
> @@ -967,15 +976,6 @@ static int watchdog_cdev_register(struct watchdog_device *wdd)
> 		}
> 	}
> 
> -	device_initialize(&wd_data->dev);
> -	wd_data->dev.devt = MKDEV(MAJOR(watchdog_devt), wdd->id);
> -	wd_data->dev.class = &watchdog_class;
> -	wd_data->dev.parent = wdd->parent;
> -	wd_data->dev.groups = wdd->groups;
> -	wd_data->dev.release = watchdog_core_data_release;
> -	dev_set_drvdata(&wd_data->dev, wdd);
> -	dev_set_name(&wd_data->dev, "watchdog%d", wdd->id);
> -
> 	/* Fill in the data structures */
> 	cdev_init(&wd_data->cdev, &watchdog_fops);
> 
> --
> 2.14.0
> 

^ permalink raw reply	[flat|nested] 7+ messages in thread

end of thread, back to index

Thread overview: 7+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-07-15 13:57 [PATCH] watchdog: initialize device before misc_register krzysztof.sobota
2020-07-15 15:09 ` Guenter Roeck
2020-07-16  8:31   ` [PATCH v2] " krzysztof.sobota
2020-07-16 11:32     ` [PATCH v3] " krzysztof.sobota
2020-07-16 11:48       ` Alexander Sverdlin
2020-07-16 14:00       ` Guenter Roeck
2020-07-16 14:06 Guenter Roeck

Linux-Watchdog Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/linux-watchdog/0 linux-watchdog/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 linux-watchdog linux-watchdog/ https://lore.kernel.org/linux-watchdog \
		linux-watchdog@vger.kernel.org
	public-inbox-index linux-watchdog

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.linux-watchdog


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git