[PATCH] watchdog: initialize device before misc_register
From: Krzysztof Sobota
Date: Wed, 15 Jul 2020 13:13:42 +0200
Subject: [PATCH] watchdog: initialize device before misc_register
When watchdog device is being registered, it calls misc_register that
makes watchdog available for systemd to open. This is a data race
scenario, because when device is open it may still have device struct
not initialized - this in turn causes a crash. This patch moves
device initialization before misc_register call and it solves the
problem printed below.
[ cut here ]
WARNING: CPU: 3 PID: 1 at lib/kobject.c:612 kobject_get+0x50/0x54
kobject: '(null)' ((ptrval)): is not initialized, yet kobject_get() is
being called.
Modules linked in: k2_reset_status(O) davinci_wdt(+)
sfn_platform_hwbcn(O) fsmddg_sfn(O) clk_misc_mmap(O) clk_sw_bcn(O)
fsp_reset(O) cma_mod(O) slave_sup_notif(O) fpga_master(O) latency(O+)
evnotify(O) enable_arm_pmu(O) xge(O) rio_mport_cdev br_netfilter bridge
stp llc nvrd_checksum(O) ipv6
CPU: 3 PID: 1 Comm: systemd Tainted: G O
4.19.113-g2579778-fsm4_k2 #1
Hardware name: Keystone
[] (unwind_backtrace) from [] (show_stack+0x18/0x1c)
[] (show_stack) from [] (dump_stack+0xb4/0xe8)
[] (dump_stack) from [] (__warn+0xfc/0x114)
[] (__warn) from [] (warn_slowpath_fmt+0x50/0x74)
[] (warn_slowpath_fmt) from [] (kobject_get+0x50/0x54)
[] (kobject_get) from [] (get_device+0x1c/0x24)
[] (get_device) from [] (watchdog_open+0x90/0xf0)
[] (watchdog_open) from [] (misc_open+0x130/0x17c)
[] (misc_open) from [] (chrdev_open+0xec/0x1a8)
[] (chrdev_open) from [] (do_dentry_open+0x204/0x3cc)
[] (do_dentry_open) from [] (path_openat+0x330/0x1148)
[] (path_openat) from [] (do_filp_open+0x78/0xec)
[] (do_filp_open) from [] (do_sys_open+0x130/0x1f4)
[] (do_sys_open) from [] (ret_fast_syscall+0x0/0x28)
Exception stack(0xd2ceffa8 to 0xd2cefff0)
ffa0: b6f69968 ff9c b6ebd210 000a0001
ffc0: b6f69968 0142 fffd 00b65530
bed7bb78
ffe0: 0142 bed7ba70 b6cc2503 b6cc41d6
---[ end trace 7b16eb105513974f ]---
[ cut here ]
WARNING: CPU: 3 PID: 1 at lib/refcount.c:153 kobject_get+0x24/0x54
refcount_t: increment on 0; use-after-free.
Modules linked in: k2_reset_status(O) davinci_wdt(+)
sfn_platform_hwbcn(O) fsmddg_sfn(O) clk_misc_mmap(O) clk_sw_bcn(O)
fsp_reset(O) cma_mod(O) slave_sup_notif(O) fpga_master(O) latency(O+)
evnotify(O) enable_arm_pmu(O) xge(O) rio_mport_cdev br_netfilter bridge
stp llc nvrd_checksum(O) ipv6
CPU: 3 PID: 1 Comm: systemd Tainted: G W O
4.19.113-g2579778-fsm4_k2 #1
Hardware name: Keystone
[] (unwind_backtrace) from [] (show_stack+0x18/0x1c)
[] (show_stack) from [] (dump_stack+0xb4/0xe8)
[] (dump_stack) from [] (__warn+0xfc/0x114)
[] (__warn) from [] (warn_slowpath_fmt+0x50/0x74)
[] (warn_slowpath_fmt) from [] (kobject_get+0x24/0x54)
[] (kobject_get) from [] (get_device+0x1c/0x24)
[] (get_device) from [] (watchdog_open+0x90/0xf0)
[] (watchdog_open) from [] (misc_open+0x130/0x17c)
[] (misc_open) from [] (chrdev_open+0xec/0x1a8)
[] (chrdev_open) from [] (do_dentry_open+0x204/0x3cc)
[] (do_dentry_open) from [] (path_openat+0x330/0x1148)
[] (path_openat) from [] (do_filp_open+0x78/0xec)
[] (do_filp_open) from [] (do_sys_open+0x130/0x1f4)
[] (do_sys_open) from [] (ret_fast_syscall+0x0/0x28)
Exception stack(0xd2ceffa8 to 0xd2cefff0)
ffa0: b6f69968 ff9c b6ebd210 000a0001
ffc0: b6f69968 0142 fffd 00b65530
bed7bb78
ffe0: 0142 bed7ba70 b6cc2503 b6cc41d6
---[ end trace 7b16eb1055139750 ]---
Fixes: 72139dfa2464 ("watchdog: Fix the race between the release of
watchdog_core_data and cdev")
Signed-off-by: Krzysztof Sobota
Change-Id: I3b85f615d67ab5b8dc6c5c2dc42efd236d502d09
---
drivers/watchdog/watchdog_dev.c | 18 +-
1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/drivers/watchdog/watchdog_dev.c
b/drivers/watchdog/watchdog_dev.c
index 10b2090f3e5e..1c322caecf7f 100644
--- a/drivers/watchdog/watchdog_dev.c
+++ b/drivers/watchdog/watchdog_dev.c
@@ -947,6 +947,15 @@ static int watchdog_cdev_register(struct
watchdog_device *wdd)
if (IS_ERR_OR_NULL(watchdog_kworker))
return -ENODEV;
+ device_initialize(&wd_data->dev);
+ wd_data->dev.devt = MKDEV(MAJOR(watchdog_devt), wdd->id);
+ wd_data->dev.class = &watchdog_class;
+ wd_data->dev.parent = wdd->parent;
+ wd_data->dev.groups = wdd->groups;
+ wd_data->dev.release = watchdog_core_data_release;
+ dev_set_drvdata(&wd_data->dev, wdd);
+ dev_set_name(&wd_data->dev, "watchdog%d", wdd->id);
+
kthread_init_work(&wd_data->work, watchdog_ping_work);
hrtimer_init(&wd_data->timer, CLOCK_MONOTONIC, HRTIMER_MODE_REL);
wd_data->timer.function = watchdog_timer_expired;
@@ -967,15 +976,6 @@ static int watchdog_cdev_register(struct
watchdog_device *wdd)
}
}
- de
[PATCH v2] watchdog: initialize device before misc_register
watchdog: initialize device before misc_register
When watchdog device is being registered, it calls misc_register that
makes watchdog available for systemd to open. This is a data race
scenario, because when device is open it may still have device struct
not initialized - this in turn causes a crash. This patch moves
device initialization before misc_register call and it solves the
problem printed below.
[ cut here ]
WARNING: CPU: 3 PID: 1 at lib/kobject.c:612 kobject_get+0x50/0x54
kobject: '(null)' ((ptrval)): is not initialized, yet kobject_get() is
being called.
Modules linked in: k2_reset_status(O) davinci_wdt(+)
sfn_platform_hwbcn(O) fsmddg_sfn(O) clk_misc_mmap(O) clk_sw_bcn(O)
fsp_reset(O) cma_mod(O) slave_sup_notif(O) fpga_master(O) latency(O+)
evnotify(O) enable_arm_pmu(O) xge(O) rio_mport_cdev br_netfilter bridge
stp llc nvrd_checksum(O) ipv6
CPU: 3 PID: 1 Comm: systemd Tainted: G O
4.19.113-g2579778-fsm4_k2 #1
Hardware name: Keystone
[] (unwind_backtrace) from [] (show_stack+0x18/0x1c)
[] (show_stack) from [] (dump_stack+0xb4/0xe8)
[] (dump_stack) from [] (__warn+0xfc/0x114)
[] (__warn) from [] (warn_slowpath_fmt+0x50/0x74)
[] (warn_slowpath_fmt) from [] (kobject_get+0x50/0x54)
[] (kobject_get) from [] (get_device+0x1c/0x24)
[] (get_device) from [] (watchdog_open+0x90/0xf0)
[] (watchdog_open) from [] (misc_open+0x130/0x17c)
[] (misc_open) from [] (chrdev_open+0xec/0x1a8)
[] (chrdev_open) from [] (do_dentry_open+0x204/0x3cc)
[] (do_dentry_open) from [] (path_openat+0x330/0x1148)
[] (path_openat) from [] (do_filp_open+0x78/0xec)
[] (do_filp_open) from [] (do_sys_open+0x130/0x1f4)
[] (do_sys_open) from [] (ret_fast_syscall+0x0/0x28)
Exception stack(0xd2ceffa8 to 0xd2cefff0)
ffa0: b6f69968 ff9c b6ebd210 000a0001
ffc0: b6f69968 0142 fffd 00b65530
bed7bb78
ffe0: 0142 bed7ba70 b6cc2503 b6cc41d6
---[ end trace 7b16eb105513974f ]---
[ cut here ]
WARNING: CPU: 3 PID: 1 at lib/refcount.c:153 kobject_get+0x24/0x54
refcount_t: increment on 0; use-after-free.
Modules linked in: k2_reset_status(O) davinci_wdt(+)
sfn_platform_hwbcn(O) fsmddg_sfn(O) clk_misc_mmap(O) clk_sw_bcn(O)
fsp_reset(O) cma_mod(O) slave_sup_notif(O) fpga_master(O) latency(O+)
evnotify(O) enable_arm_pmu(O) xge(O) rio_mport_cdev br_netfilter bridge
stp llc nvrd_checksum(O) ipv6
CPU: 3 PID: 1 Comm: systemd Tainted: G W O
4.19.113-g2579778-fsm4_k2 #1
Hardware name: Keystone
[] (unwind_backtrace) from [] (show_stack+0x18/0x1c)
[] (show_stack) from [] (dump_stack+0xb4/0xe8)
[] (dump_stack) from [] (__warn+0xfc/0x114)
[] (__warn) from [] (warn_slowpath_fmt+0x50/0x74)
[] (warn_slowpath_fmt) from [] (kobject_get+0x24/0x54)
[] (kobject_get) from [] (get_device+0x1c/0x24)
[] (get_device) from [] (watchdog_open+0x90/0xf0)
[] (watchdog_open) from [] (misc_open+0x130/0x17c)
[] (misc_open) from [] (chrdev_open+0xec/0x1a8)
[] (chrdev_open) from [] (do_dentry_open+0x204/0x3cc)
[] (do_dentry_open) from [] (path_openat+0x330/0x1148)
[] (path_openat) from [] (do_filp_open+0x78/0xec)
[] (do_filp_open) from [] (do_sys_open+0x130/0x1f4)
[] (do_sys_open) from [] (ret_fast_syscall+0x0/0x28)
Exception stack(0xd2ceffa8 to 0xd2cefff0)
ffa0: b6f69968 ff9c b6ebd210 000a0001
ffc0: b6f69968 0142 fffd 00b65530
bed7bb78
ffe0: 0142 bed7ba70 b6cc2503 b6cc41d6
---[ end trace 7b16eb1055139750 ]---
Fixes: 72139dfa2464 ("watchdog: Fix the race between the release of
watchdog_core_data and cdev")
Reviewed-by: Guenter Roeck
Signed-off-by: Krzysztof Sobota
---
v1 -> v2:
* removed Change-Id tag
* added Review-by tag
---
drivers/watchdog/watchdog_dev.c | 18 +-
1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/drivers/watchdog/watchdog_dev.c
b/drivers/watchdog/watchdog_dev.c
index 10b2090f3e5e..1c322caecf7f 100644
--- a/drivers/watchdog/watchdog_dev.c
+++ b/drivers/watchdog/watchdog_dev.c
@@ -947,6 +947,15 @@ static int watchdog_cdev_register(struct
watchdog_device *wdd)
if (IS_ERR_OR_NULL(watchdog_kworker))
return -ENODEV;
+ device_initialize(&wd_data->dev);
+ wd_data->dev.devt = MKDEV(MAJOR(watchdog_devt), wdd->id);
+ wd_data->dev.class = &watchdog_class;
+ wd_data->dev.parent = wdd->parent;
+ wd_data->dev.groups = wdd->groups;
+ wd_data->dev.release = watchdog_core_data_release;
+ dev_set_drvdata(&wd_data->dev, wdd);
+ dev_set_name(&wd_data->dev, "watchdog%d", wdd->id);
+
kthread_init_work(&wd_data->work, watchdog_ping_work);
hrtimer_init(&wd_data->timer, CLOCK_MONOTONIC, HRTIMER_MODE_REL);
wd_data->timer.function = watchdog_timer_expired;
@@ -967,15 +976,6 @@ static int watchdog_cdev_register(struct
watchdog_device *wdd)
}
}
- device_initialize(&wd_data->dev);
- wd_da
Re: [PATCH v3] watchdog: initialize device before misc_register
When watchdog device is being registered, it calls misc_register that
makes watchdog available for systemd to open. This is a data race
scenario, because when device is open it may still have device struct
not initialized - this in turn causes a crash. This patch moves
device initialization before misc_register call and it solves the
problem printed below.
[ cut here ]
WARNING: CPU: 3 PID: 1 at lib/kobject.c:612 kobject_get+0x50/0x54
kobject: '(null)' ((ptrval)): is not initialized, yet kobject_get() is being
called.
Modules linked in: k2_reset_status(O) davinci_wdt(+) sfn_platform_hwbcn(O)
fsmddg_sfn(O) clk_misc_mmap(O) clk_sw_bcn(O) fsp_reset(O) cma_mod(O)
slave_sup_notif(O) fpga_master(O) latency(O+) evnotify(O) enable_arm_pmu(O)
xge(O) rio_mport_cdev br_netfilter bridge stp llc nvrd_checksum(O) ipv6
CPU: 3 PID: 1 Comm: systemd Tainted: G O
4.19.113-g2579778-fsm4_k2 #1
Hardware name: Keystone
[] (unwind_backtrace) from [] (show_stack+0x18/0x1c)
[] (show_stack) from [] (dump_stack+0xb4/0xe8)
[] (dump_stack) from [] (__warn+0xfc/0x114)
[] (__warn) from [] (warn_slowpath_fmt+0x50/0x74)
[] (warn_slowpath_fmt) from [] (kobject_get+0x50/0x54)
[] (kobject_get) from [] (get_device+0x1c/0x24)
[] (get_device) from [] (watchdog_open+0x90/0xf0)
[] (watchdog_open) from [] (misc_open+0x130/0x17c)
[] (misc_open) from [] (chrdev_open+0xec/0x1a8)
[] (chrdev_open) from [] (do_dentry_open+0x204/0x3cc)
[] (do_dentry_open) from [] (path_openat+0x330/0x1148)
[] (path_openat) from [] (do_filp_open+0x78/0xec)
[] (do_filp_open) from [] (do_sys_open+0x130/0x1f4)
[] (do_sys_open) from [] (ret_fast_syscall+0x0/0x28)
Exception stack(0xd2ceffa8 to 0xd2cefff0)
ffa0: b6f69968 ff9c b6ebd210 000a0001
ffc0: b6f69968 0142 fffd 00b65530 bed7bb78
ffe0: 0142 bed7ba70 b6cc2503 b6cc41d6
---[ end trace 7b16eb105513974f ]---
[ cut here ]
WARNING: CPU: 3 PID: 1 at lib/refcount.c:153 kobject_get+0x24/0x54
refcount_t: increment on 0; use-after-free.
Modules linked in: k2_reset_status(O) davinci_wdt(+) sfn_platform_hwbcn(O)
fsmddg_sfn(O) clk_misc_mmap(O) clk_sw_bcn(O) fsp_reset(O) cma_mod(O)
slave_sup_notif(O) fpga_master(O) latency(O+) evnotify(O) enable_arm_pmu(O)
xge(O) rio_mport_cdev br_netfilter bridge stp llc nvrd_checksum(O) ipv6
CPU: 3 PID: 1 Comm: systemd Tainted: GW O
4.19.113-g2579778-fsm4_k2 #1
Hardware name: Keystone
[] (unwind_backtrace) from [] (show_stack+0x18/0x1c)
[] (show_stack) from [] (dump_stack+0xb4/0xe8)
[] (dump_stack) from [] (__warn+0xfc/0x114)
[] (__warn) from [] (warn_slowpath_fmt+0x50/0x74)
[] (warn_slowpath_fmt) from [] (kobject_get+0x24/0x54)
[] (kobject_get) from [] (get_device+0x1c/0x24)
[] (get_device) from [] (watchdog_open+0x90/0xf0)
[] (watchdog_open) from [] (misc_open+0x130/0x17c)
[] (misc_open) from [] (chrdev_open+0xec/0x1a8)
[] (chrdev_open) from [] (do_dentry_open+0x204/0x3cc)
[] (do_dentry_open) from [] (path_openat+0x330/0x1148)
[] (path_openat) from [] (do_filp_open+0x78/0xec)
[] (do_filp_open) from [] (do_sys_open+0x130/0x1f4)
[] (do_sys_open) from [] (ret_fast_syscall+0x0/0x28)
Exception stack(0xd2ceffa8 to 0xd2cefff0)
ffa0: b6f69968 ff9c b6ebd210 000a0001
ffc0: b6f69968 0142 fffd 00b65530 bed7bb78
ffe0: 0142 bed7ba70 b6cc2503 b6cc41d6
---[ end trace 7b16eb1055139750 ]---
Fixes: 72139dfa2464 ("watchdog: Fix the race between the release of
watchdog_core_data and cdev")
Reviewed-by: Guenter Roeck
Signed-off-by: Krzysztof Sobota
---
v1 -> v2:
* removed Change-Id tag
* added Review-by tag
v2 -> v3
* convert spaces to tabs
* convert (hopefully) mail to plaintext
---
drivers/watchdog/watchdog_dev.c | 18 +-
1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/drivers/watchdog/watchdog_dev.c b/drivers/watchdog/watchdog_dev.c
index 10b2090f3e5e..1c322caecf7f 100644
--- a/drivers/watchdog/watchdog_dev.c
+++ b/drivers/watchdog/watchdog_dev.c
@@ -947,6 +947,15 @@ static int watchdog_cdev_register(struct watchdog_device
*wdd)
if (IS_ERR_OR_NULL(watchdog_kworker))
return -ENODEV;
+ device_initialize(&wd_data->dev);
+ wd_data->dev.devt = MKDEV(MAJOR(watchdog_devt), wdd->id);
+ wd_data->dev.class = &watchdog_class;
+ wd_data->dev.parent = wdd->parent;
+ wd_data->dev.groups = wdd->groups;
+ wd_data->dev.release = watchdog_core_data_release;
+ dev_set_drvdata(&wd_data->dev, wdd);
+ dev_set_name(&wd_data->dev, "watchdog%d", wdd->id);
+
kthread_init_work(&wd_data->work, watchdog_ping_work);
hrtimer_init(&wd_data->timer, CLOCK_MONOTONIC, HRTIMER_MODE_REL);
wd_data->timer.function = watchdog_timer_expired;
@@ -967,15 +976,6 @@ static int watchdog_cdev_register(struct watchdog_device
*wdd)
}
}
- device_initialize(&wd_data->d
