ddf2b78913
[ Upstream commit cb36e29bb0e4b0c33c3d5866a0a4aebace4c99b7 ] When watchdog device is being registered, it calls misc_register that makes watchdog available for systemd to open. This is a data race scenario, because when device is open it may still have device struct not initialized - this in turn causes a crash. This patch moves device initialization before misc_register call and it solves the problem printed below. ------------[ cut here ]------------ WARNING: CPU: 3 PID: 1 at lib/kobject.c:612 kobject_get+0x50/0x54 kobject: '(null)' ((ptrval)): is not initialized, yet kobject_get() is being called. Modules linked in: k2_reset_status(O) davinci_wdt(+) sfn_platform_hwbcn(O) fsmddg_sfn(O) clk_misc_mmap(O) clk_sw_bcn(O) fsp_reset(O) cma_mod(O) slave_sup_notif(O) fpga_master(O) latency(O+) evnotify(O) enable_arm_pmu(O) xge(O) rio_mport_cdev br_netfilter bridge stp llc nvrd_checksum(O) ipv6 CPU: 3 PID: 1 Comm: systemd Tainted: G O 4.19.113-g2579778-fsm4_k2 #1 Hardware name: Keystone [<c02126c4>] (unwind_backtrace) from [<c020da94>] (show_stack+0x18/0x1c) [<c020da94>] (show_stack) from [<c07f87d8>] (dump_stack+0xb4/0xe8) [<c07f87d8>] (dump_stack) from [<c0221f70>] (__warn+0xfc/0x114) [<c0221f70>] (__warn) from [<c0221fd8>] (warn_slowpath_fmt+0x50/0x74) [<c0221fd8>] (warn_slowpath_fmt) from [<c07fd394>] (kobject_get+0x50/0x54) [<c07fd394>] (kobject_get) from [<c0602ce8>] (get_device+0x1c/0x24) [<c0602ce8>] (get_device) from [<c06961e0>] (watchdog_open+0x90/0xf0) [<c06961e0>] (watchdog_open) from [<c06001dc>] (misc_open+0x130/0x17c) [<c06001dc>] (misc_open) from [<c0388228>] (chrdev_open+0xec/0x1a8) [<c0388228>] (chrdev_open) from [<c037fa98>] (do_dentry_open+0x204/0x3cc) [<c037fa98>] (do_dentry_open) from [<c0391e2c>] (path_openat+0x330/0x1148) [<c0391e2c>] (path_openat) from [<c0394518>] (do_filp_open+0x78/0xec) [<c0394518>] (do_filp_open) from [<c0381100>] (do_sys_open+0x130/0x1f4) [<c0381100>] (do_sys_open) from [<c0201000>] (ret_fast_syscall+0x0/0x28) Exception stack(0xd2ceffa8 to 0xd2cefff0) ffa0: b6f69968 00000000 ffffff9c b6ebd210 000a0001 00000000 ffc0: b6f69968 00000000 00000000 00000142 fffffffd ffffffff 00b65530 bed7bb78 ffe0: 00000142 bed7ba70 b6cc2503 b6cc41d6 ---[ end trace 7b16eb105513974f ]--- ------------[ cut here ]------------ WARNING: CPU: 3 PID: 1 at lib/refcount.c:153 kobject_get+0x24/0x54 refcount_t: increment on 0; use-after-free. Modules linked in: k2_reset_status(O) davinci_wdt(+) sfn_platform_hwbcn(O) fsmddg_sfn(O) clk_misc_mmap(O) clk_sw_bcn(O) fsp_reset(O) cma_mod(O) slave_sup_notif(O) fpga_master(O) latency(O+) evnotify(O) enable_arm_pmu(O) xge(O) rio_mport_cdev br_netfilter bridge stp llc nvrd_checksum(O) ipv6 CPU: 3 PID: 1 Comm: systemd Tainted: G W O 4.19.113-g2579778-fsm4_k2 #1 Hardware name: Keystone [<c02126c4>] (unwind_backtrace) from [<c020da94>] (show_stack+0x18/0x1c) [<c020da94>] (show_stack) from [<c07f87d8>] (dump_stack+0xb4/0xe8) [<c07f87d8>] (dump_stack) from [<c0221f70>] (__warn+0xfc/0x114) [<c0221f70>] (__warn) from [<c0221fd8>] (warn_slowpath_fmt+0x50/0x74) [<c0221fd8>] (warn_slowpath_fmt) from [<c07fd368>] (kobject_get+0x24/0x54) [<c07fd368>] (kobject_get) from [<c0602ce8>] (get_device+0x1c/0x24) [<c0602ce8>] (get_device) from [<c06961e0>] (watchdog_open+0x90/0xf0) [<c06961e0>] (watchdog_open) from [<c06001dc>] (misc_open+0x130/0x17c) [<c06001dc>] (misc_open) from [<c0388228>] (chrdev_open+0xec/0x1a8) [<c0388228>] (chrdev_open) from [<c037fa98>] (do_dentry_open+0x204/0x3cc) [<c037fa98>] (do_dentry_open) from [<c0391e2c>] (path_openat+0x330/0x1148) [<c0391e2c>] (path_openat) from [<c0394518>] (do_filp_open+0x78/0xec) [<c0394518>] (do_filp_open) from [<c0381100>] (do_sys_open+0x130/0x1f4) [<c0381100>] (do_sys_open) from [<c0201000>] (ret_fast_syscall+0x0/0x28) Exception stack(0xd2ceffa8 to 0xd2cefff0) ffa0: b6f69968 00000000 ffffff9c b6ebd210 000a0001 00000000 ffc0: b6f69968 00000000 00000000 00000142 fffffffd ffffffff 00b65530 bed7bb78 ffe0: 00000142 bed7ba70 b6cc2503 b6cc41d6 ---[ end trace 7b16eb1055139750 ]--- Fixes: 72139dfa2464 ("watchdog: Fix the race between the release of watchdog_core_data and cdev") Reviewed-by: Guenter Roeck <linux@roeck-us.net> Reviewed-by: Alexander Sverdlin <alexander.sverdlin@nokia.com> Signed-off-by: Krzysztof Sobota <krzysztof.sobota@nokia.com> Link: https://lore.kernel.org/r/20200717103109.14660-1-krzysztof.sobota@nokia.com Signed-off-by: Guenter Roeck <linux@roeck-us.net> Signed-off-by: Wim Van Sebroeck <wim@linux-watchdog.org> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|---|---|---|
| .. | ||
| acquirewdt.c | ||
| advantechwdt.c | ||
| alim1535_wdt.c | ||
| alim7101_wdt.c | ||
| ar7_wdt.c | ||
| asm9260_wdt.c | ||
| aspeed_wdt.c | ||
| at91rm9200_wdt.c | ||
| at91sam9_wdt.c | ||
| at91sam9_wdt.h | ||
| ath79_wdt.c | ||
| atlas7_wdt.c | ||
| bcm47xx_wdt.c | ||
| bcm63xx_wdt.c | ||
| bcm2835_wdt.c | ||
| bcm7038_wdt.c | ||
| bcm_kona_wdt.c | ||
| booke_wdt.c | ||
| cadence_wdt.c | ||
| coh901327_wdt.c | ||
| cpu5wdt.c | ||
| cpwd.c | ||
| da9052_wdt.c | ||
| da9055_wdt.c | ||
| da9062_wdt.c | ||
| da9063_wdt.c | ||
| davinci_wdt.c | ||
| diag288_wdt.c | ||
| digicolor_wdt.c | ||
| dw_wdt.c | ||
| ebc-c384_wdt.c | ||
| ep93xx_wdt.c | ||
| eurotechwdt.c | ||
| f71808e_wdt.c | ||
| ftwdt010_wdt.c | ||
| gef_wdt.c | ||
| geodewdt.c | ||
| gpio_wdt.c | ||
| hpwdt.c | ||
| i6300esb.c | ||
| ib700wdt.c | ||
| ibmasr.c | ||
| ie6xx_wdt.c | ||
| imgpdc_wdt.c | ||
| imx2_wdt.c | ||
| indydog.c | ||
| intel_scu_watchdog.c | ||
| intel_scu_watchdog.h | ||
| intel-mid_wdt.c | ||
| iop_wdt.c | ||
| it87_wdt.c | ||
| it8712f_wdt.c | ||
| iTCO_vendor_support.c | ||
| iTCO_vendor.h | ||
| iTCO_wdt.c | ||
| ixp4xx_wdt.c | ||
| jz4740_wdt.c | ||
| Kconfig | ||
| kempld_wdt.c | ||
| ks8695_wdt.c | ||
| lantiq_wdt.c | ||
| loongson1_wdt.c | ||
| lpc18xx_wdt.c | ||
| m54xx_wdt.c | ||
| machzwd.c | ||
| Makefile | ||
| max63xx_wdt.c | ||
| max77620_wdt.c | ||
| mei_wdt.c | ||
| mena21_wdt.c | ||
| menf21bmc_wdt.c | ||
| menz69_wdt.c | ||
| meson_gxbb_wdt.c | ||
| meson_wdt.c | ||
| mixcomwd.c | ||
| moxart_wdt.c | ||
| mpc8xxx_wdt.c | ||
| mt7621_wdt.c | ||
| mtk_wdt.c | ||
| mtx-1_wdt.c | ||
| mv64x60_wdt.c | ||
| ni903x_wdt.c | ||
| nic7018_wdt.c | ||
| npcm_wdt.c | ||
| nuc900_wdt.c | ||
| nv_tco.c | ||
| nv_tco.h | ||
| octeon-wdt-main.c | ||
| octeon-wdt-nmi.S | ||
| of_xilinx_wdt.c | ||
| omap_wdt.c | ||
| omap_wdt.h | ||
| orion_wdt.c | ||
| pc87413_wdt.c | ||
| pcwd_pci.c | ||
| pcwd_usb.c | ||
| pcwd.c | ||
| pic32-dmt.c | ||
| pic32-wdt.c | ||
| pika_wdt.c | ||
| pnx833x_wdt.c | ||
| pnx4008_wdt.c | ||
| pretimeout_noop.c | ||
| pretimeout_panic.c | ||
| qcom-wdt.c | ||
| rave-sp-wdt.c | ||
| rc32434_wdt.c | ||
| rdc321x_wdt.c | ||
| renesas_wdt.c | ||
| retu_wdt.c | ||
| riowd.c | ||
| rn5t618_wdt.c | ||
| rt2880_wdt.c | ||
| rtd119x_wdt.c | ||
| rza_wdt.c | ||
| s3c2410_wdt.c | ||
| sa1100_wdt.c | ||
| sama5d4_wdt.c | ||
| sb_wdog.c | ||
| sbc60xxwdt.c | ||
| sbc7240_wdt.c | ||
| sbc8360.c | ||
| sbc_epx_c3.c | ||
| sbc_fitpc2_wdt.c | ||
| sbsa_gwdt.c | ||
| sc520_wdt.c | ||
| sc1200wdt.c | ||
| sch311x_wdt.c | ||
| scx200_wdt.c | ||
| shwdt.c | ||
| sirfsoc_wdt.c | ||
| smsc37b787_wdt.c | ||
| softdog.c | ||
| sp805_wdt.c | ||
| sp5100_tco.c | ||
| sp5100_tco.h | ||
| sprd_wdt.c | ||
| st_lpc_wdt.c | ||
| stm32_iwdg.c | ||
| stmp3xxx_rtc_wdt.c | ||
| sun4v_wdt.c | ||
| sunxi_wdt.c | ||
| tangox_wdt.c | ||
| tegra_wdt.c | ||
| ts72xx_wdt.c | ||
| ts4800_wdt.c | ||
| twl4030_wdt.c | ||
| txx9wdt.c | ||
| uniphier_wdt.c | ||
| ux500_wdt.c | ||
| via_wdt.c | ||
| w83627hf_wdt.c | ||
| w83877f_wdt.c | ||
| w83977f_wdt.c | ||
| wafer5823wdt.c | ||
| watchdog_core.c | ||
| watchdog_core.h | ||
| watchdog_dev.c | ||
| watchdog_pretimeout.c | ||
| watchdog_pretimeout.h | ||
| wd501p.h | ||
| wdat_wdt.c | ||
| wdrtas.c | ||
| wdt285.c | ||
| wdt977.c | ||
| wdt_pci.c | ||
| wdt.c | ||
| wm831x_wdt.c | ||
| wm8350_wdt.c | ||
| xen_wdt.c | ||
| ziirave_wdt.c | ||
| zx2967_wdt.c | ||