From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Guenter Roeck, Wim Van Sebroeck, Sasha Levin
Subject: [PATCH 4.9 146/177] watchdog: Fix potential kref imbalance when opening watchdog
Date: Fri, 23 Mar 2018 10:54:34 +0100
Message-Id: <20180323094211.635592178@linuxfoundation.org>
In-Reply-To: <20180323094205.090519271@linuxfoundation.org>

4.9-stable review patch. If anyone has any objections, please let me know.

------------------

From: Guenter Roeck

[ Upstream commit 4bcd615fad6adddc68b058d498b30a9e0e0db77a ]

If a watchdog driver's open function sets WDOG_HW_RUNNING with the expectation that the watchdog can not be stopped, but then stops the watchdog anyway in its stop function, kref_get() will not be called in watchdog_open(). If the watchdog then stops on close, WDOG_HW_RUNNING will be cleared and kref_put() will be called, causing a kref imbalance. As a result the character device data structure will be released, which in turn will cause the system to crash on the next call to watchdog_open().

Fixes: ee142889e32f5 ("watchdog: Introduce WDOG_HW_RUNNING flag")
Signed-off-by: Guenter Roeck
Signed-off-by: Wim Van Sebroeck
Signed-off-by: Sasha Levin
Signed-off-by: Greg Kroah-Hartman
--- drivers/watchdog/watchdog_dev.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) --- a/drivers/watchdog/watchdog_dev.c +++ b/drivers/watchdog/watchdog_dev.c @@ -760,6 +760,7 @@ static int watchdog_open(struct inode *i { struct watchdog_core_data *wd_data; struct watchdog_device *wdd; + bool hw_running; int err; /* Get the corresponding watchdog device */ @@ -779,7 +780,8 @@ static int watchdog_open(struct inode *i * If the /dev/watchdog device is open, we don't want the module * to be unloaded. */ - if (!watchdog_hw_running(wdd) && !try_module_get(wdd->ops->owner)) { + hw_running = watchdog_hw_running(wdd); + if (!hw_running && !try_module_get(wdd->ops->owner)) { err = -EBUSY; goto out_clear; } @@ -790,7 +792,7 @@ static int watchdog_open(struct inode *i file->private_data = wd_data; - if (!watchdog_hw_running(wdd)) + if (!hw_running) kref_get(&wd_data->kref); /* dev/watchdog is a virtual (and thus non-seekable) filesystem */
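
Review bot: In the second hunk (@@ -779,7 +780,8 @@), `hw_running = watchdog_hw_running(wdd);` carries no comment saying why the state is sampled once, and the existing comment above it only talks about module unloading. The try_module_get() condition evaluates exactly as before, since nothing runs between the assignment and the `if`; the local exists for the kref_get() check in the last hunk, which per the commit message is reached after the driver may have set WDOG_HW_RUNNING. A one-line comment to that effect would keep a later cleanup from folding the call back into each condition.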
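
Review bot: In the third hunk (@@ -790,7 +792,7 @@), `if (!hw_running) kref_get(&wd_data->kref);` now keys on the state at entry, while the commit message says the kref_put() on close keys on WDOG_HW_RUNNING after the watchdog stops; that pairing cannot be seen from this function. Suggest a short comment at the kref_get() naming the put in the close path that balances it, so the two conditions are kept in step when either side changes.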
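
The imbalance described in the commit message, as a user-space model added here for illustration; it is not kernel code or part of the patch. All names (`wd_model`, `drv_start`, `drv_stop`, `model_open`, `model_close`, `kref_after_cycles`) are hypothetical, and the count is assumed to start at 1 for the reference held while the device is registered.

```c
/* Simplified model of the open/close reference flow; names are hypothetical. */
#include <stdbool.h>
#include <stdio.h>

struct wd_model {
    int  kref;        /* assumed to start at 1 (held by registration) */
    bool hw_running;  /* stands in for WDOG_HW_RUNNING */
};

/* Driver callbacks behaving as the commit message describes:
 * start sets the flag, stop stops the watchdog anyway and clears it. */
static void drv_start(struct wd_model *w) { w->hw_running = true; }
static void drv_stop(struct wd_model *w)  { w->hw_running = false; }

static void model_open(struct wd_model *w, bool use_snapshot)
{
    bool hw_running = w->hw_running;  /* state on entry, before start */

    drv_start(w);
    /* Before the fix the flag was re-read here, after start had set it. */
    if (use_snapshot ? !hw_running : !w->hw_running)
        w->kref++;
}

static void model_close(struct wd_model *w)
{
    drv_stop(w);
    if (!w->hw_running)   /* watchdog stopped: drop the reference for this open */
        w->kref--;
}

/* Reference count left after `cycles` open/close pairs. */
int kref_after_cycles(bool use_snapshot, int cycles)
{
    struct wd_model w = { .kref = 1, .hw_running = false };

    for (int i = 0; i < cycles; i++) {
        model_open(&w, use_snapshot);
        model_close(&w);
    }
    return w.kref;
}

int main(void)
{
    printf("flag re-read after start: kref=%d\n", kref_after_cycles(false, 1));
    printf("flag sampled on entry:    kref=%d\n", kref_after_cycles(true, 1));
    return 0;
}
```

A count of 0 after one open/close pair corresponds to the release of the character device data while the device is still registered; with the snapshot the count returns to 1 after every pair.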