Date: Thu, 16 Jul 2020 07:00:53 -0700
From: Guenter Roeck
To: "krzysztof.sobota@nokia.com"
Cc: wim@linux-watchdog.org, linux-watchdog@vger.kernel.org, linux-kernel@vger.kernel.org, alexander.sverdlin@nokia.com
Subject: Re: [PATCH v3] watchdog: initialize device before misc_register
Message-ID: <20200716140053.GA258176@roeck-us.net>
References: <55fa2e05-9a99-b205-2dad-b797786af22a@nokia.com> <1f20e45d-aba5-6226-27f2-cb6438cc224e@nokia.com>
In-Reply-To: <1f20e45d-aba5-6226-27f2-cb6438cc224e@nokia.com>
X-Mailing-List: linux-kernel@vger.kernel.org

PLEASE PLEASE PLEASE _never_ send a new version of a patch as reply to a
previous one. All this ensures is that it won't find its way into patchwork,
which I and others use to track patches. This means such patches will likely
get lost.

Guenter

On Thu, Jul 16, 2020 at 01:32:12PM +0200, krzysztof.sobota@nokia.com wrote:
> When watchdog device is being registered, it calls misc_register that
> makes watchdog available for systemd to open. This is a data race
> scenario, because when device is open it may still have device struct
> not initialized - this in turn causes a crash. This patch moves
> device initialization before misc_register call and it solves the
> problem printed below.
>
> ------------[ cut here ]------------
> WARNING: CPU: 3 PID: 1 at lib/kobject.c:612 kobject_get+0x50/0x54
> kobject: '(null)' ((ptrval)): is not initialized, yet kobject_get() is being called.
> Modules linked in: k2_reset_status(O) davinci_wdt(+) sfn_platform_hwbcn(O) fsmddg_sfn(O) clk_misc_mmap(O) clk_sw_bcn(O) fsp_reset(O) cma_mod(O) slave_sup_notif(O) fpga_master(O) latency(O+) evnotify(O) enable_arm_pmu(O) xge(O) rio_mport_cdev br_netfilter bridge stp llc nvrd_checksum(O) ipv6
> CPU: 3 PID: 1 Comm: systemd Tainted: G O 4.19.113-g2579778-fsm4_k2 #1
> Hardware name: Keystone
> [] (unwind_backtrace) from [] (show_stack+0x18/0x1c)
> [] (show_stack) from [] (dump_stack+0xb4/0xe8)
> [] (dump_stack) from [] (__warn+0xfc/0x114)
> [] (__warn) from [] (warn_slowpath_fmt+0x50/0x74)
> [] (warn_slowpath_fmt) from [] (kobject_get+0x50/0x54)
> [] (kobject_get) from [] (get_device+0x1c/0x24)
> [] (get_device) from [] (watchdog_open+0x90/0xf0)
> [] (watchdog_open) from [] (misc_open+0x130/0x17c)
> [] (misc_open) from [] (chrdev_open+0xec/0x1a8)
> [] (chrdev_open) from [] (do_dentry_open+0x204/0x3cc)
> [] (do_dentry_open) from [] (path_openat+0x330/0x1148)
> [] (path_openat) from [] (do_filp_open+0x78/0xec)
> [] (do_filp_open) from [] (do_sys_open+0x130/0x1f4)
> [] (do_sys_open) from [] (ret_fast_syscall+0x0/0x28)
> Exception stack(0xd2ceffa8 to 0xd2cefff0)
> ffa0: b6f69968 00000000 ffffff9c b6ebd210 000a0001 00000000
> ffc0: b6f69968 00000000 00000000 00000142 fffffffd ffffffff 00b65530 bed7bb78
> ffe0: 00000142 bed7ba70 b6cc2503 b6cc41d6
> ---[ end trace 7b16eb105513974f ]---
>
> ------------[ cut here ]------------
> WARNING: CPU: 3 PID: 1 at lib/refcount.c:153 kobject_get+0x24/0x54
> refcount_t: increment on 0; use-after-free.
> Modules linked in: k2_reset_status(O) davinci_wdt(+) sfn_platform_hwbcn(O) fsmddg_sfn(O) clk_misc_mmap(O) clk_sw_bcn(O) fsp_reset(O) cma_mod(O) slave_sup_notif(O) fpga_master(O) latency(O+) evnotify(O) enable_arm_pmu(O) xge(O) rio_mport_cdev br_netfilter bridge stp llc nvrd_checksum(O) ipv6
> CPU: 3 PID: 1 Comm: systemd Tainted: G W O 4.19.113-g2579778-fsm4_k2 #1
> Hardware name: Keystone
> [] (unwind_backtrace) from [] (show_stack+0x18/0x1c)
> [] (show_stack) from [] (dump_stack+0xb4/0xe8)
> [] (dump_stack) from [] (__warn+0xfc/0x114)
> [] (__warn) from [] (warn_slowpath_fmt+0x50/0x74)
> [] (warn_slowpath_fmt) from [] (kobject_get+0x24/0x54)
> [] (kobject_get) from [] (get_device+0x1c/0x24)
> [] (get_device) from [] (watchdog_open+0x90/0xf0)
> [] (watchdog_open) from [] (misc_open+0x130/0x17c)
> [] (misc_open) from [] (chrdev_open+0xec/0x1a8)
> [] (chrdev_open) from [] (do_dentry_open+0x204/0x3cc)
> [] (do_dentry_open) from [] (path_openat+0x330/0x1148)
> [] (path_openat) from [] (do_filp_open+0x78/0xec)
> [] (do_filp_open) from [] (do_sys_open+0x130/0x1f4)
> [] (do_sys_open) from [] (ret_fast_syscall+0x0/0x28)
> Exception stack(0xd2ceffa8 to 0xd2cefff0)
> ffa0: b6f69968 00000000 ffffff9c b6ebd210 000a0001 00000000
> ffc0: b6f69968 00000000 00000000 00000142 fffffffd ffffffff 00b65530 bed7bb78
> ffe0: 00000142 bed7ba70 b6cc2503 b6cc41d6
> ---[ end trace 7b16eb1055139750 ]---
>
> Fixes: 72139dfa2464 ("watchdog: Fix the race between the release of watchdog_core_data and cdev")
> Reviewed-by: Guenter Roeck
> Signed-off-by: Krzysztof Sobota
> ---
> v1 -> v2:
> * removed Change-Id tag
> * added Review-by tag
> v2 -> v3
> * convert spaces to tabs
> * convert (hopefully) mail to plaintext
> ---
> drivers/watchdog/watchdog_dev.c | 18 +++++++++---------
> 1 file changed, 9 insertions(+), 9 deletions(-)
>
> diff --git a/drivers/watchdog/watchdog_dev.c b/drivers/watchdog/watchdog_dev.c > index 10b2090f3e5e..1c322caecf7f 100644 > --- a/drivers/watchdog/watchdog_dev.c
> +++ b/drivers/watchdog/watchdog_dev.c > @@ -947,6 +947,15 @@ static int watchdog_cdev_register(struct watchdog_device *wdd) > if (IS_ERR_OR_NULL(watchdog_kworker)) > return -ENODEV; > > + device_initialize(&wd_data->dev); > + wd_data->dev.devt = MKDEV(MAJOR(watchdog_devt), wdd->id); > + wd_data->dev.class = &watchdog_class; > + wd_data->dev.parent = wdd->parent; > + wd_data->dev.groups = wdd->groups; > + wd_data->dev.release = watchdog_core_data_release; > + dev_set_drvdata(&wd_data->dev, wdd); > + dev_set_name(&wd_data->dev, "watchdog%d", wdd->id); > + > kthread_init_work(&wd_data->work, watchdog_ping_work); > hrtimer_init(&wd_data->timer, CLOCK_MONOTONIC, HRTIMER_MODE_REL); > wd_data->timer.function = watchdog_timer_expired; > @@ -967,15 +976,6 @@ static int watchdog_cdev_register(struct watchdog_device *wdd) > } > } > > - device_initialize(&wd_data->dev); > - wd_data->dev.devt = MKDEV(MAJOR(watchdog_devt), wdd->id); > - wd_data->dev.class = &watchdog_class; > - wd_data->dev.parent = wdd->parent; > - wd_data->dev.groups = wdd->groups; > - wd_data->dev.release = watchdog_core_data_release; > - dev_set_drvdata(&wd_data->dev, wdd); > - dev_set_name(&wd_data->dev, "watchdog%d", wdd->id); > - > /* Fill in the data structures */ > cdev_init(&wd_data->cdev, &watchdog_fops); > > -- > 2.14.0 >
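Review bot: In the first hunk (@@ -947,6 +947,15 @@) the result of dev_set_name(&wd_data->dev, "watchdog%d", wdd->id) is discarded, although dev_set_name() returns an int and can fail on allocation. Since this block now runs ahead of the point where the node becomes openable, please check the return value and bail out with put_device(&wd_data->dev) on error. A one-line comment above device_initialize() stating that the device must be fully initialized before misc_register() publishes it would also keep a later cleanup from moving the block back down.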
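Review bot: The early-return paths that now run after device_initialize() need put_device(&wd_data->dev), and the patch does not add one. The diffstat is 9 insertions and 9 deletions, all of them the moved block, so the failure branch whose closing braces appear as context at the top of the second hunk (@@ -967,15 +976,6 @@) is unchanged. Once device_initialize() has run and dev.release points at watchdog_core_data_release, wd_data has to be released by dropping that reference, otherwise the release callback never runs for that failure. Please add put_device(&wd_data->dev) before the return in that branch, and audit any other return between the moved block and cdev_init().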