[PATCH 115/115] watchdog: Fix race condition in registration code

From: Luis Henriques
Date: Mon May 20 2013 - 06:54:45 EST

Next message: Luis Henriques: "[PATCH 109/115] drivers/char/ipmi: memcpy, need additional 2 bytes to avoid memory overflow"
Previous message: Luis Henriques: "[PATCH 110/115] ipmi: ipmi_devintf: compat_ioctl method fails to take ipmi_mutex"
In reply to: Luis Henriques: "[PATCH 110/115] ipmi: ipmi_devintf: compat_ioctl method fails to take ipmi_mutex"
Next in thread: Luis Henriques: "[PATCH 109/115] drivers/char/ipmi: memcpy, need additional 2 bytes to avoid memory overflow"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

3.5.7.13 -stable review patch. If anyone has any objections, please let me know.

------------------

From: Guenter Roeck <linux@xxxxxxxxxxxx>

commit 60403f7a4d9368d187f79cba5e4672d01df37574 upstream.

A race condition exists when registering the first watchdog device.
Sequence of events:

- watchdog_register_device calls watchdog_dev_register
- watchdog_dev_register creates the watchdog misc device by calling
misc_register.
At that time, the matching character device (/dev/watchdog0) does not yet
exist, and old_wdd is not set either.
- Userspace gets an event and opens /dev/watchdog
- watchdog_open is called and sets wdd = old_wdd, which is still NULL,
and tries to dereference it. This causes the kernel to panic.

Seen with systemd trying to open /dev/watchdog immediately after
it was created.

Reported-by: Arkadiusz Miskiewicz <arekm@xxxxxxxx>
Signed-off-by: Guenter Roeck <linux@xxxxxxxxxxxx>
Tested-by: Arkadiusz Miskiewicz <arekm@xxxxxxxx>
Signed-off-by: Wim Van Sebroeck <wim@xxxxxxxxx>
Signed-off-by: Luis Henriques <luis.henriques@xxxxxxxxxxxxx>
---
drivers/watchdog/watchdog_dev.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/watchdog/watchdog_dev.c b/drivers/watchdog/watchdog_dev.c
index ef8edec..05a5310 100644
--- a/drivers/watchdog/watchdog_dev.c
+++ b/drivers/watchdog/watchdog_dev.c
@@ -524,6 +524,7 @@ int watchdog_dev_register(struct watchdog_device *watchdog)
int err, devno;

if (watchdog->id == 0) {
+ old_wdd = watchdog;
watchdog_miscdev.parent = watchdog->parent;
err = misc_register(&watchdog_miscdev);
if (err != 0) {
@@ -532,9 +533,9 @@ int watchdog_dev_register(struct watchdog_device *watchdog)
if (err == -EBUSY)
pr_err("%s: a legacy watchdog module is probably present.\n",
watchdog->info->identity);
+ old_wdd = NULL;
return err;
}
- old_wdd = watchdog;
}

/* Fill in the data structures */
--
1.8.1.2

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Luis Henriques: "[PATCH 109/115] drivers/char/ipmi: memcpy, need additional 2 bytes to avoid memory overflow"
Previous message: Luis Henriques: "[PATCH 110/115] ipmi: ipmi_devintf: compat_ioctl method fails to take ipmi_mutex"
In reply to: Luis Henriques: "[PATCH 110/115] ipmi: ipmi_devintf: compat_ioctl method fails to take ipmi_mutex"
Next in thread: Luis Henriques: "[PATCH 109/115] drivers/char/ipmi: memcpy, need additional 2 bytes to avoid memory overflow"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]