Re: [PATCH v1] rtc: m41t80: clean up watchdog on probe failure

From: Alexandre Mergnat

Date: Fri Jun 26 2026 - 20:33:35 EST


On Mon, 01 Jun 2026 15:46:15 -0400, Yuho Choi <dbgh9129@xxxxxxxxx> wrote:
> diff --git a/drivers/rtc/rtc-m41t80.c b/drivers/rtc/rtc-m41t80.c
> index b26afef37d9c..f4a30320c6ed 100644
> --- a/drivers/rtc/rtc-m41t80.c
> +++ b/drivers/rtc/rtc-m41t80.c
> @@ -1009,9 +1009,17 @@ static int m41t80_probe(struct i2c_client *client)
>
> rc = devm_rtc_register_device(m41t80_data->rtc);
> if (rc)
> - return rc;
> + goto err_wdt;
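
Review bot: The `goto err_wdt;` after devm_rtc_register_device() hands the failure to a label that this quoted excerpt does not show, so the label has to return the `rc` set here unchanged and undo only the watchdog state that was actually set up before this point. The hunk header gives 17 lines after the change against 9 before, so the unwind sits in the trimmed part; a short comment at `err_wdt:` listing what it tears down, and in what order, would make that path reviewable on its own.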

IMHO the right fix is to move the watchdog to the watchdog core.

The leak comes from the watchdog being built on three non-devres
primitives: a misc device, a reboot notifier, and the global
save_client. A probe failure strands all three, after which the watchdog
dereferences freed driver state (wdt_ping() reads
i2c_get_clientdata(save_client), i.e. the devres-freed m41t80_data).

Built on the watchdog core (CONFIG_WATCHDOG_CORE), none of that
machinery is needed:

- devm_watchdog_register_device() unregisters automatically on any probe
  failure and on unbind.
- watchdog_stop_on_reboot() replaces the reboot notifier.
- watchdog_set/get_drvdata() replaces the global save_client, closing
  the use-after-free surface itself.
- m41t80_remove() does nothing but watchdog teardown today, so it goes
  away too.

This is exactly what was done for the sibling driver rtc-ds1374, which
carried the same legacy pattern: d3de4beb14a8 ("rtc: ds1374: wdt: Use
watchdog core for watchdog part"), net -135 lines, adding "select
WATCHDOG_CORE" in Kconfig. It is a usable template.

--
Alexandre Mergnat <amergnat@xxxxxxxxxxxx>
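
The lifecycle described in the message above, as an added userspace model in C that is not part of the original thread or of the kernel source: a LIFO release list stands in for devres, and `model_probe()`, `stale_watchdog()` and the flags are hypothetical names. It shows that on a failed RTC registration only a watchdog placed on the release list is undone, and that this happens before the driver state is freed.

```c
/* Userspace model, constructed for illustration; not kernel code. */
#include <stdio.h>
#include <stdlib.h>

struct action { void (*release)(void *); void *arg; struct action *next; };
static struct action *devres;        /* per-device release list, newest first */
static void *save_client;            /* models the legacy global pointer */
static int wdt_registered, data_live; /* watchdog reachable / state allocated */

static void devm_add(void (*release)(void *), void *arg)
{
	struct action *a = malloc(sizeof(*a));
	if (!a) abort();
	a->release = release; a->arg = arg; a->next = devres;
	devres = a;
}

/* What the driver core does after a failed probe or on unbind: LIFO release. */
static void devres_release_all(void)
{
	while (devres) {
		struct action *a = devres;
		devres = a->next;
		a->release(a->arg);
		free(a);
	}
}

static void release_data(void *p) { free(p); data_live = 0; }
static void release_wdt(void *p) { (void)p; wdt_registered = 0; save_client = NULL; }

/* managed_wdt = 0 models the legacy registration, 1 a devres-managed one. */
int model_probe(int managed_wdt, int rtc_register_fails)
{
	void *data = calloc(1, 16);
	if (!data) abort();
	data_live = 1;
	devm_add(release_data, data);        /* like devm_kzalloc() */
	save_client = data; wdt_registered = 1;
	if (managed_wdt)
		devm_add(release_wdt, NULL); /* like devm_watchdog_register_device() */
	if (!rtc_register_fails)
		return 0;
	devres_release_all();
	return -1;
}
/* True when a watchdog entry point could still reach freed driver state. */
int stale_watchdog(void) { return wdt_registered && !data_live; }
int main(void) { model_probe(0, 1); printf("stale=%d\n", stale_watchdog()); return 0; }
```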