diff options
authorGuenter Roeck <linux@roeck-us.net>2013-04-05 21:22:43 -0700
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2013-05-19 11:38:40 -0700
commit5901e0b54b6bc78f731924a1f38826ce9e9d6fc6 (patch)
parent59df3520db0cd2d5e35e4d79c03bd32d91812276 (diff)
watchdog: Fix race condition in registration code
commit 60403f7a4d9368d187f79cba5e4672d01df37574 upstream. A race condition exists when registering the first watchdog device. Sequence of events: - watchdog_register_device calls watchdog_dev_register - watchdog_dev_register creates the watchdog misc device by calling misc_register. At that time, the matching character device (/dev/watchdog0) does not yet exist, and old_wdd is not set either. - Userspace gets an event and opens /dev/watchdog - watchdog_open is called and sets wdd = old_wdd, which is still NULL, and tries to dereference it. This causes the kernel to panic. Seen with systemd trying to open /dev/watchdog immediately after it was created. Reported-by: Arkadiusz Miskiewicz <arekm@maven.pl> Signed-off-by: Guenter Roeck <linux@roeck-us.net> Tested-by: Arkadiusz Miskiewicz <arekm@maven.pl> Signed-off-by: Wim Van Sebroeck <wim@iguana.be> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
1 files changed, 2 insertions, 1 deletions
diff --git a/drivers/watchdog/watchdog_dev.c b/drivers/watchdog/watchdog_dev.c
index 08b48bbf9f4..faf4e189fe4 100644
--- a/drivers/watchdog/watchdog_dev.c
+++ b/drivers/watchdog/watchdog_dev.c
@@ -523,6 +523,7 @@ int watchdog_dev_register(struct watchdog_device *watchdog)
int err, devno;
if (watchdog->id == 0) {
+ old_wdd = watchdog;
watchdog_miscdev.parent = watchdog->parent;
err = misc_register(&watchdog_miscdev);
if (err != 0) {
@@ -531,9 +532,9 @@ int watchdog_dev_register(struct watchdog_device *watchdog)
if (err == -EBUSY)
pr_err("%s: a legacy watchdog module is probably present.\n",
+ old_wdd = NULL;
return err;
- old_wdd = watchdog;
/* Fill in the data structures */