watchdog: Fix race condition in registration code

A race condition exists when registering the first watchdog device.
Sequence of events:

- watchdog_register_device calls watchdog_dev_register
- watchdog_dev_register creates the watchdog misc device by calling
  misc_register.
  At that time, the matching character device (/dev/watchdog0) does not yet
  exist, and old_wdd is not set either.
- Userspace gets an event and opens /dev/watchdog
- watchdog_open is called and sets wdd = old_wdd, which is still NULL,
  and tries to dereference it. This causes the kernel to panic.

Seen with systemd trying to open /dev/watchdog immediately after
it was created.

Reported-by: Arkadiusz Miskiewicz <arekm@maven.pl>
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Tested-by: Arkadiusz Miskiewicz <arekm@maven.pl>
Signed-off-by: Wim Van Sebroeck <wim@iguana.be>

1 files changed, 2 insertions, 1 deletions

diff --git a/drivers/watchdog/watchdog_dev.c b/drivers/watchdog/watchdog_dev.c
index 08b48bbf9f4b..faf4e189fe42 100644
--- a/drivers/watchdog/watchdog_dev.c
+++ b/drivers/watchdog/watchdog_dev.c
@@ -523,6 +523,7 @@ int watchdog_dev_register(struct watchdog_device *watchdog)
         int err, devno;
 
         if (watchdog->id == 0) {
+                old_wdd = watchdog;
                 watchdog_miscdev.parent = watchdog->parent;
                 err = misc_register(&watchdog_miscdev);
                 if (err != 0) {
@@ -531,9 +532,9 @@ int watchdog_dev_register(struct watchdog_device *watchdog)
                         if (err == -EBUSY)
                                 pr_err("%s: a legacy watchdog module is probably present.\n",
                                         watchdog->info->identity);
+                        old_wdd = NULL;
                         return err;
                 }
-                old_wdd = watchdog;
         }
 
         /* Fill in the data structures */