From: sashiko-bot@kernel.org
To: "Rosen Penev" <rosenp@gmail.com>
Cc: linux-watchdog@vger.kernel.org
Subject: Re: [PATCHv2 3/3] watchdog: sama5d4: fix NULL deref in irq handler
Date: Mon, 08 Jun 2026 20:20:59 +0000 [thread overview]
Message-ID: <20260608202059.B2E651F00893@smtp.kernel.org> (raw)
In-Reply-To: <20260608200933.18669-4-rosenp@gmail.com>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
Pre-existing issues:
- [High] The shared interrupt handler `sama5d4_wdt_irq_handler` unconditionally returns `IRQ_HANDLED`, defeating the generic IRQ subsystem's spurious interrupt detection and potentially leading to a system lockup.
--
commit b6b6fa431a5a5f7d84f57281a56bc7bf32bb62cb
Author: Rosen Penev <rosenp@gmail.com>
watchdog: sama5d4: fix NULL deref in irq handler
This commit moves platform_set_drvdata() before devm_request_irq() to ensure
the interrupt handler can safely dereference the driver data. This prevents a
possible NULL dereference if an interrupt on the shared System IRQ line fires
early.
> diff --git a/drivers/watchdog/sama5d4_wdt.c b/drivers/watchdog/sama5d4_wdt.c
> index 704b786cc2ec6..dcf5b8ac9e0d2 100644
> --- a/drivers/watchdog/sama5d4_wdt.c
> +++ b/drivers/watchdog/sama5d4_wdt.c
> @@ -268,6 +268,7 @@ static int sama5d4_wdt_probe(struct platform_device *pdev)
> : AT91_WDT_WDDIS;
>
> watchdog_set_drvdata(wdd, wdt);
> + platform_set_drvdata(pdev, wdt);
[Severity: High]
This is a pre-existing issue, but does sama5d4_wdt_irq_handler() defeat the
generic IRQ subsystem's spurious interrupt detection by unconditionally
returning IRQ_HANDLED?
The driver requests a shared interrupt line using the IRQF_SHARED flag. If
the status register check indicates the watchdog did not generate the
interrupt, the handler bypasses the emergency restart logic but still
returns IRQ_HANDLED:
drivers/watchdog/sama5d4_wdt.c:sama5d4_wdt_irq_handler() {
...
if (reg) {
pr_crit("Atmel Watchdog Software Reset\n");
emergency_restart();
pr_crit("Reboot didn't succeed\n");
}
return IRQ_HANDLED;
}
Should this return IRQ_NONE when it did not service the interrupt to avoid
falsely claiming unhandled interrupts?
>
> regs = devm_platform_ioremap_resource(pdev, 0);
[ ... ]
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260608200933.18669-4-rosenp@gmail.com?part=1
next prev parent reply other threads:[~2026-06-08 20:20 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-08 20:09 [PATCHv2 0/3] watchdog: sama5d4: fix IRQ and timeout bugs, use platform_get_irq_optional Rosen Penev
2026-06-08 20:09 ` [PATCHv2 1/3] watchdog: sama5d4: fix shared IRQ and hardcoded timeout issues Rosen Penev
2026-06-08 20:22 ` sashiko-bot
2026-06-08 22:35 ` Guenter Roeck
2026-06-08 20:09 ` [PATCHv2 2/3] watchdog: sama5d4: use platform_get_irq_optional() Rosen Penev
2026-06-08 20:16 ` sashiko-bot
2026-06-08 22:44 ` Guenter Roeck
2026-06-08 20:09 ` [PATCHv2 3/3] watchdog: sama5d4: fix NULL deref in irq handler Rosen Penev
2026-06-08 20:20 ` sashiko-bot [this message]
2026-06-08 20:38 ` [PATCHv2 0/3] watchdog: sama5d4: fix IRQ and timeout bugs, use platform_get_irq_optional Nicolas Ferre
2026-06-08 20:42 ` Rosen Penev
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260608202059.B2E651F00893@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=linux-watchdog@vger.kernel.org \
--cc=rosenp@gmail.com \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.