Linux Watchdog driver development
From: sashiko-bot@kernel.org
To: "Rosen Penev" <rosenp@gmail.com>
Cc: linux-watchdog@vger.kernel.org
Subject: Re: [PATCH] watchdog: core: assign parent with devm registration
Date: Sun, 24 May 2026 03:11:44 +0000
Message-ID: <20260524031144.858CF1F000E9@smtp.kernel.org>
In-Reply-To: <20260524022332.179202-1-rosenp@gmail.com>

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [High] Modifying the caller-provided `struct watchdog_device` by implicitly setting `wdd->parent = dev` causes a dangling pointer and use-after-free vulnerability for drivers using statically or globally allocated watchdog devices.
--

commit cdc03b5b413f4bd1a9d27c7f13f33dd6b209e2ba
Author: Rosen Penev <rosenp@gmail.com>

watchdog: core: assign parent with devm registration

This commit modifies devm_watchdog_register_device() to automatically assign
the devres device as the parent of the watchdog_device if one was not
explicitly provided. This aims to reduce boilerplate in drivers using devres.

> diff --git a/drivers/watchdog/watchdog_core.c b/drivers/watchdog/watchdog_core.c
> --- a/drivers/watchdog/watchdog_core.c
> +++ b/drivers/watchdog/watchdog_core.c
> @@ -440,6 +440,13 @@ int devm_watchdog_register_device(struct device *dev,
>  	if (!rcwdd)
>  		return -ENOMEM;
>  
> +	/*
> +	 * We are passing the devres device here so if the user did not pass
> +	 * another parent, it's this one.
> +	 */
> +	if (!wdd->parent)
> +		wdd->parent = dev;
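
Review bot: at `wdd->parent = dev`, the helper stores a devres-scoped pointer in the caller-owned structure, and nothing in the hunk records that the core made the assignment or undoes it, so a `wdd` that outlives `dev` keeps the pointer and the `if (!wdd->parent)` test cannot tell it from a parent the driver chose. Consider tracking the implicit assignment in the devres state allocated just above and resetting `wdd->parent` to NULL on release and on the registration error path, and note in the function's kernel-doc that it may write to `wdd->parent`.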

[Severity: High]
If a driver passes a statically allocated struct watchdog_device (such as
pic32-wdt or pic32-dmt) and does not explicitly initialize the parent field,
the first probe will modify the global structure to point to the newly
allocated struct device.

If the platform device is subsequently removed (for example, via a device tree
overlay removal), the struct device is freed, but the global wdd->parent
pointer remains dirty and points to the freed memory.

Upon a subsequent re-probe, the if (!wdd->parent) check evaluates to false,
skipping the update.

Could this cause a use-after-free when the core passes the stale, freed
pointer to watchdog_register_device() and eventually
device_create_with_groups() during sysfs node creation?

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260524022332.179202-1-rosenp@gmail.com?part=1
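
The probe, remove, re-probe sequence described in the review, as an added user-space model (not code from the patch, the kernel or the review). All names are hypothetical, a `live` flag stands in for the freed `struct device`, and the release-time reset is an assumed mitigation that the thread does not propose:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed user-space model; these are not the kernel's definitions. */
struct device { bool live; };                /* live=false stands in for "freed" */
struct watchdog_device { struct device *parent; };
struct model_devres { struct watchdog_device *wdd; bool core_set_parent; };

static struct watchdog_device static_wdd;    /* outlives every probe/remove cycle */

/* Models the hunk: fill in parent only when the caller left it NULL. */
static void model_register(struct device *dev, struct watchdog_device *wdd,
			   struct model_devres *res, bool track)
{
	res->wdd = wdd;
	res->core_set_parent = track && !wdd->parent;
	if (!wdd->parent)
		wdd->parent = dev;
}

/* Assumed mitigation: undo the implicit assignment when devres releases. */
static void model_release(struct device *dev, struct model_devres *res)
{
	if (res->core_set_parent)
		res->wdd->parent = NULL;
	dev->live = false;
}

/* Probe, remove, re-probe; is parent the live device afterwards? */
static bool reprobe_parent_is_live(bool track)
{
	struct device first = { .live = true }, second = { .live = true };
	struct model_devres res;
	bool ok;

	static_wdd.parent = NULL;
	model_register(&first, &static_wdd, &res, track);
	model_release(&first, &res);
	model_register(&second, &static_wdd, &res, track);
	ok = static_wdd.parent == &second && static_wdd.parent->live;
	static_wdd.parent = NULL;            /* do not keep a stack address around */
	return ok;
}

int main(void)
{
	printf("as patched: %d, with release-time reset: %d\n",
	       reprobe_parent_is_live(false), reprobe_parent_is_live(true));
	return 0;
}
```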

Thread overview: 4+ messages
2026-05-24  2:23 [PATCH] watchdog: core: assign parent with devm registration Rosen Penev
2026-05-24  3:11 ` sashiko-bot [this message]
2026-05-24 15:22 ` Guenter Roeck
2026-05-27 16:25   ` Linus Walleij
