Re: [PATCH] watchdog: wdt_pci: Fix shared IRQ storm and complete system lockup

Linux Watchdog driver development
 help / color / mirror / Atom feed

From: Guenter Roeck <linux@roeck-us.net>
To: w15303746062 <w15303746062@163.com>
Cc: wim@linux-watchdog.org, linux-watchdog@vger.kernel.org,
	linux-kernel@vger.kernel.org,
	Mingyu Wang <25181214217@stu.xidian.edu.cn>
Subject: Re: [PATCH] watchdog: wdt_pci: Fix shared IRQ storm and complete system lockup
Date: Sun, 10 May 2026 20:00:47 -0700	[thread overview]
Message-ID: <5acea672-0550-478e-8f49-e5e43c72d7e2@roeck-us.net> (raw)
In-Reply-To: <1fc8bb5a.1346.19e14a548fb.Coremail.w15303746062@163.com>

Hi,

On 5/10/26 18:27, w15303746062 wrote:
> 
> 
> 
> From: Mingyu Wang <25181214217@stu.xidian.edu.cn>
> 
> Hi Guenter,
> 
> Thank you for your prompt response and review.
> 
> To answer your questions directly and transparently:
> 
> 1. Is this an actual observed problem?
> Yes, it is a real, observed problem. However, it was observed in a virtualized fuzzing environment (QEMU + Syzkaller) rather than on physical legacy hardware.
> 
> 2. How was it triggered?
> In our QEMU setup, PCI IRQ lines are heavily shared. The fuzzer loaded the `wdt_pci` driver while simultaneously fuzzing other devices on the same shared IRQ line (e.g., the i2c-i801 controller). When the other device triggered a heavy interrupt load, `wdtpci_interrupt()` caught them. Since it bypassed the IRQ ownership check, it blindly claimed the interrupts and caused a massive printk storm (spamming "wdt_pci: Reset in 5ms" and "status 114").
> 
> This overwhelmed the CPU in hard IRQ context, defeated the spurious IRQ detector, and resulted in a 145-second Hung Task panic. Here is a brief snippet of the observed log:
> 
> [  375.485491] wdt_pci: Reset in 5ms
> [  375.487467] wdt_pci: status 114
> [  375.489171] wdt_pci: Reset in 5ms
> ...
> [  375.484244] systemd-journald[4771]: /dev/kmsg buffer overrun, some messages lost.
> [  519.189528] INFO: task syz.2.507 blocked for more than 145 seconds.
> 
> 3. Did I confirm the register bit?
> Yes, the assertion that `WDC_SR_IRQ` is active low relies directly on the hardware definition documented in the driver's own source code at line 66:
> `#define WDC_SR_IRQ      128 /* Active low */ /* X   X   X  */`
> 
> I completely understand your perspective. This is legacy hardware from the 1990s, and it is extremely unlikely to be used in production today. My intention was solely to report a reproducible Local DoS vector found by the fuzzer, as `IRQF_SHARED` handlers are strictly required to verify their interrupt source.
> 
> If you feel that patching this outdated driver adds unnecessary churn and consumes maintainers' time, please feel free to drop this patch. Alternatively, if the hardware is truly obsolete, perhaps the driver should be marked as BROKEN or removed entirely. I leave that entirely to your expert judgment.
> 

I don't see that watchdog supported in qemu. Is this a downstream version
of qemu, or am I missing something ?

Thanks,
Guenter

next prev parent reply	other threads:[~2026-05-11  3:00 UTC|newest]

Thread overview: 7+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-05-09 12:16 [PATCH] watchdog: wdt_pci: Fix shared IRQ storm and complete system lockup w15303746062
2026-05-09 13:52 ` Guenter Roeck
2026-05-11  1:27   ` w15303746062
2026-05-11  3:00     ` Guenter Roeck [this message]
2026-05-11  3:08       ` w15303746062
2026-05-11  4:39         ` Guenter Roeck
2026-05-11  4:52           ` w15303746062

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=5acea672-0550-478e-8f49-e5e43c72d7e2@roeck-us.net \
    --to=linux@roeck-us.net \
    --cc=25181214217@stu.xidian.edu.cn \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-watchdog@vger.kernel.org \
    --cc=w15303746062@163.com \
    --cc=wim@linux-watchdog.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox