[PATCH 2/2] driver core: platform: avoid use-after-free on pdev->name

["Théo Lebrun" <theo.lebrun@bootlin.com>]

The issue is with this:

	int of_device_add(struct platform_device *ofdev)
	{
		// ...
		ofdev->name = dev_name(&ofdev->dev);
		// ...
	}

We store the current device name pointer. If the device name changes
through a `dev_set_name(dev, "foo")` call:
 - old device name is freed: kfree(dev->name);
 - new device name is allocated: kmalloc(...);
 - notice pdev->name is still the old device name, ie a freed pointer.

OF is at fault here, taking the pointer to the device name in
of_device_add().

The new PLATFORM_DEVICE_FLAG_FREE_NAME flag tells platform devices if
they own their pdev->name pointer and if it requires a kfree() call.

Considerations:

 - The generic case in platform_device_register_full() is not faulty
   because it allocates memory for storing the name adjacent to the
   `struct platform_device` alloc; see platform_device_alloc():

	struct platform_object *pa;
	pa = kzalloc(sizeof(*pa) + strlen(name) + 1, GFP_KERNEL);

   We cannot rely on this codepath in all cases because OF wants to
   change the name after the platform device creation.

 - kfree_const() cannot solve the issue: either we allocated pdev->name
   separately or it is part of the platform_object allocation.
   pdev->name is never coming from read-only data.

 - It is important to duplicate! pdev->name must not change to make sure
   the platform_match() return value is stable over time. If we updated
   pdev->name alongside dev->name, once a device probes and changes its
   name then the platform_match() return value would change.

 - In of_device_add(), we make sure to kstrdup() the new name before
   freeing the old one; if alloc fails, we leave the device as-is.

Fixes: eca3930163ba ("of: Merge of_platform_bus_type with platform_bus_type")
Cc: <stable@vger.kernel.org>
Signed-off-by: Théo Lebrun <theo.lebrun@bootlin.com>
---
 drivers/base/platform.c         |  2 ++
 drivers/of/platform.c           | 12 +++++++++++-
 include/linux/platform_device.h |  1 +
 3 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/drivers/base/platform.c b/drivers/base/platform.c
index e2284482c7ba7c12fe2ab3c715e7d1daa3f65021..3548714d6ba408abc6c7ab0f3e7496c6e27ba060 100644
--- a/drivers/base/platform.c
+++ b/drivers/base/platform.c
@@ -563,6 +563,8 @@ static void platform_device_release(struct device *dev)
 	kfree(pa->pdev.mfd_cell);
 	kfree(pa->pdev.resource);
 	kfree(pa->pdev.driver_override);
+	if (pa->pdev.flags & PLATFORM_DEVICE_FLAG_FREE_NAME)
+		kfree(pa->pdev.name);
 	kfree(pa);
 }
 
diff --git a/drivers/of/platform.c b/drivers/of/platform.c
index c6d8afb284e88061eb6fb0ba02e429cec702664c..ef6f341fd9b77a9e0ed6969c3f322b9bc91d0e8d 100644
--- a/drivers/of/platform.c
+++ b/drivers/of/platform.c
@@ -44,11 +44,21 @@ EXPORT_SYMBOL(of_find_device_by_node);
 
 int of_device_add(struct platform_device *ofdev)
 {
+	char *new_name;
+
 	BUG_ON(ofdev->dev.of_node == NULL);
 
+	new_name = kstrdup(dev_name(&ofdev->dev), GFP_KERNEL);
+	if (!new_name)
+		return -ENOMEM;
+
+	if (ofdev->flags & PLATFORM_DEVICE_FLAG_FREE_NAME)
+		kfree(ofdev->name);
+
 	/* name and id have to be set so that the platform bus doesn't get
 	 * confused on matching */
-	ofdev->name = dev_name(&ofdev->dev);
+	ofdev->name = new_name;
+	ofdev->flags |= PLATFORM_DEVICE_FLAG_FREE_NAME;
 	ofdev->id = PLATFORM_DEVID_NONE;
 
 	/*
diff --git a/include/linux/platform_device.h b/include/linux/platform_device.h
index d842b21ba3791f974fa62f52bd160ef5820261c1..203016afc3899ffa05f38b9d4ce3bfc02d5b75ef 100644
--- a/include/linux/platform_device.h
+++ b/include/linux/platform_device.h
@@ -25,6 +25,7 @@ struct platform_device {
 	int		id;
 	u8		flags;
 #define PLATFORM_DEVICE_FLAG_ID_AUTO	BIT(0)
+#define PLATFORM_DEVICE_FLAG_FREE_NAME	BIT(1)
 	struct device	dev;
 	u64		platform_dma_mask;
 	struct device_dma_parameters dma_parms;

-- 
2.48.1