The issue is with this:
	int of_device_add(struct platform_device *ofdev)
	{
		// ...
		ofdev->name = dev_name(&ofdev->dev);
		// ...
	}

We store the current device name pointer. If the device name changes through a `dev_set_name(dev, "foo")` call:
 - old device name is freed: kfree(dev->name);
 - new device name is allocated: kmalloc(...);
 - notice pdev->name is still the old device name, i.e. a freed pointer.
OF is at fault here, taking the pointer to the device name in of_device_add().
The new PLATFORM_DEVICE_FLAG_FREE_NAME flag tells platform devices if they own their pdev->name pointer and if it requires a kfree() call.
Considerations:
- The generic case in platform_device_register_full() is not faulty because it allocates memory for storing the name adjacent to the `struct platform_device` alloc; see platform_device_alloc():
	struct platform_object *pa;
	pa = kzalloc(sizeof(*pa) + strlen(name) + 1, GFP_KERNEL);
We cannot rely on this codepath in all cases because OF wants to change the name after the platform device creation.
- kfree_const() cannot solve the issue: either we allocated pdev->name separately or it is part of the platform_object allocation. pdev->name is never coming from read-only data.
- It is important to duplicate! pdev->name must not change to make sure the platform_match() return value is stable over time. If we updated pdev->name alongside dev->name, once a device probes and changes its name then the platform_match() return value would change.
- In of_device_add(), we make sure to kstrdup() the new name before freeing the old one; if alloc fails, we leave the device as-is.
Fixes: eca3930163ba ("of: Merge of_platform_bus_type with platform_bus_type")
Cc: stable@vger.kernel.org
Signed-off-by: Théo Lebrun <theo.lebrun@bootlin.com>
---
 drivers/base/platform.c         |  2 ++
 drivers/of/platform.c           | 12 +++++++++++-
 include/linux/platform_device.h |  1 +
 3 files changed, 14 insertions(+), 1 deletion(-)
diff --git a/drivers/base/platform.c b/drivers/base/platform.c index e2284482c7ba7c12fe2ab3c715e7d1daa3f65021..3548714d6ba408abc6c7ab0f3e7496c6e27ba060 100644 --- a/drivers/base/platform.c +++ b/drivers/base/platform.c @@ -563,6 +563,8 @@ static void platform_device_release(struct device *dev) kfree(pa->pdev.mfd_cell); kfree(pa->pdev.resource); kfree(pa->pdev.driver_override); + if (pa->pdev.flags & PLATFORM_DEVICE_FLAG_FREE_NAME) + kfree(pa->pdev.name); kfree(pa); }
diff --git a/drivers/of/platform.c b/drivers/of/platform.c index c6d8afb284e88061eb6fb0ba02e429cec702664c..ef6f341fd9b77a9e0ed6969c3f322b9bc91d0e8d 100644 --- a/drivers/of/platform.c +++ b/drivers/of/platform.c @@ -44,11 +44,21 @@ EXPORT_SYMBOL(of_find_device_by_node);
int of_device_add(struct platform_device *ofdev) { + char *new_name; + BUG_ON(ofdev->dev.of_node == NULL);
+ new_name = kstrdup(dev_name(&ofdev->dev), GFP_KERNEL); + if (!new_name) + return -ENOMEM; + + if (ofdev->flags & PLATFORM_DEVICE_FLAG_FREE_NAME) + kfree(ofdev->name); + /* name and id have to be set so that the platform bus doesn't get * confused on matching */ - ofdev->name = dev_name(&ofdev->dev); + ofdev->name = new_name; + ofdev->flags |= PLATFORM_DEVICE_FLAG_FREE_NAME; ofdev->id = PLATFORM_DEVID_NONE;
/* diff --git a/include/linux/platform_device.h b/include/linux/platform_device.h index d842b21ba3791f974fa62f52bd160ef5820261c1..203016afc3899ffa05f38b9d4ce3bfc02d5b75ef 100644 --- a/include/linux/platform_device.h +++ b/include/linux/platform_device.h @@ -25,6 +25,7 @@ struct platform_device { int id; u8 flags; #define PLATFORM_DEVICE_FLAG_ID_AUTO BIT(0) +#define PLATFORM_DEVICE_FLAG_FREE_NAME BIT(1) struct device dev; u64 platform_dma_mask; struct device_dma_parameters dma_parms;
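Review bot: in the drivers/base/platform.c hunk, the conditional `kfree(pa->pdev.name)` in platform_device_release() is the only teardown path in this patch that frees the duplicated name, so a flagged platform_device whose dev.release is some other function would leak the kstrdup() copy. A short comment next to the check, saying that the flag means pdev.name was allocated separately from the platform_object and that of_device_add() is the only place in this patch that sets it, would make the ownership rule explicit.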
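Review bot: in the drivers/of/platform.c hunk, `new_name = kstrdup(dev_name(&ofdev->dev), GFP_KERNEL);` followed by `if (!new_name) return -ENOMEM;` also returns -ENOMEM when dev_name() itself returns NULL, because kstrdup() returns NULL for a NULL argument. The removed line `ofdev->name = dev_name(&ofdev->dev);` only stored a NULL name in that case, so either check the dev_name() result separately and return a distinct error, or state in a comment that a name is always set before of_device_add() runs. Doing the kstrdup() before the `kfree(ofdev->name)` matches what the commit message promises about leaving the device as-is on allocation failure.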
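Review bot: in the include/linux/platform_device.h hunk, `PLATFORM_DEVICE_FLAG_FREE_NAME` is added without a comment, although it changes who owns pdev->name. Add a one-line comment above the define stating that pdev->name was allocated separately and is kfree()d in platform_device_release() and on a repeated of_device_add(), so that other code assigning pdev->name does not set the flag on a pointer it does not own.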