From patchwork Tue Feb 18 11:00:12 2025
X-Patchwork-Submitter: Théo Lebrun
X-Patchwork-Id: 13979534
From: Théo Lebrun
Date: Tue, 18 Feb 2025 12:00:12 +0100
Subject: [PATCH 1/2] driver core: platform: turn pdev->id_auto into pdev->flags
X-Mailing-List: linux-sound@vger.kernel.org
Message-Id: <20250218-pdev-uaf-v1-1-5ea1a0d3aba0@bootlin.com>
References: <20250218-pdev-uaf-v1-0-5ea1a0d3aba0@bootlin.com>
In-Reply-To: <20250218-pdev-uaf-v1-0-5ea1a0d3aba0@bootlin.com>
To: Greg Kroah-Hartman, "Rafael J. Wysocki", Danilo Krummrich, Rob Herring, Saravana Kannan, "David S. Miller", Grant Likely
Cc: linux-kernel@vger.kernel.org, devicetree@vger.kernel.org, Liam Girdwood, Mark Brown, Jaroslav Kysela, Takashi Iwai, Binbin Zhou, linux-sound@vger.kernel.org, Vladimir Kondratiev, Grégory Clement, Thomas Petazzoni, Tawfik Bayouk, Théo Lebrun, stable@vger.kernel.org
X-Mailer: b4 0.14.2

struct platform_device->id_auto is the only boolean stored inside the
structure. Remove it and add a u8 flags field. The goal is to allow more
flags (without using more memory).

Cc:
Signed-off-by: Théo Lebrun
---
 drivers/base/platform.c | 6 +++---
 include/linux/platform_device.h | 3 ++-
 2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/drivers/base/platform.c b/drivers/base/platform.c index 6f2a33722c5203ac196a6e36e153648d0fe6c6d4..e2284482c7ba7c12fe2ab3c715e7d1daa3f65021 100644 --- a/drivers/base/platform.c +++ b/drivers/base/platform.c @@ -682,7 +682,7 @@ int platform_device_add(struct platform_device *pdev) if (ret < 0) return ret; pdev->id = ret; - pdev->id_auto = true; + pdev->flags |= PLATFORM_DEVICE_FLAG_ID_AUTO; dev_set_name(dev, "%s.%d.auto", pdev->name, pdev->id); break; } @@ -720,7 +720,7 @@ int platform_device_add(struct platform_device *pdev) return 0; failed: - if (pdev->id_auto) { + if (pdev->flags & PLATFORM_DEVICE_FLAG_ID_AUTO) { ida_free(&platform_devid_ida, pdev->id); pdev->id = PLATFORM_DEVID_AUTO; } @@ -750,7 +750,7 @@ void platform_device_del(struct platform_device *pdev) if (!IS_ERR_OR_NULL(pdev)) { device_del(&pdev->dev); - if (pdev->id_auto) { + if (pdev->flags & PLATFORM_DEVICE_FLAG_ID_AUTO) { ida_free(&platform_devid_ida, pdev->id); pdev->id = PLATFORM_DEVID_AUTO; } diff --git a/include/linux/platform_device.h b/include/linux/platform_device.h index 074754c23d330c9a099e20eecfeb6cbd5025e04f..d842b21ba3791f974fa62f52bd160ef5820261c1 100644 --- a/include/linux/platform_device.h +++ b/include/linux/platform_device.h
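Review bot: in the `failed:` and platform_device_del() hunks, `pdev->id` is reset to PLATFORM_DEVID_AUTO but PLATFORM_DEVICE_FLAG_ID_AUTO is left set, so a device that is re-added with a fixed `id` after a failed or removed registration still takes the `ida_free(&platform_devid_ida, pdev->id)` branch on an id that never came from the IDA. The old `id_auto` bool had the same gap, but now that the flags word exists it is a one-liner to keep flag and id in step: add `pdev->flags &= ~PLATFORM_DEVICE_FLAG_ID_AUTO;` next to each `pdev->id = PLATFORM_DEVID_AUTO;`.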
@@ -23,7 +23,8 @@ struct platform_device_id; struct platform_device { const char *name; int id; - bool id_auto; + u8 flags; +#define PLATFORM_DEVICE_FLAG_ID_AUTO BIT(0) struct device dev; u64 platform_dma_mask; struct device_dma_parameters dma_parms;

From patchwork Tue Feb 18 11:00:13 2025
X-Patchwork-Submitter: Théo Lebrun
X-Patchwork-Id: 13979535
From: Théo Lebrun
Date: Tue, 18 Feb 2025 12:00:13 +0100
Subject: [PATCH 2/2] driver core: platform: avoid use-after-free on pdev->name
X-Mailing-List: linux-sound@vger.kernel.org
Message-Id: <20250218-pdev-uaf-v1-2-5ea1a0d3aba0@bootlin.com>
References: <20250218-pdev-uaf-v1-0-5ea1a0d3aba0@bootlin.com>
In-Reply-To: <20250218-pdev-uaf-v1-0-5ea1a0d3aba0@bootlin.com>
To: Greg Kroah-Hartman, "Rafael J. Wysocki", Danilo Krummrich, Rob Herring, Saravana Kannan, "David S. Miller", Grant Likely
Cc: linux-kernel@vger.kernel.org, devicetree@vger.kernel.org, Liam Girdwood, Mark Brown, Jaroslav Kysela, Takashi Iwai, Binbin Zhou, linux-sound@vger.kernel.org, Vladimir Kondratiev, Grégory Clement, Thomas Petazzoni, Tawfik Bayouk, Théo Lebrun, stable@vger.kernel.org
X-Mailer: b4 0.14.2

The issue is with this:

	int of_device_add(struct platform_device *ofdev)
	{
		// ...
		ofdev->name = dev_name(&ofdev->dev);
		// ...
	}

We store the current device name pointer. If the device name changes
through a `dev_set_name(dev, "foo")` call:

 - old device name is freed: kfree(dev->name);
 - new device name is allocated: kmalloc(...);
 - notice pdev->name is still the old device name, i.e. a freed pointer.

OF is at fault here, taking the pointer to the device name in
of_device_add(). The new PLATFORM_DEVICE_FLAG_FREE_NAME flag tells
platform devices if they own their pdev->name pointer and if it requires
a kfree() call.

Considerations:

 - The generic case in platform_device_register_full() is not faulty
   because it allocates memory for storing the name adjacent to the
   `struct platform_device` alloc; see platform_device_alloc():

	struct platform_object *pa;
	pa = kzalloc(sizeof(*pa) + strlen(name) + 1, GFP_KERNEL);

   We cannot rely on this codepath in all cases because OF wants to
   change the name after the platform device creation.

 - kfree_const() cannot solve the issue: either we allocated pdev->name
   separately or it is part of the platform_object allocation.
   pdev->name is never coming from read-only data.

 - It is important to duplicate! pdev->name must not change to make sure
   the platform_match() return value is stable over time. If we updated
   pdev->name alongside dev->name, once a device probes and changes its
   name then the platform_match() return value would change.

 - In of_device_add(), we make sure to kstrdup() the new name before
   freeing the old one; if alloc fails, we leave the device as-is.
Fixes: eca3930163ba ("of: Merge of_platform_bus_type with platform_bus_type") Cc: Signed-off-by: Théo Lebrun --- drivers/base/platform.c | 2 ++ drivers/of/platform.c | 12 +++++++++++- include/linux/platform_device.h | 1 + 3 files changed, 14 insertions(+), 1 deletion(-) diff --git a/drivers/base/platform.c b/drivers/base/platform.c index e2284482c7ba7c12fe2ab3c715e7d1daa3f65021..3548714d6ba408abc6c7ab0f3e7496c6e27ba060 100644 --- a/drivers/base/platform.c +++ b/drivers/base/platform.c @@ -563,6 +563,8 @@ static void platform_device_release(struct device *dev) kfree(pa->pdev.mfd_cell); kfree(pa->pdev.resource); kfree(pa->pdev.driver_override); + if (pa->pdev.flags & PLATFORM_DEVICE_FLAG_FREE_NAME) + kfree(pa->pdev.name); kfree(pa); } diff --git a/drivers/of/platform.c b/drivers/of/platform.c index c6d8afb284e88061eb6fb0ba02e429cec702664c..ef6f341fd9b77a9e0ed6969c3f322b9bc91d0e8d 100644 --- a/drivers/of/platform.c +++ b/drivers/of/platform.c @@ -44,11 +44,21 @@ EXPORT_SYMBOL(of_find_device_by_node); int of_device_add(struct platform_device *ofdev) { + char *new_name; + BUG_ON(ofdev->dev.of_node == NULL); + new_name = kstrdup(dev_name(&ofdev->dev), GFP_KERNEL); + if (!new_name) + return -ENOMEM; + + if (ofdev->flags & PLATFORM_DEVICE_FLAG_FREE_NAME) + kfree(ofdev->name); + /* name and id have to be set so that the platform bus doesn't get * confused on matching */ - ofdev->name = dev_name(&ofdev->dev); + ofdev->name = new_name; + ofdev->flags |= PLATFORM_DEVICE_FLAG_FREE_NAME; ofdev->id = PLATFORM_DEVID_NONE; /* diff --git a/include/linux/platform_device.h b/include/linux/platform_device.h index d842b21ba3791f974fa62f52bd160ef5820261c1..203016afc3899ffa05f38b9d4ce3bfc02d5b75ef 100644 --- a/include/linux/platform_device.h +++ b/include/linux/platform_device.h 
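Review bot: the kstrdup()'d name taken in the of_device_add() hunk is only ever released by the `kfree(pa->pdev.name)` added to platform_device_release(), yet nothing in of_device_add() checks that the pdev it was handed actually uses that release callback; a caller that passes a platform_device with its own `dev.release` ends up with a PLATFORM_DEVICE_FLAG_FREE_NAME name that nobody frees. Either state in a comment above `new_name = kstrdup(dev_name(&ofdev->dev), GFP_KERNEL);` that of_device_add() requires a device obtained from platform_device_alloc(), or free the name on the of/ side that allocated it. Also worth a short comment on the early `return -ENOMEM;`: the old assignment could not fail at this point, and the commit message's "leave the device as-is" behaviour is not obvious from the code alone.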
@@ -25,6 +25,7 @@ struct platform_device { int id; u8 flags; #define PLATFORM_DEVICE_FLAG_ID_AUTO BIT(0) +#define PLATFORM_DEVICE_FLAG_FREE_NAME BIT(1) struct device dev; u64 platform_dma_mask; struct device_dma_parameters dma_parms;
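Review bot: PLATFORM_DEVICE_FLAG_FREE_NAME is set in drivers/of/platform.c and consumed in drivers/base/platform.c, but the define carries no comment saying what it promises (`name` was allocated with kstrdup()/kmalloc(), is owned by the platform_device, and is freed in platform_device_release()). A one-line comment on the define, or on `name` in the struct, would stop a future caller from setting it on a name that lives inside the platform_object allocation or in rodata, where the kfree() would be wrong. The same applies to PLATFORM_DEVICE_FLAG_ID_AUTO from the previous patch.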
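To make the lifetime rule from the 2/2 commit message concrete, here is an added userspace model of the bug and of the fix; it is example code written for this page, not code from the series or from the kernel. dev_set_name(), kstrdup() and kfree() are replaced by small stand-ins (`dev_set_name_m`, `kstrdup_m`, `kfree_m`, all this example's own names) and kfree_m() records every address it frees in a registry, so the dangling alias can be detected without dereferencing freed memory. `of_device_add_buggy()` keeps the dev_name() pointer as the pre-fix code did; `of_device_add_fixed()` owns a copy and records that in a `FLAG_FREE_NAME` bit, which the modelled platform_device_release() honours.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Flag bits in the spirit of patch 1/2; names are this example's own. */
#define FLAG_ID_AUTO   (1u << 0)
#define FLAG_FREE_NAME (1u << 1)

struct device { char *name; };		/* heap-owned, replaced on rename */
struct platform_device {
	const char *name;			/* what platform_match() would compare */
	uint8_t flags;
	struct device dev;
};

/* Freed-pointer registry (a stand-in for what KASAN would report): kfree_m()
 * records every address it frees so is_freed() can flag a dangling alias. */
#define MAX_FREED 16
static uintptr_t freed[MAX_FREED];
static int nfreed;

static void kfree_m(const void *p)
{
	if (!p)
		return;
	if (nfreed < MAX_FREED)
		freed[nfreed++] = (uintptr_t)p;
	free((void *)p);
}

static bool is_freed(const void *p)
{
	for (int i = 0; i < nfreed; i++)
		if (freed[i] == (uintptr_t)p)
			return true;
	return false;
}

static char *kstrdup_m(const char *s)
{
	size_t len = strlen(s) + 1;
	char *d = malloc(len);

	if (d)
		memcpy(d, s, len);
	return d;
}

/* Like dev_set_name(): the old buffer is freed, so any alias now dangles. */
static void dev_set_name_m(struct device *dev, const char *name)
{
	char *n = kstrdup_m(name);

	kfree_m(dev->name);
	dev->name = n;
}

static const char *dev_name_m(const struct device *dev) { return dev->name; }

/* Pre-fix of_device_add(): keeps the pointer, not a copy. */
static void of_device_add_buggy(struct platform_device *pdev)
{
	pdev->name = dev_name_m(&pdev->dev);
}

/* Post-fix of_device_add(): own a copy and say so in flags. */
static int of_device_add_fixed(struct platform_device *pdev)
{
	char *new_name = kstrdup_m(dev_name_m(&pdev->dev));

	if (!new_name)
		return -12;			/* -ENOMEM */
	if (pdev->flags & FLAG_FREE_NAME)
		kfree_m(pdev->name);
	pdev->name = new_name;
	pdev->flags |= FLAG_FREE_NAME;
	return 0;
}

/* platform_device_release(): free pdev->name only when the flag says we own it. */
static void platform_device_release_m(struct platform_device *pdev)
{
	if (pdev->flags & FLAG_FREE_NAME)
		kfree_m(pdev->name);
	kfree_m(pdev->dev.name);
}

/* Pre-fix: after a later rename, pdev->name points at freed memory. */
bool buggy_name_dangles(void)
{
	struct platform_device pdev = { 0 };
	bool dangling;

	nfreed = 0;
	dev_set_name_m(&pdev.dev, "foo.0");
	of_device_add_buggy(&pdev);
	dev_set_name_m(&pdev.dev, "foo.0.renamed");	/* e.g. a driver renames */
	dangling = is_freed(pdev.name);
	platform_device_release_m(&pdev);		/* flags == 0: no double free */
	return dangling;
}

/* Post-fix: the copy survives the rename unchanged and is freed exactly once. */
bool fixed_name_survives_rename(void)
{
	struct platform_device pdev = { 0 };
	const char *owned;
	bool ok;

	nfreed = 0;
	dev_set_name_m(&pdev.dev, "foo.0");
	if (of_device_add_fixed(&pdev))
		return false;
	dev_set_name_m(&pdev.dev, "foo.0.renamed");
	ok = !is_freed(pdev.name) && strcmp(pdev.name, "foo.0") == 0 &&
	     strcmp(dev_name_m(&pdev.dev), "foo.0.renamed") == 0;
	owned = pdev.name;
	platform_device_release_m(&pdev);
	/* three frees in total: old "foo.0", the owned copy, "foo.0.renamed" */
	return ok && is_freed(owned) && nfreed == 3;
}

/* A name the pdev does not own (flag clear) must be left alone on release. */
bool release_respects_flag(void)
{
	static const char fixed_name[] = "static-name";
	struct platform_device pdev = { .name = fixed_name };

	nfreed = 0;
	dev_set_name_m(&pdev.dev, "foo.1");
	platform_device_release_m(&pdev);
	return !is_freed(fixed_name) && nfreed == 1;
}

int main(void)
{
	printf("pre-fix pdev->name dangles after rename: %s\n", buggy_name_dangles() ? "yes" : "no");
	printf("post-fix copy survives rename:          %s\n", fixed_name_survives_rename() ? "yes" : "no");
	printf("release leaves unowned name alone:      %s\n", release_respects_flag() ? "yes" : "no");
	return 0;
}
```

The registry replaces a real sanitizer only for the purpose of a deterministic check; in the kernel the equivalent evidence is a KASAN use-after-free report on the first platform_match() that reads pdev->name after the rename. The third scenario is why the flag exists at all: platform_device_release() cannot tell an owned kstrdup() from a name that lives inside the platform_object allocation, so the bit has to travel with the pointer.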