of: fix memory leak related to safe_name()

Fix a memory leak resulting from memory allocation in safe_name().
This patch fixes all call sites of safe_name().

Mathieu Malaterre reported the memory leak on boot:

On my PowerMac device-tree would generate a duplicate name:

[    0.023043] device-tree: Duplicate name in PowerPC,G4@0, renamed to "l2-cache#1"

in this case a newly allocated name is generated by `safe_name`. However
in this case it is never deallocated.

The bug was found using kmemleak reported as:

unreferenced object 0xdf532e60 (size 32):
  comm "swapper", pid 1, jiffies 4294892300 (age 1993.532s)
  hex dump (first 32 bytes):
    6c 32 2d 63 61 63 68 65 23 31 00 dd e4 dd 1e c2  l2-cache#1......
    ec d4 ba ce 04 ec cc de 8e 85 e9 ca c4 ec cc 9e  ................
  backtrace:
    [<c02d3350>] kvasprintf+0x64/0xc8
    [<c02d3400>] kasprintf+0x4c/0x5c
    [<c0453814>] safe_name.isra.1+0x80/0xc4
    [<c04545d8>] __of_attach_node_sysfs+0x6c/0x11c
    [<c075f21c>] of_core_init+0x8c/0xf8
    [<c0729594>] kernel_init_freeable+0xd4/0x208
    [<c00047e8>] kernel_init+0x24/0x11c
    [<c00158ec>] ret_from_kernel_thread+0x5c/0x64

Link: https://bugzilla.kernel.org/show_bug.cgi?id=120331

Signed-off-by: Frank Rowand <frank.rowand@am.sony.com>
Reported-by: mathieu.malaterre@gmail.com
Tested-by: Mathieu Malaterre <mathieu.malaterre@gmail.com>
Cc: stable@vger.kernel.org
Signed-off-by: Rob Herring <robh@kernel.org>

3 files changed, 25 insertions, 10 deletions

diff --git a/drivers/of/base.c b/drivers/of/base.c
index ebf84e3b56d5..8bb3d1adf1b0 100644
--- a/drivers/of/base.c
+++ b/drivers/of/base.c
@@ -112,6 +112,7 @@ static ssize_t of_node_property_read(struct file *filp, struct kobject *kobj,
         return memory_read_from_buffer(buf, count, &offset, pp->value, pp->length);
 }
 
+/* always return newly allocated name, caller must free after use */
 static const char *safe_name(struct kobject *kobj, const char *orig_name)
 {
         const char *name = orig_name;
@@ -126,9 +127,12 @@ static const char *safe_name(struct kobject *kobj, const char *orig_name)
                 name = kasprintf(GFP_KERNEL, "%s#%i", orig_name, ++i);
         }
 
-        if (name != orig_name)
+        if (name == orig_name) {
+                name = kstrdup(orig_name, GFP_KERNEL);
+        } else {
                 pr_warn("device-tree: Duplicate name in %s, renamed to \"%s\"\n",
                         kobject_name(kobj), name);
+        }
         return name;
 }
 
@@ -159,6 +163,7 @@ int __of_add_property_sysfs(struct device_node *np, struct property *pp)
 int __of_attach_node_sysfs(struct device_node *np)
 {
         const char *name;
+        struct kobject *parent;
         struct property *pp;
         int rc;
 
@@ -171,15 +176,16 @@ int __of_attach_node_sysfs(struct device_node *np)
         np->kobj.kset = of_kset;
         if (!np->parent) {
                 /* Nodes without parents are new top level trees */
-                rc = kobject_add(&np->kobj, NULL, "%s",
-                                 safe_name(&of_kset->kobj, "base"));
+                name = safe_name(&of_kset->kobj, "base");
+                parent = NULL;
         } else {
                 name = safe_name(&np->parent->kobj, kbasename(np->full_name));
-                if (!name || !name[0])
-                        return -EINVAL;
-
-                rc = kobject_add(&np->kobj, &np->parent->kobj, "%s", name);
+                parent = &np->parent->kobj;
         }
+        if (!name)
+                return -ENOMEM;
+        rc = kobject_add(&np->kobj, parent, "%s", name);
+        kfree(name);
         if (rc)
                 return rc;
 
@@ -1815,6 +1821,12 @@ int __of_remove_property(struct device_node *np, struct property *prop)
         return 0;
 }
 
+void __of_sysfs_remove_bin_file(struct device_node *np, struct property *prop)
+{
+        sysfs_remove_bin_file(&np->kobj, &prop->attr);
+        kfree(prop->attr.attr.name);
+}
+
 void __of_remove_property_sysfs(struct device_node *np, struct property *prop)
 {
         if (!IS_ENABLED(CONFIG_SYSFS))
@@ -1822,7 +1834,7 @@ void __of_remove_property_sysfs(struct device_node *np, struct property *prop)
 
         /* at early boot, bail here and defer setup to of_init() */
         if (of_kset && of_node_is_attached(np))
-                sysfs_remove_bin_file(&np->kobj, &prop->attr);
+                __of_sysfs_remove_bin_file(np, prop);
 }
 
 /**
@@ -1895,7 +1907,7 @@ void __of_update_property_sysfs(struct device_node *np, struct property *newprop
                 return;
 
         if (oldprop)
-                sysfs_remove_bin_file(&np->kobj, &oldprop->attr);
+                __of_sysfs_remove_bin_file(np, oldprop);
         __of_add_property_sysfs(np, newprop);
 }
 
diff --git a/drivers/of/dynamic.c b/drivers/of/dynamic.c
index 3033fa3250dc..a2015599ed7e 100644
--- a/drivers/of/dynamic.c
+++ b/drivers/of/dynamic.c
@@ -55,7 +55,7 @@ void __of_detach_node_sysfs(struct device_node *np)
         /* only remove properties if on sysfs */
         if (of_node_is_attached(np)) {
                 for_each_property_of_node(np, pp)
-                        sysfs_remove_bin_file(&np->kobj, &pp->attr);
+                        __of_sysfs_remove_bin_file(np, pp);
                 kobject_del(&np->kobj);
         }
 
diff --git a/drivers/of/of_private.h b/drivers/of/of_private.h
index 829469faeb23..18bbb4517e25 100644
--- a/drivers/of/of_private.h
+++ b/drivers/of/of_private.h
@@ -83,6 +83,9 @@ extern int __of_attach_node_sysfs(struct device_node *np);
 extern void __of_detach_node(struct device_node *np);
 extern void __of_detach_node_sysfs(struct device_node *np);
 
+extern void __of_sysfs_remove_bin_file(struct device_node *np,
+                                       struct property *prop);
+
 /* iterators for transactions, used for overlays */
 /* forward iterator */
 #define for_each_transaction_entry(_oft, _te) \