Unverified Commit 9110056f authored by Kurt Borja's avatar Kurt Borja Committed by Ilpo Järvinen
Browse files

platform/x86: think-lmi: Fix kobject cleanup 



In tlmi_analyze(), allocated structs with an embedded kobject are freed
in error paths after the they were already initialized.

Fix this by first by avoiding the initialization of kobjects in
tlmi_analyze() and then by correctly cleaning them up in
tlmi_release_attr() using their kset's kobject list.

Fixes: a40cd7ef ("platform/x86: think-lmi: Add WMI interface support on Lenovo platforms")
Fixes: 30e78435 ("platform/x86: think-lmi: Split kobject_init() and kobject_add() calls")
Cc: stable@vger.kernel.org
Reviewed-by: default avatarMark Pearson <mpearson-lenovo@squebb.ca>
Reviewed-by: default avatarIlpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: default avatarKurt Borja <kuurtb@gmail.com>
Link: https://lore.kernel.org/r/20250630-lmi-fix-v3-2-ce4f81c9c481@gmail.com


Signed-off-by: default avatarIlpo Järvinen <ilpo.jarvinen@linux.intel.com>
parent 8dab34ca

drivers/platform/x86/think-lmi.c

+19 −16
Original line number Diff line number Diff line
@@ -1380,13 +1380,13 @@ static struct kobj_attribute debug_cmd = __ATTR_WO(debug_cmd); 
/* ---- Initialisation --------------------------------------------------------- */

static void tlmi_release_attr(void)

{

	struct kobject *pos, *n;

	int i;



	/* Attribute structures */

	for (i = 0; i < TLMI_SETTINGS_COUNT; i++) {

		if (tlmi_priv.setting[i]) {

			sysfs_remove_group(&tlmi_priv.setting[i]->kobj, &tlmi_attr_group);

			kobject_put(&tlmi_priv.setting[i]->kobj);

		}

	}

	sysfs_remove_file(&tlmi_priv.attribute_kset->kobj, &pending_reboot.attr);
@@ -1395,6 +1395,9 @@ static void tlmi_release_attr(void) 
	if (tlmi_priv.can_debug_cmd && debug_support)

		sysfs_remove_file(&tlmi_priv.attribute_kset->kobj, &debug_cmd.attr);



	list_for_each_entry_safe(pos, n, &tlmi_priv.attribute_kset->list, entry)

		kobject_put(pos);



	kset_unregister(tlmi_priv.attribute_kset);



	/* Free up any saved signatures */
@@ -1403,19 +1406,17 @@ static void tlmi_release_attr(void) 


	/* Authentication structures */

	sysfs_remove_group(&tlmi_priv.pwd_admin->kobj, &auth_attr_group);

	kobject_put(&tlmi_priv.pwd_admin->kobj);

	sysfs_remove_group(&tlmi_priv.pwd_power->kobj, &auth_attr_group);

	kobject_put(&tlmi_priv.pwd_power->kobj);



	if (tlmi_priv.opcode_support) {

		sysfs_remove_group(&tlmi_priv.pwd_system->kobj, &auth_attr_group);

		kobject_put(&tlmi_priv.pwd_system->kobj);

		sysfs_remove_group(&tlmi_priv.pwd_hdd->kobj, &auth_attr_group);

		kobject_put(&tlmi_priv.pwd_hdd->kobj);

		sysfs_remove_group(&tlmi_priv.pwd_nvme->kobj, &auth_attr_group);

		kobject_put(&tlmi_priv.pwd_nvme->kobj);

	}



	list_for_each_entry_safe(pos, n, &tlmi_priv.authentication_kset->list, entry)

		kobject_put(pos);



	kset_unregister(tlmi_priv.authentication_kset);

}
@@ -1479,8 +1480,8 @@ static int tlmi_sysfs_init(void) 


		/* Build attribute */

		tlmi_priv.setting[i]->kobj.kset = tlmi_priv.attribute_kset;

		ret = kobject_add(&tlmi_priv.setting[i]->kobj, NULL,

				  "%s", tlmi_priv.setting[i]->display_name);

		ret = kobject_init_and_add(&tlmi_priv.setting[i]->kobj, &tlmi_attr_setting_ktype,

					   NULL, "%s", tlmi_priv.setting[i]->display_name);

		if (ret)

			goto fail_create_attr;
@@ -1505,7 +1506,8 @@ static int tlmi_sysfs_init(void) 


	/* Create authentication entries */

	tlmi_priv.pwd_admin->kobj.kset = tlmi_priv.authentication_kset;

	ret = kobject_add(&tlmi_priv.pwd_admin->kobj, NULL, "%s", "Admin");

	ret = kobject_init_and_add(&tlmi_priv.pwd_admin->kobj, &tlmi_pwd_setting_ktype,

				   NULL, "%s", "Admin");

	if (ret)

		goto fail_create_attr;
@@ -1514,7 +1516,8 @@ static int tlmi_sysfs_init(void) 
		goto fail_create_attr;



	tlmi_priv.pwd_power->kobj.kset = tlmi_priv.authentication_kset;

	ret = kobject_add(&tlmi_priv.pwd_power->kobj, NULL, "%s", "Power-on");

	ret = kobject_init_and_add(&tlmi_priv.pwd_power->kobj, &tlmi_pwd_setting_ktype,

				   NULL, "%s", "Power-on");

	if (ret)

		goto fail_create_attr;
@@ -1524,7 +1527,8 @@ static int tlmi_sysfs_init(void) 


	if (tlmi_priv.opcode_support) {

		tlmi_priv.pwd_system->kobj.kset = tlmi_priv.authentication_kset;

		ret = kobject_add(&tlmi_priv.pwd_system->kobj, NULL, "%s", "System");

		ret = kobject_init_and_add(&tlmi_priv.pwd_system->kobj, &tlmi_pwd_setting_ktype,

					   NULL, "%s", "System");

		if (ret)

			goto fail_create_attr;
@@ -1533,7 +1537,8 @@ static int tlmi_sysfs_init(void) 
			goto fail_create_attr;



		tlmi_priv.pwd_hdd->kobj.kset = tlmi_priv.authentication_kset;

		ret = kobject_add(&tlmi_priv.pwd_hdd->kobj, NULL, "%s", "HDD");

		ret = kobject_init_and_add(&tlmi_priv.pwd_hdd->kobj, &tlmi_pwd_setting_ktype,

					   NULL, "%s", "HDD");

		if (ret)

			goto fail_create_attr;
@@ -1542,7 +1547,8 @@ static int tlmi_sysfs_init(void) 
			goto fail_create_attr;



		tlmi_priv.pwd_nvme->kobj.kset = tlmi_priv.authentication_kset;

		ret = kobject_add(&tlmi_priv.pwd_nvme->kobj, NULL, "%s", "NVMe");

		ret = kobject_init_and_add(&tlmi_priv.pwd_nvme->kobj, &tlmi_pwd_setting_ktype,

					   NULL, "%s", "NVMe");

		if (ret)

			goto fail_create_attr;
@@ -1579,8 +1585,6 @@ static struct tlmi_pwd_setting *tlmi_create_auth(const char *pwd_type, 
	new_pwd->maxlen = tlmi_priv.pwdcfg.core.max_length;

	new_pwd->index = 0;



	kobject_init(&new_pwd->kobj, &tlmi_pwd_setting_ktype);



	return new_pwd;

}
@@ -1685,7 +1689,6 @@ static int tlmi_analyze(struct wmi_device *wdev) 
		if (setting->possible_values)

			strreplace(setting->possible_values, ',', ';');



		kobject_init(&setting->kobj, &tlmi_attr_setting_ktype);

		tlmi_priv.setting[i] = setting;

		kfree(item);

	}