[PATCH] powerpc/powernv: allocate sensor group names to fit the OF node name

[Pengpeng Hou]

opal_sensor_groups_init() stores each sensor-group name in a fixed
char[20] field and formats it with "%pOFn" or "%pOFn%d".

The node name comes from firmware and is not bounded to fit in 20 bytes,
so formatting the fully qualified group name can write past the end of
the embedded buffer.

Allocate the group name string to fit the formatted result instead of
storing it in a fixed-size array.

Fixes: bf9571550f52 ("powerpc/powernv: Add support to clear sensor groups data")
Cc: stable@xxxxxxxxxxxxxxx

Signed-off-by: Pengpeng Hou <pengpeng@xxxxxxxxxxx>
---
 arch/powerpc/platforms/powernv/opal-sensor-groups.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/arch/powerpc/platforms/powernv/opal-sensor-groups.c b/arch/powerpc/platforms/powernv/opal-sensor-groups.c
index 87fd6d7769e9..f940c223f1b5 100644
--- a/arch/powerpc/platforms/powernv/opal-sensor-groups.c
+++ b/arch/powerpc/platforms/powernv/opal-sensor-groups.c
@@ -23,7 +23,7 @@ struct sg_attr {
 };
 
 static struct sensor_group {
-	char name[20];
+	char *name;
 	struct attribute_group sg;
 	struct sg_attr *sgattrs;
 } *sgs;
@@ -207,9 +207,12 @@ void __init opal_sensor_groups_init(void)
 		}
 
 		if (!of_property_read_u32(node, "ibm,chip-id", &chipid))
-			sprintf(sgs[i].name, "%pOFn%d", node, chipid);
+			sgs[i].name = kasprintf(GFP_KERNEL, "%pOFn%d",
+						node, chipid);
 		else
-			sprintf(sgs[i].name, "%pOFn", node);
+			sgs[i].name = kasprintf(GFP_KERNEL, "%pOFn", node);
+		if (!sgs[i].name)
+			goto out_sgs_sgattrs;
 
 		sgs[i].sg.name = sgs[i].name;
 		if (add_attr_group(ops, len, &sgs[i], sgid)) {
@@ -225,6 +228,7 @@ void __init opal_sensor_groups_init(void)
 
 out_sgs_sgattrs:
 	while (--i >= 0) {
+		kfree(sgs[i].name);
 		kfree(sgs[i].sgattrs);
 		kfree(sgs[i].sg.attrs);
 	}
-- 
2.50.1 (Apple Git-155)