Message ID | 20230306160016.4459-12-tzimmermann@suse.de (mailing list archive) |
---|---|
State | Superseded |
Headers | show |
Series | fbdev: Fix memory leak in option parsing | expand |
Hi Thomas, Thanks for your patch! On Mon, Mar 6, 2023 at 5:00 PM Thomas Zimmermann <tzimmermann@suse.de> wrote: > Assume that the driver does not own the option string or its substrings > and hence duplicate the option string for the video mode. The driver only > parses the option string once as part of module initialization, so use > a static buffer to store the duplicated mode option. Linux automatically > frees the memory upon releasing the module. Are you sure about that? All of this code is inside "#ifndef MODULE". In the aty128fb case, the function is not marked __init. Enabling these 3 drivers adds 3x256 bytes of static buffer, more if you enable more fbdev drivers. > Done in preparation of switching the driver to struct option_iter and > constifying the option string. > > Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de> > --- a/drivers/video/fbdev/aty/aty128fb.c > +++ b/drivers/video/fbdev/aty/aty128fb.c > @@ -1723,7 +1723,17 @@ static int aty128fb_setup(char *options) > continue; > } > #endif /* CONFIG_PPC_PMAC */ > - mode_option = this_opt; > + { > + static char mode_option_buf[256]; > + int ret; > + > + ret = snprintf(mode_option_buf, sizeof(mode_option_buf), "%s", this_opt); > + if (WARN(ret < 0, "aty128: ignoring invalid option, ret=%d\n", ret)) > + continue; > + if (WARN(ret >= sizeof(mode_option_buf), "aty128fb: option too long\n")) > + continue; > + mode_option = mode_option_buf; > + } > } > return 0; > } eturn 0; > } Gr{oetje,eeting}s, Geert
Hi Am 06.03.23 um 17:13 schrieb Geert Uytterhoeven: > Hi Thomas, > > Thanks for your patch! > > On Mon, Mar 6, 2023 at 5:00 PM Thomas Zimmermann <tzimmermann@suse.de> wrote: >> Assume that the driver does not own the option string or its substrings >> and hence duplicate the option string for the video mode. The driver only >> parses the option string once as part of module initialization, so use >> a static buffer to store the duplicated mode option. Linux automatically >> frees the memory upon releasing the module. > > Are you sure about that? > All of this code is inside "#ifndef MODULE". > In the aty128fb case, the function is not marked __init. > Enabling these 3 drivers adds 3x256 bytes of static buffer, more > if you enable more fbdev drivers. Right. Please see my reply to [00/99]. > >> Done in preparation of switching the driver to struct option_iter and >> constifying the option string. >> >> Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de> > >> --- a/drivers/video/fbdev/aty/aty128fb.c >> +++ b/drivers/video/fbdev/aty/aty128fb.c >> @@ -1723,7 +1723,17 @@ static int aty128fb_setup(char *options) >> continue; >> } >> #endif /* CONFIG_PPC_PMAC */ >> - mode_option = this_opt; >> + { >> + static char mode_option_buf[256]; >> + int ret; >> + >> + ret = snprintf(mode_option_buf, sizeof(mode_option_buf), "%s", this_opt); >> + if (WARN(ret < 0, "aty128: ignoring invalid option, ret=%d\n", ret)) >> + continue; >> + if (WARN(ret >= sizeof(mode_option_buf), "aty128fb: option too long\n")) >> + continue; >> + mode_option = mode_option_buf; >> + } >> } >> return 0; >> } > eturn 0; >> } > > Gr{oetje,eeting}s, > > Geert >
diff --git a/drivers/video/fbdev/aty/aty128fb.c b/drivers/video/fbdev/aty/aty128fb.c index 36a9ac05a340..3c08904a107f 100644 --- a/drivers/video/fbdev/aty/aty128fb.c +++ b/drivers/video/fbdev/aty/aty128fb.c @@ -1723,7 +1723,17 @@ static int aty128fb_setup(char *options) continue; } #endif /* CONFIG_PPC_PMAC */ - mode_option = this_opt; + { + static char mode_option_buf[256]; + int ret; + + ret = snprintf(mode_option_buf, sizeof(mode_option_buf), "%s", this_opt); + if (WARN(ret < 0, "aty128: ignoring invalid option, ret=%d\n", ret)) + continue; + if (WARN(ret >= sizeof(mode_option_buf), "aty128fb: option too long\n")) + continue; + mode_option = mode_option_buf; + } } return 0; } diff --git a/drivers/video/fbdev/aty/atyfb_base.c b/drivers/video/fbdev/aty/atyfb_base.c index b02e4e645035..5e6e83472c30 100644 --- a/drivers/video/fbdev/aty/atyfb_base.c +++ b/drivers/video/fbdev/aty/atyfb_base.c @@ -3896,8 +3896,17 @@ static int __init atyfb_setup(char *options) } } #endif - else - mode = this_opt; + else { + static char mode_option_buf[256]; + int ret; + + ret = snprintf(mode_option_buf, sizeof(mode_option_buf), "%s", this_opt); + if (WARN(ret < 0, "atyfb: ignoring invalid option, ret=%d\n", ret)) + continue; + if (WARN(ret >= sizeof(mode_option_buf), "atyfb: option too long\n")) + continue; + mode = mode_option_buf; + } } return 0; } diff --git a/drivers/video/fbdev/aty/radeon_base.c b/drivers/video/fbdev/aty/radeon_base.c index 657064227de8..b885a7cc2424 100644 --- a/drivers/video/fbdev/aty/radeon_base.c +++ b/drivers/video/fbdev/aty/radeon_base.c @@ -2596,8 +2596,17 @@ static int __init radeonfb_setup (char *options) } else if (!strncmp(this_opt, "ignore_devlist", 14)) { ignore_devlist = 1; #endif - } else - mode_option = this_opt; + } else { + static char mode_option_buf[256]; + int ret; + + ret = snprintf(mode_option_buf, sizeof(mode_option_buf), "%s", this_opt); + if (WARN(ret < 0, "radeonfb: ignoring invalid option, ret=%d\n", ret)) + continue; + if (WARN(ret >= sizeof(mode_option_buf), "radeonfb: option too long\n")) + continue; + mode_option = mode_option_buf; + } } return 0; }
Assume that the driver does not own the option string or its substrings and hence duplicate the option string for the video mode. The driver only parses the option string once as part of module initialization, so use a static buffer to store the duplicated mode option. Linux automatically frees the memory upon releasing the module. Done in preparation of switching the driver to struct option_iter and constifying the option string. Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de> --- drivers/video/fbdev/aty/aty128fb.c | 12 +++++++++++- drivers/video/fbdev/aty/atyfb_base.c | 13 +++++++++++-- drivers/video/fbdev/aty/radeon_base.c | 13 +++++++++++-- 3 files changed, 33 insertions(+), 5 deletions(-)