[11/99] fbdev/aty: Duplicate video-mode option string

Message ID 20230306160016.4459-12-tzimmermann@suse.de
State New
Headers
Series fbdev: Fix memory leak in option parsing |

Commit Message

Thomas Zimmermann March 6, 2023, 3:58 p.m. UTC
  Assume that the driver does not own the option string or its substrings
and hence duplicate the option string for the video mode. The driver only
parses the option string once as part of module initialization, so use
a static buffer to store the duplicated mode option. Linux automatically
frees the memory upon releasing the module.

Done in preparation of switching the driver to struct option_iter and
constifying the option string.

Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
---
 drivers/video/fbdev/aty/aty128fb.c    | 12 +++++++++++-
 drivers/video/fbdev/aty/atyfb_base.c  | 13 +++++++++++--
 drivers/video/fbdev/aty/radeon_base.c | 13 +++++++++++--
 3 files changed, 33 insertions(+), 5 deletions(-)
  

Comments

Geert Uytterhoeven March 6, 2023, 4:13 p.m. UTC | #1
Hi Thomas,

Thanks for your patch!

On Mon, Mar 6, 2023 at 5:00 PM Thomas Zimmermann <tzimmermann@suse.de> wrote:
> Assume that the driver does not own the option string or its substrings
> and hence duplicate the option string for the video mode. The driver only
> parses the option string once as part of module initialization, so use
> a static buffer to store the duplicated mode option. Linux automatically
> frees the memory upon releasing the module.

Are you sure about that?
All of this code is inside "#ifndef MODULE".
In the aty128fb case, the function is not marked __init.
Enabling these 3 drivers adds 3x256 bytes of static buffer, more
if you enable more fbdev drivers.

> Done in preparation of switching the driver to struct option_iter and
> constifying the option string.
>
> Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>

> --- a/drivers/video/fbdev/aty/aty128fb.c
> +++ b/drivers/video/fbdev/aty/aty128fb.c
> @@ -1723,7 +1723,17 @@ static int aty128fb_setup(char *options)
>                         continue;
>                 }
>  #endif /* CONFIG_PPC_PMAC */
> -               mode_option = this_opt;
> +               {
> +                       static char mode_option_buf[256];
> +                       int ret;
> +
> +                       ret = snprintf(mode_option_buf, sizeof(mode_option_buf), "%s", this_opt);
> +                       if (WARN(ret < 0, "aty128: ignoring invalid option, ret=%d\n", ret))
> +                               continue;
> +                       if (WARN(ret >= sizeof(mode_option_buf), "aty128fb: option too long\n"))
> +                               continue;
> +                       mode_option = mode_option_buf;
> +               }
>         }
>         return 0;
>  }
eturn 0;
>  }

Gr{oetje,eeting}s,

                        Geert
  
Thomas Zimmermann March 7, 2023, 8:24 a.m. UTC | #2
Hi

Am 06.03.23 um 17:13 schrieb Geert Uytterhoeven:
> Hi Thomas,
> 
> Thanks for your patch!
> 
> On Mon, Mar 6, 2023 at 5:00 PM Thomas Zimmermann <tzimmermann@suse.de> wrote:
>> Assume that the driver does not own the option string or its substrings
>> and hence duplicate the option string for the video mode. The driver only
>> parses the option string once as part of module initialization, so use
>> a static buffer to store the duplicated mode option. Linux automatically
>> frees the memory upon releasing the module.
> 
> Are you sure about that?
> All of this code is inside "#ifndef MODULE".
> In the aty128fb case, the function is not marked __init.
> Enabling these 3 drivers adds 3x256 bytes of static buffer, more
> if you enable more fbdev drivers.

Right. Please see my reply to [00/99].

> 
>> Done in preparation of switching the driver to struct option_iter and
>> constifying the option string.
>>
>> Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
> 
>> --- a/drivers/video/fbdev/aty/aty128fb.c
>> +++ b/drivers/video/fbdev/aty/aty128fb.c
>> @@ -1723,7 +1723,17 @@ static int aty128fb_setup(char *options)
>>                          continue;
>>                  }
>>   #endif /* CONFIG_PPC_PMAC */
>> -               mode_option = this_opt;
>> +               {
>> +                       static char mode_option_buf[256];
>> +                       int ret;
>> +
>> +                       ret = snprintf(mode_option_buf, sizeof(mode_option_buf), "%s", this_opt);
>> +                       if (WARN(ret < 0, "aty128: ignoring invalid option, ret=%d\n", ret))
>> +                               continue;
>> +                       if (WARN(ret >= sizeof(mode_option_buf), "aty128fb: option too long\n"))
>> +                               continue;
>> +                       mode_option = mode_option_buf;
>> +               }
>>          }
>>          return 0;
>>   }
> eturn 0;
>>   }
> 
> Gr{oetje,eeting}s,
> 
>                          Geert
> 

-- 
Thomas Zimmermann
Graphics Driver Developer
SUSE Software Solutions Germany GmbH
Maxfeldstr. 5, 90409 Nürnberg, Germany
(HRB 36809, AG Nürnberg)
Geschäftsführer: Ivo Totev
  

Patch

diff --git a/drivers/video/fbdev/aty/aty128fb.c b/drivers/video/fbdev/aty/aty128fb.c
index 36a9ac05a340..3c08904a107f 100644
--- a/drivers/video/fbdev/aty/aty128fb.c
+++ b/drivers/video/fbdev/aty/aty128fb.c
@@ -1723,7 +1723,17 @@  static int aty128fb_setup(char *options)
 			continue;
 		}
 #endif /* CONFIG_PPC_PMAC */
-		mode_option = this_opt;
+		{
+			static char mode_option_buf[256];
+			int ret;
+
+			ret = snprintf(mode_option_buf, sizeof(mode_option_buf), "%s", this_opt);
+			if (WARN(ret < 0, "aty128: ignoring invalid option, ret=%d\n", ret))
+				continue;
+			if (WARN(ret >= sizeof(mode_option_buf), "aty128fb: option too long\n"))
+				continue;
+			mode_option = mode_option_buf;
+		}
 	}
 	return 0;
 }
diff --git a/drivers/video/fbdev/aty/atyfb_base.c b/drivers/video/fbdev/aty/atyfb_base.c
index b02e4e645035..5e6e83472c30 100644
--- a/drivers/video/fbdev/aty/atyfb_base.c
+++ b/drivers/video/fbdev/aty/atyfb_base.c
@@ -3896,8 +3896,17 @@  static int __init atyfb_setup(char *options)
 			}
 		}
 #endif
-		else
-			mode = this_opt;
+		else {
+			static char mode_option_buf[256];
+			int ret;
+
+			ret = snprintf(mode_option_buf, sizeof(mode_option_buf), "%s", this_opt);
+			if (WARN(ret < 0, "atyfb: ignoring invalid option, ret=%d\n", ret))
+				continue;
+			if (WARN(ret >= sizeof(mode_option_buf), "atyfb: option too long\n"))
+				continue;
+			mode = mode_option_buf;
+		}
 	}
 	return 0;
 }
diff --git a/drivers/video/fbdev/aty/radeon_base.c b/drivers/video/fbdev/aty/radeon_base.c
index 657064227de8..b885a7cc2424 100644
--- a/drivers/video/fbdev/aty/radeon_base.c
+++ b/drivers/video/fbdev/aty/radeon_base.c
@@ -2596,8 +2596,17 @@  static int __init radeonfb_setup (char *options)
 		} else if (!strncmp(this_opt, "ignore_devlist", 14)) {
 			ignore_devlist = 1;
 #endif
-		} else
-			mode_option = this_opt;
+		} else {
+			static char mode_option_buf[256];
+			int ret;
+
+			ret = snprintf(mode_option_buf, sizeof(mode_option_buf), "%s", this_opt);
+			if (WARN(ret < 0, "radeonfb: ignoring invalid option, ret=%d\n", ret))
+				continue;
+			if (WARN(ret >= sizeof(mode_option_buf), "radeonfb: option too long\n"))
+				continue;
+			mode_option = mode_option_buf;
+		}
 	}
 	return 0;
 }