fbdev: fbcon: release buffer when fbcon_do_set_font() failed

Tetsuo Handa · hdeller · commit 3c3bfb8586f8 · 2022-12-14T20:01:51.000+01:00
syzbot is reporting memory leak at fbcon_do_set_font() [1], for commit a5a9230 ("fbdev: fbcon: Properly revert changes when vc_resize() failed") missed that the buffer might be newly allocated by fbcon_set_font(). Link: https://syzkaller.appspot.com/bug?extid=25bdb7b1703639abd498 [1] Reported-by: syzbot <syzbot+25bdb7b1703639abd498@syzkaller.appspotmail.com> Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Tested-by: syzbot <syzbot+25bdb7b1703639abd498@syzkaller.appspotmail.com> Fixes: a5a9230 ("fbdev: fbcon: Properly revert changes when vc_resize() failed") CC: stable@vger.kernel.org # 5.15+ Signed-off-by: Helge Deller <deller@gmx.de>
diff --git a/drivers/video/fbdev/core/fbcon.c b/drivers/video/fbdev/core/fbcon.c
@@ -2450,7 +2450,8 @@ static int fbcon_do_set_font(struct vc_data *vc, int w, int h, int charcount,
 
 	if (userfont) {
 		p->userfont = old_userfont;
-		REFCOUNT(data)--;
+		if (--REFCOUNT(data) == 0)
+			kfree(data - FONT_EXTRA_WORDS * sizeof(int));
 	}
 
 	vc->vc_font.width = old_width;

Original file line number	Diff line number	Diff line change
`@@ -2450,7 +2450,8 @@ static int fbcon_do_set_font(struct vc_data *vc, int w, int h, int charcount,`
`2450`	`2450`
`2451`	`2451`	`if (userfont) {`
`2452`	`2452`	`p->userfont = old_userfont;`
`2453`		`- REFCOUNT(data)--;`
	`2453`	`+ if (--REFCOUNT(data) == 0)`
	`2454`	`+ kfree(data - FONT_EXTRA_WORDS * sizeof(int));`
`2454`	`2455`	`}`
`2455`	`2456`
`2456`	`2457`	`vc->vc_font.width = old_width;`