fbdev: fbcon: release buffer when fbcon_do_set_font() failed

Message ID d37c0147-3605-a876-9b85-16bcbc05eaa6@I-love.SAKURA.ne.jp
State New
Series fbdev: fbcon: release buffer when fbcon_do_set_font() failed

Commit Message

Tetsuo Handa Dec. 5, 2022, 10:10 p.m. UTC
syzbot is reporting memory leak at fbcon_do_set_font() [1], for
commit a5a923038d70 ("fbdev: fbcon: Properly revert changes when
vc_resize() failed") missed that the buffer might be newly allocated
by fbcon_set_font().

Link: https://syzkaller.appspot.com/bug?extid=25bdb7b1703639abd498 [1]
Reported-by: syzbot <syzbot+25bdb7b1703639abd498@syzkaller.appspotmail.com>
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Tested-by: syzbot <syzbot+25bdb7b1703639abd498@syzkaller.appspotmail.com>
Fixes: a5a923038d70 ("fbdev: fbcon: Properly revert changes when vc_resize() failed")
---
 drivers/video/fbdev/core/fbcon.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

Comments

Helge Deller Dec. 10, 2022, 4:18 p.m. UTC | #1
On 12/5/22 23:10, Tetsuo Handa wrote:
> syzbot is reporting memory leak at fbcon_do_set_font() [1], for
> commit a5a923038d70 ("fbdev: fbcon: Properly revert changes when
> vc_resize() failed") missed that the buffer might be newly allocated
> by fbcon_set_font().
>
> Link: https://syzkaller.appspot.com/bug?extid=25bdb7b1703639abd498 [1]
> Reported-by: syzbot <syzbot+25bdb7b1703639abd498@syzkaller.appspotmail.com>
> Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
> Tested-by: syzbot <syzbot+25bdb7b1703639abd498@syzkaller.appspotmail.com>
> Fixes: a5a923038d70 ("fbdev: fbcon: Properly revert changes when vc_resize() failed")

applied.
Thanks!

Helge

> ---
>   drivers/video/fbdev/core/fbcon.c | 3 ++-
>   1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/video/fbdev/core/fbcon.c b/drivers/video/fbdev/core/fbcon.c
> index 098b62f7b701..8363f3b2b452 100644
> --- a/drivers/video/fbdev/core/fbcon.c
> +++ b/drivers/video/fbdev/core/fbcon.c
> @@ -2450,7 +2450,8 @@ static int fbcon_do_set_font(struct vc_data *vc, int w, int h, int charcount,
>
>   	if (userfont) {
>   		p->userfont = old_userfont;
> -		REFCOUNT(data)--;
> +		if (--REFCOUNT(data) == 0)
> +			kfree(data - FONT_EXTRA_WORDS * sizeof(int));
>   	}
>
>   	vc->vc_font.width = old_width;
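Review bot: the kfree() argument on the added line `kfree(data - FONT_EXTRA_WORDS * sizeof(int));` open-codes the distance from the font data back to the start of the allocation, and it is only correct if data is a byte pointer, which this hunk does not show. A short comment stating that the allocation begins FONT_EXTRA_WORDS ints before data, or a small helper shared with any other site that frees a font buffer, would keep this free from drifting away from the allocation layout.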

Patch

diff --git a/drivers/video/fbdev/core/fbcon.c b/drivers/video/fbdev/core/fbcon.c
index 098b62f7b701..8363f3b2b452 100644
--- a/drivers/video/fbdev/core/fbcon.c
+++ b/drivers/video/fbdev/core/fbcon.c
@@ -2450,7 +2450,8 @@  static int fbcon_do_set_font(struct vc_data *vc, int w, int h, int charcount,
 
 	if (userfont) {
 		p->userfont = old_userfont;
-		REFCOUNT(data)--;
+		if (--REFCOUNT(data) == 0)
+			kfree(data - FONT_EXTRA_WORDS * sizeof(int));
 	}
 
 	vc->vc_font.width = old_width;
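Review bot: the branch at `if (--REFCOUNT(data) == 0)` now frees a buffer that, per the commit message, may have been newly allocated by fbcon_set_font(), so a failure return consumes the caller's data, and nothing in the hunk documents that ownership rule. Please add a comment on the function or at this branch saying that data must not be used or freed by the caller after an error, and confirm that the restore code above this hunk has already pointed every field that referenced data back at the old buffer before the kfree() runs.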