Message ID | d37c0147-3605-a876-9b85-16bcbc05eaa6@I-love.SAKURA.ne.jp (mailing list archive) |
---|---|
State | Accepted, archived |
Series | fbdev: fbcon: release buffer when fbcon_do_set_font() failed |
On 12/5/22 23:10, Tetsuo Handa wrote: > syzbot is reporting memory leak at fbcon_do_set_font() [1], for > commit a5a923038d70 ("fbdev: fbcon: Properly revert changes when > vc_resize() failed") missed that the buffer might be newly allocated > by fbcon_set_font(). > > Link: https://syzkaller.appspot.com/bug?extid=25bdb7b1703639abd498 [1] > Reported-by: syzbot <syzbot+25bdb7b1703639abd498@syzkaller.appspotmail.com> > Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> > Tested-by: syzbot <syzbot+25bdb7b1703639abd498@syzkaller.appspotmail.com> > Fixes: a5a923038d70 ("fbdev: fbcon: Properly revert changes when vc_resize() failed") applied. Thanks! Helge > --- > drivers/video/fbdev/core/fbcon.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/drivers/video/fbdev/core/fbcon.c b/drivers/video/fbdev/core/fbcon.c > index 098b62f7b701..8363f3b2b452 100644 > --- a/drivers/video/fbdev/core/fbcon.c > +++ b/drivers/video/fbdev/core/fbcon.c > @@ -2450,7 +2450,8 @@ static int fbcon_do_set_font(struct vc_data *vc, int w, int h, int charcount, > > if (userfont) { > p->userfont = old_userfont; > - REFCOUNT(data)--; > + if (--REFCOUNT(data) == 0) > + kfree(data - FONT_EXTRA_WORDS * sizeof(int)); > } > > vc->vc_font.width = old_width;
diff --git a/drivers/video/fbdev/core/fbcon.c b/drivers/video/fbdev/core/fbcon.c index 098b62f7b701..8363f3b2b452 100644 --- a/drivers/video/fbdev/core/fbcon.c +++ b/drivers/video/fbdev/core/fbcon.c @@ -2450,7 +2450,8 @@ static int fbcon_do_set_font(struct vc_data *vc, int w, int h, int charcount, if (userfont) { p->userfont = old_userfont; - REFCOUNT(data)--; + if (--REFCOUNT(data) == 0) + kfree(data - FONT_EXTRA_WORDS * sizeof(int)); } vc->vc_font.width = old_width;
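Review bot: the new kfree() in the `if (userfont)` branch open-codes the allocation layout as `data - FONT_EXTRA_WORDS * sizeof(int)`, which is only correct while data is a byte-sized pointer and the header in front of the glyph data stays exactly FONT_EXTRA_WORDS ints. A short comment stating that a zero refcount here means the buffer was freshly allocated by fbcon_set_font(), and ideally a shared helper for the decrement-and-free pair, would keep this error path in step with the allocator. Since data is dangling once kfree() runs, it is also worth confirming that nothing later in this revert path (the visible context continues with `vc->vc_font.width = old_width;`) still reads through it.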