syzkaller reported a memleak: https://syzkaller.appspot.com/bug?id=7cc8bce62e201c60e36ef0133dab7f6b8afbc62...
BUG: memory leak
unreferenced object 0xffff888111648000 (size 18448):
  backtrace:
    [<ffffffff8250c359>] kmalloc
    [<ffffffff8250c359>] fbcon_set_font+0x1a9/0x470
    [<ffffffff8262cd59>] con_font_set
    [<ffffffff8262cd59>] con_font_op+0x3a9/0x600
    ...
It's because when fbcon_do_set_font() fails in fbcon_set_font(), it returns the error directly and doesn't free the allocated memory 'new_data'.
Reported-by: syzbot+25bdb7b1703639abd498@syzkaller.appspotmail.com
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Signed-off-by: Chen Zhongjin <chenzhongjin@huawei.com>
---
 drivers/video/fbdev/core/fbcon.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/drivers/video/fbdev/core/fbcon.c b/drivers/video/fbdev/core/fbcon.c index c0143d38df83..edb01d200b5b 100644 --- a/drivers/video/fbdev/core/fbcon.c +++ b/drivers/video/fbdev/core/fbcon.c @@ -2480,7 +2480,7 @@ static int fbcon_set_font(struct vc_data *vc, struct console_font *font, int w = font->width; int h = font->height; int size; - int i, csum; + int i, csum, ret; u8 *new_data, *data = font->data; int pitch = PITCH(font->width);
@@ -2539,7 +2539,11 @@ static int fbcon_set_font(struct vc_data *vc, struct console_font *font, break; } } - return fbcon_do_set_font(vc, font->width, font->height, charcount, new_data, 1); + + ret = fbcon_do_set_font(vc, font->width, font->height, charcount, new_data, 1); + if (ret && i > last_fb_vc) + kfree(new_data - FONT_EXTRA_WORDS * sizeof(int)); + return ret; }
static int fbcon_set_def_font(struct vc_data *vc, struct console_font *font, char *name)
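Review bot: the new `if (ret && i > last_fb_vc)` in the second hunk ties the ownership decision to the loop counter `i` from the font-reuse loop that ends just above it (`break; } }`): the kfree is correct only as long as that loop leaves `i` past `last_fb_vc` exactly when no existing console font matched and `new_data` is still the fresh allocation. That coupling is easy to break in a later edit, so either a one-line comment at the kfree or a local flag set where the loop substitutes an existing console's font data would make the rule explicit. The `new_data - FONT_EXTRA_WORDS * sizeof(int)` arithmetic also repeats the offset applied at allocation time; a small helper used by both sites would avoid the two drifting apart. Finally, please confirm in the commit message that fbcon_do_set_font() does not keep a reference to `new_data` on any of its failure paths, since if it did this kfree would turn the leak into a use-after-free.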
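The ownership rule behind this fix is easy to get wrong, so here is an added user-space model of it; it is not kernel code and not part of this patch. The names `font_alloc`, `font_free`, `set_font`, `do_set_font`, `console_font`, `live_allocs` and `fail_next_set` are constructed for the example: a buffer is allocated with a hidden header of `FONT_EXTRA_WORDS` ints in front of the data, an identical font already installed on another console is shared instead of kept, and on failure of the install step the buffer is freed only when it is still owned by the caller.

```c
/* Added example: user-space model of the free-on-error ownership rule.
 * Not kernel code; all names here are constructed for illustration. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define FONT_EXTRA_WORDS 4   /* header words kept in front of the font data */
#define NUM_CONSOLES 3       /* stand-in for first_fb_vc..last_fb_vc */

static int live_allocs;                           /* leak detector for tests */
static int fail_next_set;                         /* make the next install fail */
static unsigned char *console_font[NUM_CONSOLES]; /* fonts installed per console */

/* Allocate header + data and return a pointer past the header, like the
 * kmalloc(FONT_EXTRA_WORDS * sizeof(int) + size) pattern in fbcon_set_font(). */
static unsigned char *font_alloc(size_t size)
{
    size_t hdr = FONT_EXTRA_WORDS * sizeof(int);
    unsigned char *base = calloc(1, hdr + size);

    if (!base)
        return NULL;
    live_allocs++;
    return base + hdr;
}

/* Undo the header offset before freeing; mirrors
 * kfree(new_data - FONT_EXTRA_WORDS * sizeof(int)). */
static void font_free(unsigned char *data)
{
    free(data - FONT_EXTRA_WORDS * sizeof(int));
    live_allocs--;
}

/* Stand-in for fbcon_do_set_font(): takes ownership of data only on success. */
static int do_set_font(unsigned char *data)
{
    (void)data;
    if (fail_next_set) {
        fail_next_set = 0;
        return -5; /* constructed error code, think -EIO */
    }
    return 0;
}

static int set_font(int vc, const void *src, size_t size)
{
    unsigned char *new_data = font_alloc(size);
    int owned = 1, i, ret;

    if (!new_data)
        return -12; /* -ENOMEM */
    memcpy(new_data, src, size);

    /* Reuse an identical font already installed on another console (the real
     * code also compares size and charcount). After this, new_data is shared
     * and must not be freed by us; that is the i > last_fb_vc case in the fix. */
    for (i = 0; i < NUM_CONSOLES; i++) {
        if (console_font[i] && !memcmp(console_font[i], new_data, size)) {
            font_free(new_data);
            new_data = console_font[i];
            owned = 0;
            break;
        }
    }

    ret = do_set_font(new_data);
    if (ret) {
        if (owned)            /* the fix: release our own buffer on failure */
            font_free(new_data);
        return ret;
    }
    console_font[vc] = new_data;
    return 0;
}

int main(void)
{
    set_font(0, "ABCD", 4);
    fail_next_set = 1;
    set_font(1, "WXYZ", 4);   /* fails; owned buffer is freed */
    fail_next_set = 1;
    set_font(1, "ABCD", 4);   /* fails; shared data is left alone */
    printf("live allocations after two failed installs: %d\n", live_allocs);
    return 0;
}
```

Without the `if (owned)` branch the second call would leave a live allocation behind, which is the syzkaller leak; without the `owned` flag the third call would free a buffer still used by console 0, which is the use-after-free a naive free-on-error would introduce.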