This is a note to let you know that I've just added the patch titled fbdev: fbcon: release buffer when fbcon_do_set_font() failed to the 5.15-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: fbdev-fbcon-release-buffer-when-fbcon_do_set_font-failed.patch and it can be found in the queue-5.15 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable@xxxxxxxxxxxxxxx> know about it. >From 3c3bfb8586f848317ceba5d777e11204ba3e5758 Mon Sep 17 00:00:00 2001 From: Tetsuo Handa <penguin-kernel@xxxxxxxxxxxxxxxxxxx> Date: Tue, 6 Dec 2022 07:10:31 +0900 Subject: fbdev: fbcon: release buffer when fbcon_do_set_font() failed From: Tetsuo Handa <penguin-kernel@xxxxxxxxxxxxxxxxxxx> commit 3c3bfb8586f848317ceba5d777e11204ba3e5758 upstream. syzbot is reporting memory leak at fbcon_do_set_font() [1], for commit a5a923038d70 ("fbdev: fbcon: Properly revert changes when vc_resize() failed") missed that the buffer might be newly allocated by fbcon_set_font(). Link: https://syzkaller.appspot.com/bug?extid=25bdb7b1703639abd498 [1] Reported-by: syzbot <syzbot+25bdb7b1703639abd498@xxxxxxxxxxxxxxxxxxxxxxxxx> Signed-off-by: Tetsuo Handa <penguin-kernel@xxxxxxxxxxxxxxxxxxx> Tested-by: syzbot <syzbot+25bdb7b1703639abd498@xxxxxxxxxxxxxxxxxxxxxxxxx> Fixes: a5a923038d70 ("fbdev: fbcon: Properly revert changes when vc_resize() failed") CC: stable@xxxxxxxxxxxxxxx # 5.15+ Signed-off-by: Helge Deller <deller@xxxxxx> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- drivers/video/fbdev/core/fbcon.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) --- a/drivers/video/fbdev/core/fbcon.c +++ b/drivers/video/fbdev/core/fbcon.c @@ -2462,7 +2462,8 @@ err_out: if (userfont) { p->userfont = old_userfont; - REFCOUNT(data)--; + if (--REFCOUNT(data) == 0) + kfree(data - FONT_EXTRA_WORDS * sizeof(int)); } vc->vc_font.width = old_width; Patches currently in stable-queue which might be from penguin-kernel@xxxxxxxxxxxxxxxxxxx are queue-5.15/fbdev-fbcon-release-buffer-when-fbcon_do_set_font-failed.patch queue-5.15/reiserfs-add-missing-calls-to-reiserfs_security_free.patch