Linux Framebuffer Layer development
From: w15303746062  <w15303746062@163.com>
To: simona@ffwll.ch, deller@gmx.de
Cc: tzimmermann@suse.de, ville.syrjala@linux.intel.com,
	sam@ravnborg.org, kees@kernel.org, yanquanmin1@huawei.com,
	syoshida@redhat.com, linux-fbdev@vger.kernel.org,
	dri-devel@lists.freedesktop.org, linux-kernel@vger.kernel.org,
	"Mingyu Wang" <25181214217@stu.xidian.edu.cn>,
	stable@vger.kernel.org
Subject: Re: [PATCH 7.0] fbdev: fbcon: fix memory leak in error path of fbcon_do_set_font()
Date: Fri, 5 Jun 2026 11:33:51 +0800 (CST)	[thread overview]
Message-ID: <5b288246.378d.19e95d82602.Coremail.w15303746062@163.com> (raw)
In-Reply-To: <20260525082741.600003-1-w15303746062@163.com>


Hi Helge, Simona, and all,

A gentle ping on this patch.

Since this issue was inherently resolved in the mainline tree via a recent refactor, this specific fix is intended only for the 7.0 and older stable branches where the legacy userfont logic is still present and vulnerable to this memory leak.

Could the fbdev maintainers please take a look and provide an Acked-by? This will allow the stable team to safely pick it up for the older trees.

(+Cc stable@vger.kernel.org)

Best regards,
Mingyu

At 2026-05-25 16:27:41, w15303746062@163.com wrote:
>From: Mingyu Wang <25181214217@stu.xidian.edu.cn>
>
>[ Note: This issue was discovered on the 7.0 kernel. While the current
>  mainline has already been refactored to use `font_data_t` (which 
>  inadvertently resolved this bug), this vulnerability still actively 
>  affects the 7.0 branch and older stable trees that rely on the legacy 
>  userfont logic. This patch provides a targeted fix for these stable 
>  branches. ]
>
>When fbcon_do_set_font() fails (e.g., due to a vc_resize() failure under
>fault injection), it jumps to the `err_out` label to roll back the
>console state.
>
>However, the restoration of the previous font state (`p->userfont =
>old_userfont`) is erroneously placed inside the `if (userfont)` block.
>If the failed operation was attempting to set the default builtin font
>(`userfont == 0`), the restoration is completely skipped.
>
>This causes a state machine corruption where `p->userfont` remains `0`
>while `p->fontdata` still points to the previously allocated user font
>memory. Later, when the console is destroyed (e.g., via VT_DISALLOCATE),
>fbcon_free_font() fails to free this memory because its `if (p->userfont)`
>check fails, resulting in a memory leak caught by kmemleak:
>
>  unreferenced object 0xffff888127ea0000 (size 33296):
>    comm "syz.0.8726", pid 33224, jiffies 4297754643
>    hex dump (first 32 bytes):
>      a6 e4 f9 dd 00 00 00 00 00 82 00 00 01 00 00 00  ................
>      d2 09 6c bf 52 8a 7d d4 ef 1d 59 16 51 86 32 bf  ..l.R.}...Y.Q.2.
>    backtrace (crc 4a0a57dd):
>      ___kmalloc_large_node+0xe7/0x180 mm/slub.c:5214
>      __kmalloc_large_node_noprof+0x29/0x130 mm/slub.c:5232
>      __do_kmalloc_node mm/slub.c:5248 [inline]
>      __kmalloc_noprof+0x5fc/0x7c0 mm/slub.c:5272
>      kmalloc_noprof include/linux/slab.h:954 [inline]
>      fbcon_set_font+0x431/0xa60 drivers/video/fbdev/core/fbcon.c:2525
>      con_font_set drivers/tty/vt/vt.c:4918 [inline]
>      con_font_op+0x94d/0xe80 drivers/tty/vt/vt.c:4958
>      vt_k_ioctl drivers/tty/vt/vt_ioctl.c:472 [inline]
>      vt_ioctl+0x63c/0x2ee0 drivers/tty/vt/vt_ioctl.c:743
>
>Fix this by moving the `p->userfont = old_userfont` assignment outside
>the `if (userfont)` block so that the terminal state is unconditionally
>and correctly restored regardless of which font setting triggered the
>error.
>
>Fixes: a5a923038d70 ("fbdev: fbcon: Properly revert changes when vc_resize() failed")
>Signed-off-by: Mingyu Wang <25181214217@stu.xidian.edu.cn>
>---
> drivers/video/fbdev/core/fbcon.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
>diff --git a/drivers/video/fbdev/core/fbcon.c b/drivers/video/fbdev/core/fbcon.c
>index 666261ae59d8..a38545dc8416 100644
>--- a/drivers/video/fbdev/core/fbcon.c
>+++ b/drivers/video/fbdev/core/fbcon.c
>@@ -2461,8 +2461,10 @@ static int fbcon_do_set_font(struct vc_data *vc, int w, int h, int charcount,
> 	p->fontdata = old_data;
> 	vc->vc_font.data = old_data;
> 
>+	/* Unconditionally restore the previous userfont state */
>+	p->userfont = old_userfont;
>+
> 	if (userfont) {
>-		p->userfont = old_userfont;
> 		if (--REFCOUNT(data) == 0)
> 			kfree(data - FONT_EXTRA_WORDS * sizeof(int));
> 	}
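Review bot: the rollback is now symmetric with the entry sequence (`p->fontdata = old_data` immediately followed by `p->userfont = old_userfont`), which is the pairing fbcon_free_font() gates its kfree on, so the logic is right, and the remaining `if (userfont)` block is reduced to dropping the reference taken on `data`. Nit: the added comment restates the code; a comment that states the reason would help the next reader, e.g. `/* p->userfont must track p->fontdata, restored above, or fbcon_free_font() skips the kfree */`. Since this is a stable-only change with no mainline commit to cite, the changelog should also carry the stable-kernel-rules justification for a patch that is not in mainline (why the `font_data_t` refactor cannot be backported instead), otherwise the stable team has nothing to point at in place of an upstream SHA.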
>-- 
>2.34.1
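
The leak mechanism the changelog describes, as an added user-space model that is not kernel code and not part of the submitted patch: the `REFCOUNT`/`FONT_EXTRA_WORDS` macros mirror the fbcon definitions (the refcount lives in the int words preceding the glyph data), while `struct display`, the `live_allocs` counter standing in for kmemleak, and the simplified `do_set_font()`/`free_font()` are constructed for this demo. `do_set_font()` keeps only the bookkeeping of fbcon_do_set_font() and lets the caller force the vc_resize() failure; the `fixed` flag selects the old or the patched `err_out` ordering.

```c
/* Added example: model of fbcon's userfont bookkeeping, not kernel code. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* These two mirror drivers/video/fbdev/core/fbcon.c */
#define FONT_EXTRA_WORDS 4
#define REFCOUNT(fd)	(((int *)(fd))[-1])

/* Constructed stand-in for kmemleak: number of font buffers still allocated */
static int live_allocs;

/* Constructed stand-in for struct fbcon_display (only the two fields involved) */
struct display {
	unsigned char *fontdata;
	int userfont;
};

static unsigned char builtin_font[16];	/* stand-in for a built-in font */

/* Allocate a user font like fbcon_set_font(): extra words first, refcount 0 */
static unsigned char *alloc_userfont(size_t size)
{
	unsigned char *mem = malloc(FONT_EXTRA_WORDS * sizeof(int) + size);

	if (!mem)
		return NULL;
	memset(mem, 0, FONT_EXTRA_WORDS * sizeof(int) + size);
	live_allocs++;
	return mem + FONT_EXTRA_WORDS * sizeof(int);
}

/* Same pointer arithmetic as the kernel's kfree() of a user font */
static void free_userfont(unsigned char *fd)
{
	free(fd - FONT_EXTRA_WORDS * sizeof(int));
	live_allocs--;
}

/* Bookkeeping of fbcon_do_set_font(); 'fail' simulates vc_resize() failing */
static int do_set_font(struct display *p, unsigned char *data, int userfont,
		       int fail, int fixed)
{
	unsigned char *old_data = p->fontdata;
	int old_userfont = p->userfont;

	p->fontdata = data;
	if ((p->userfont = userfont))
		REFCOUNT(data)++;

	if (!fail) {
		/* success: release the previous user font's reference */
		if (old_userfont && --REFCOUNT(old_data) == 0)
			free_userfont(old_data);
		return 0;
	}

	/* err_out: old ordering restores userfont only inside if (userfont) */
	p->fontdata = old_data;
	if (fixed)
		p->userfont = old_userfont;
	if (userfont) {
		if (!fixed)
			p->userfont = old_userfont;
		if (--REFCOUNT(data) == 0)
			free_userfont(data);
	}
	return -1;
}

/* Mirrors fbcon_free_font(): the free is gated on p->userfont */
static void free_font(struct display *p)
{
	if (p->userfont && p->fontdata && --REFCOUNT(p->fontdata) == 0)
		free_userfont(p->fontdata);
	p->fontdata = NULL;
	p->userfont = 0;
}

/* Changelog sequence: load a user font, fail while switching back to the
 * built-in font, then tear the console down (VT_DISALLOCATE).
 * Returns the number of font buffers left allocated; 0 means no leak. */
static int run_scenario(int fixed)
{
	struct display p = { builtin_font, 0 };
	unsigned char *uf;

	live_allocs = 0;
	uf = alloc_userfont(16 * 256);
	if (!uf)
		return -1;
	do_set_font(&p, uf, 1, 0, fixed);		/* user font: ok */
	do_set_font(&p, builtin_font, 0, 1, fixed);	/* default font: fails */
	free_font(&p);					/* console destroyed */
	return live_allocs;
}

int main(void)
{
	printf("old err_out:     %d font buffer(s) leaked\n", run_scenario(0));
	printf("patched err_out: %d font buffer(s) leaked\n", run_scenario(1));
	return 0;
}
```

With the old ordering the second call leaves `p->userfont == 0` while `p->fontdata` points back at the user font, so `free_font()` never reaches the refcount drop and one buffer survives; with the restore moved outside `if (userfont)` the same sequence frees it.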
