In the Linux kernel, the following vulnerability has been resolved:

fbdev: Fix fbsetvar to prevent null-ptr-deref in fbvideomodeto_var

If fbaddvideomode() in fbsetvar() fails to allocate memory for fbvideomode, later it may lead to a null-ptr dereference in fbvideomodetovar(), as the fbinfo is registered while not having the mode in modelist that is expected to be there, i.e. the one that is described in fbinfo->var.

================================================================ general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN NOPTI KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f] CPU: 1 PID: 30371 Comm: syz-executor.1 Not tainted 5.10.226-syzkaller #0 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014 RIP: 0010:fbvideomodetovar+0x24/0x610 drivers/video/fbdev/core/modedb.c:901 Call Trace: displaytovar+0x3a/0x7c0 drivers/video/fbdev/core/fbcon.c:929 fbconresize+0x3e2/0x8f0 drivers/video/fbdev/core/fbcon.c:2071 resizescreen drivers/tty/vt/vt.c:1176 [inline] vcdoresize+0x53a/0x1170 drivers/tty/vt/vt.c:1263 fbconmodechanged+0x3ac/0x6e0 drivers/video/fbdev/core/fbcon.c:2720 fbconupdatevcs+0x43/0x60 drivers/video/fbdev/core/fbcon.c:2776 dofbioctl+0x6d2/0x740 drivers/video/fbdev/core/fbmem.c:1128 fbioctl+0xe7/0x150 drivers/video/fbdev/core/fbmem.c:1203 vfsioctl fs/ioctl.c:48 [inline] __dosysioctl fs/ioctl.c:753 [inline] __sesysioctl fs/ioctl.c:739 [inline] __x64sysioctl+0x19a/0x210 fs/ioctl.c:739 dosyscall64+0x33/0x40 arch/x86/entry/common.c:46

entrySYSCALL64afterhwframe+0x67/0xd1

The reason is that fbinfo->var is being modified in fbsetvar(), and then fbvideomodetovar() is called. If it fails to add the mode to fbinfo->modelist, fbsetvar() returns error, but does not restore the old value of fbinfo->var. Restore fb_info->var on failure the same way it is done earlier in the function.

Found by Linux Verification Center (linuxtesting.org) with Syzkaller.