CVE-2025-40323

Source
https://cve.org/CVERecord?id=CVE-2025-40323
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-40323.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-40323
Downstream
Related
Published
2025-12-08T00:46:50.833Z
Modified
2026-03-20T12:43:16.171317Z
Summary
fbcon: Set fb_display[i]->mode to NULL when the mode is released
Details

In the Linux kernel, the following vulnerability has been resolved:

fbcon: Set fb_display[i]->mode to NULL when the mode is released

Recently, we discovered the following issue through syzkaller:

BUG: KASAN: slab-use-after-free in fb_mode_is_equal+0x285/0x2f0
Read of size 4 at addr ff11000001b3c69c by task syz.xxx
...
Call Trace:
<TASK>
dump_stack_lvl+0xab/0xe0
print_address_description.constprop.0+0x2c/0x390
print_report+0xb9/0x280
kasan_report+0xb8/0xf0
fb_mode_is_equal+0x285/0x2f0
fbcon_mode_deleted+0x129/0x180
fb_set_var+0xe7f/0x11d0
do_fb_ioctl+0x6a0/0x750
fb_ioctl+0xe0/0x140
__x64_sys_ioctl+0x193/0x210
do_syscall_64+0x5f/0x9c0
entry_SYSCALL_64_after_hwframe+0x76/0x7e

Based on experimentation and analysis, during framebuffer unregistration, only the memory of fb_info->modelist is freed, without setting the corresponding fb_display[i]->mode to NULL for the freed modes. This leads to UAF issues during subsequent accesses. Here's an example of reproduction steps:

1. With /dev/fb0 already registered in the system, load a kernel module to register a new device /dev/fb1;
2. Set fb1's mode to the global fb_display[] array (via FBIOPUT_CON2FBMAP);
3. Switch console from fb to VGA (to allow normal rmmod of the ko);
4. Unload the kernel module, at this point fb1's modelist is freed, leaving a wild pointer in fb_display[];
5. Trigger the bug via system calls through fb0 attempting to delete a mode from fb0.

Add a check in do_unregister_framebuffer(): if the mode to be freed exists in fb_display[], set the corresponding mode pointer to NULL.
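The bug class and the fix described above, as an added, simplified user-space model (not the kernel's code): a device owns a modelist, a global fb_display[] holds raw pointers into it, and unregistering the device frees the list. The buggy path frees without clearing those pointers; the fixed path scans fb_display[] first and NULLs any entry pointing into the list about to be freed, mirroring the check added to do_unregister_framebuffer(). The structure and helper names (fb_device, console_bind_mode, mode_in_use, run_scenario) and the sample modes are constructed for this example.

```c
/* Constructed model of CVE-2025-40323: a freed modelist left referenced by fb_display[].
 * Not the kernel's code; names are modelled on the advisory, structures are toy versions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_CONSOLES 4

struct videomode {
    unsigned xres, yres, refresh;
};

/* Per-console state; stands in for the global fb_display[] array. */
struct display {
    struct videomode *mode; /* points into some device's modelist, or NULL */
};
static struct display fb_display[MAX_CONSOLES];

/* A registered framebuffer device owns its modelist, which is freed on unregister. */
struct fb_device {
    struct videomode *modelist;
    size_t nmodes;
};

static void fb_register(struct fb_device *dev, const struct videomode *modes, size_t n)
{
    dev->modelist = malloc(n * sizeof *modes);
    if (!dev->modelist)
        abort();
    memcpy(dev->modelist, modes, n * sizeof *modes);
    dev->nmodes = n;
}

/* Bind a console to one of dev's modes (the effect FBIOPUT_CON2FBMAP has in the advisory). */
static void console_bind_mode(int con, struct fb_device *dev, size_t idx)
{
    fb_display[con].mode = &dev->modelist[idx];
}

static int mode_is_equal(const struct videomode *a, const struct videomode *b)
{
    return a->xres == b->xres && a->yres == b->yres && a->refresh == b->refresh;
}

/* Stand-in for the fbcon_mode_deleted() check: is any console still using this mode?
 * Dereferences every non-NULL fb_display[i].mode, so it is only safe when no entry is stale. */
static int mode_in_use(const struct videomode *mode)
{
    for (int i = 0; i < MAX_CONSOLES; i++)
        if (fb_display[i].mode && mode_is_equal(fb_display[i].mode, mode))
            return 1;
    return 0;
}

/* Count fb_display[] entries pointing into dev's modelist (pointer equality only, no deref). */
static int refs_into(const struct fb_device *dev)
{
    int n = 0;
    for (int i = 0; i < MAX_CONSOLES; i++)
        for (size_t j = 0; j < dev->nmodes; j++)
            if (fb_display[i].mode == &dev->modelist[j])
                n++;
    return n;
}

/* Unregister dev. apply_fix == 0 frees the modelist while fb_display[] may still point into it
 * (the bug); apply_fix != 0 clears those entries first (the do_unregister_framebuffer() fix).
 * Returns how many fb_display[] pointers the free() leaves dangling. */
static int fb_unregister(struct fb_device *dev, int apply_fix)
{
    if (apply_fix)
        for (int i = 0; i < MAX_CONSOLES; i++)
            for (size_t j = 0; j < dev->nmodes; j++)
                if (fb_display[i].mode == &dev->modelist[j])
                    fb_display[i].mode = NULL;
    int dangling = refs_into(dev); /* counted before the free: these become wild pointers */
    free(dev->modelist);
    dev->modelist = NULL;
    dev->nmodes = 0;
    return dangling;
}

/* Replay the advisory's sequence: fb0 and fb1 registered, console 1 bound to an fb1 mode,
 * fb1 unregistered, then a mode-deletion check issued through fb0. */
static int run_scenario(int apply_fix, int *in_use)
{
    static const struct videomode modes[] = { {1024, 768, 60}, {1280, 1024, 60} }; /* constructed */
    struct fb_device fb0 = {0}, fb1 = {0};
    memset(fb_display, 0, sizeof fb_display);
    fb_register(&fb0, modes, 2);
    fb_register(&fb1, modes, 2);
    console_bind_mode(0, &fb0, 0);
    console_bind_mode(1, &fb1, 1);
    int dangling = fb_unregister(&fb1, apply_fix);
    /* With the bug this walk would read fb1's freed modelist (the KASAN report above),
     * so the model only performs the lookup on the fixed path. */
    *in_use = apply_fix ? mode_in_use(&fb0.modelist[0]) : -1;
    free(fb0.modelist); /* plain teardown; no scan of possibly stale entries */
    return dangling;
}

static int dangling_refs(int apply_fix) { int u; return run_scenario(apply_fix, &u); }
static int lookup_after_fix(void) { int u; run_scenario(1, &u); return u; }

int main(void)
{
    printf("buggy unregister leaves %d dangling pointer(s)\n", dangling_refs(0));
    printf("fixed unregister leaves %d; lookup via fb0 returns %d\n",
           dangling_refs(1), lookup_after_fix());
    return 0;
}
```

The defensive point is the ownership mismatch: fb_display[] borrows pointers into memory that fb_info->modelist owns, so whichever code frees the owner must also clear the borrowers. The same scan-and-NULL discipline applies to any global registry that caches pointers into per-device allocations.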

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/40xxx/CVE-2025-40323.json"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Fixed
4ac18f0e6a6d599ca751c4cd98e522afc8e3d4eb
Fixed
468f78276a37f4c6499385a4ce28f4f57be6655d
Fixed
c079d42f70109512eee49123a843be91d8fa133f
Fixed
de89d19f4f30d9a8de87b9d08c1bd35cb70576d8
Fixed
a1f3058930745d2b938b6b4f5bd9630dc74b26b7

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-40323.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.6.12
Fixed
6.1.159
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.6.117
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.58
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.17.8

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-40323.json"