Dev news

Commit 2c1c805c65fb for kernel

commit 2c1c805c65fb7dc7524e20376d6987721e73a0b1
Author: Ian Bridges <icb@fastmail.org>
Date:   Thu Jun 25 23:50:48 2026 -0500

    fbdev: fix use-after-free in store_modes()

    store_modes() replaces a framebuffer's modelist with modes from userspace.
    On success it frees the old modelist with fb_destroy_modelist(). Two
    fields still point into that freed list.

    One pointer is fb_display[i].mode, the mode a console is using.
    fbcon_new_modelist() moves these pointers to the new list. It only does so
    for consoles still mapped to the framebuffer. An unmapped console is
    skipped and keeps its stale pointer. Unbinding fbcon, for example, sets
    con2fb_map[i] to -1 but leaves fb_display[i].mode set. An
    FBIOPUT_VSCREENINFO ioctl with FB_ACTIVATE_INV_MODE later reaches
    fbcon_mode_deleted(). That function reads the stale fb_display[i].mode
    through fb_mode_is_equal(). The read is a use-after-free.

    The other pointer is fb_info->mode, the current mode. It is set through
    the mode sysfs attribute. store_modes() does not update fb_info->mode, so
    it is left pointing into the freed list. show_mode(), the attribute's read
    handler, dereferences the stale fb_info->mode through mode_string(). The
    read is a use-after-free.

    Clear both pointers before freeing the list. Commit a1f305893074 ("fbcon:
    Set fb_display[i]->mode to NULL when the mode is released") added the
    helper fbcon_delete_modelist(). It clears every fb_display[i].mode that
    points into a given list. So far it is called only from the unregister
    path. Call it from store_modes() too, and set fb_info->mode to NULL.

    Reported-by: syzbot+81c7c6b52649fd07299d@syzkaller.appspotmail.com
    Closes: https://syzkaller.appspot.com/bug?extid=81c7c6b52649fd07299d
    Cc: stable@vger.kernel.org
    Link: https://lore.kernel.org/all/ajjoDhAi2y4ArSlz@dev/
    Assisted-by: Claude:claude-opus-4-8
    Signed-off-by: Ian Bridges <icb@fastmail.org>
    Signed-off-by: Helge Deller <deller@gmx.de>

diff --git a/drivers/video/fbdev/core/fbsysfs.c b/drivers/video/fbdev/core/fbsysfs.c
index d9743ef35355..ea196603c7a8 100644
--- a/drivers/video/fbdev/core/fbsysfs.c
+++ b/drivers/video/fbdev/core/fbsysfs.c
@@ -10,6 +10,7 @@
 #include <linux/major.h>

 #include "fb_internal.h"
+#include "fbcon.h"

 static int activate(struct fb_info *fb_info, struct fb_var_screeninfo *var)
 {
@@ -108,8 +109,15 @@ static ssize_t store_modes(struct device *device,
 	if (fb_new_modelist(fb_info)) {
 		fb_destroy_modelist(&fb_info->modelist);
 		list_splice(&old_list, &fb_info->modelist);
-	} else
+	} else {
+		/*
+		 * fb_display[i].mode and fb_info->mode both point into the old
+		 * list. Clear them before it is freed.
+		 */
+		fbcon_delete_modelist(&old_list);
+		fb_info->mode = NULL;
 		fb_destroy_modelist(&old_list);
+	}

 	unlock_fb_info(fb_info);
 	console_unlock();