In the Linux kernel, the following vulnerability has been resolved:
fbmem: Do not delete the mode that is still in use
The execution of fb_delete_videomode() is not based on the result of the previous fbcon_mode_deleted(). As a result, the mode is directly deleted, regardless of whether it is still in use, which may cause UAF.
==================================================================
BUG: KASAN: use-after-free in fb_mode_is_equal+0x36e/0x5e0 \
drivers/video/fbdev/core/modedb.c:924
Read of size 4 at addr ffff88807e0ddb1c by task syz-executor.0/18962

CPU: 2 PID: 18962 Comm: syz-executor.0 Not tainted 5.10.45-rc1+ #3
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ...
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x137/0x1be lib/dump_stack.c:118
 print_address_description+0x6c/0x640 mm/kasan/report.c:385
 __kasan_report mm/kasan/report.c:545 [inline]
 kasan_report+0x13d/0x1e0 mm/kasan/report.c:562
 fb_mode_is_equal+0x36e/0x5e0 drivers/video/fbdev/core/modedb.c:924
 fbcon_mode_deleted+0x16a/0x220 drivers/video/fbdev/core/fbcon.c:2746
 fb_set_var+0x1e1/0xdb0 drivers/video/fbdev/core/fbmem.c:975
 do_fb_ioctl+0x4d9/0x6e0 drivers/video/fbdev/core/fbmem.c:1108
 vfs_ioctl fs/ioctl.c:48 [inline]
 __do_sys_ioctl fs/ioctl.c:753 [inline]
 __se_sys_ioctl+0xfb/0x170 fs/ioctl.c:739
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

Freed by task 18960:
 kasan_save_stack mm/kasan/common.c:48 [inline]
 kasan_set_track+0x3d/0x70 mm/kasan/common.c:56
 kasan_set_free_info+0x17/0x30 mm/kasan/generic.c:355
 __kasan_slab_free+0x108/0x140 mm/kasan/common.c:422
 slab_free_hook mm/slub.c:1541 [inline]
 slab_free_freelist_hook+0xd6/0x1a0 mm/slub.c:1574
 slab_free mm/slub.c:3139 [inline]
 kfree+0xca/0x3d0 mm/slub.c:4121
 fb_delete_videomode+0x56a/0x820 drivers/video/fbdev/core/modedb.c:1104
 fb_set_var+0x1f3/0xdb0 drivers/video/fbdev/core/fbmem.c:978
 do_fb_ioctl+0x4d9/0x6e0 drivers/video/fbdev/core/fbmem.c:1108
 vfs_ioctl fs/ioctl.c:48 [inline]
 __do_sys_ioctl fs/ioctl.c:753 [inline]
 __se_sys_ioctl+0xfb/0x170 fs/ioctl.c:739
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
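
The pattern described above, as an added userspace model that is not the kernel's code or the actual patch: an in-use check whose result is ignored before an entry is freed, next to the form that lets the check gate the delete. All struct and function names are hypothetical, and a single `con_mode` pointer stands in for the console's reference to a mode-list entry.

```c
#include <stdlib.h>

/* Userspace model of the bug class; every name here is hypothetical. */
struct mode { int xres, yres; struct mode *next; };
struct fb {
    struct mode *modelist;        /* list that owns the mode entries */
    const struct mode *con_mode;  /* entry a console still points at, or NULL */
};

static struct mode *add_mode(struct fb *fb, int x, int y)
{
    struct mode *m = malloc(sizeof(*m));
    if (!m)
        return NULL;
    m->xres = x; m->yres = y; m->next = fb->modelist;
    fb->modelist = m;
    return m;
}

/* In-use check: nonzero when a console still displays mode x*y. */
static int mode_in_use(const struct fb *fb, int x, int y)
{
    return fb->con_mode && fb->con_mode->xres == x && fb->con_mode->yres == y;
}

/* Unlink and free every entry equal to x*y; returns how many entries remain. */
static int delete_mode(struct fb *fb, int x, int y)
{
    int left = 0;
    struct mode **pp = &fb->modelist;
    while (*pp) {
        struct mode *cur = *pp;
        if (cur->xres == x && cur->yres == y) { *pp = cur->next; free(cur); }
        else { left++; pp = &cur->next; }
    }
    return left;
}

/* Flawed pattern: the check runs, but its result does not gate the delete. */
static int remove_mode_unchecked(struct fb *fb, int x, int y)
{
    (void)mode_in_use(fb, x, y);
    return delete_mode(fb, x, y);   /* fb->con_mode may now dangle */
}

/* Corrected pattern: refuse (-1) while the mode is in use, else delete. */
static int remove_mode_checked(struct fb *fb, int x, int y)
{
    return mode_in_use(fb, x, y) ? -1 : delete_mode(fb, x, y);
}
```

After `remove_mode_unchecked()` frees an in-use entry, any later read through `con_mode` is the kind of access the KASAN report above flags.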