From: Daniel Hodges <git@danielhodges.dev>
To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Jiri Slaby <jirislaby@kernel.org>
Cc: linux-kernel@vger.kernel.org, linux-serial@vger.kernel.org,
Daniel Hodges <git@danielhodges.dev>,
syzbot+c3693b491545af43db87@syzkaller.appspotmail.com,
syzbot+03f79366754268a0f20c@syzkaller.appspotmail.com
Subject: [PATCH] vt: keyboard: add NULL check for vc_cons[fg_console].d in kbd_keycode and kbd_rawcode
Date: Sat, 7 Feb 2026 19:31:12 -0500 [thread overview]
Message-ID: <20260208003112.6040-1-git@danielhodges.dev> (raw)
kbd_keycode() and kbd_rawcode() dereference vc_cons[fg_console].d
without checking if it is NULL. The foreground console should normally
always be allocated, but there could be a time during console setup or
teardown where this pointer could be NULL, leading to a general
protection fault.
Syzkaller triggers this by injecting USB HID input events that reach
kbd_event() while the console state may not be fully consistent. The crash
manifests as a null-ptr-deref in __queue_work when put_queue() or
puts_queue() calls tty_flip_buffer_push() on the uninitialized vc port.
Add a NULL check for vc at the start of both kbd_rawcode() and
kbd_keycode() to bail out early if the foreground console is not allocated.
Reported-by: syzbot+c3693b491545af43db87@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=c3693b491545af43db87
Reported-by: syzbot+03f79366754268a0f20c@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=03f79366754268a0f20c
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Daniel Hodges <git@danielhodges.dev>
---
drivers/tty/vt/keyboard.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/drivers/tty/vt/keyboard.c b/drivers/tty/vt/keyboard.c
index a2116e135a82..975830013d24 100644
--- a/drivers/tty/vt/keyboard.c
+++ b/drivers/tty/vt/keyboard.c
@@ -1389,6 +1389,9 @@ static void kbd_rawcode(unsigned char data)
{
struct vc_data *vc = vc_cons[fg_console].d;
+ if (!vc)
+ return;
+
kbd = &kbd_table[vc->vc_num];
if (kbd->kbdmode == VC_RAW)
put_queue(vc, data);
@@ -1405,6 +1408,9 @@ static void kbd_keycode(unsigned int keycode, int down, bool hw_raw)
struct keyboard_notifier_param param = { .vc = vc, .value = keycode, .down = down };
int rc;
+ if (!vc)
+ return;
+
tty = vc->port.tty;
if (tty && (!tty->driver_data)) {
--
2.52.0
next reply other threads:[~2026-02-08 0:31 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-02-08 0:31 Daniel Hodges [this message]
2026-03-12 14:22 ` [PATCH] vt: keyboard: add NULL check for vc_cons[fg_console].d in kbd_keycode and kbd_rawcode Greg Kroah-Hartman
2026-03-13 18:54 ` Daniel Hodges
2026-03-30 15:32 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260208003112.6040-1-git@danielhodges.dev \
--to=git@danielhodges.dev \
--cc=gregkh@linuxfoundation.org \
--cc=jirislaby@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-serial@vger.kernel.org \
--cc=syzbot+03f79366754268a0f20c@syzkaller.appspotmail.com \
--cc=syzbot+c3693b491545af43db87@syzkaller.appspotmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.