From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: Daniel Hodges <git@danielhodges.dev>
Cc: Jiri Slaby <jirislaby@kernel.org>,
linux-kernel@vger.kernel.org, linux-serial@vger.kernel.org,
syzbot+c3693b491545af43db87@syzkaller.appspotmail.com,
syzbot+03f79366754268a0f20c@syzkaller.appspotmail.com
Subject: Re: [PATCH] vt: keyboard: add NULL check for vc_cons[fg_console].d in kbd_keycode and kbd_rawcode
Date: Thu, 12 Mar 2026 15:22:09 +0100 [thread overview]
Message-ID: <2026031236-unfold-repurpose-52e6@gregkh> (raw)
In-Reply-To: <20260208003112.6040-1-git@danielhodges.dev>
On Sat, Feb 07, 2026 at 07:31:12PM -0500, Daniel Hodges wrote:
> kbd_keycode() and kbd_rawcode() dereference vc_cons[fg_console].d
> without checking if it is NULL. The foreground console should normally
> always be allocated, but there could be a time during console setup or
> teardown where this pointer could be NULL, leading to a general
> protection fault.
>
> Syzkaller triggers this by injecting USB HID input events that reach
> kbd_event() while the console state may not be fully consistent. The crash
> manifests as a null-ptr-deref in __queue_work when put_queue() or
> puts_queue() calls tty_flip_buffer_push() on the uninitialized vc port.
>
> Add a NULL check for vc at the start of both kbd_rawcode() and
> kbd_keycode() to bail out early if the foreground console is not allocated.
>
> Reported-by: syzbot+c3693b491545af43db87@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=c3693b491545af43db87
> Reported-by: syzbot+03f79366754268a0f20c@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=03f79366754268a0f20c
> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> Signed-off-by: Daniel Hodges <git@danielhodges.dev>
> ---
> drivers/tty/vt/keyboard.c | 6 ++++++
> 1 file changed, 6 insertions(+)
>
> diff --git a/drivers/tty/vt/keyboard.c b/drivers/tty/vt/keyboard.c
> index a2116e135a82..975830013d24 100644
> --- a/drivers/tty/vt/keyboard.c
> +++ b/drivers/tty/vt/keyboard.c
> @@ -1389,6 +1389,9 @@ static void kbd_rawcode(unsigned char data)
> {
> struct vc_data *vc = vc_cons[fg_console].d;
>
> + if (!vc)
> + return;
> +
What prevents vc from being NULL right after checking this?
> kbd = &kbd_table[vc->vc_num];
> if (kbd->kbdmode == VC_RAW)
> put_queue(vc, data);
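Review bot: the NULL check on the local `vc` does not close the window it is meant to close, because `vc = vc_cons[fg_console].d` is read once without any lock and then dereferenced in `kbd = &kbd_table[vc->vc_num]` and `put_queue(vc, data)` a few lines later. The check only proves the pointer was non-NULL at the instant of the read; nothing in this hunk keeps the console from being freed (or `fg_console` from changing) between the check and the use, so the same crash can still happen with a slightly different timing. The fix should state which lock is held on this path, or take it (console_lock() is what the rest of the vt code uses to protect vc_cons) around the read and the use, and the commit message should explain why that lock is sufficient rather than describing the window as something that "could" happen during setup or teardown.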
> @@ -1405,6 +1408,9 @@ static void kbd_keycode(unsigned int keycode, int down, bool hw_raw)
> struct keyboard_notifier_param param = { .vc = vc, .value = keycode, .down = down };
> int rc;
>
> + if (!vc)
> + return;
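Review bot: same unlocked check-then-use as in kbd_rawcode(): `param` is initialised with `.vc = vc` above and `vc` is used for the rest of the function, so an `if (!vc) return;` here only guards against a pointer that was already NULL when it was read, not against one that becomes stale while this function runs. Beyond the locking, the silent `return` discards the keycode with no trace; since syzbot reached this state and it is supposed to be impossible in normal operation, a `WARN_ON_ONCE(!vc)` before the bail-out (or a comment explaining why a quiet drop is correct) would make the inconsistent console state visible instead of hiding it.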
Same here, where is the locking?
thanks,
greg k-h
Thread overview: 4+ messages
2026-02-08 0:31 [PATCH] vt: keyboard: add NULL check for vc_cons[fg_console].d in kbd_keycode and kbd_rawcode Daniel Hodges
2026-03-12 14:22 ` Greg Kroah-Hartman [this message]
2026-03-13 18:54 ` Daniel Hodges
2026-03-30 15:32 ` Greg Kroah-Hartman