[PATCH] vc_screen: fix null-ptr-deref in vcs_notifier() during concurrent vcs_write

Next message: Jim Mattson: "Re: [PATCH 0/2] KVM: nVMX: Fix ept=n bugs where KVM runs L2 with guest CR3"
Previous message: Vishnu Reddy: "Re: [PATCH v2 2/4] media: dt-bindings: qcom,qcm2290-venus: add Venus on SM6115"
Next in thread: Jiri Slaby: "Re: [PATCH] vc_screen: fix null-ptr-deref in vcs_notifier() during concurrent vcs_write"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Yi Yang

Date: Thu Jun 04 2026 - 02:22:58 EST

A KASAN null-ptr-deref was observed in vcs_notifier():

BUG: KASAN: null-ptr-deref in vcs_notifier+0x98/0x130
Read of size 2 at addr qmp_cmd_name: qmp_capabilities, arguments: {}

The issue is a race condition in vcs_write(). When the console_lock is
temporarily dropped (to copy data from userspace), the vc_data pointer
obtained from vcs_vc() may become stale. After re-acquiring the lock,
vcs_vc() is called again to re-validate the pointer. If the vc has been
deallocated in the meantime, vcs_vc() returns NULL, and the while loop
breaks (with written > 0). However, after the loop, vcs_scr_updated(vc)
is still called with the now-NULL vc pointer, leading to a null pointer
dereference in the notifier chain (vcs_notifier dereferences param->vc).

Fix this by adding a NULL check for vc before calling vcs_scr_updated().

Fixes: 8fb9ea65c9d1 ("vc_screen: reload load of struct vc_data pointer in vcs_write() to avoid UAF")
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Yi Yang <yiyang13@xxxxxxxxxx>
---
drivers/tty/vt/vc_screen.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/tty/vt/vc_screen.c b/drivers/tty/vt/vc_screen.c
index 4d2d46c95fef..7d40eacc21b3 100644
--- a/drivers/tty/vt/vc_screen.c
+++ b/drivers/tty/vt/vc_screen.c
@@ -686,7 +686,7 @@ vcs_write(struct file *file, const char __user *buf, size_t count, loff_t *ppos)
}
*ppos += written;
ret = written;
- if (written)
+ if (written && vc)
vcs_scr_updated(vc);

return ret;
--
2.25.1