Re: [PATCH] tty: vt: hold tty reference for keyboard callbacks

Next message: Uwe Kleine-K&#xF6;nig (The Capable Hub): "Re: [PATCH v3] serial: 8250_pci: Consistently define pci_device_ids using named initializers"
Previous message: Aboorva Devarajan: "Re: [PATCH 2/3] powerpc/powernv: fix preempt count leak in pnv_kexec_wait_secondaries_down"
In reply to: Morduan Zang: "[PATCH] tty: vt: hold tty reference for keyboard callbacks"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Jiri Slaby

Date: Wed Jun 03 2026 - 02:12:49 EST

On 02. 06. 26, 8:15, Morduan Zang wrote:

From: Zhan Jun <zhanjun@xxxxxxxxxxxxx>

syzbot reported a use-after-free in stop_tty() when the VT
keyboard path handles the hold key.

The keyboard event path reads vc->port.tty under kbd_event_lock,
but con_shutdown() clears the pointer under console_lock and the tty
can be released after the final close. The keyboard lock therefore
does not protect the tty lifetime.

Let the VT port own a tty reference by using tty_port_tty_set() when
installing and shutting down the console tty. Use tty_port_tty_get()
in the keyboard paths before dereferencing vc->port.tty and drop the
reference after the last use.

Reported-by: syzbot+2932e8970a6398db95c3@xxxxxxxxxxxxxxxxxxxxxxxxx
Closes: https://lore.kernel.org/all/6a1dde0d.bd48a97d.14881d.0005.GAE@xxxxxxxxxx/
Signed-off-by: Zhan Jun <zhanjun@xxxxxxxxxxxxx>
---
drivers/tty/vt/keyboard.c | 17 ++++++++++++-----
drivers/tty/vt/vt.c | 4 ++--
2 files changed, 14 insertions(+), 7 deletions(-)

diff --git a/drivers/tty/vt/keyboard.c b/drivers/tty/vt/keyboard.c
index dfdea0842149..19f8df9706ee 100644
--- a/drivers/tty/vt/keyboard.c
+++ b/drivers/tty/vt/keyboard.c
@@ -509,9 +509,13 @@ static void fn_show_ptregs(struct vc_data *vc)
static void fn_hold(struct vc_data *vc)
{
- struct tty_struct *tty = vc->port.tty;
+ struct tty_struct *tty;
+
+ if (rep)
+ return;
- if (rep || !tty)
+ tty = tty_port_tty_get(&vc->port);

We have guards (tty_port_tty) and you should use those.

thanks,
--
js
suse labs