5.10-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 25 Jun 2026 12:53:19 +0000 (13:53 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 25 Jun 2026 12:53:19 +0000 (13:53 +0100)
added patches:
input-rmi4-fix-bit-count-in-bitmap_copy.patch
input-rmi4-fix-memory-leak-in-rmi_set_attn_data.patch
input-rmi4-fix-num_subpackets-overflow-in-register-descriptor.patch
input-rmi4-fix-register-descriptor-address-calculation.patch
input-rmi4-fix-type-overflow-in-register-counts.patch
input-rmi4-iterative-irq-handler.patch
media-vidtv-fix-null-pointer-dereference-in-vidtv_mux_push_si.patch
vc_screen-fix-null-ptr-deref-in-vcs_notifier-during-concurrent-vcs_write.patch

queue-5.10/input-rmi4-fix-bit-count-in-bitmap_copy.patch [new file with mode: 0644]
queue-5.10/input-rmi4-fix-memory-leak-in-rmi_set_attn_data.patch [new file with mode: 0644]
queue-5.10/input-rmi4-fix-num_subpackets-overflow-in-register-descriptor.patch [new file with mode: 0644]
queue-5.10/input-rmi4-fix-register-descriptor-address-calculation.patch [new file with mode: 0644]
queue-5.10/input-rmi4-fix-type-overflow-in-register-counts.patch [new file with mode: 0644]
queue-5.10/input-rmi4-iterative-irq-handler.patch [new file with mode: 0644]
queue-5.10/media-vidtv-fix-null-pointer-dereference-in-vidtv_mux_push_si.patch [new file with mode: 0644]
queue-5.10/series
queue-5.10/vc_screen-fix-null-ptr-deref-in-vcs_notifier-during-concurrent-vcs_write.patch [new file with mode: 0644]

diff --git a/queue-5.10/input-rmi4-fix-bit-count-in-bitmap_copy.patch b/queue-5.10/input-rmi4-fix-bit-count-in-bitmap_copy.patch
new file mode 100644 (file)
index 0000000..0177932
--- /dev/null
@@ -0,0 +1,47 @@
+From f22dbbcbd1f70ed004a7bf8837e0f0c3cc230b78 Mon Sep 17 00:00:00 2001
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Date: Mon, 4 May 2026 21:59:37 -0700
+Subject: Input: rmi4 - fix bit count in bitmap_copy()
+
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+
+commit f22dbbcbd1f70ed004a7bf8837e0f0c3cc230b78 upstream.
+
+bitmap_copy() takes number of bits, not bytes (or longs). Correct
+the bit count in rmi_driver_set_irq_bits() and
+rmi_driver_clear_irq_bits().
+
+Fixes: 2b6a321da9a2 ("Input: synaptics-rmi4 - add support for Synaptics RMI4 devices")
+Cc: stable@vger.kernel.org
+Assisted-by: Gemini:gemini-3.1-pro
+Link: https://patch.msgid.link/20260505045952.1570713-7-dmitry.torokhov@gmail.com
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/input/rmi4/rmi_driver.c |    7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+--- a/drivers/input/rmi4/rmi_driver.c
++++ b/drivers/input/rmi4/rmi_driver.c
+@@ -386,9 +386,8 @@ static int rmi_driver_set_irq_bits(struc
+                                                       __func__);
+               goto error_unlock;
+       }
+-      bitmap_copy(data->current_irq_mask, data->new_irq_mask,
+-                  data->num_of_irq_regs);
++      bitmap_copy(data->current_irq_mask, data->new_irq_mask, data->irq_count);
+       bitmap_or(data->fn_irq_bits, data->fn_irq_bits, mask, data->irq_count);
+ error_unlock:
+@@ -417,8 +416,8 @@ static int rmi_driver_clear_irq_bits(str
+                                                       __func__);
+               goto error_unlock;
+       }
+-      bitmap_copy(data->current_irq_mask, data->new_irq_mask,
+-                  data->num_of_irq_regs);
++
++      bitmap_copy(data->current_irq_mask, data->new_irq_mask, data->irq_count);
+ error_unlock:
+       mutex_unlock(&data->irq_mutex);
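Review bot: The blank line added on the `+` line just before the second bitmap_copy() call (in rmi_driver_clear_irq_bits) is an unrelated whitespace change: the matching hunk in rmi_driver_set_irq_bits did not add one, so the two sibling functions now differ in layout for no reason. Drop it so the clear path reads `}` / `bitmap_copy(data->current_irq_mask, data->new_irq_mask, data->irq_count);` exactly like the set path. The bitmap_or() context line already passes data->irq_count, which confirms that irq_count is the unit the bitmap helpers expect here; whether any other caller still passes num_of_irq_regs to a bitmap helper cannot be seen from this hunk. Both functions begin and end outside the hunk.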
diff --git a/queue-5.10/input-rmi4-fix-memory-leak-in-rmi_set_attn_data.patch b/queue-5.10/input-rmi4-fix-memory-leak-in-rmi_set_attn_data.patch
new file mode 100644 (file)
index 0000000..4542767
--- /dev/null
@@ -0,0 +1,37 @@
+From a55a683a8e2bddb5467baab3e597a93022d4ee05 Mon Sep 17 00:00:00 2001
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Date: Mon, 4 May 2026 21:59:35 -0700
+Subject: Input: rmi4 - fix memory leak in rmi_set_attn_data()
+
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+
+commit a55a683a8e2bddb5467baab3e597a93022d4ee05 upstream.
+
+kfifo_put() returns 0 if the FIFO is full. In this case, we must
+free the memory allocated for the attention data to avoid a leak.
+
+Fixes: b908d3cd812a ("Input: synaptics-rmi4 - allow to add attention data")
+Cc: stable@vger.kernel.org
+Assisted-by: Gemini:gemini-3.1-pro
+Link: https://patch.msgid.link/20260505045952.1570713-5-dmitry.torokhov@gmail.com
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/input/rmi4/rmi_driver.c |    6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/input/rmi4/rmi_driver.c
++++ b/drivers/input/rmi4/rmi_driver.c
+@@ -181,7 +181,11 @@ void rmi_set_attn_data(struct rmi_device
+       attn_data.size = size;
+       attn_data.data = fifo_data;
+-      kfifo_put(&drvdata->attn_fifo, attn_data);
++      if (!kfifo_put(&drvdata->attn_fifo, attn_data)) {
++              dev_warn_ratelimited(&rmi_dev->dev,
++                                   "Failed to enqueue attention data, FIFO full\n");
++              kfree(fifo_data);
++      }
+ }
+ EXPORT_SYMBOL_GPL(rmi_set_attn_data);
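Review bot: The new failure branch drops the attention event after logging, and nothing tells the caller: rmi_set_attn_data() is void (its signature is above the hunk), so a transport that fills the FIFO loses that interrupt status with only the ratelimited warning as a trace. A comment above the `if (!kfifo_put(&drvdata->attn_fifo, attn_data)) {` line would make the policy explicit, e.g. `/* FIFO full: the event is dropped; free our copy so it does not leak */`. The kfree(fifo_data) releases the same pointer stored in attn_data.data, which is the right object since the element was never copied into the FIFO; where fifo_data was allocated is outside the hunk.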
diff --git a/queue-5.10/input-rmi4-fix-num_subpackets-overflow-in-register-descriptor.patch b/queue-5.10/input-rmi4-fix-num_subpackets-overflow-in-register-descriptor.patch
new file mode 100644 (file)
index 0000000..ab13f8e
--- /dev/null
@@ -0,0 +1,53 @@
+From 2b4b482d5c4c23c668b998a7da985aea0fa4a978 Mon Sep 17 00:00:00 2001
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Date: Mon, 4 May 2026 21:59:34 -0700
+Subject: Input: rmi4 - fix num_subpackets overflow in register descriptor
+
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+
+commit 2b4b482d5c4c23c668b998a7da985aea0fa4a978 upstream.
+
+RMI_REG_DESC_SUBPACKET_BITS is defined as 296 (37 * BITS_PER_BYTE). This
+may overflow num_subpackets in struct rmi_register_desc_item which is
+defined as a u8.
+
+Fix this by changing the type of num_subpackets to u16.
+
+Fixes: 2b6a321da9a2 ("Input: synaptics-rmi4 - add support for Synaptics RMI4 devices")
+Cc: stable@vger.kernel.org
+Assisted-by: Gemini:gemini-3.1-pro
+Link: https://patch.msgid.link/20260505045952.1570713-4-dmitry.torokhov@gmail.com
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/input/rmi4/rmi_driver.h |    2 +-
+ drivers/input/rmi4/rmi_f12.c    |    7 +++++++
+ 2 files changed, 8 insertions(+), 1 deletion(-)
+
+--- a/drivers/input/rmi4/rmi_driver.h
++++ b/drivers/input/rmi4/rmi_driver.h
+@@ -53,7 +53,7 @@ struct pdt_entry {
+ struct rmi_register_desc_item {
+       u16 reg;
+       unsigned long reg_size;
+-      u8 num_subpackets;
++      u16 num_subpackets;
+       unsigned long subpacket_map[BITS_TO_LONGS(
+                               RMI_REG_DESC_SUBPACKET_BITS)];
+ };
+--- a/drivers/input/rmi4/rmi_f12.c
++++ b/drivers/input/rmi4/rmi_f12.c
+@@ -444,6 +444,13 @@ static int rmi_f12_probe(struct rmi_func
+               f12->data1 = item;
+               f12->data1_offset = data_offset;
+               data_offset += item->reg_size;
++
++              if (item->num_subpackets > 255) {
++                      dev_err(&fn->dev, "Too many fingers declared: %d\n",
++                              item->num_subpackets);
++                      return -EINVAL;
++              }
++
+               sensor->nbr_fingers = item->num_subpackets;
+               sensor->report_abs = 1;
+               sensor->attn_size += item->reg_size;
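Review bot: The bound in `if (item->num_subpackets > 255) {` is a magic number that presumably mirrors the width of sensor->nbr_fingers (declared outside the hunk); expressing it in terms of that field, `if (item->num_subpackets > U8_MAX) {`, or adding `/* nbr_fingers is a u8 */`, keeps the check from drifting if the field type ever changes. Now that num_subpackets is a u16, any other reader of the field outside this patch that copies it into a u8 or walks it with a u8 index has the same truncation problem as the one fixed here and should be audited. The `%d` conversion of a u16 is fine because of integer promotion. rmi_f12_probe continues beyond the hunk.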
diff --git a/queue-5.10/input-rmi4-fix-register-descriptor-address-calculation.patch b/queue-5.10/input-rmi4-fix-register-descriptor-address-calculation.patch
new file mode 100644 (file)
index 0000000..8c138b2
--- /dev/null
@@ -0,0 +1,40 @@
+From a98518e72439fd42cbfe641c2896543cb088e3d1 Mon Sep 17 00:00:00 2001
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Date: Mon, 4 May 2026 21:59:31 -0700
+Subject: Input: rmi4 - fix register descriptor address calculation
+
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+
+commit a98518e72439fd42cbfe641c2896543cb088e3d1 upstream.
+
+When reading the register descriptor, the base address is incremented by
+1 to read the presence register block. However, after reading the
+presence register block, the address is incorrectly incremented by only
+1 byte (++addr) instead of the actual size of the presence block
+(size_presence_reg). This causes the subsequent structure block read to
+read from the wrong memory location if the presence block is larger than
+1 byte.
+
+Fix this by advancing the address by size_presence_reg.
+
+Fixes: 2b6a321da9a2 ("Input: synaptics-rmi4 - add support for Synaptics RMI4 devices")
+Cc: stable@vger.kernel.org
+Assisted-by: Gemini:gemini-3.1-pro
+Link: https://patch.msgid.link/20260505045952.1570713-1-dmitry.torokhov@gmail.com
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/input/rmi4/rmi_driver.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/input/rmi4/rmi_driver.c
++++ b/drivers/input/rmi4/rmi_driver.c
+@@ -593,7 +593,7 @@ int rmi_read_register_desc(struct rmi_de
+       ret = rmi_read_block(d, addr, buf, size_presence_reg);
+       if (ret)
+               return ret;
+-      ++addr;
++      addr += size_presence_reg;
+       if (buf[0] == 0) {
+               presense_offset = 3;
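Review bot: `addr += size_presence_reg;` now advances the register address by a device-supplied length instead of a constant 1, so whatever validation size_presence_reg received earlier in rmi_read_register_desc() (outside the hunk) is what keeps the following structure-block read inside the expected register window on a malformed descriptor; if addr is a 16-bit register address the addition can also wrap. A comment on that line stating the dependency, e.g. `/* relies on size_presence_reg having been validated above -- confirm */`, would record the invariant for the next reader. The surrounding function starts and ends outside the hunk.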
diff --git a/queue-5.10/input-rmi4-fix-type-overflow-in-register-counts.patch b/queue-5.10/input-rmi4-fix-type-overflow-in-register-counts.patch
new file mode 100644 (file)
index 0000000..0c40092
--- /dev/null
@@ -0,0 +1,39 @@
+From a0a87e441238e07c5f7e3de133ef77a9d4229f01 Mon Sep 17 00:00:00 2001
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Date: Mon, 4 May 2026 21:59:33 -0700
+Subject: Input: rmi4 - fix type overflow in register counts
+
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+
+commit a0a87e441238e07c5f7e3de133ef77a9d4229f01 upstream.
+
+The number of registers in the RMI4 register descriptor is populated
+by counting the bits in the presence map using bitmap_weight(). Since
+the presence map can contain up to 256 bits (RMI_REG_DESC_PRESENSE_BITS),
+storing this count in a u8 can overflow to 0 if all 256 bits are set.
+
+Change the num_registers field in struct rmi_register_descriptor
+from u8 to u16 to prevent potential integer overflow and ensure safe
+processing of devices reporting large descriptors.
+
+Fixes: 2b6a321da9a2 ("Input: synaptics-rmi4 - add support for Synaptics RMI4 devices")
+Cc: stable@vger.kernel.org
+Assisted-by: Gemini:gemini-3.1-pro
+Link: https://patch.msgid.link/20260505045952.1570713-3-dmitry.torokhov@gmail.com
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/input/rmi4/rmi_driver.h |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/input/rmi4/rmi_driver.h
++++ b/drivers/input/rmi4/rmi_driver.h
+@@ -65,7 +65,7 @@ struct rmi_register_desc_item {
+ struct rmi_register_descriptor {
+       unsigned long struct_size;
+       unsigned long presense_map[BITS_TO_LONGS(RMI_REG_DESC_PRESENSE_BITS)];
+-      u8 num_registers;
++      u16 num_registers;
+       struct rmi_register_desc_item *registers;
+ };
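Review bot: Widening num_registers to u16 fixes the field, but every consumer outside this hunk that iterates `for (i = 0; i < desc->num_registers; i++)` or copies the count must use an index at least as wide: a u8 loop counter compared against 256 never terminates, which is the mirror image of the overflow fixed here. The same audit applies to num_subpackets, widened in input-rmi4-fix-num_subpackets-overflow-in-register-descriptor.patch above. A comment on the field, `u16 num_registers; /* up to RMI_REG_DESC_PRESENSE_BITS entries, so wider than u8 */`, would record why it is not a u8.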
diff --git a/queue-5.10/input-rmi4-iterative-irq-handler.patch b/queue-5.10/input-rmi4-iterative-irq-handler.patch
new file mode 100644 (file)
index 0000000..bed47cf
--- /dev/null
@@ -0,0 +1,66 @@
+From b6ca982afd0e8fbcbb340092d3c6d3b4a217686c Mon Sep 17 00:00:00 2001
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Date: Mon, 4 May 2026 21:59:36 -0700
+Subject: Input: rmi4 - iterative IRQ handler
+
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+
+commit b6ca982afd0e8fbcbb340092d3c6d3b4a217686c upstream.
+
+The current IRQ handler uses recursion to drain the attention FIFO,
+which can lead to stack overflow on deep queues. Convert it to a
+loop.
+
+Fixes: b908d3cd812a ("Input: synaptics-rmi4 - allow to add attention data")
+Cc: stable@vger.kernel.org
+Assisted-by: Gemini:gemini-3.1-pro
+Link: https://patch.msgid.link/20260505045952.1570713-6-dmitry.torokhov@gmail.com
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/input/rmi4/rmi_driver.c |   32 ++++++++++++++++----------------
+ 1 file changed, 16 insertions(+), 16 deletions(-)
+
+--- a/drivers/input/rmi4/rmi_driver.c
++++ b/drivers/input/rmi4/rmi_driver.c
+@@ -196,24 +196,24 @@ static irqreturn_t rmi_irq_fn(int irq, v
+       struct rmi4_attn_data attn_data = {0};
+       int ret, count;
+-      count = kfifo_get(&drvdata->attn_fifo, &attn_data);
+-      if (count) {
+-              *(drvdata->irq_status) = attn_data.irq_status;
+-              drvdata->attn_data = attn_data;
+-      }
++      do {
++              count = kfifo_get(&drvdata->attn_fifo, &attn_data);
++              if (count) {
++                      *drvdata->irq_status = attn_data.irq_status;
++                      drvdata->attn_data = attn_data;
++              }
+-      ret = rmi_process_interrupt_requests(rmi_dev);
+-      if (ret)
+-              rmi_dbg(RMI_DEBUG_CORE, &rmi_dev->dev,
+-                      "Failed to process interrupt request: %d\n", ret);
++              ret = rmi_process_interrupt_requests(rmi_dev);
++              if (ret)
++                      rmi_dbg(RMI_DEBUG_CORE, &rmi_dev->dev,
++                              "Failed to process interrupt request: %d\n",
++                              ret);
+-      if (count) {
+-              kfree(attn_data.data);
+-              drvdata->attn_data.data = NULL;
+-      }
+-
+-      if (!kfifo_is_empty(&drvdata->attn_fifo))
+-              return rmi_irq_fn(irq, dev_id);
++              if (count) {
++                      kfree(attn_data.data);
++                      drvdata->attn_data.data = NULL;
++              }
++      } while (!kfifo_is_empty(&drvdata->attn_fifo));
+       return IRQ_HANDLED;
+ }
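Review bot: The loop closed by `} while (!kfifo_is_empty(&drvdata->attn_fifo));` has no iteration bound, so a producer that keeps calling rmi_set_attn_data() as fast as the handler drains the FIFO keeps rmi_irq_fn() in this loop indefinitely; the recursion it replaces had the same property, so the patch trades a stack overflow for a possible livelock rather than removing the concern. That is worth stating in a comment, e.g. `/* drain everything queued while we ran; a busy producer can keep us here */`, or bounding the loop by the FIFO size. Note also that the first iteration still calls rmi_process_interrupt_requests() when count is 0, preserving the old behaviour for hardware-originated interrupts. The handler's preamble is outside the hunk.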
diff --git a/queue-5.10/media-vidtv-fix-null-pointer-dereference-in-vidtv_mux_push_si.patch b/queue-5.10/media-vidtv-fix-null-pointer-dereference-in-vidtv_mux_push_si.patch
new file mode 100644 (file)
index 0000000..d508767
--- /dev/null
@@ -0,0 +1,81 @@
+From 7d8bf3d8f91073f4db347ed3aa6302b56107499c Mon Sep 17 00:00:00 2001
+From: Ruslan Valiyev <linuxoid@gmail.com>
+Date: Tue, 17 Mar 2026 17:05:44 +0000
+Subject: media: vidtv: fix NULL pointer dereference in vidtv_mux_push_si
+
+From: Ruslan Valiyev <linuxoid@gmail.com>
+
+commit 7d8bf3d8f91073f4db347ed3aa6302b56107499c upstream.
+
+syzbot reported a general protection fault in
+vidtv_psi_ts_psi_write_into [1].
+
+vidtv_mux_get_pid_ctx() can return NULL, but vidtv_mux_push_si() does
+not check for this before dereferencing the returned pointer to access
+the continuity counter. This leads to a general protection fault when
+accessing a near-NULL address.
+
+The root cause is that vidtv_mux_pid_ctx_init() does not check the
+return value of vidtv_mux_create_pid_ctx_once() for PMT section PIDs.
+If the allocation fails, the PID context is never created, but init
+returns success. The subsequent vidtv_mux_push_si() call then gets
+NULL from vidtv_mux_get_pid_ctx() and crashes.
+
+Fix both the root cause (add error check in vidtv_mux_pid_ctx_init
+for PMT PIDs) and add defensive NULL checks in vidtv_mux_push_si for
+all vidtv_mux_get_pid_ctx() calls.
+
+[1]
+Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN PTI
+KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
+Workqueue: events vidtv_mux_tick
+RIP: 0010:vidtv_psi_ts_psi_write_into+0x54a/0xbc0 drivers/media/test-drivers/vidtv/vidtv_psi.c:197
+Call Trace:
+ <TASK>
+ vidtv_psi_table_header_write_into drivers/media/test-drivers/vidtv/vidtv_psi.c:799 [inline]
+ vidtv_psi_pmt_write_into+0x3b2/0xa70 drivers/media/test-drivers/vidtv/vidtv_psi.c:1231
+ vidtv_mux_push_si+0x932/0xe80 drivers/media/test-drivers/vidtv/vidtv_mux.c:196
+ vidtv_mux_tick+0xe9b/0x1480 drivers/media/test-drivers/vidtv/vidtv_mux.c:408
+
+Fixes: f90cf6079bf67 ("media: vidtv: add a bridge driver")
+Cc: stable@vger.kernel.org
+Reported-by: syzbot+814c351d094f4f1a1b86@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=814c351d094f4f1a1b86
+Signed-off-by: Ruslan Valiyev <linuxoid@gmail.com>
+Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/test-drivers/vidtv/vidtv_mux.c |    8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/drivers/media/test-drivers/vidtv/vidtv_mux.c
++++ b/drivers/media/test-drivers/vidtv/vidtv_mux.c
+@@ -101,7 +101,8 @@ static int vidtv_mux_pid_ctx_init(struct
+       /* add a ctx for all PMT sections */
+       while (p) {
+               pid = vidtv_psi_get_pat_program_pid(p);
+-              vidtv_mux_create_pid_ctx_once(m, pid);
++              if (!vidtv_mux_create_pid_ctx_once(m, pid))
++                      goto free;
+               p = p->next;
+       }
+@@ -170,6 +171,9 @@ static u32 vidtv_mux_push_si(struct vidt
+       nit_ctx = vidtv_mux_get_pid_ctx(m, VIDTV_NIT_PID);
+       eit_ctx = vidtv_mux_get_pid_ctx(m, VIDTV_EIT_PID);
++      if (!pat_ctx || !sdt_ctx || !nit_ctx || !eit_ctx)
++              return 0;
++
+       pat_args.offset             = m->mux_buf_offset;
+       pat_args.continuity_counter = &pat_ctx->cc;
+@@ -186,6 +190,8 @@ static u32 vidtv_mux_push_si(struct vidt
+               }
+               pmt_ctx = vidtv_mux_get_pid_ctx(m, pmt_pid);
++              if (!pmt_ctx)
++                      continue;
+               pmt_args.offset             = m->mux_buf_offset;
+               pmt_args.pmt                = m->si.pmt_secs[i];
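Review bot: The defensive `if (!pat_ctx || !sdt_ctx || !nit_ctx || !eit_ctx) return 0;` and `if (!pmt_ctx) continue;` in vidtv_mux_push_si() silently emit no SI tables, or skip one PMT, whenever a context is missing; now that vidtv_mux_pid_ctx_init() fails through `goto free` on allocation failure, reaching these branches indicates a logic error elsewhere rather than an expected state, so a comment such as `/* contexts are created in vidtv_mux_pid_ctx_init(); a missing one is a bug, not a normal condition */` would tell readers why the checks exist and that they are not a substitute for the init fix. The `free` label and whatever it unwinds are outside the hunk, so whether it releases the contexts created earlier in the same loop cannot be confirmed here; both functions also start and end outside the hunk.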
index cb879e1db372253776195dd1773e0a2219b5060a..eb9c0388c0ed1b5c00636eb659aa5329e4e0fff0 100644 (file)
@@ -24,3 +24,11 @@ i2c-stub-reject-i2c-block-transfers-with-invalid-length.patch
 net-qualcomm-rmnet-fix-endpoint-use-after-free-in-rmnet_dellink.patch
 agp-amd64-fix-broken-error-propagation-in-agp_amd64_probe.patch
 regulator-core-fix-locking-in-regulator_resolve_supply-error-path.patch
+input-rmi4-fix-register-descriptor-address-calculation.patch
+input-rmi4-fix-type-overflow-in-register-counts.patch
+input-rmi4-fix-num_subpackets-overflow-in-register-descriptor.patch
+input-rmi4-fix-memory-leak-in-rmi_set_attn_data.patch
+input-rmi4-iterative-irq-handler.patch
+input-rmi4-fix-bit-count-in-bitmap_copy.patch
+vc_screen-fix-null-ptr-deref-in-vcs_notifier-during-concurrent-vcs_write.patch
+media-vidtv-fix-null-pointer-dereference-in-vidtv_mux_push_si.patch
diff --git a/queue-5.10/vc_screen-fix-null-ptr-deref-in-vcs_notifier-during-concurrent-vcs_write.patch b/queue-5.10/vc_screen-fix-null-ptr-deref-in-vcs_notifier-during-concurrent-vcs_write.patch
new file mode 100644 (file)
index 0000000..6db9094
--- /dev/null
@@ -0,0 +1,46 @@
+From a287620312dc6dcb9a093417a0e589bf30fcf38a Mon Sep 17 00:00:00 2001
+From: Yi Yang <yiyang13@huawei.com>
+Date: Thu, 4 Jun 2026 06:07:34 +0000
+Subject: vc_screen: fix null-ptr-deref in vcs_notifier() during concurrent vcs_write
+
+From: Yi Yang <yiyang13@huawei.com>
+
+commit a287620312dc6dcb9a093417a0e589bf30fcf38a upstream.
+
+A KASAN null-ptr-deref was observed in vcs_notifier():
+
+BUG: KASAN: null-ptr-deref in vcs_notifier+0x98/0x130
+Read of size 2 at addr qmp_cmd_name: qmp_capabilities, arguments: {}
+
+The issue is a race condition in vcs_write(). When the console_lock is
+temporarily dropped (to copy data from userspace), the vc_data pointer
+obtained from vcs_vc() may become stale. After re-acquiring the lock,
+vcs_vc() is called again to re-validate the pointer. If the vc has been
+deallocated in the meantime, vcs_vc() returns NULL, and the while loop
+breaks (with written > 0). However, after the loop, vcs_scr_updated(vc)
+is still called with the now-NULL vc pointer, leading to a null pointer
+dereference in the notifier chain (vcs_notifier dereferences param->vc).
+
+Fix this by adding a NULL check for vc before calling vcs_scr_updated().
+
+Fixes: 8fb9ea65c9d1 ("vc_screen: reload load of struct vc_data pointer in vcs_write() to avoid UAF")
+Cc: stable@vger.kernel.org
+Signed-off-by: Yi Yang <yiyang13@huawei.com>
+Reviewed-by: Jiri Slaby <jirislaby@kernel.org>
+Link: https://patch.msgid.link/20260604060734.2914976-1-yiyang13@huawei.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/vt/vc_screen.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/tty/vt/vc_screen.c
++++ b/drivers/tty/vt/vc_screen.c
+@@ -699,7 +699,7 @@ vcs_write(struct file *file, const char
+       }
+       *ppos += written;
+       ret = written;
+-      if (written)
++      if (written && vc)
+               vcs_scr_updated(vc);
+ unlock_out: