diff --git a/sys/kern/tty.c b/sys/kern/tty.c
index 7526638b921..cf5cca72129 100644
--- a/sys/kern/tty.c
+++ b/sys/kern/tty.c
@@ -69,6 +69,7 @@ __FBSDID("$FreeBSD$");
 #include
+#include
 #include
 static MALLOC_DEFINE(M_TTY, "tty", "tty device");
@@ -1482,8 +1483,12 @@ tty_signal_sessleader(struct tty *tp, int sig)
 tp->t_flags &= ~TF_STOPPED;
 tp->t_termios.c_lflag &= ~FLUSHO;
- if (tp->t_session != NULL && tp->t_session->s_leader != NULL) {
- p = tp->t_session->s_leader;
+ /*
+ * Load s_leader exactly once to avoid TOCTOU races.
+ * Note that we are not holding t_session's lock for the read.
+ */
+ if (tp->t_session != NULL &&
+ (p = atomic_load_ptr(&tp->t_session->s_leader)) != NULL) {
 PROC_LOCK(p);
 kern_psignal(p, sig);
 PROC_UNLOCK(p);
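Review bot: Nothing visible in the tty_signal_sessleader() hunk keeps `p` valid, or keeps it the session leader, between the `atomic_load_ptr()` and `PROC_LOCK(p)`; the single load only closes the NULL-dereference window, and the new comment itself says the session lock is not held. If the leader can exit in that window the signal could reach a process that is no longer the leader, so the comment should say what makes the pointer safe to lock (for example a lock held by the caller or the proc lifetime rules, neither of which is shown here), or the code should revalidate under the proc lock, e.g. `if (tp->t_session->s_leader == p) kern_psignal(p, sig);`. `tp->t_session` is also still read twice in the new condition; unless it is stable under a lock taken outside the hunk, loading it once into a local would give it the same single-read guarantee as `s_leader`. The function body begins and ends outside the hunk.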