lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <2026020459-lisp-display-0506@gregkh>
Date: Wed, 4 Feb 2026 09:20:34 +0100
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: Jiayuan Chen <jiayuan.chen@...ux.dev>
Cc: linux-serial@...r.kernel.org, Jiayuan Chen <jiayuan.chen@...pee.com>,
	Jiri Slaby <jirislaby@...nel.org>, Petr Mladek <pmladek@...e.com>,
	Marcos Paulo de Souza <mpdesouza@...e.com>,
	Krzysztof Kozlowski <krzysztof.kozlowski@....qualcomm.com>,
	"Dr. David Alan Gilbert" <linux@...blig.org>,
	Joseph Tilahun <jtilahun@...ranis.com>,
	Sjur Braendeland <sjur.brandeland@...ricsson.com>,
	"David S. Miller" <davem@...emloft.net>,
	linux-kernel@...r.kernel.org
Subject: Re: [PATCH v1] serial: core: fix infinite loop in handle_tx() for
 PORT_UNKNOWN

On Wed, Feb 04, 2026 at 03:43:20PM +0800, Jiayuan Chen wrote:
> From: Jiayuan Chen <jiayuan.chen@...pee.com>
> 
> uart_write_room() and uart_write() behave inconsistently when
> xmit_buf is NULL (which happens for PORT_UNKNOWN ports that were
> never properly initialized):

How does this happen?  Why were they not initialized properly, what
drivers/hardware cause this?

> - uart_write_room() returns kfifo_avail() which can be > 0
> - uart_write() checks xmit_buf and returns 0 if NULL
> 
> This inconsistency causes an infinite loop in drivers that rely on
> tty_write_room() to determine if they can write:
> 
>   while (tty_write_room(tty) > 0) {
>       written = tty->ops->write(...);
>       // written is always 0, loop never exits
>   }
> 
> For example, caif_serial's handle_tx() enters an infinite loop when
> used with PORT_UNKNOWN serial ports, causing system hangs.
> 
> Fix by making uart_write_room() also check xmit_buf and return 0 if
> it's NULL, consistent with uart_write().
> 
> Reproducer: https://gist.github.com/mrpre/d9a694cc0e19828ee3bc3b37983fde13
> 
> Fixes: 9b27105b4a44 ("net-caif-driver: add CAIF serial driver (ldisc)")

This really isn't a fix for that driver, but rather something else.

> Signed-off-by: Jiayuan Chen <jiayuan.chen@...pee.com>
> Signed-off-by: Jiayuan Chen <jiayuan.chen@...ux.dev>

This doesn't make sense, signing off twice for the same person?

As you did this from your shopee.com account, that should be sufficient.

> ---
>  drivers/tty/serial/serial_core.c | 5 ++++-
>  1 file changed, 4 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/tty/serial/serial_core.c b/drivers/tty/serial/serial_core.c
> index 2805cad10511..0b2edf185cc7 100644
> --- a/drivers/tty/serial/serial_core.c
> +++ b/drivers/tty/serial/serial_core.c
> @@ -643,7 +643,10 @@ static unsigned int uart_write_room(struct tty_struct *tty)
>  	unsigned int ret;
>  
>  	port = uart_port_ref_lock(state, &flags);
> -	ret = kfifo_avail(&state->port.xmit_fifo);
> +	if (!state->port.xmit_buf)

This feels odd.  What ports have no transmit buffers?  And why would
this be the only check that is needed for such broken devices?

Maybe let's fix the root cause here, the driver that does not have a
transmit buffer at all?

thanks,

greg k-h

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ