From: Osama Abdelkader <osama.abdelkader@gmail.com>
To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: "Jiri Slaby" <jirislaby@kernel.org>,
"Andy Shevchenko" <andy.shevchenko@gmail.com>,
"Ilpo Järvinen" <ilpo.jarvinen@linux.intel.com>,
linux-kernel@vger.kernel.org, linux-serial@vger.kernel.org,
syzbot+80806cf7508e92c7cc86@syzkaller.appspotmail.com
Subject: Re: [PATCH] tty: n_tty: fix KCSAN data-race in n_tty_flush_buffer / n_tty_lookahead_flow_ctrl
Date: Sat, 14 Mar 2026 00:16:49 +0100 [thread overview]
Message-ID: <abSa4VAXaMBEjVjD@osama> (raw)
In-Reply-To: <2026031211-scared-riches-6a52@gregkh>
On Thu, Mar 12, 2026 at 03:21:03PM +0100, Greg Kroah-Hartman wrote:
> On Wed, Feb 11, 2026 at 10:08:38PM +0100, Osama Abdelkader wrote:
> > n_tty_lookahead_flow_ctrl() accesses ldata->lookahead_count without
> > holding termios_rwsem, while reset_buffer_flags() in n_tty_flush_buffer()
> > resets it with exclusive termios_rwsem held. This causes a data race
> > reported by KCSAN when a PTY is closed while flush_to_ldisc is still
> > processing lookahead data.
>
> A data race of what exactly? lookahead_count?
yes, ldata->lookahead_count.
>
> > Fix by taking termios_rwsem (read) in n_tty_lookahead_flow_ctrl(),
> > consistent with __receive_buf() which also modifies lookahead_count
> > under the read lock.
>
> This feels wrong. I would like to see a LOT of testing and validation
> that this is correct before being able to take this patch. How was that
> done?
>
To clarify the reported race:
The race is on `ldata->lookahead_count` between:
1. `n_tty_lookahead_flow_ctrl()`, which does `lookahead_count += count`
from the `flush_to_ldisc()` workqueue path:
`flush_to_ldisc() -> lookahead_bufs() -> tty_port_default_lookahead_buf() -> n_tty_lookahead_flow_ctrl()`
2. `reset_buffer_flags()`, which does `lookahead_count = 0`
from `n_tty_flush_buffer()` under write `termios_rwsem`
(for example during PTY close / hangup).
`__receive_buf()` already accesses the same field under read `termios_rwsem`,
so this lookahead path was the remaining unlocked access to that state.
Because `n_tty_lookahead_flow_ctrl()` performs a read-modify-write (`+= count`),
`READ_ONCE()/WRITE_ONCE()` would still allow lost updates, so taking read
`termios_rwsem` there matches the existing writer-side protection.
I also ran the change with lockdep enabled and did not observe lockdep warnings
on PTY open/close stress.
> thanks,
>
> greg k-h
Thanks,
Osama
prev parent reply other threads:[~2026-03-13 23:16 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-02-11 21:08 [PATCH] tty: n_tty: fix KCSAN data-race in n_tty_flush_buffer / n_tty_lookahead_flow_ctrl Osama Abdelkader
2026-02-26 15:16 ` Osama Abdelkader
2026-03-06 7:51 ` Osama Abdelkader
2026-03-12 14:21 ` Greg Kroah-Hartman
2026-03-13 23:16 ` Osama Abdelkader [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=abSa4VAXaMBEjVjD@osama \
--to=osama.abdelkader@gmail.com \
--cc=andy.shevchenko@gmail.com \
--cc=gregkh@linuxfoundation.org \
--cc=ilpo.jarvinen@linux.intel.com \
--cc=jirislaby@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-serial@vger.kernel.org \
--cc=syzbot+80806cf7508e92c7cc86@syzkaller.appspotmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.