* [PATCH] tty: n_tty: read termios under lock in poll
@ 2026-05-10 2:59 Cen Zhang
2026-05-10 16:23 ` Greg KH
0 siblings, 1 reply; 2+ messages in thread
From: Cen Zhang @ 2026-05-10 2:59 UTC (permalink / raw)
To: gregkh, jirislaby; +Cc: linux-kernel, linux-serial, baijiaju1990, Cen Zhang
n_tty_poll() uses input_available_p() to decide whether buffered input
makes the tty readable. That helper reads termios state through
L_EXTPROC(), VMIN, and VTIME, but the poll path does not hold the read
side of tty->termios_rwsem.
tty_set_termios() updates tty->termios under the write side of the same
semaphore, including c_lflag and c_cc[]. n_tty_read() already takes the
read side before reading the same termios fields and before calling
input_available_p(). Protect the poll-side readiness checks the same way
so poll observes a coherent termios state when deciding whether to report
readable input.
Do not hold termios_rwsem across tty_buffer_flush_work(), matching the
read path which drops the semaphore before flushing pending receive work
and then checks input availability again after reacquiring it.
Signed-off-by: Cen Zhang <zzzccc427@gmail.com>
---
drivers/tty/n_tty.c | 12 ++++++++----
1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/drivers/tty/n_tty.c b/drivers/tty/n_tty.c
index e6a0f5b40d0a..c8e1882782db 100644
--- a/drivers/tty/n_tty.c
+++ b/drivers/tty/n_tty.c
@@ -2437,13 +2437,17 @@ static __poll_t n_tty_poll(struct tty_struct *tty, struct file *file,
poll_wait(file, &tty->read_wait, wait);
poll_wait(file, &tty->write_wait, wait);
- if (input_available_p(tty, 1))
- mask |= EPOLLIN | EPOLLRDNORM;
- else {
- tty_buffer_flush_work(tty->port);
+ scoped_guard(rwsem_read, &tty->termios_rwsem) {
if (input_available_p(tty, 1))
mask |= EPOLLIN | EPOLLRDNORM;
}
+ if (!(mask & (EPOLLIN | EPOLLRDNORM))) {
+ tty_buffer_flush_work(tty->port);
+ scoped_guard(rwsem_read, &tty->termios_rwsem) {
+ if (input_available_p(tty, 1))
+ mask |= EPOLLIN | EPOLLRDNORM;
+ }
+ }
if (tty->ctrl.packet && tty->link->ctrl.pktstatus)
mask |= EPOLLPRI | EPOLLIN | EPOLLRDNORM;
if (test_bit(TTY_OTHER_CLOSED, &tty->flags))
--
2.43.0
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [PATCH] tty: n_tty: read termios under lock in poll
2026-05-10 2:59 [PATCH] tty: n_tty: read termios under lock in poll Cen Zhang
@ 2026-05-10 16:23 ` Greg KH
0 siblings, 0 replies; 2+ messages in thread
From: Greg KH @ 2026-05-10 16:23 UTC (permalink / raw)
To: Cen Zhang; +Cc: jirislaby, linux-kernel, linux-serial, baijiaju1990
On Sun, May 10, 2026 at 10:59:40AM +0800, Cen Zhang wrote:
> n_tty_poll() uses input_available_p() to decide whether buffered input
> makes the tty readable. That helper reads termios state through
> L_EXTPROC(), VMIN, and VTIME, but the poll path does not hold the read
> side of tty->termios_rwsem.
>
> tty_set_termios() updates tty->termios under the write side of the same
> semaphore, including c_lflag and c_cc[]. n_tty_read() already takes the
> read side before reading the same termios fields and before calling
> input_available_p(). Protect the poll-side readiness checks the same way
> so poll observes a coherent termios state when deciding whether to report
> readable input.
But why does that matter? If it changes right after you grab/release
the lock, the data will be stale as well. What userspace logic is
broken because of there not being a lock held here?
thanks,
greg k-h
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2026-05-10 16:24 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-05-10 2:59 [PATCH] tty: n_tty: read termios under lock in poll Cen Zhang
2026-05-10 16:23 ` Greg KH
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox