diff mbox series

n_tty: fix data race in n_tty_poll()

Message ID 20250510163828.21963-1-aha310510@gmail.com
State New
Headers show
Series n_tty: fix data race in n_tty_poll() | expand

Commit Message

Jeongjun Park May 10, 2025, 4:38 p.m. UTC 
I found data-race in my fuzzer:

==================================================================
BUG: KCSAN: data-race in n_tty_poll / tty_set_termios

read to 0xffff8880116b4d14 of 4 bytes by task 5443 on cpu 0:
 n_tty_poll+0xa4/0x4c0 drivers/tty/n_tty.c:2452
 tty_poll+0x8f/0x100 drivers/tty/tty_io.c:2208
 vfs_poll include/linux/poll.h:82 [inline]
 select_poll_one fs/select.c:480 [inline]
 do_select+0x95f/0x1030 fs/select.c:536
 core_sys_select+0x284/0x6d0 fs/select.c:677
....

write to 0xffff8880116b4d08 of 44 bytes by task 14547 on cpu 1:
 tty_set_termios+0xf9/0x500 drivers/tty/tty_ioctl.c:339
 set_termios.part.0+0x3bc/0x4d0 drivers/tty/tty_ioctl.c:520
 set_termios drivers/tty/tty_ioctl.c:454 [inline]
 tty_mode_ioctl+0x2db/0xa00 drivers/tty/tty_ioctl.c:807
 n_tty_ioctl_helper+0x4e/0x230 drivers/tty/tty_ioctl.c:986
 n_tty_ioctl+0x67/0x230 drivers/tty/n_tty.c:2509
....
==================================================================

In n_tty_poll() we are doing a read on tty->termios but we are missing
rwsem lock, which causes a concurrency problem. To fix this, we need to
add rwsem lock at the appropriate location.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Jeongjun Park <aha310510@gmail.com>
---
 drivers/tty/n_tty.c | 4 ++++
 1 file changed, 4 insertions(+)

--

Comments

kernel test robot May 12, 2025, 6:21 a.m. UTC | #1 
Hello,

kernel test robot noticed "WARNING:possible_circular_locking_dependency_detected" on:

commit: 6145aac371f6e1aae92b20b04bf6f4e7b3c46657 ("[PATCH] n_tty: fix data race in n_tty_poll()")
url: https://github.com/intel-lab-lkp/linux/commits/Jeongjun-Park/n_tty-fix-data-race-in-n_tty_poll/20250511-004004
base: https://git.kernel.org/cgit/linux/kernel/git/gregkh/tty.git tty-testing
patch link: https://lore.kernel.org/all/20250510163828.21963-1-aha310510@gmail.com/
patch subject: [PATCH] n_tty: fix data race in n_tty_poll()

in testcase: boot

config: x86_64-randconfig-075-20250511
compiler: gcc-11
test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 16G

(please refer to attached dmesg/kmsg for entire log/backtrace)



If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <oliver.sang@intel.com>
| Closes: https://lore.kernel.org/oe-lkp/202505121345.9f8944dc-lkp@intel.com


[   42.238614][  T205] WARNING: possible circular locking dependency detected
[   42.239002][  T205] 6.15.0-rc4-00081-g6145aac371f6 #1 Tainted: G                T
[   42.239551][  T205] ------------------------------------------------------
[   42.239965][  T205] bootlogd/205 is trying to acquire lock:
[ 42.240305][ T205] ffff88812c1d6428 ((work_completion)(&buf->work)){+.+.}-{0:0}, at: start_flush_work (kbuild/obj/consumer/x86_64-randconfig-075-20250511/kernel/workqueue.c:3922 kbuild/obj/consumer/x86_64-randconfig-075-20250511/kernel/workqueue.c:4176) 
[   42.240960][  T205]
[   42.240960][  T205] but task is already holding lock:
[ 42.241424][ T205] ffff888185dc0ea8 (&tty->termios_rwsem){++++}-{4:4}, at: n_tty_poll (kbuild/obj/consumer/x86_64-randconfig-075-20250511/drivers/tty/n_tty.c:2454) 
[   42.242126][  T205]
[   42.242126][  T205] which lock already depends on the new lock.
[   42.242126][  T205]
[   42.242789][  T205]
[   42.242789][  T205] the existing dependency chain (in reverse order) is:
[   42.243312][  T205]
[   42.243312][  T205] -> #2 (&tty->termios_rwsem){++++}-{4:4}:
[ 42.243783][ T205] validate_chain (kbuild/obj/consumer/x86_64-randconfig-075-20250511/kernel/locking/lockdep.c:3286 kbuild/obj/consumer/x86_64-randconfig-075-20250511/kernel/locking/lockdep.c:3909) 
[ 42.244098][ T205] __lock_acquire (kbuild/obj/consumer/x86_64-randconfig-075-20250511/kernel/locking/lockdep.c:5235) 
[ 42.244404][ T205] lock_acquire (kbuild/obj/consumer/x86_64-randconfig-075-20250511/kernel/locking/lockdep.c:472 kbuild/obj/consumer/x86_64-randconfig-075-20250511/kernel/locking/lockdep.c:5868) 
[ 42.244701][ T205] down_write (kbuild/obj/consumer/x86_64-randconfig-075-20250511/kernel/locking/rwsem.c:1578) 
[ 42.244977][ T205] n_tty_flush_buffer (kbuild/obj/consumer/x86_64-randconfig-075-20250511/drivers/tty/n_tty.c:353) 
[ 42.245369][ T205] tty_buffer_flush (kbuild/obj/consumer/x86_64-randconfig-075-20250511/include/linux/instrumented.h:96 kbuild/obj/consumer/x86_64-randconfig-075-20250511/include/linux/atomic/atomic-instrumented.h:592 kbuild/obj/consumer/x86_64-randconfig-075-20250511/drivers/tty/tty_buffer.c:243) 
[ 42.245806][ T205] tty_ldisc_flush (kbuild/obj/consumer/x86_64-randconfig-075-20250511/drivers/tty/tty_ldisc.c:389) 
[ 42.246122][ T205] tty_port_close_start (kbuild/obj/consumer/x86_64-randconfig-075-20250511/drivers/tty/tty_port.c:647) 
[ 42.246453][ T205] tty_port_close (kbuild/obj/consumer/x86_64-randconfig-075-20250511/drivers/tty/tty_port.c:698) 
[ 42.246742][ T205] tty_release (kbuild/obj/consumer/x86_64-randconfig-075-20250511/drivers/tty/tty_io.c:1748) 
[ 42.247038][ T205] __fput (kbuild/obj/consumer/x86_64-randconfig-075-20250511/fs/file_table.c:466) 
[ 42.247308][ T205] fput_close_sync (kbuild/obj/consumer/x86_64-randconfig-075-20250511/fs/file_table.c:568) 
[ 42.247741][ T205] __do_sys_close (kbuild/obj/consumer/x86_64-randconfig-075-20250511/fs/open.c:1583) 
[ 42.248156][ T205] do_syscall_64 (kbuild/obj/consumer/x86_64-randconfig-075-20250511/arch/x86/entry/syscall_64.c:63 kbuild/obj/consumer/x86_64-randconfig-075-20250511/arch/x86/entry/syscall_64.c:94) 
[ 42.248453][ T205] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) 
[   42.248829][  T205]
[   42.248829][  T205] -> #1 (&buf->lock){+.+.}-{4:4}:
[ 42.249243][ T205] validate_chain (kbuild/obj/consumer/x86_64-randconfig-075-20250511/kernel/locking/lockdep.c:3286 kbuild/obj/consumer/x86_64-randconfig-075-20250511/kernel/locking/lockdep.c:3909) 
[ 42.249545][ T205] __lock_acquire (kbuild/obj/consumer/x86_64-randconfig-075-20250511/kernel/locking/lockdep.c:5235) 
[ 42.249834][ T205] lock_acquire (kbuild/obj/consumer/x86_64-randconfig-075-20250511/kernel/locking/lockdep.c:472 kbuild/obj/consumer/x86_64-randconfig-075-20250511/kernel/locking/lockdep.c:5868) 
[ 42.250121][ T205] __mutex_lock (kbuild/obj/consumer/x86_64-randconfig-075-20250511/kernel/locking/mutex.c:603 kbuild/obj/consumer/x86_64-randconfig-075-20250511/kernel/locking/mutex.c:746) 
[ 42.250402][ T205] flush_to_ldisc (kbuild/obj/consumer/x86_64-randconfig-075-20250511/drivers/tty/tty_buffer.c:470) 
[ 42.250692][ T205] process_one_work (kbuild/obj/consumer/x86_64-randconfig-075-20250511/kernel/workqueue.c:3243) 
[ 42.250994][ T205] process_scheduled_works (kbuild/obj/consumer/x86_64-randconfig-075-20250511/kernel/workqueue.c:3319) 
[ 42.251317][ T205] worker_thread (kbuild/obj/consumer/x86_64-randconfig-075-20250511/include/linux/list.h:373 kbuild/obj/consumer/x86_64-randconfig-075-20250511/kernel/workqueue.c:946 kbuild/obj/consumer/x86_64-randconfig-075-20250511/kernel/workqueue.c:3401) 
[ 42.251601][ T205] kthread (kbuild/obj/consumer/x86_64-randconfig-075-20250511/kernel/kthread.c:464) 
[ 42.251859][ T205] ret_from_fork (kbuild/obj/consumer/x86_64-randconfig-075-20250511/arch/x86/kernel/process.c:159) 
[ 42.252137][ T205] ret_from_fork_asm (arch/x86/entry/entry_64.S:258) 
[   42.252430][  T205]
[   42.252430][  T205] -> #0 ((work_completion)(&buf->work)){+.+.}-{0:0}:
[ 42.252920][ T205] check_noncircular (kbuild/obj/consumer/x86_64-randconfig-075-20250511/kernel/locking/lockdep.c:2215) 
[ 42.253211][ T205] check_prev_add (kbuild/obj/consumer/x86_64-randconfig-075-20250511/kernel/locking/lockdep.c:3167) 
[ 42.253512][ T205] validate_chain (kbuild/obj/consumer/x86_64-randconfig-075-20250511/kernel/locking/lockdep.c:3286 kbuild/obj/consumer/x86_64-randconfig-075-20250511/kernel/locking/lockdep.c:3909) 
[ 42.253799][ T205] __lock_acquire (kbuild/obj/consumer/x86_64-randconfig-075-20250511/kernel/locking/lockdep.c:5235) 
[ 42.254086][ T205] lock_acquire (kbuild/obj/consumer/x86_64-randconfig-075-20250511/kernel/locking/lockdep.c:472 kbuild/obj/consumer/x86_64-randconfig-075-20250511/kernel/locking/lockdep.c:5868) 
[ 42.254363][ T205] start_flush_work (kbuild/obj/consumer/x86_64-randconfig-075-20250511/kernel/workqueue.c:3923 kbuild/obj/consumer/x86_64-randconfig-075-20250511/kernel/workqueue.c:4176) 
[ 42.254660][ T205] __flush_work (kbuild/obj/consumer/x86_64-randconfig-075-20250511/kernel/workqueue.c:4208) 
[ 42.254939][ T205] n_tty_poll (kbuild/obj/consumer/x86_64-randconfig-075-20250511/drivers/tty/n_tty.c:2458) 
[ 42.255204][ T205] tty_poll (kbuild/obj/consumer/x86_64-randconfig-075-20250511/drivers/tty/tty_io.c:2199) 
[ 42.255467][ T205] do_select (kbuild/obj/consumer/x86_64-randconfig-075-20250511/include/linux/file.h:62 kbuild/obj/consumer/x86_64-randconfig-075-20250511/include/linux/file.h:83 kbuild/obj/consumer/x86_64-randconfig-075-20250511/fs/select.c:469 kbuild/obj/consumer/x86_64-randconfig-075-20250511/fs/select.c:536) 
[ 42.255733][ T205] core_sys_select (kbuild/obj/consumer/x86_64-randconfig-075-20250511/fs/select.c:677) 
[ 42.256025][ T205] kern_select (kbuild/obj/consumer/x86_64-randconfig-075-20250511/fs/select.c:719) 
[ 42.256299][ T205] __x64_sys_select (kbuild/obj/consumer/x86_64-randconfig-075-20250511/fs/select.c:722) 
[ 42.256586][ T205] do_syscall_64 (kbuild/obj/consumer/x86_64-randconfig-075-20250511/arch/x86/entry/syscall_64.c:63 kbuild/obj/consumer/x86_64-randconfig-075-20250511/arch/x86/entry/syscall_64.c:94) 
[ 42.256861][ T205] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) 
[   42.257211][  T205]
[   42.257211][  T205] other info that might help us debug this:
[   42.257211][  T205]
[   42.257768][  T205] Chain exists of:
[   42.257768][  T205]   (work_completion)(&buf->work) --> &buf->lock --> &tty->termios_rwsem
[   42.257768][  T205]
[   42.258538][  T205]  Possible unsafe locking scenario:
[   42.258538][  T205]
[   42.258942][  T205]        CPU0                    CPU1
[   42.259235][  T205]        ----                    ----
[   42.259528][  T205]   rlock(&tty->termios_rwsem);
[   42.259799][  T205]                                lock(&buf->lock);
[   42.260157][  T205]                                lock(&tty->termios_rwsem);
[   42.260556][  T205]   lock((work_completion)(&buf->work));
[   42.260867][  T205]
[   42.260867][  T205]  *** DEADLOCK ***
[   42.260867][  T205]
[   42.261306][  T205] 3 locks held by bootlogd/205:
[ 42.261585][ T205] #0: ffff888185dc0cb0 (&tty->ldisc_sem){++++}-{0:0}, at: tty_ldisc_ref_wait (kbuild/obj/consumer/x86_64-randconfig-075-20250511/drivers/tty/tty_ldisc.c:244) 
[ 42.262123][ T205] #1: ffff888185dc0ea8 (&tty->termios_rwsem){++++}-{4:4}, at: n_tty_poll (kbuild/obj/consumer/x86_64-randconfig-075-20250511/drivers/tty/n_tty.c:2454) 
[ 42.262647][ T205] #2: ffffffff851e6d60 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire (kbuild/obj/consumer/x86_64-randconfig-075-20250511/include/linux/rcupdate.h:331) 
[   42.263222][  T205]
[   42.263222][  T205] stack backtrace:
[   42.263550][  T205] CPU: 0 UID: 0 PID: 205 Comm: bootlogd Tainted: G                T   6.15.0-rc4-00081-g6145aac371f6 #1 NONE
[   42.263560][  T205] Tainted: [T]=RANDSTRUCT
[   42.263562][  T205] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
[   42.263567][  T205] Call Trace:
[   42.263572][  T205]  <TASK>
[ 42.263576][ T205] dump_stack_lvl (kbuild/obj/consumer/x86_64-randconfig-075-20250511/lib/dump_stack.c:122 (discriminator 4)) 
[ 42.263586][ T205] print_circular_bug (kbuild/obj/consumer/x86_64-randconfig-075-20250511/kernel/locking/lockdep.c:2082 (discriminator 1)) 
[ 42.263592][ T205] check_noncircular (kbuild/obj/consumer/x86_64-randconfig-075-20250511/kernel/locking/lockdep.c:2215) 
[ 42.263599][ T205] check_prev_add (kbuild/obj/consumer/x86_64-randconfig-075-20250511/kernel/locking/lockdep.c:3167) 
[ 42.263604][ T205] ? local_clock_noinstr (kbuild/obj/consumer/x86_64-randconfig-075-20250511/kernel/sched/clock.c:301) 
[ 42.263610][ T205] validate_chain (kbuild/obj/consumer/x86_64-randconfig-075-20250511/kernel/locking/lockdep.c:3286 kbuild/obj/consumer/x86_64-randconfig-075-20250511/kernel/locking/lockdep.c:3909) 
[ 42.263616][ T205] __lock_acquire (kbuild/obj/consumer/x86_64-randconfig-075-20250511/kernel/locking/lockdep.c:5235) 
[ 42.263622][ T205] lock_acquire (kbuild/obj/consumer/x86_64-randconfig-075-20250511/kernel/locking/lockdep.c:472 kbuild/obj/consumer/x86_64-randconfig-075-20250511/kernel/locking/lockdep.c:5868) 
[ 42.263627][ T205] ? start_flush_work (kbuild/obj/consumer/x86_64-randconfig-075-20250511/kernel/workqueue.c:3922 kbuild/obj/consumer/x86_64-randconfig-075-20250511/kernel/workqueue.c:4176) 
[ 42.263633][ T205] ? mark_held_locks (kbuild/obj/consumer/x86_64-randconfig-075-20250511/kernel/locking/lockdep.c:4326) 
[ 42.263638][ T205] ? start_flush_work (kbuild/obj/consumer/x86_64-randconfig-075-20250511/kernel/workqueue.c:3922 kbuild/obj/consumer/x86_64-randconfig-075-20250511/kernel/workqueue.c:4176) 
[ 42.263644][ T205] start_flush_work (kbuild/obj/consumer/x86_64-randconfig-075-20250511/kernel/workqueue.c:3923 kbuild/obj/consumer/x86_64-randconfig-075-20250511/kernel/workqueue.c:4176) 
[ 42.263649][ T205] ? start_flush_work (kbuild/obj/consumer/x86_64-randconfig-075-20250511/kernel/workqueue.c:3922 kbuild/obj/consumer/x86_64-randconfig-075-20250511/kernel/workqueue.c:4176) 
[ 42.263655][ T205] ? tty_buffer_free (kbuild/obj/consumer/x86_64-randconfig-075-20250511/drivers/tty/tty_buffer.c:463) 
[ 42.263660][ T205] __flush_work (kbuild/obj/consumer/x86_64-randconfig-075-20250511/kernel/workqueue.c:4208) 
[ 42.263666][ T205] ? start_flush_work (kbuild/obj/consumer/x86_64-randconfig-075-20250511/kernel/workqueue.c:4199) 
[ 42.263671][ T205] ? __rwsem_set_reader_owned (kbuild/obj/consumer/x86_64-randconfig-075-20250511/arch/x86/include/asm/atomic64_64.h:20 kbuild/obj/consumer/x86_64-randconfig-075-20250511/include/linux/atomic/atomic-arch-fallback.h:2629 kbuild/obj/consumer/x86_64-randconfig-075-20250511/include/linux/atomic/atomic-long.h:79 kbuild/obj/consumer/x86_64-randconfig-075-20250511/include/linux/atomic/atomic-instrumented.h:3224 kbuild/obj/consumer/x86_64-randconfig-075-20250511/kernel/locking/rwsem.c:176) 
[ 42.263679][ T205] ? flush_workqueue_prep_pwqs (kbuild/obj/consumer/x86_64-randconfig-075-20250511/kernel/workqueue.c:3733) 
[ 42.263690][ T205] n_tty_poll (kbuild/obj/consumer/x86_64-randconfig-075-20250511/drivers/tty/n_tty.c:2458) 
[ 42.263696][ T205] tty_poll (kbuild/obj/consumer/x86_64-randconfig-075-20250511/drivers/tty/tty_io.c:2199) 
[ 42.263702][ T205] do_select (kbuild/obj/consumer/x86_64-randconfig-075-20250511/include/linux/file.h:62 kbuild/obj/consumer/x86_64-randconfig-075-20250511/include/linux/file.h:83 kbuild/obj/consumer/x86_64-randconfig-075-20250511/fs/select.c:469 kbuild/obj/consumer/x86_64-randconfig-075-20250511/fs/select.c:536) 
[ 42.263712][ T205] ? select_estimate_accuracy (kbuild/obj/consumer/x86_64-randconfig-075-20250511/fs/select.c:484) 
[ 42.263717][ T205] ? validate_chain (kbuild/obj/consumer/x86_64-randconfig-075-20250511/kernel/locking/lockdep.c:3824 kbuild/obj/consumer/x86_64-randconfig-075-20250511/kernel/locking/lockdep.c:3877) 
[ 42.263721][ T205] ? mark_lock (kbuild/obj/consumer/x86_64-randconfig-075-20250511/kernel/locking/lockdep.c:4726 (discriminator 3)) 
[ 42.263725][ T205] ? validate_chain (kbuild/obj/consumer/x86_64-randconfig-075-20250511/kernel/locking/lockdep.c:3824 kbuild/obj/consumer/x86_64-randconfig-075-20250511/kernel/locking/lockdep.c:3877) 
[ 42.263729][ T205] ? mark_lock (kbuild/obj/consumer/x86_64-randconfig-075-20250511/kernel/locking/lockdep.c:4726 (discriminator 3)) 
[ 42.263733][ T205] ? __must_check_overflow (kbuild/obj/consumer/x86_64-randconfig-075-20250511/include/linux/err.h:70) 
[ 42.263743][ T205] ? rcu_lock_acquire (kbuild/obj/consumer/x86_64-randconfig-075-20250511/include/linux/rcupdate.h:341) 
[ 42.263749][ T205] ? rcu_lock_acquire (kbuild/obj/consumer/x86_64-randconfig-075-20250511/include/linux/rcupdate.h:341) 
[ 42.263755][ T205] ? tracer_hardirqs_off (kbuild/obj/consumer/x86_64-randconfig-075-20250511/kernel/trace/trace_irqsoff.c:641) 
[ 42.263762][ T205] ? mark_lock (kbuild/obj/consumer/x86_64-randconfig-075-20250511/kernel/locking/lockdep.c:4726 (discriminator 3)) 
[ 42.263767][ T205] ? validate_chain (kbuild/obj/consumer/x86_64-randconfig-075-20250511/kernel/locking/lockdep.c:3824 kbuild/obj/consumer/x86_64-randconfig-075-20250511/kernel/locking/lockdep.c:3877) 
[ 42.263771][ T205] ? mark_lock (kbuild/obj/consumer/x86_64-randconfig-075-20250511/kernel/locking/lockdep.c:4726 (discriminator 3)) 
[ 42.263776][ T205] ? validate_chain (kbuild/obj/consumer/x86_64-randconfig-075-20250511/kernel/locking/lockdep.c:3824 kbuild/obj/consumer/x86_64-randconfig-075-20250511/kernel/locking/lockdep.c:3877) 
[ 42.263780][ T205] ? mark_lock (kbuild/obj/consumer/x86_64-randconfig-075-20250511/kernel/locking/lockdep.c:4726 (discriminator 3)) 
[ 42.263785][ T205] ? __lock_acquire (kbuild/obj/consumer/x86_64-randconfig-075-20250511/kernel/locking/lockdep.c:5235) 
[ 42.263790][ T205] ? lock_acquire (kbuild/obj/consumer/x86_64-randconfig-075-20250511/kernel/locking/lockdep.c:472 kbuild/obj/consumer/x86_64-randconfig-075-20250511/kernel/locking/lockdep.c:5868) 
[ 42.263795][ T205] ? __might_fault (kbuild/obj/consumer/x86_64-randconfig-075-20250511/mm/memory.c:7151) 
[ 42.263804][ T205] ? __might_fault (kbuild/obj/consumer/x86_64-randconfig-075-20250511/mm/memory.c:7151) 
[ 42.263809][ T205] ? kvm_sched_clock_read (kbuild/obj/consumer/x86_64-randconfig-075-20250511/arch/x86/kernel/kvmclock.c:91) 
[ 42.263813][ T205] ? local_clock_noinstr (kbuild/obj/consumer/x86_64-randconfig-075-20250511/kernel/sched/clock.c:301) 
[ 42.263817][ T205] ? local_clock (kbuild/obj/consumer/x86_64-randconfig-075-20250511/arch/x86/include/asm/preempt.h:85 kbuild/obj/consumer/x86_64-randconfig-075-20250511/kernel/sched/clock.c:316) 
[ 42.263825][ T205] ? __lock_release (kbuild/obj/consumer/x86_64-randconfig-075-20250511/kernel/locking/lockdep.c:5542) 
[ 42.263829][ T205] ? __might_fault (kbuild/obj/consumer/x86_64-randconfig-075-20250511/mm/memory.c:7151) 
[ 42.263835][ T205] ? __asan_memset (kbuild/obj/consumer/x86_64-randconfig-075-20250511/mm/kasan/shadow.c:84) 
[ 42.263842][ T205] core_sys_select (kbuild/obj/consumer/x86_64-randconfig-075-20250511/fs/select.c:677) 
[ 42.263849][ T205] ? __x64_compat_sys_ppoll_time64 (kbuild/obj/consumer/x86_64-randconfig-075-20250511/fs/select.c:623) 
[ 42.263854][ T205] ? _raw_spin_unlock_irqrestore (kbuild/obj/consumer/x86_64-randconfig-075-20250511/arch/x86/include/asm/irqflags.h:42 kbuild/obj/consumer/x86_64-randconfig-075-20250511/arch/x86/include/asm/irqflags.h:119 kbuild/obj/consumer/x86_64-randconfig-075-20250511/arch/x86/include/asm/irqflags.h:159 kbuild/obj/consumer/x86_64-randconfig-075-20250511/include/linux/spinlock_api_smp.h:151 kbuild/obj/consumer/x86_64-randconfig-075-20250511/kernel/locking/spinlock.c:194) 
[ 42.263864][ T205] ? ktime_get_ts64 (kbuild/obj/consumer/x86_64-randconfig-075-20250511/include/linux/seqlock.h:226 (discriminator 1) kbuild/obj/consumer/x86_64-randconfig-075-20250511/kernel/time/timekeeping.c:891 (discriminator 1)) 
[ 42.263871][ T205] ? timespec64_add_safe (kbuild/obj/consumer/x86_64-randconfig-075-20250511/kernel/time/time.c:854) 
[ 42.263878][ T205] ? nsec_to_clock_t (kbuild/obj/consumer/x86_64-randconfig-075-20250511/kernel/time/time.c:848) 
[ 42.263883][ T205] ? seqcount_lockdep_reader_access (kbuild/obj/consumer/x86_64-randconfig-075-20250511/arch/x86/include/asm/irqflags.h:42 (discriminator 1) kbuild/obj/consumer/x86_64-randconfig-075-20250511/arch/x86/include/asm/irqflags.h:119 (discriminator 1) kbuild/obj/consumer/x86_64-randconfig-075-20250511/arch/x86/include/asm/irqflags.h:159 (discriminator 1) kbuild/obj/consumer/x86_64-randconfig-075-20250511/include/linux/seqlock.h:74 (discriminator 1)) 
[ 42.263890][ T205] ? ktime_get_ts64 (kbuild/obj/consumer/x86_64-randconfig-075-20250511/kernel/time/timekeeping.c:896 (discriminator 4)) 
[ 42.263896][ T205] kern_select (kbuild/obj/consumer/x86_64-randconfig-075-20250511/fs/select.c:719) 
[ 42.263901][ T205] ? core_sys_select (kbuild/obj/consumer/x86_64-randconfig-075-20250511/fs/select.c:702) 
[ 42.263906][ T205] ? tracer_hardirqs_on (kbuild/obj/consumer/x86_64-randconfig-075-20250511/kernel/trace/trace_irqsoff.c:634) 
[ 42.263911][ T205] ? syscall_exit_to_user_mode (kbuild/obj/consumer/x86_64-randconfig-075-20250511/include/linux/entry-common.h:361 kbuild/obj/consumer/x86_64-randconfig-075-20250511/kernel/entry/common.c:220) 
[ 42.263917][ T205] __x64_sys_select (kbuild/obj/consumer/x86_64-randconfig-075-20250511/fs/select.c:722) 
[ 42.263922][ T205] do_syscall_64 (kbuild/obj/consumer/x86_64-randconfig-075-20250511/arch/x86/entry/syscall_64.c:63 kbuild/obj/consumer/x86_64-randconfig-075-20250511/arch/x86/entry/syscall_64.c:94) 
[ 42.263929][ T205] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) 
[   42.263934][  T205] RIP: 0033:0x7f0bac4a3e97
[ 42.263941][ T205] Code: 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 8d 05 a9 a3 0c 00 49 89 ca 8b 00 85 c0 75 10 b8 17 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 61 c3 41 56 49 89 f6 41 55 4d 89 c5 41 54 49
All code


The kernel config and materials to reproduce are available at:
https://download.01.org/0day-ci/archive/20250512/202505121345.9f8944dc-lkp@intel.com
diff mbox series

Patch

diff --git a/drivers/tty/n_tty.c b/drivers/tty/n_tty.c
index 6af3f3a0b531..36b41374e1bd 100644
--- a/drivers/tty/n_tty.c
+++ b/drivers/tty/n_tty.c
@@ -2449,6 +2449,8 @@  static __poll_t n_tty_poll(struct tty_struct *tty, struct file *file,
 
 	poll_wait(file, &tty->read_wait, wait);
 	poll_wait(file, &tty->write_wait, wait);
+
+	down_read(&tty->termios_rwsem);
 	if (input_available_p(tty, 1))
 		mask |= EPOLLIN | EPOLLRDNORM;
 	else {
@@ -2456,6 +2458,8 @@  static __poll_t n_tty_poll(struct tty_struct *tty, struct file *file,
 		if (input_available_p(tty, 1))
 			mask |= EPOLLIN | EPOLLRDNORM;
 	}
+	up_read(&tty->termios_rwsem);
+
 	if (tty->ctrl.packet && tty->link->ctrl.pktstatus)
 		mask |= EPOLLPRI | EPOLLIN | EPOLLRDNORM;
 	if (test_bit(TTY_OTHER_CLOSED, &tty->flags))