Commit 455ce986 authored by Jiayuan Chen, committed by Greg Kroah-Hartman

serial: core: fix infinite loop in handle_tx() for PORT_UNKNOWN

uart_write_room() and uart_write() behave inconsistently when
xmit_buf is NULL (which happens for PORT_UNKNOWN ports that were
never properly initialized):

- uart_write_room() returns kfifo_avail() which can be > 0
- uart_write() checks xmit_buf and returns 0 if NULL

This inconsistency causes an infinite loop in drivers that rely on
tty_write_room() to determine if they can write:

  while (tty_write_room(tty) > 0) {
      written = tty->ops->write(...);
      // written is always 0, loop never exits
  }

For example, caif_serial's handle_tx() enters an infinite loop when
used with PORT_UNKNOWN serial ports, causing system hangs.

Fix by making uart_write_room() also check xmit_buf and return 0 if
it's NULL, consistent with uart_write().

Reproducer: https://gist.github.com/mrpre/d9a694cc0e19828ee3bc3b37983fde13



Signed-off-by: Jiayuan Chen <jiayuan.chen@shopee.com>
Cc: stable <stable@kernel.org>
Link: https://patch.msgid.link/20260204074327.226165-1-jiayuan.chen@linux.dev


Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
parent d54801cd
+4 −1
@@ -643,6 +643,9 @@ static unsigned int uart_write_room(struct tty_struct *tty)
	unsigned int ret;

	port = uart_port_ref_lock(state, &flags);
	if (!state->port.xmit_buf)
		ret = 0;
	else
		ret = kfifo_avail(&state->port.xmit_fifo);
	uart_port_unlock_deref(port, flags);
	return ret;
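
Review bot: The new `if (!state->port.xmit_buf)` branch in uart_write_room() carries no comment saying when xmit_buf can be NULL on a tty that is still reachable. Per the commit message this is the PORT_UNKNOWN case, and the check exists only to keep uart_write_room() in step with uart_write(); a one-line comment above the check stating that would stop it from being removed later as redundant. The test is made between uart_port_ref_lock() and uart_port_unlock_deref(), so it is also worth confirming that uart_write() reads xmit_buf under the same lock, otherwise the two functions could still disagree while a caller is looping on tty_write_room().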