Date: Wed, 18 Mar 2026 08:02:55 -0000
From: "tip-bot2 for Andrei Vagin"
Sender: tip-bot2@linutronix.de
Reply-to: linux-kernel@vger.kernel.org
To: linux-tip-commits@vger.kernel.org
Subject: [tip: locking/core] locking/rwsem: Fix logic error in rwsem_del_waiter()
Cc: syzbot+3d2ff92c67127d337463@syzkaller.appspotmail.com, Andrei Vagin, "Peter Zijlstra (Intel)", x86@kernel.org, linux-kernel@vger.kernel.org
In-Reply-To: <20260314182607.3343346-1-avagin@google.com>
References: <20260314182607.3343346-1-avagin@google.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
Message-ID: <177382097549.1647592.8219974128268935080.tip-bot2@tip-bot2>
Robot-Unsubscribe: Contact to get blacklisted from these emails
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

The following commit has been merged into the locking/core branch of tip:

Commit-ID:     68bcd8b6e0b10d902f7fc8bf3f08f335f5d1640e
Gitweb:        https://git.kernel.org/tip/68bcd8b6e0b10d902f7fc8bf3f08f335f5d1640e
Author:        Andrei Vagin
AuthorDate:    Sat, 14 Mar 2026 18:26:07
Committer:     Peter Zijlstra
CommitterDate: Mon, 16 Mar 2026 13:16:48 +01:00

locking/rwsem: Fix logic error in rwsem_del_waiter()

Commit 1ea4b473504b ("locking/rwsem: Remove the list_head from struct
rw_semaphore") introduced a logic error in rwsem_del_waiter().

The root cause of this issue is an inconsistency in the return values of
__rwsem_del_waiter() and rwsem_del_waiter(). Specifically,
__rwsem_del_waiter() returns true when the wait list becomes empty,
whereas rwsem_del_waiter() is supposed to return true if the wait list
is NOT empty.

This caused a null pointer dereference in rwsem_mark_wake() because it
was being called when sem->first_waiter was NULL.

Fixes: 1ea4b473504b ("locking/rwsem: Remove the list_head from struct rw_semaphore")
Reported-by: syzbot+3d2ff92c67127d337463@syzkaller.appspotmail.com
Signed-off-by: Andrei Vagin
Signed-off-by: Peter Zijlstra (Intel) Tested-by: syzbot+3d2ff92c67127d337463@syzkaller.appspotmail.com Link: https://patch.msgid.link/20260314182607.3343346-1-avagin@google.com --- kernel/locking/rwsem.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/kernel/locking/rwsem.c b/kernel/locking/rwsem.c index ba4cb74..bf64709 100644 --- a/kernel/locking/rwsem.c +++ b/kernel/locking/rwsem.c @@ -370,7 +370,7 @@ bool __rwsem_del_waiter(struct rw_semaphore *sem, struc= t rwsem_waiter *waiter) { if (list_empty(&waiter->list)) { sem->first_waiter =3D NULL; - return true; + return false; } =20 if (sem->first_waiter =3D=3D waiter) { @@ -379,7 +379,7 @@ bool __rwsem_del_waiter(struct rw_semaphore *sem, struc= t rwsem_waiter *waiter) } list_del(&waiter->list); =20 - return false; + return true; } =20 /*
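Review bot: In the first hunk (@@ -370), the list_empty(&waiter->list) branch now returns false right after setting sem->first_waiter to NULL, but nothing visible in the diff documents what the bool result of __rwsem_del_waiter() means, and the commit message names that ambiguity as the root cause. Suggest a comment above the function stating the convention after this patch, for example "returns true if waiters remain on the list, false if the removed waiter was the last one and sem->first_waiter is now NULL", so the helper and rwsem_del_waiter() cannot drift apart again.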
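Review bot: In the second hunk (@@ -379), the final return after list_del(&waiter->list) flips from false to true, which inverts the result for every caller of __rwsem_del_waiter(), yet the diffstat shows only these two lines changed in kernel/locking/rwsem.c. The changelog should either state that rwsem_del_waiter() is the only user of the helper or list the other call sites and confirm they expect the new meaning, since a caller that still reads true as "list became empty" would go on to act on a NULL sem->first_waiter, the failure the commit message describes for rwsem_mark_wake().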