From nobody Mon Apr 6 20:28:34 2026 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id ACCF3261B8D for ; Wed, 18 Mar 2026 03:25:04 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=170.10.129.124 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1773804306; cv=none; b=IEshjVwTlKtm6smjYVrC/DEJqcmfemAIGF1SpaHH30b0tqXiUp/q7mniWLq/k+6kj8AoGChXmYJ8gKSZ+bSpZE1wWou9gVJJZJu7hr1ItSQPoViv1ysZB1o6fMlUyKDMoJgtto+fplXtUU6HJuwb2K+7ZmstklFp+oFtYGhVxsA= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1773804306; c=relaxed/simple; bh=FlVQBUs+jy9IRGfZoMXGWDikqm9AD/Wd1UO0txk8JIs=; h=From:To:Cc:Subject:Date:Message-ID:MIME-Version; b=Jnjho2BZg4XkC/advgfVkoebJq7XlzA4CN+5Owc3PdUHvSWGBU/mgnUa0eURxDDC336Iwwtt/+iiQtHBUGsRe2wYH9UJCXzVYdE4XnRRAReHoZmTOMBouEEQsE8FK8FrdGr+fhY+GYRFNRccsdBuXFp+2U/vYHDg+GdIT9wZz3I= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=redhat.com; spf=pass smtp.mailfrom=redhat.com; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b=DGkCWPQi; arc=none smtp.client-ip=170.10.129.124 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=redhat.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=redhat.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b="DGkCWPQi" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1773804303; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding; bh=uvVl4b5Is/pykGaP2ERim9FNEqNTmkE0OKUL9GSmwPI=; b=DGkCWPQik/vKThssPAThBvASXmsiWcacFOLl6hxks4PWaiCyPwaVlUNMKBRg6FuloJsYD6 9Fp3xBH2adpaKDcNtRkmfucH5Y8HWz8xVLnVw/nF3aEAbdHbs2uf6TD9tiy3Fkydzh7GXW OPimhedeTwWxqCYBKalFHePP23sWrTs= Received: from mx-prod-mc-03.mail-002.prod.us-west-2.aws.redhat.com (ec2-54-186-198-63.us-west-2.compute.amazonaws.com [54.186.198.63]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-537-q1Y_tjEMNruitEcDh2XMGQ-1; Tue, 17 Mar 2026 23:25:01 -0400 X-MC-Unique: q1Y_tjEMNruitEcDh2XMGQ-1 X-Mimecast-MFC-AGG-ID: q1Y_tjEMNruitEcDh2XMGQ_1773804300 Received: from mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com (mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.17]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mx-prod-mc-03.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id 231E61956062; Wed, 18 Mar 2026 03:25:00 +0000 (UTC) Received: from llong-thinkpadp16vgen1.westford.csb (unknown [10.22.80.24]) by mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTP id BB7DF1955F19; Wed, 18 Mar 2026 03:24:56 +0000 (UTC) From: Waiman Long To: Peter Zijlstra , Ingo Molnar , Will Deacon , Boqun Feng , "Matthew Wilcox (Oracle)" , Andrei Vagin Cc: linux-kernel@vger.kernel.org, Waiman Long , syzbot+3d2ff92c67127d337463@syzkaller.appspotmail.com Subject: [PATCH] locking/rwsem: Fix improper return value of __rwsem_del_waiter() Date: Tue, 17 Mar 2026 23:24:47 -0400 Message-ID: <20260318032447.1360709-1-longman@redhat.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-Scanned-By: MIMEDefang 3.0 on 10.30.177.17 Content-Type: text/plain; charset="utf-8" Commit 1ea4b473504b ("locking/rwsem: Remove the list_head from struct rw_semaphore") introduces a new __rwsem_del_waiter() which return true if the wait list is going to be empty after deletion and false otherwise. However this return value is the exact oppsite of the value returned by rwsem_del_waiter() and __rwsem_del_waiter() is used as if its return value matches that of rwsem_del_waiter(). This caused a null pointer dereference in rwsem_mark_wake() because it was being called when sem->first_waiter was NULL. Andrei sent a patch [1] to reverse the polarity of the return value to match that of rwsem_del_waiter() which can fix this bug. To make it better, I believe we should either put the same return value comment at the top of __rwsem_del_waiter() to make this clear or don't return a value at all. This patch adopts the later approach by making __rwsem_del_waiter() a void function and using rwsem_is_contended() to check if the wait list is empty or not. This will make the code more readable. Below is the size comparison of the gcc compiled rwsem.o object files. text data bss dec hex filename Before 6791 696 0 7487 1d3f kernel/locking/rwsem.o Andrei patch 6887 696 0 7583 1d9f kernel/locking/rwsem.o This patch 6823 696 0 7519 1d5f kernel/locking/rwsem.o So this patch isn't bad from the size perspective. [1] https://lore.kernel.org/lkml/20260314182607.3343346-1-avagin@google.com/ Reported-by: syzbot+3d2ff92c67127d337463@syzkaller.appspotmail.com Fixes: 1ea4b473504b ("locking/rwsem: Remove the list_head from struct rw_se= maphore") Signed-off-by: Waiman Long Acked-by: Andrei Vagin --- kernel/locking/rwsem.c | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/kernel/locking/rwsem.c b/kernel/locking/rwsem.c index ba4cb74de064..e8fee8cc933f 100644 --- a/kernel/locking/rwsem.c +++ b/kernel/locking/rwsem.c @@ -365,12 +365,12 @@ enum rwsem_wake_type { #define MAX_READERS_WAKEUP 0x100 =20 static inline -bool __rwsem_del_waiter(struct rw_semaphore *sem, struct rwsem_waiter *wai= ter) +void __rwsem_del_waiter(struct rw_semaphore *sem, struct rwsem_waiter *wai= ter) __must_hold(&sem->wait_lock) { if (list_empty(&waiter->list)) { sem->first_waiter =3D NULL; - return true; + return; } =20 if (sem->first_waiter =3D=3D waiter) { @@ -378,8 +378,6 @@ bool __rwsem_del_waiter(struct rw_semaphore *sem, struc= t rwsem_waiter *waiter) struct rwsem_waiter, list); } list_del(&waiter->list); - - return false; } =20 /* @@ -394,7 +392,8 @@ static inline bool rwsem_del_waiter(struct rw_semaphore *sem, struct rwsem_waiter *waiter) { lockdep_assert_held(&sem->wait_lock); - if (__rwsem_del_waiter(sem, waiter)) + __rwsem_del_waiter(sem, waiter); + if (rwsem_is_contended(sem)) return true; atomic_long_andnot(RWSEM_FLAG_HANDOFF | RWSEM_FLAG_WAITERS, &sem->count); return false; --=20 2.53.0