locking/rwsem: Fix logic error in rwsem_del_waiter()

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

Commit 1ea4b473504b ("locking/rwsem: Remove the list_head from struct
rw_semaphore") introduced a logic error in rwsem_del_waiter().

The root cause of this issue is an inconsistency in the return values of
__rwsem_del_waiter() and rwsem_del_waiter(). Specifically,
__rwsem_del_waiter() returns true when the wait list becomes empty,
whereas rwsem_del_waiter() is supposed to return true if the wait list
is NOT empty.

This caused a null pointer dereference in rwsem_mark_wake() because it
was being called when sem->first_waiter was NULL.

Fixes: 1ea4b473504b ("locking/rwsem: Remove the list_head from struct rw_semaphore")
Reported-by: syzbot+3d2ff92c67127d337463@syzkaller.appspotmail.com
Signed-off-by: Andrei Vagin <avagin@google.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Tested-by: syzbot+3d2ff92c67127d337463@syzkaller.appspotmail.com
Link: https://patch.msgid.link/20260314182607.3343346-1-avagin@google.com

authored by

Andrei Vagin and committed by

Peter Zijlstra 1 month ago 68bcd8b6 c5f59626

+2 -2

1 changed file

expand all

kernel

locking

rwsem.c

+2 -2

kernel/locking/rwsem.c

··· 370 370 { 371 371 if (list_empty(&waiter->list)) { 372 372 sem->first_waiter = NULL; 373 - return true; 373 + return false; 374 374 } 375 375 376 376 if (sem->first_waiter == waiter) { ··· 379 379 } 380 380 list_del(&waiter->list); 381 381 382 - return false; 382 + return true; 383 383 } 384 384 385 385 /*

Configure Feed

Configure Feed