locking/rwsem: Fix (possible) missed wakeup

mainline inclusion from mainline-5.0 commit e158488be27b category: bugfix bugzilla: 7210 CVE: NA ------------------------------------------------- Because wake_q_add() can imply an immediate wakeup (cmpxchg failure case), we must not rely on the wakeup being delayed. However, commit: e3851390 ("locking/rwsem: Rework zeroing reader waiter->task") relies on exactly that behaviour in that the wakeup must not happen until after we clear waiter->task. [ peterz: Added changelog. ] Signed-off-by: N Xie Yongji <xieyongji@baidu.com> Signed-off-by: N Zhang Yu <zhangyu31@baidu.com> Signed-off-by: N Peter Zijlstra (Intel) <peterz@infradead.org> Cc: Linus Torvalds <torvalds@linux-foundation.org> Cc: Peter Zijlstra <peterz@infradead.org> Cc: Thomas Gleixner <tglx@linutronix.de> Fixes: e3851390 ("locking/rwsem: Rework zeroing reader waiter->task") Link: https://lkml.kernel.org/r/1543495830-2644-1-git-send-email-xieyongji@baidu.comSigned-off-by: N Ingo Molnar <mingo@kernel.org> (cherry picked from commit e158488be27b157802753a59b336142dc0eb0380) Signed-off-by: N Xie XiuQi <xiexiuqi@huawei.com> Reviewed-by: N Cheng Jian <cj.chengjian@huawei.com> Signed-off-by: N Yang Yingliang <yangyingliang@huawei.com>

locking/rwsem: Fix (possible) missed wakeup
mainline inclusion from mainline-5.0 commit e158488be27b category: bugfix bugzilla: 7210 CVE: NA ------------------------------------------------- Because wake_q_add() can imply an immediate wakeup (cmpxchg failure case), we must not rely on the wakeup being delayed. However, commit: e3851390 ("locking/rwsem: Rework zeroing reader waiter->task") relies on exactly that behaviour in that the wakeup must not happen until after we clear waiter->task. [ peterz: Added changelog. ] Signed-off-by: N Xie Yongji <xieyongji@baidu.com> Signed-off-by: N Zhang Yu <zhangyu31@baidu.com> Signed-off-by: N Peter Zijlstra (Intel) <peterz@infradead.org> Cc: Linus Torvalds <torvalds@linux-foundation.org> Cc: Peter Zijlstra <peterz@infradead.org> Cc: Thomas Gleixner <tglx@linutronix.de> Fixes: e3851390 ("locking/rwsem: Rework zeroing reader waiter->task") Link: https://lkml.kernel.org/r/1543495830-2644-1-git-send-email-xieyongji@baidu.comSigned-off-by: N Ingo Molnar <mingo@kernel.org> (cherry picked from commit e158488be27b157802753a59b336142dc0eb0380) Signed-off-by: N Xie XiuQi <xiexiuqi@huawei.com> Reviewed-by: N Cheng Jian <cj.chengjian@huawei.com> Signed-off-by: N Yang Yingliang <yangyingliang@huawei.com>
5f24c443 · Xie Yongji · Xie XiuQi · 07244d26 · 5f24c443
隐藏空白更改
内联并排

Showing with 9 addition and 2 deletion

kernel/locking/rwsem-xadd.c kernel/locking/rwsem-xadd.c +9 -2

未找到文件。
--- a/kernel/locking/rwsem-xadd.c
+++ b/kernel/locking/rwsem-xadd.c
@@ -198,15 +198,22 @@ static void __rwsem_mark_wake(struct rw_semaphore *sem,
 		woken++;
 		tsk = waiter->task;
-		wake_q_add(wake_q, tsk);
+		get_task_struct(tsk);
 		list_del(&waiter->list);
 		/*
-		 * Ensure that the last operation is setting the reader
+		 * Ensure calling get_task_struct() before setting the reader
 		 * waiter to nil such that rwsem_down_read_failed() cannot
 		 * race with do_exit() by always holding a reference count
 		 * to the task to wakeup.
 		 */
 		smp_store_release(&waiter->task, NULL);
+		/*
+		 * Ensure issuing the wakeup (either by us or someone else)
+		 * after setting the reader waiter to nil.
+		 */
+		wake_q_add(wake_q, tsk);
+		/* wake_q_add() already take the task ref */
+		put_task_struct(tsk);
 	}
 	adjustment = woken * RWSEM_ACTIVE_READ_BIAS - adjustment;