In the Linux kernel, the following vulnerability has been resolved:
locking/qrwlock: Fix ordering in queued_write_lock_slowpath()
While this code is executed with the wait_lock held, a reader can
acquire the lock without holding wait_lock. The writer side loops
checking the value with the atomic_cond_read_acquire(), but only truly
acquires the lock when the compare-and-exchange is completed
successfully which isn’t ordered. This exposes the window between the
acquire and the cmpxchg to an A-B-A problem which allows reads
following the lock acquisition to observe values speculatively before
the write lock is truly acquired.
We've seen a problem in epoll where the reader does a xchg while
holding the read lock, but the writer can see a value change out from
under it.
Writer | Reader
--------------------------------------------------------------------------------
ep_scan_ready_list() |
|- write_lock_irq() |
|- queued_write_lock_slowpath() |
|- atomic_cond_read_acquire() |
| read_lock_irqsave(&ep->lock, flags);
--> (observes value before unlock) | chain_epi_lockless()
| | epi->next = xchg(&ep->ovflist, epi);
| | read_unlock_irqrestore(&ep->lock, flags);
| |
| atomic_cmpxchg_relaxed() |
|-- READ_ONCE(ep->ovflist); |
A core can order the read of the ovflist ahead of the
atomic_cmpxchg_relaxed(). Switching the cmpxchg to use acquire
semantics addresses this issue at which point the atomic_cond_read can
be switched to use relaxed semantics.
[peterz: use try_cmpxchg()]
References
Configurations
Configuration 1 (hide)
|
History
21 Nov 2024, 06:34
Type | Values Removed | Values Added |
---|---|---|
References | () https://git.kernel.org/stable/c/5902f9453a313be8fe78cbd7e7ca9dba9319fc6e - Patch | |
References | () https://git.kernel.org/stable/c/82808cc026811fbc3ecf0c0b267a12a339eead56 - Patch | |
References | () https://git.kernel.org/stable/c/82fa9ced35d88581cffa4a1c856fc41fca96d80a - Patch | |
References | () https://git.kernel.org/stable/c/84a24bf8c52e66b7ac89ada5e3cfbe72d65c1896 - Patch | |
References | () https://git.kernel.org/stable/c/d558fcdb17139728347bccc60a16af3e639649d2 - Patch |
10 Apr 2024, 13:39
Type | Values Removed | Values Added |
---|---|---|
CWE | CWE-668 | |
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 5.5 |
CPE | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | |
First Time |
Linux
Linux linux Kernel |
|
References | () https://git.kernel.org/stable/c/5902f9453a313be8fe78cbd7e7ca9dba9319fc6e - Patch | |
References | () https://git.kernel.org/stable/c/82808cc026811fbc3ecf0c0b267a12a339eead56 - Patch | |
References | () https://git.kernel.org/stable/c/82fa9ced35d88581cffa4a1c856fc41fca96d80a - Patch | |
References | () https://git.kernel.org/stable/c/84a24bf8c52e66b7ac89ada5e3cfbe72d65c1896 - Patch | |
References | () https://git.kernel.org/stable/c/d558fcdb17139728347bccc60a16af3e639649d2 - Patch |
27 Feb 2024, 14:20
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-02-27 10:15
Updated : 2024-11-21 06:34
NVD link : CVE-2021-46921
Mitre link : CVE-2021-46921
CVE.ORG link : CVE-2021-46921
JSON object : View
Products Affected
linux
- linux_kernel
CWE
CWE-668
Exposure of Resource to Wrong Sphere