Date: Wed, 18 Mar 2026 13:15:38 -0400
Subject: Re: [tip: locking/core] locking/rwsem: Fix logic error in rwsem_del_waiter()
To: Andrei Vagin, linux-kernel@vger.kernel.org
Cc: linux-tip-commits@vger.kernel.org, syzbot+3d2ff92c67127d337463@syzkaller.appspotmail.com, "Peter Zijlstra (Intel)", x86@kernel.org
From: Waiman Long

On 3/18/26 12:49 PM, Andrei Vagin wrote:
> On Wed, Mar 18, 2026 at 1:02 AM tip-bot2 for Andrei Vagin
> wrote:
>> The following commit has been merged into the locking/core branch of tip:
> Peter, Waiman sent another version of this fix:
> https://lkml.org/lkml/2026/3/17/2474
> I think we need to consider taking that one instead of this one.

That is fine. It may be easier for me to send another patch on top of
the current locking/core branch.

Cheers,
Longman

>
> Thanks,
> Andrei
>
>> Commit-ID: 68bcd8b6e0b10d902f7fc8bf3f08f335f5d1640e
>> Gitweb: https://git.kernel.org/tip/68bcd8b6e0b10d902f7fc8bf3f08f335f5d1640e
>> Author: Andrei Vagin
>> AuthorDate: Sat, 14 Mar 2026 18:26:07
>> Committer: Peter Zijlstra
>> CommitterDate: Mon, 16 Mar 2026 13:16:48 +01:00
>>
>> locking/rwsem: Fix logic error in rwsem_del_waiter()
>>
>> Commit 1ea4b473504b ("locking/rwsem: Remove the list_head from struct
>> rw_semaphore") introduced a logic error in rwsem_del_waiter().
>>
>> The root cause of this issue is an inconsistency in the return values of
>> __rwsem_del_waiter() and rwsem_del_waiter(). Specifically,
>> __rwsem_del_waiter() returns true when the wait list becomes empty,
>> whereas rwsem_del_waiter() is supposed to return true if the wait list
>> is NOT empty.
>>
>> This caused a null pointer dereference in rwsem_mark_wake() because it
>> was being called when sem->first_waiter was NULL.
>>
>> Fixes: 1ea4b473504b ("locking/rwsem: Remove the list_head from struct rw_semaphore")
>> Reported-by: syzbot+3d2ff92c67127d337463@syzkaller.appspotmail.com
>> Signed-off-by: Andrei Vagin
>> Signed-off-by: Peter Zijlstra (Intel) >> Tested-by: syzbot+3d2ff92c67127d337463@syzkaller.appspotmail.com >> Link: https://patch.msgid.link/20260314182607.3343346-1-avagin@google.com >> --- >> kernel/locking/rwsem.c | 4 ++-- >> 1 file changed, 2 insertions(+), 2 deletions(-) >> >> diff --git a/kernel/locking/rwsem.c b/kernel/locking/rwsem.c >> index ba4cb74..bf64709 100644 >> --- a/kernel/locking/rwsem.c >> +++ b/kernel/locking/rwsem.c >> @@ -370,7 +370,7 @@ bool __rwsem_del_waiter(struct rw_semaphore *sem, struct rwsem_waiter *waiter) >> { >> if (list_empty(&waiter->list)) { >> sem->first_waiter = NULL; >> - return true; >> + return false; >> } >> >> if (sem->first_waiter == waiter) { >> @@ -379,7 +379,7 @@ bool __rwsem_del_waiter(struct rw_semaphore *sem, struct rwsem_waiter *waiter) >> } >> list_del(&waiter->list); >> >> - return false; >> + return true; >> } >> >> /*
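Review bot: the new `return false` in the `list_empty(&waiter->list)` branch (hunk at -370) flips the meaning of __rwsem_del_waiter()'s return value for every caller, yet the diffstat shows only the two return lines changing. Per the commit message the helper previously returned true when the wait list became empty, so any caller other than rwsem_del_waiter() that still tests the result with that meaning is now inverted. Either name the audited callers in the changelog, or leave the helper's contract alone and negate its result inside rwsem_del_waiter().

Review bot: the final `return true` after `list_del(&waiter->list)` (hunk at -379) still carries no statement of what true means, which is the ambiguity the commit message identifies as the root cause. Add a comment above __rwsem_del_waiter() saying it returns true when waiters remain and false when sem->first_waiter has been set to NULL, so a later change does not reintroduce a path where rwsem_mark_wake() runs with sem->first_waiter == NULL.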