In the Linux kernel, the following vulnerability has been resolved:
locking/qrwlock: Fix ordering in queued_write_lock_slowpath()
While this code is executed with the wait_lock held, a reader can
acquire the lock without holding wait_lock. The writer side loops
checking the value with the atomic_cond_read_acquire(), but only truly
acquires the lock when the compare-and-exchange is completed
successfully which isnβt ordered. This exposes the window between the
acquire and the cmpxchg to an A-B-A problem which allows reads
following the lock acquisition to observe values speculatively before
the write lock is truly acquired.
Weβve seen a problem in epoll where the reader does a xchg while
holding the read lock, but the writer can see a value change out from
under it.
ep_scan_ready_list() |
|- write_lock_irq() |
|- queued_write_lock_slowpath() |
|- atomic_cond_read_acquire() |
| read_lock_irqsave(&ep->lock, flags);
β> (observes value before unlock) | chain_epi_lockless()
| | epi->next = xchg(&ep->ovflist, epi);
| | read_unlock_irqrestore(&ep->lock, flags);
| |
| atomic_cmpxchg_relaxed() |
|-- READ_ONCE(ep->ovflist); |
A core can order the read of the ovflist ahead of the
atomic_cmpxchg_relaxed(). Switching the cmpxchg to use acquire
semantics addresses this issue at which point the atomic_cond_read can
be switched to use relaxed semantics.
[peterz: use try_cmpxchg()]
[
{
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"product": "Linux",
"versions": [
{
"status": "affected",
"version": "b519b56e378e",
"lessThan": "5902f9453a31",
"versionType": "git"
},
{
"status": "affected",
"version": "b519b56e378e",
"lessThan": "82808cc02681",
"versionType": "git"
},
{
"status": "affected",
"version": "b519b56e378e",
"lessThan": "82fa9ced35d8",
"versionType": "git"
},
{
"status": "affected",
"version": "b519b56e378e",
"lessThan": "d558fcdb1713",
"versionType": "git"
},
{
"status": "affected",
"version": "b519b56e378e",
"lessThan": "84a24bf8c52e",
"versionType": "git"
}
],
"programFiles": [
"kernel/locking/qrwlock.c"
],
"defaultStatus": "unaffected"
},
{
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"product": "Linux",
"versions": [
{
"status": "affected",
"version": "4.15"
},
{
"status": "unaffected",
"version": "0",
"lessThan": "4.15",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "4.19.189",
"versionType": "custom",
"lessThanOrEqual": "4.19.*"
},
{
"status": "unaffected",
"version": "5.4.115",
"versionType": "custom",
"lessThanOrEqual": "5.4.*"
},
{
"status": "unaffected",
"version": "5.10.33",
"versionType": "custom",
"lessThanOrEqual": "5.10.*"
},
{
"status": "unaffected",
"version": "5.11.17",
"versionType": "custom",
"lessThanOrEqual": "5.11.*"
},
{
"status": "unaffected",
"version": "5.12",
"versionType": "original_commit_for_fix",
"lessThanOrEqual": "*"
}
],
"programFiles": [
"kernel/locking/qrwlock.c"
],
"defaultStatus": "affected"
}
]
git.kernel.org/stable/c/5902f9453a313be8fe78cbd7e7ca9dba9319fc6e
git.kernel.org/stable/c/82808cc026811fbc3ecf0c0b267a12a339eead56
git.kernel.org/stable/c/82fa9ced35d88581cffa4a1c856fc41fca96d80a
git.kernel.org/stable/c/84a24bf8c52e66b7ac89ada5e3cfbe72d65c1896
git.kernel.org/stable/c/d558fcdb17139728347bccc60a16af3e639649d2