[PATCH] locking/rwsem: Fix logic error in rwsem_del_waiter()

Next message: Mark Pearson: "Re: [PATCH] platform/x86: lenovo: wmi-gamezone: Drop gz_chain_head"
Previous message: Eric Biggers: "Re: [PATCH] ima: remove buggy support for asynchronous hashes"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Andrei Vagin

Date: Sat Mar 14 2026 - 14:26:26 EST

Commit 1ea4b473504b ("locking/rwsem: Remove the list_head from struct
rw_semaphore") introduced a logic error in rwsem_del_waiter().

The root cause of this issue is an inconsistency in the return values of
__rwsem_del_waiter() and rwsem_del_waiter(). Specifically,
__rwsem_del_waiter() returns true when the wait list becomes empty,
whereas rwsem_del_waiter() is supposed to return true if the wait list
is NOT empty.

This caused a null pointer dereference in rwsem_mark_wake() because it
was being called when sem->first_waiter was NULL.

Cc: Matthew Wilcox (Oracle) <willy@xxxxxxxxxxxxx>
Reported-by: syzbot+3d2ff92c67127d337463@xxxxxxxxxxxxxxxxxxxxxxxxx
Tested-by: syzbot+3d2ff92c67127d337463@xxxxxxxxxxxxxxxxxxxxxxxxx
Fixes: 1ea4b473504b ("locking/rwsem: Remove the list_head from struct rw_semaphore")
Signed-off-by: Andrei Vagin <avagin@xxxxxxxxxx>
---
kernel/locking/rwsem.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/kernel/locking/rwsem.c b/kernel/locking/rwsem.c
index ba4cb74de064..bf647097369c 100644
--- a/kernel/locking/rwsem.c
+++ b/kernel/locking/rwsem.c
@@ -370,7 +370,7 @@ bool __rwsem_del_waiter(struct rw_semaphore *sem, struct rwsem_waiter *waiter)
{
if (list_empty(&waiter->list)) {
sem->first_waiter = NULL;
- return true;
+ return false;
}

if (sem->first_waiter == waiter) {
@@ -379,7 +379,7 @@ bool __rwsem_del_waiter(struct rw_semaphore *sem, struct rwsem_waiter *waiter)
}
list_del(&waiter->list);

- return false;
+ return true;
}

/*
--
2.53.0.851.ga537e3e6e9-goog