Received: by 2002:a05:6a10:17d3:0:0:0:0 with SMTP id hz19csp823797pxb;
        Thu, 15 Apr 2021 07:27:45 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJyKXsaQVOiCiD6ekxzgcounLIIGd2l76v3B+59R2cIV+owzWzSXG6SN+aNgq+PQ65kSk390
X-Received: by 2002:a17:906:6bd3:: with SMTP id t19mr3832666ejs.232.1618496865671;
        Thu, 15 Apr 2021 07:27:45 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1618496865; cv=none;
        d=google.com; s=arc-20160816;
        b=u8fsN0AF4dscaKj72+TXMeRIBu5z4Fsf4052JU6S1m6QwuTX3pjShSW4QyQ9kKpZmo
         Z/cieWRLjfatMjZELnBC21dbukf9kvL2M1peAb9SxQW8K3KBQv0JnBiN3HVU6I+li9an
         IWgwU/62gTF3TiMSlkkeqCId66w68On2gncnK5dBZ+BoMTQyjvY78oUoWsIDacp5y5NN
         dnX9eoBJGqaLsZ7AzLzvH526ME0qapzmKTjNz1SEvHcDU2j4CRRzqDAhaVPkEkKg3G2z
         sYGmu35tNSWK90lszO0ldqTWeTqgnzRibEOjPgrlO3vbvjihPDs7ZQwagVlMGDWk9DUA
         1ZOA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :message-id:date:subject:cc:to:from:dkim-signature;
        bh=IYYHQjQUEYAY07onLm8+SW69KoZR6LGzsTny098YXCM=;
        b=ANxRA8VEGC71zFS0OuEhjooEIg7HnY8ORIrZdjIprcawS99o9zPd4u/hN96C+p7rpb
         +iqi+r6F7rTMnQenGakqENiYIpyVqvHDF4OkKvUjd7REsnfUlXEeke0BgPl48eUdNOtR
         /ss5n23uarUSmfqHFBwRksBVM+p72EL6Gkd0Ig7WNJqpKLwiw4TTPKv1MdGZmrkXpoB0
         kvWKSoWgkOy/TFgCelNxtp9qEJXH4UbWzoyc7GsBY+c2Ib7yCMXuoHFYu5d75aUhWTvm
         nVCKFjhOWn24MeC7ilwhw4j4PbtVSHLhxXgWDDXk7FvoabbWRnH3ittcI5cupY5wELgW
         lpmg==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@amazon.com header.s=amazon201209 header.b=pkywBVSS;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=amazon.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id e6si2582997edz.445.2021.04.15.07.27.22;
        Thu, 15 Apr 2021 07:27:45 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@amazon.com header.s=amazon201209 header.b=pkywBVSS;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=amazon.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S233395AbhDOO0r (ORCPT <rfc822;liruijie0318@gmail.com>
        + 99 others); Thu, 15 Apr 2021 10:26:47 -0400
Received: from smtp-fw-6001.amazon.com ([52.95.48.154]:8912 "EHLO
        smtp-fw-6001.amazon.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S230056AbhDOO0p (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 15 Apr 2021 10:26:45 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
  d=amazon.com; i=@amazon.com; q=dns/txt; s=amazon201209;
  t=1618496783; x=1650032783;
  h=from:to:cc:subject:date:message-id:mime-version:
   content-transfer-encoding;
  bh=IYYHQjQUEYAY07onLm8+SW69KoZR6LGzsTny098YXCM=;
  b=pkywBVSSCtzez1EwimJgHNgqqyUseCYCUr2FgrOofQdfsBYBpZUSHMZY
   J/0rss4MsxurG6wYT2euQxNcZNwY2GOHQftiy2epJ+3pCB38pU0yKlDJQ
   okTstUqtUdYQgkJR3crt7VSL8y5sgHpeEjjBVgWdYuJxj+K7Xic3vnokG
   Q=;
X-IronPort-AV: E=Sophos;i="5.82,225,1613433600"; 
   d="scan'208";a="107687805"
Received: from iad12-co-svc-p1-lb1-vlan2.amazon.com (HELO email-inbound-relay-1e-303d0b0e.us-east-1.amazon.com) ([10.43.8.2])
  by smtp-border-fw-out-6001.iad6.amazon.com with ESMTP; 15 Apr 2021 14:26:22 +0000
Received: from EX13MTAUWB001.ant.amazon.com (iad12-ws-svc-p26-lb9-vlan3.iad.amazon.com [10.40.163.38])
        by email-inbound-relay-1e-303d0b0e.us-east-1.amazon.com (Postfix) with ESMTPS id C7BC0A1E7F;
        Thu, 15 Apr 2021 14:26:18 +0000 (UTC)
Received: from EX13D02UWB002.ant.amazon.com (10.43.161.160) by
 EX13MTAUWB001.ant.amazon.com (10.43.161.207) with Microsoft SMTP Server (TLS)
 id 15.0.1497.2; Thu, 15 Apr 2021 14:26:17 +0000
Received: from EX13MTAUWB001.ant.amazon.com (10.43.161.207) by
 EX13D02UWB002.ant.amazon.com (10.43.161.160) with Microsoft SMTP Server (TLS)
 id 15.0.1497.2; Thu, 15 Apr 2021 14:26:17 +0000
Received: from dev-dsk-alisaidi-i31e-9f3421fe.us-east-1.amazon.com
 (10.200.138.153) by mail-relay.amazon.com (10.43.161.249) with Microsoft SMTP
 Server id 15.0.1497.2 via Frontend Transport; Thu, 15 Apr 2021 14:26:17 +0000
Received: by dev-dsk-alisaidi-i31e-9f3421fe.us-east-1.amazon.com (Postfix, from userid 5131138)
        id 65A02228E4; Thu, 15 Apr 2021 14:26:17 +0000 (UTC)
From:   Ali Saidi <alisaidi@amazon.com>
To:     <linux-kernel@vger.kernel.org>
CC:     <alisaidi@amazon.com>, <catalin.marinas@arm.com>,
        <steve.capper@arm.com>, <benh@kernel.crashing.org>,
        <stable@vger.kernel.org>, Peter Zijlstra <peterz@infradead.org>,
        Ingo Molnar <mingo@redhat.com>, Will Deacon <will@kernel.org>,
        Waiman Long <longman@redhat.com>,
        Boqun Feng <boqun.feng@gmail.com>
Subject: [PATCH] locking/qrwlock: Fix ordering in queued_write_lock_slowpath
Date:   Thu, 15 Apr 2021 14:25:52 +0000
Message-ID: <20210415142552.30916-1-alisaidi@amazon.com>
X-Mailer: git-send-email 2.24.4.AMZN
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

While this code is executed with the wait_lock held, a reader can
acquire the lock without holding wait_lock.  The writer side loops
checking the value with the atomic_cond_read_acquire(), but only truly
acquires the lock when the compare-and-exchange is completed
successfully which isn’t ordered. The other atomic operations from this
point are release-ordered and thus reads after the lock acquisition can
be completed before the lock is truly acquired which violates the
guarantees the lock should be making.

Fixes: b519b56e378ee ("locking/qrwlock: Use atomic_cond_read_acquire() when spinning in qrwloc")
Signed-off-by: Ali Saidi <alisaidi@amazon.com>
Cc: stable@vger.kernel.org
---
 kernel/locking/qrwlock.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/kernel/locking/qrwlock.c b/kernel/locking/qrwlock.c
index 4786dd271b45..10770f6ac4d9 100644
--- a/kernel/locking/qrwlock.c
+++ b/kernel/locking/qrwlock.c
@@ -73,8 +73,8 @@ void queued_write_lock_slowpath(struct qrwlock *lock)
 
 	/* When no more readers or writers, set the locked flag */
 	do {
-		atomic_cond_read_acquire(&lock->cnts, VAL == _QW_WAITING);
-	} while (atomic_cmpxchg_relaxed(&lock->cnts, _QW_WAITING,
+		atomic_cond_read_relaxed(&lock->cnts, VAL == _QW_WAITING);
+	} while (atomic_cmpxchg_acquire(&lock->cnts, _QW_WAITING,
 					_QW_LOCKED) != _QW_WAITING);
 unlock:
 	arch_spin_unlock(&lock->wait_lock);
-- 
2.24.4.AMZN