{"id":"CVE-2021-46921","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nlocking/qrwlock: Fix ordering in queued_write_lock_slowpath()\n\nWhile this code is executed with the wait_lock held, a reader can\nacquire the lock without holding wait_lock.  The writer side loops\nchecking the value with the atomic_cond_read_acquire(), but only truly\nacquires the lock when the compare-and-exchange is completed\nsuccessfully which isn’t ordered. This exposes the window between the\nacquire and the cmpxchg to an A-B-A problem which allows reads\nfollowing the lock acquisition to observe values speculatively before\nthe write lock is truly acquired.\n\nWe've seen a problem in epoll where the reader does a xchg while\nholding the read lock, but the writer can see a value change out from\nunder it.\n\n  Writer                                | Reader\n  --------------------------------------------------------------------------------\n  ep_scan_ready_list()                  |\n  |- write_lock_irq()                   |\n      |- queued_write_lock_slowpath()   |\n\t|- atomic_cond_read_acquire()   |\n\t\t\t\t        | read_lock_irqsave(&ep-\u003elock, flags);\n     --\u003e (observes value before unlock) |  chain_epi_lockless()\n     |                                  |    epi-\u003enext = xchg(&ep-\u003eovflist, epi);\n     |                                  | read_unlock_irqrestore(&ep-\u003elock, flags);\n     |                                  |\n     |     atomic_cmpxchg_relaxed()     |\n     |-- READ_ONCE(ep-\u003eovflist);        |\n\nA core can order the read of the ovflist ahead of the\natomic_cmpxchg_relaxed(). Switching the cmpxchg to use acquire\nsemantics addresses this issue at which point the atomic_cond_read can\nbe switched to use relaxed semantics.\n\n[peterz: use try_cmpxchg()]","modified":"2026-03-15T14:09:16.017220Z","published":"2024-02-27T10:15:06.990Z","related":["SUSE-SU-2024:0925-1","SUSE-SU-2024:0975-1","SUSE-SU-2024:0976-1","SUSE-SU-2024:1454-1","SUSE-SU-2024:1465-1","SUSE-SU-2024:1489-1"],"references":[{"type":"FIX","url":"https://git.kernel.org/stable/c/5902f9453a313be8fe78cbd7e7ca9dba9319fc6e"},{"type":"FIX","url":"https://git.kernel.org/stable/c/82808cc026811fbc3ecf0c0b267a12a339eead56"},{"type":"FIX","url":"https://git.kernel.org/stable/c/82fa9ced35d88581cffa4a1c856fc41fca96d80a"},{"type":"FIX","url":"https://git.kernel.org/stable/c/84a24bf8c52e66b7ac89ada5e3cfbe72d65c1896"},{"type":"FIX","url":"https://git.kernel.org/stable/c/d558fcdb17139728347bccc60a16af3e639649d2"}],"affected":[{"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-46921.json","unresolved_ranges":[{"events":[{"introduced":"4.15.0"},{"fixed":"4.19.189"}]},{"events":[{"introduced":"4.20.0"},{"fixed":"5.4.115"}]},{"events":[{"introduced":"5.5.0"},{"fixed":"5.10.33"}]},{"events":[{"introduced":"5.11.0"},{"fixed":"5.11.17"}]}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"}]}