The rwsem code overloads the owner field with either a task struct or
negative magic numbers. Add a quick hack to catch these negative
values early on. Without this spinning on a writer that replaced the
owner with RWSEM_OWNER_UNKNOWN, rwsem_spin_on_owner can crash while
deferencing the task_struct ->on_cpu field of a -8 value.
XXX: This might be a bit of a hack as the code otherwise doesn't use
the ERR_PTR family macros, better suggestions welcome.
Signed-off-by: Christoph Hellwig <hch@xxxxxx>
---
kernel/locking/rwsem.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/kernel/locking/rwsem.c b/kernel/locking/rwsem.c
index 44e68761f432..6adc719a30a1 100644
--- a/kernel/locking/rwsem.c
+++ b/kernel/locking/rwsem.c
@@ -725,6 +725,8 @@ rwsem_spin_on_owner(struct rw_semaphore *sem, unsigned long nonspinnable)
state = rwsem_owner_state(owner, flags, nonspinnable);
if (state != OWNER_WRITER)
return state;
+ if (IS_ERR(owner))
+ return state;
rcu_read_lock();
for (;;) {
--
2.24.1
