[PATCH openEuler-1.0-LTS] rtmutex: Drop rt_mutex::wait_lock before scheduling - Kernel

30 Sep 2024

From: Roland Xu mu001999@outlook.com
stable inclusion
from stable-v4.19.322
commit 432efdbe7da5ecfcbc0c2180cfdbab1441752a38
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAU9M4
CVE: CVE-2024-46829
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=...
--------------------------------
commit d33d26036a0274b472299d7dcdaa5fb34329f91b upstream.
rt_mutex_handle_deadlock() is called with rt_mutex::wait_lock held.  In the
good case it returns with the lock held and in the deadlock case it emits a
warning and goes into an endless scheduling loop with the lock held, which
triggers the 'scheduling in atomic' warning.
Unlock rt_mutex::wait_lock in the dead lock case before issuing the warning
and dropping into the schedule for ever loop.
[ tglx: Moved unlock before the WARN(), removed the pointless comment,
    massaged changelog, added Fixes tag ]
Fixes: 3d5c9340d194 ("rtmutex: Handle deadlock detection smarter")
Signed-off-by: Roland Xu mu001999@outlook.com
Signed-off-by: Thomas Gleixner tglx@linutronix.de
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/all/ME0P300MB063599BEF0743B8FA339C2CECC802@ME0P300MB...
Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
Signed-off-by: Xiongfeng Wang wangxiongfeng2@huawei.com
---
 kernel/locking/rtmutex.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/kernel/locking/rtmutex.c b/kernel/locking/rtmutex.c
index 861e14ce1956..dffa14dee033 100644
--- a/kernel/locking/rtmutex.c
+++ b/kernel/locking/rtmutex.c
@@ -1241,6 +1241,7 @@ __rt_mutex_slowlock(struct rt_mutex *lock, int state,
 }
static void rt_mutex_handle_deadlock(int res, int detect_deadlock,
+				     struct rt_mutex *lock,
    			     struct rt_mutex_waiter *w)
 {
    /*
@@ -1250,6 +1251,7 @@ static void rt_mutex_handle_deadlock(int res, int detect_deadlock,
    if (res != -EDEADLOCK || detect_deadlock)
    	return;
+	raw_spin_unlock_irq(&lock->wait_lock);
    /*
     * Yell lowdly and stop the task right here.
     */
@@ -1305,7 +1307,7 @@ rt_mutex_slowlock(struct rt_mutex *lock, int state,
    if (unlikely(ret)) {
    	__set_current_state(TASK_RUNNING);
    	remove_waiter(lock, &waiter);
-		rt_mutex_handle_deadlock(ret, chwalk, &waiter);
+		rt_mutex_handle_deadlock(ret, chwalk, lock, &waiter);
    }
/*
-- 
2.20.1


    