{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2021-46921","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2024-02-25T13:45:52.719Z","datePublished":"2024-02-27T09:36:26.461Z","dateUpdated":"2025-05-04T07:00:23.829Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2025-05-04T07:00:23.829Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nlocking/qrwlock: Fix ordering in queued_write_lock_slowpath()\n\nWhile this code is executed with the wait_lock held, a reader can\nacquire the lock without holding wait_lock.  The writer side loops\nchecking the value with the atomic_cond_read_acquire(), but only truly\nacquires the lock when the compare-and-exchange is completed\nsuccessfully which isn’t ordered. This exposes the window between the\nacquire and the cmpxchg to an A-B-A problem which allows reads\nfollowing the lock acquisition to observe values speculatively before\nthe write lock is truly acquired.\n\nWe've seen a problem in epoll where the reader does a xchg while\nholding the read lock, but the writer can see a value change out from\nunder it.\n\n  Writer                                | Reader\n  --------------------------------------------------------------------------------\n  ep_scan_ready_list()                  |\n  |- write_lock_irq()                   |\n      |- queued_write_lock_slowpath()   |\n\t|- atomic_cond_read_acquire()   |\n\t\t\t\t        | read_lock_irqsave(&ep->lock, flags);\n     --> (observes value before unlock) |  chain_epi_lockless()\n     |                                  |    epi->next = xchg(&ep->ovflist, epi);\n     |                                  | read_unlock_irqrestore(&ep->lock, flags);\n     |                                  |\n     |     atomic_cmpxchg_relaxed()     |\n     |-- READ_ONCE(ep->ovflist);        |\n\nA core can order the read of the ovflist ahead of the\natomic_cmpxchg_relaxed(). Switching the cmpxchg to use acquire\nsemantics addresses this issue at which point the atomic_cond_read can\nbe switched to use relaxed semantics.\n\n[peterz: use try_cmpxchg()]"}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["kernel/locking/qrwlock.c"],"versions":[{"version":"b519b56e378ee82caf9b079b04f5db87dedc3251","lessThan":"5902f9453a313be8fe78cbd7e7ca9dba9319fc6e","status":"affected","versionType":"git"},{"version":"b519b56e378ee82caf9b079b04f5db87dedc3251","lessThan":"82808cc026811fbc3ecf0c0b267a12a339eead56","status":"affected","versionType":"git"},{"version":"b519b56e378ee82caf9b079b04f5db87dedc3251","lessThan":"82fa9ced35d88581cffa4a1c856fc41fca96d80a","status":"affected","versionType":"git"},{"version":"b519b56e378ee82caf9b079b04f5db87dedc3251","lessThan":"d558fcdb17139728347bccc60a16af3e639649d2","status":"affected","versionType":"git"},{"version":"b519b56e378ee82caf9b079b04f5db87dedc3251","lessThan":"84a24bf8c52e66b7ac89ada5e3cfbe72d65c1896","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["kernel/locking/qrwlock.c"],"versions":[{"version":"4.15","status":"affected"},{"version":"0","lessThan":"4.15","status":"unaffected","versionType":"semver"},{"version":"4.19.189","lessThanOrEqual":"4.19.*","status":"unaffected","versionType":"semver"},{"version":"5.4.115","lessThanOrEqual":"5.4.*","status":"unaffected","versionType":"semver"},{"version":"5.10.33","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.11.17","lessThanOrEqual":"5.11.*","status":"unaffected","versionType":"semver"},{"version":"5.12","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.15","versionEndExcluding":"4.19.189"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.15","versionEndExcluding":"5.4.115"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.15","versionEndExcluding":"5.10.33"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.15","versionEndExcluding":"5.11.17"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.15","versionEndExcluding":"5.12"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/5902f9453a313be8fe78cbd7e7ca9dba9319fc6e"},{"url":"https://git.kernel.org/stable/c/82808cc026811fbc3ecf0c0b267a12a339eead56"},{"url":"https://git.kernel.org/stable/c/82fa9ced35d88581cffa4a1c856fc41fca96d80a"},{"url":"https://git.kernel.org/stable/c/d558fcdb17139728347bccc60a16af3e639649d2"},{"url":"https://git.kernel.org/stable/c/84a24bf8c52e66b7ac89ada5e3cfbe72d65c1896"}],"title":"locking/qrwlock: Fix ordering in queued_write_lock_slowpath()","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"id":"CVE-2021-46921","role":"CISA Coordinator","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"version":"2.0.3","timestamp":"2024-02-27T16:11:46.310286Z"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2024-07-05T17:22:01.427Z"}},{"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-08-04T05:17:42.848Z"},"title":"CVE Program Container","references":[{"url":"https://git.kernel.org/stable/c/5902f9453a313be8fe78cbd7e7ca9dba9319fc6e","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/82808cc026811fbc3ecf0c0b267a12a339eead56","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/82fa9ced35d88581cffa4a1c856fc41fca96d80a","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/d558fcdb17139728347bccc60a16af3e639649d2","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/84a24bf8c52e66b7ac89ada5e3cfbe72d65c1896","tags":["x_transferred"]}]}]}}