The vulnerability resides in the Linux kernel's queued write lock slowpath, specifically in the ordering of its atomic operations. When a writer acquires the lock via `queued_write_lock_slowpath()`, it loops with `atomic_cond_read_acquire()` until the counter shows only its own waiting flag, but it only truly acquires the lock when the subsequent compare-and-exchange (cmpxchg) succeeds. Because the acquire ordering sits on the polling read rather than on the cmpxchg, there is a window between the two that is open to an A-B-A problem: loads that follow the lock acquisition can be satisfied speculatively before the write lock is actually held.
This can lead to issues like the one observed in epoll, where a reader performs an exchange while holding the read lock, yet the writer can see the value change out from under it. The fix moves the acquire semantics onto the cmpxchg, which closes the window and in turn allows the `atomic_cond_read` to be relaxed.
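To make the ordering concrete, the following is an added userspace model of the write-side slowpath written with C11 atomics; it is not the kernel's code, and the `model_` names, the pthread mutex standing in for `wait_lock`, and the counter layout mirroring the kernel's `_QW_WAITING`/`_QW_LOCKED`/`_QR_BIAS` constants are assumptions of the model. The `fixed` flag selects where the acquire ordering sits, so the pre-fix and post-fix placements can be read side by side.

```c
/* Userspace model of the kernel's queued write-lock slowpath (C11 atomics, added example). */
#include <stdatomic.h>
#include <stdbool.h>
#include <pthread.h>
#include <sched.h>
#define QW_WAITING 0x100u  /* mirrors _QW_WAITING: a writer is queued      */
#define QW_LOCKED  0x0ffu  /* mirrors _QW_LOCKED:  a writer holds the lock */
#define QW_WMASK   0x1ffu  /* mirrors _QW_WMASK:   either writer bit set   */
#define QR_BIAS    0x200u  /* mirrors _QR_BIAS:    one reader reference    */
struct model_qrwlock { atomic_uint cnts; pthread_mutex_t wait_lock; };
static void model_read_lock(struct model_qrwlock *l) {
    for (;;) {   /* readers back off whenever a writer is queued or holds the lock */
        if (!(atomic_fetch_add_explicit(&l->cnts, QR_BIAS, memory_order_acquire) & QW_WMASK))
            return;
        atomic_fetch_sub_explicit(&l->cnts, QR_BIAS, memory_order_relaxed);
        while (atomic_load_explicit(&l->cnts, memory_order_relaxed) & QW_WMASK) sched_yield();
    }
}
static void model_read_unlock(struct model_qrwlock *l) { atomic_fetch_sub_explicit(&l->cnts, QR_BIAS, memory_order_release); }
/* fixed=false mirrors the pre-fix placement: acquire on the wait-loop load, relaxed cmpxchg, leaving
 * the A-B-A window between them. fixed=true mirrors the fix: relaxed wait-loop load, acquire on the
 * cmpxchg that actually takes the lock, so later loads cannot be reordered before the exchange. */
static void model_write_lock(struct model_qrwlock *l, bool fixed) {
    memory_order wait_mo = fixed ? memory_order_relaxed : memory_order_acquire;
    memory_order cas_mo  = fixed ? memory_order_acquire : memory_order_relaxed;
    unsigned c = 0;
    if (atomic_compare_exchange_strong_explicit(&l->cnts, &c, QW_LOCKED,
                                                memory_order_acquire, memory_order_relaxed))
        return;                               /* fast path: lock was completely free */
    pthread_mutex_lock(&l->wait_lock);        /* wait_lock: one queued writer at a time */
    atomic_fetch_add_explicit(&l->cnts, QW_WAITING, memory_order_relaxed);
    do {                                      /* wait until only our WAITING flag remains */
        do c = atomic_load_explicit(&l->cnts, wait_mo); while (c != QW_WAITING);
    } while (!atomic_compare_exchange_weak_explicit(&l->cnts, &c, QW_LOCKED,
                                                    cas_mo, memory_order_relaxed));
    pthread_mutex_unlock(&l->wait_lock);
}
static void model_write_unlock(struct model_qrwlock *l) { atomic_fetch_sub_explicit(&l->cnts, QW_LOCKED, memory_order_release); }
/* Stress: writers bump two counters together, readers check they never diverge. Both orderings
 * pass on x86 (TSO); the window only opens on weakly ordered hardware, hence an ordering fix. */
static struct model_qrwlock g_lock = { 0, PTHREAD_MUTEX_INITIALIZER };
static long g_a, g_b; static bool g_fixed; static atomic_long g_mismatch;
static void *writer(void *x) { for (int i = 0; i < 10000; i++) { model_write_lock(&g_lock, g_fixed); g_a++; g_b++; model_write_unlock(&g_lock); } return x; }
static void *reader(void *x) { for (int i = 0; i < 10000; i++) { model_read_lock(&g_lock); if (g_a != g_b) g_mismatch++; model_read_unlock(&g_lock); } return x; }
bool model_stress(bool fixed) {   /* returns true when the model behaved as a correct rwlock */
    pthread_t t[4]; g_a = g_b = 0; g_mismatch = 0; g_fixed = fixed; atomic_store(&g_lock.cnts, 0);
    for (int i = 0; i < 4; i++) pthread_create(&t[i], 0, i < 2 ? writer : reader, 0);
    for (int i = 0; i < 4; i++) pthread_join(t[i], 0);
    return g_mismatch == 0 && g_a == 20000 && atomic_load(&g_lock.cnts) == 0;
}
```

The stress run only confirms that both placements still behave as a lock; the difference between them is the ordering guarantee the comments describe, not something a TSO machine will expose.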
The vulnerability was introduced in Linux kernel version 4.15 with commit b519b56e378e and has been fixed in the stable releases 4.19.189, 5.4.115, 5.10.33, 5.11.17, and in 5.12. The affected file is `kernel/locking/qrwlock.c`. The Linux kernel CVE team recommends updating to the latest stable kernel version to resolve this issue, rather than cherry-picking individual commits.