From: Thomas Gleixner <tglx@kernel.org>
To: Peter Zijlstra <peterz@infradead.org>
Cc: LKML <linux-kernel@vger.kernel.org>,
"Mathieu Desnoyers" <mathieu.desnoyers@efficios.com>,
"André Almeida" <andrealmeid@igalia.com>,
"Sebastian Andrzej Siewior" <bigeasy@linutronix.de>,
"Carlos O'Donell" <carlos@redhat.com>,
"Florian Weimer" <fweimer@redhat.com>,
"Rich Felker" <dalias@aerifal.cx>,
"Torvald Riegel" <triegel@redhat.com>,
"Darren Hart" <dvhart@infradead.org>,
"Ingo Molnar" <mingo@kernel.org>,
"Davidlohr Bueso" <dave@stgolabs.net>,
"Arnd Bergmann" <arnd@arndb.de>,
"Liam R . Howlett" <Liam.Howlett@oracle.com>,
"Uros Bizjak" <ubizjak@gmail.com>,
"Thomas Weißschuh" <linux@weissschuh.net>,
"Mark Brown" <broonie@kernel.org>,
"Richard Weinberger" <richard@nod.at>
Subject: Re: [patch V5 11/16] futex: Provide infrastructure to plug the non contended robust futex unlock race
Date: Wed, 03 Jun 2026 16:42:28 +0200
Message-ID: <87jysf7kiz.ffs@fw13>
In-Reply-To: <20260603092346.GV3102624@noisy.programming.kicks-ass.net>

On Wed, Jun 03 2026 at 11:23, Peter Zijlstra wrote:
> On Tue, Jun 02, 2026 at 11:10:04AM +0200, Thomas Gleixner wrote:
>> When the FUTEX_ROBUST_UNLOCK mechanism is used for unlocking (PI-)futexes,
>> then the unlock sequence in user space looks like this:
>>
>>   1)    robust_list_set_op_pending(mutex);
>>   2)    robust_list_remove(mutex);
>>
>>         lval = gettid();
>>   3)    if (atomic_try_cmpxchg(&mutex->lock, lval, 0))
>>   4)            robust_list_clear_op_pending();
>>         else
>>   5)            sys_futex(OP | FUTEX_ROBUST_UNLOCK, ....);
>>
>> That still leaves a minimal race window between #3 and #4 where the mutex
>> could be acquired by some other task, which observes that it is the last
>> user and:
>>
>> 1) unmaps the mutex memory
>> 2) maps a different file, which ends up covering the same address
>>
>> When then the original task exits before reaching #5 then the kernel robust
>> list handling observes the pending op entry and tries to fix up user space.
>
> This #5 reference, should be #4, yeah? Same bit of Changelog is
> replicated in a later patch and has the same issue.

Yes.
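
Added example, not part of the original mail or the patch series: a single-threaded C model of the window between #3 and #4 in the quoted changelog, showing what the exit-time fixup does when the address has been reused. struct task_model, exit_fixup() and unlock_then_exit() are hypothetical names, TID 1234 is a constructed value, and the fixup is a simplified model that assumes the exit handling only modifies a word whose TID bits match the exiting task.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Futex word bit layout from the futex UAPI. */
#define FUTEX_WAITERS    0x80000000u
#define FUTEX_OWNER_DIED 0x40000000u
#define FUTEX_TID_MASK   0x3fffffffu

/* Hypothetical model of a task: its TID and the robust list op_pending slot. */
struct task_model {
	uint32_t tid;
	uint32_t *op_pending;
};

/* Simplified model of the exit-time fixup of the pending entry: a word that
 * still carries the dead task's TID is marked OWNER_DIED. */
static bool exit_fixup(const struct task_model *t)
{
	uint32_t *w = t->op_pending;
	if (!w || (*w & FUTEX_TID_MASK) != t->tid)
		return false;
	*w = (*w & FUTEX_WAITERS) | FUTEX_OWNER_DIED;
	return true;
}

/* Run the quoted uncontended unlock, let the task exit after step die_after
 * (3 or 4), and return what ends up stored at the mutex address. */
static uint32_t unlock_then_exit(int die_after, bool remap, uint32_t new_data)
{
	struct task_model t = { .tid = 1234, .op_pending = NULL };
	uint32_t word = t.tid;		/* mutex->lock, owned by t */
	t.op_pending = &word;		/* 1) set op pending, 2) not modelled */
	if (word == t.tid)		/* 3) cmpxchg(lock, tid, 0) succeeds */
		word = 0;
	if (remap)
		word = new_data;	/* constructed stand-in for munmap + mmap */
	if (die_after >= 4)
		t.op_pending = NULL;	/* 4) clear op pending */
	exit_fixup(&t);			/* task exits, pending entry is examined */
	return word;
}

int main(void)
{
	printf("exit after #4, remapped: %#x\n", unlock_then_exit(4, true, 1234));
	printf("exit after #3, remapped: %#x\n", unlock_then_exit(3, true, 1234));
	return 0;
}
```

In this model the remapped data is only modified when the task exits with the pending entry still set and the new contents happen to match its TID in the low 30 bits.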