Re: [PATCH v3 01/10] futex: Check value after qemu_futex_wait()

[Peter Xu <peterx@redhat.com>]

On Sun, May 11, 2025 at 03:08:18PM +0900, Akihiko Odaki wrote:
> futex(2) - Linux manual page
> https://man7.org/linux/man-pages/man2/futex.2.html
> > Note that a wake-up can also be caused by common futex usage patterns
> > in unrelated code that happened to have previously used the futex
> > word's memory location (e.g., typical futex-based implementations of
> > Pthreads mutexes can cause this under some conditions).  Therefore,
> > callers should always conservatively assume that a return value of 0
> > can mean a spurious wake-up, and use the futex word's value (i.e.,
> > the user-space synchronization scheme) to decide whether to continue
> > to block or not.

I'm just curious - do you know when this will happen?

AFAIU, QEMU uses futex always on private mappings, internally futex does
use (mm, HVA) tuple to index a futex, afaict.  Hence, I don't see how it
can get spurious wakeups..  And _if_ it happens, since mm pointer can't
change it must mean the HVA of the futex word is reused, it sounds like an
UAF user bug to me instead.

I checked the man-pages git repo, this line was introduced in:

https://github.com/mkerrisk/man-pages/commit/4b35dc5dabcf356ce6dcb1f949f7b00e76c7587d

I also didn't see details yet in commit message on why that paragraph was
added.

And..

> 
> Signed-off-by: Akihiko Odaki <akihiko.odaki@daynix.com>
> ---
>  include/qemu/futex.h              |  9 +++++++++
>  tests/unit/test-aio-multithread.c |  4 +++-
>  util/qemu-thread-posix.c          | 28 ++++++++++++++++------------
>  3 files changed, 28 insertions(+), 13 deletions(-)
> 
> diff --git a/include/qemu/futex.h b/include/qemu/futex.h
> index 91ae88966e12..f57774005330 100644
> --- a/include/qemu/futex.h
> +++ b/include/qemu/futex.h
> @@ -24,6 +24,15 @@ static inline void qemu_futex_wake(void *f, int n)
>      qemu_futex(f, FUTEX_WAKE, n, NULL, NULL, 0);
>  }
>  
> +/*
> + * Note that a wake-up can also be caused by common futex usage patterns in
> + * unrelated code that happened to have previously used the futex word's
> + * memory location (e.g., typical futex-based implementations of Pthreads
> + * mutexes can cause this under some conditions).  Therefore, callers should

.. another thing that was unclear to me is, here it's mentioning "typical
futex-based implementations of pthreads mutexes..", but here
qemu_futex_wait() is using raw futex without any pthread impl.  Does it
also mean that this may not be applicable to whatever might cause a
spurious wakeup?

> + * always conservatively assume that it is a spurious wake-up, and use the futex
> + * word's value (i.e., the user-space synchronization scheme) to decide whether
> + * to continue to block or not.
> + */
>  static inline void qemu_futex_wait(void *f, unsigned val)
>  {
>      while (qemu_futex(f, FUTEX_WAIT, (int) val, NULL, NULL, 0)) {
> diff --git a/tests/unit/test-aio-multithread.c b/tests/unit/test-aio-multithread.c
> index 08d4570ccb14..8c2e41545a29 100644
> --- a/tests/unit/test-aio-multithread.c
> +++ b/tests/unit/test-aio-multithread.c
> @@ -305,7 +305,9 @@ static void mcs_mutex_lock(void)
>      prev = qatomic_xchg(&mutex_head, id);
>      if (prev != -1) {
>          qatomic_set(&nodes[prev].next, id);
> -        qemu_futex_wait(&nodes[id].locked, 1);
> +        while (qatomic_read(&nodes[id].locked) == 1) {
> +            qemu_futex_wait(&nodes[id].locked, 1);
> +        }
>      }
>  }
>  
> diff --git a/util/qemu-thread-posix.c b/util/qemu-thread-posix.c
> index b2e26e21205b..eade5311d175 100644
> --- a/util/qemu-thread-posix.c
> +++ b/util/qemu-thread-posix.c
> @@ -428,17 +428,21 @@ void qemu_event_wait(QemuEvent *ev)
>  
>      assert(ev->initialized);
>  
> -    /*
> -     * qemu_event_wait must synchronize with qemu_event_set even if it does
> -     * not go down the slow path, so this load-acquire is needed that
> -     * synchronizes with the first memory barrier in qemu_event_set().
> -     *
> -     * If we do go down the slow path, there is no requirement at all: we
> -     * might miss a qemu_event_set() here but ultimately the memory barrier in
> -     * qemu_futex_wait() will ensure the check is done correctly.
> -     */
> -    value = qatomic_load_acquire(&ev->value);
> -    if (value != EV_SET) {
> +    while (true) {
> +        /*
> +         * qemu_event_wait must synchronize with qemu_event_set even if it does
> +         * not go down the slow path, so this load-acquire is needed that
> +         * synchronizes with the first memory barrier in qemu_event_set().
> +         *
> +         * If we do go down the slow path, there is no requirement at all: we
> +         * might miss a qemu_event_set() here but ultimately the memory barrier
> +         * in qemu_futex_wait() will ensure the check is done correctly.
> +         */
> +        value = qatomic_load_acquire(&ev->value);
> +        if (value == EV_SET) {
> +            break;
> +        }
> +
>          if (value == EV_FREE) {
>              /*
>               * Leave the event reset and tell qemu_event_set that there are
> @@ -452,7 +456,7 @@ void qemu_event_wait(QemuEvent *ev)
>               * like the load above.
>               */
>              if (qatomic_cmpxchg(&ev->value, EV_FREE, EV_BUSY) == EV_SET) {
> -                return;
> +                break;
>              }
>          }
>  
> 
> -- 
> 2.49.0
> 

-- 
Peter Xu