From: Thomas Gleixner <tglx@kernel.org>
To: Peter Zijlstra <peterz@infradead.org>
Cc: LKML <linux-kernel@vger.kernel.org>,
"Mathieu Desnoyers" <mathieu.desnoyers@efficios.com>,
"André Almeida" <andrealmeid@igalia.com>,
"Sebastian Andrzej Siewior" <bigeasy@linutronix.de>,
"Carlos O'Donell" <carlos@redhat.com>,
"Florian Weimer" <fweimer@redhat.com>,
"Rich Felker" <dalias@aerifal.cx>,
"Torvald Riegel" <triegel@redhat.com>,
"Darren Hart" <dvhart@infradead.org>,
"Ingo Molnar" <mingo@kernel.org>,
"Davidlohr Bueso" <dave@stgolabs.net>,
"Arnd Bergmann" <arnd@arndb.de>,
"Liam R . Howlett" <Liam.Howlett@oracle.com>,
"Uros Bizjak" <ubizjak@gmail.com>,
"Thomas Weißschuh" <linux@weissschuh.net>,
"Mark Brown" <broonie@kernel.org>,
"Richard Weinberger" <richard@nod.at>
Subject: Re: [patch V5 11/16] futex: Provide infrastructure to plug the non contended robust futex unlock race
Date: Wed, 03 Jun 2026 16:42:28 +0200
Message-ID: <87jysf7kiz.ffs@fw13>
In-Reply-To: <20260603092346.GV3102624@noisy.programming.kicks-ass.net>

On Wed, Jun 03 2026 at 11:23, Peter Zijlstra wrote:
> On Tue, Jun 02, 2026 at 11:10:04AM +0200, Thomas Gleixner wrote:
>> When the FUTEX_ROBUST_UNLOCK mechanism is used for unlocking (PI-)futexes,
>> then the unlock sequence in user space looks like this:
>>
>>   1)  robust_list_set_op_pending(mutex);
>>   2)  robust_list_remove(mutex);
>>
>>       lval = gettid();
>>   3)  if (atomic_try_cmpxchg(&mutex->lock, lval, 0))
>>   4)          robust_list_clear_op_pending();
>>       else
>>   5)          sys_futex(OP | FUTEX_ROBUST_UNLOCK, ....);
>>
>> That still leaves a minimal race window between #3 and #4 where the mutex
>> could be acquired by some other task, which observes that it is the last
>> user and:
>>
>> 1) unmaps the mutex memory
>> 2) maps a different file, which ends up covering the same address
>>
>> When then the original task exits before reaching #5 then the kernel robust
>> list handling observes the pending op entry and tries to fix up user space.
>
> This #5 reference, should be #4, yeah? Same bit of Changelog is
> replicated in a later patch and has the same issue.

Yes.
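
A single-threaded user-space model of the window between #3 and #4 in the quoted changelog, added here as an illustration; it is not part of the thread or the patch series. The names `unlock`, `exit_fixup` and `word_after_exit`, the TID value and the reuse of the address are constructed, and `exit_fixup` is a simplified stand-in for the kernel's robust-list exit handling (a pending word that still carries the exiting TID gets FUTEX_OWNER_DIED).

```c
#include <stdatomic.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#define FUTEX_WAITERS    0x80000000u   /* values from <linux/futex.h> */
#define FUTEX_OWNER_DIED 0x40000000u
#define FUTEX_TID_MASK   0x3fffffffu

struct robust_head { _Atomic uint32_t *op_pending; }; /* pending-op slot only */

/* Steps #1-#4 of the quoted sequence; exit_in_window stops between #3 and #4. */
static int unlock(struct robust_head *h, _Atomic uint32_t *lock,
                  uint32_t tid, int exit_in_window)
{
    uint32_t lval = tid;
    h->op_pending = lock;                                 /* #1 */
    /* #2 robust_list_remove(mutex): the list itself is not modelled */
    if (!atomic_compare_exchange_strong(lock, &lval, 0))  /* #3 */
        return -1;                   /* contended: #5, the syscall path */
    if (exit_in_window)
        return 1;                    /* task exits here, slot still set */
    h->op_pending = NULL;                                 /* #4 */
    return 0;
}

/* Simplified exit-time fixup (assumption, see lead-in). */
static void exit_fixup(struct robust_head *h, uint32_t tid)
{
    _Atomic uint32_t *w = h->op_pending;
    uint32_t v;
    if (!w)
        return;
    v = atomic_load(w);
    if ((v & FUTEX_TID_MASK) == tid)
        atomic_store(w, (v & FUTEX_WAITERS) | FUTEX_OWNER_DIED);
}

/* Returns the word at the former mutex address after the task has exited. */
static uint32_t word_after_exit(int exit_in_window)
{
    const uint32_t tid = 4242;       /* constructed TID */
    _Atomic uint32_t mem = tid;      /* mutex word, locked by tid */
    struct robust_head head = { NULL };
    (void)unlock(&head, &mem, tid, exit_in_window);
    atomic_store(&mem, tid);  /* address reused by data that equals the TID */
    exit_fixup(&head, tid);
    return atomic_load(&mem);
}
int main(void) { printf("clean: 0x%08x  window: 0x%08x\n",
    (unsigned)word_after_exit(0), (unsigned)word_after_exit(1)); return 0; }
```

With the slot cleared (#4 reached) the reused word is left alone; when the task exits inside the window the fixup rewrites data that no longer belongs to the mutex.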