From nobody Thu Apr  2 22:04:18 2026
Received: from fanzine2.igalia.com (fanzine2.igalia.com [213.97.179.56])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 868972C08AB
	for <linux-kernel@vger.kernel.org>; Thu, 26 Mar 2026 14:32:31 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=213.97.179.56
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1774535555; cv=none;
 b=I1Jkdc9Uw7OcrTJzhnfb3N6K7PBPxXYRtqOmr6ODjUvMmOMl+3FJ6MCe7STLfPPuV6lAcnObuVCAmc0r1BxEtaf5+Y3qCf8wC/5vSa4+mLrMuMTFGAjKL5tQy1lXuu9+ys7wUFuQBXhbQ+9oGCg3Szc0GB7PpW+ergNco0IbEDg=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1774535555; c=relaxed/simple;
	bh=KGggsxKWWJDvxaZ4e4xHAmrO3udLwXZkKDv0ovsn68Q=;
	h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References:
	 In-Reply-To:To:Cc;
 b=humhrlZDDhy8q1lD3q2IQu/rBojvroZUZyXpjWeXcGXmf1u2IfqH0/uzmAjCLTERZTa55bkVOmmQ5uKUQltQMIiG/0Z9kx6je1T35V+euR0bcKloecbWtKCVeC2Dg+JDqk3Awn8pdZItNvC3WI8icQnYwFL5EDkc5IT1SxgIndY=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=igalia.com;
 spf=pass smtp.mailfrom=igalia.com;
 dkim=pass (2048-bit key) header.d=igalia.com header.i=@igalia.com
 header.b=mzhWLpHN; arc=none smtp.client-ip=213.97.179.56
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=igalia.com
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=igalia.com
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=igalia.com header.i=@igalia.com
 header.b="mzhWLpHN"
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=igalia.com;
	s=20170329; h=Cc:To:In-Reply-To:References:Message-Id:
	Content-Transfer-Encoding:Content-Type:MIME-Version:Subject:Date:From:Sender:
	Reply-To:Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender
	:Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:
	List-Subscribe:List-Post:List-Owner:List-Archive;
	bh=qmFOeZD7OODiOJY74657oUnTl2CWU008CdCSDu/nIPo=; b=mzhWLpHNzOFu92ZSI4R3D7v+O9
	IpTr9UPvxvekkXfTmyrpQRCMMt4xp5H0BlH0ZDr4Q0dgMqGCUAO8ZUy9xGUIU1TqjHJD0zTVQxM7k
	l1UyI61hhx9Tf4GsSPIFwyAQ3CIMlKlWIV3zMhAVse8xiD+Oi9ROPJRhZer4PiPz7tnm/uBMsOj/0
	bXA2kkNvc9cxsEf94cmG23qna9BJqoFpZVunJlnMAO+T+/OlQfrv9BJHSt+frHC2zb58EHLwS9Fqm
	niu134kLXkQPq+KuuZvo1ZylEe0OVrCf/rkAT7KG0Vjn5xRv2eC78zTa+FjRdgj5SfW0csplZhhw2
	OgaE9hZg==;
Received: from [179.118.189.200] (helo=[192.168.15.100])
	by fanzine2.igalia.com with esmtpsa
	(Cipher TLS1.3:ECDHE_X25519__RSA_PSS_RSAE_SHA256__AES_256_GCM:256) (Exim)
	id 1w5lkt-006MiO-Mw; Thu, 26 Mar 2026 15:32:15 +0100
From: =?utf-8?q?Andr=C3=A9_Almeida?= <andrealmeid@igalia.com>
Date: Thu, 26 Mar 2026 11:31:50 -0300
Subject: [PATCH 1/2] Documentation: futex: Add a note about robust list
 race condition
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Message-Id: <20260326-tonyk-vdso_test-v1-1-30a6f78c8bc3@igalia.com>
References: <20260326-tonyk-vdso_test-v1-0-30a6f78c8bc3@igalia.com>
In-Reply-To: <20260326-tonyk-vdso_test-v1-0-30a6f78c8bc3@igalia.com>
To: Thomas Gleixner <tglx@kernel.org>, Ingo Molnar <mingo@redhat.com>,
 Peter Zijlstra <peterz@infradead.org>, Darren Hart <dvhart@infradead.org>,
 Davidlohr Bueso <dave@stgolabs.net>,
 Mathieu Desnoyers <mathieu.desnoyers@efficios.com>,
 Sebastian Andrzej Siewior <bigeasy@linutronix.de>,
 Carlos O'Donell <carlos@redhat.com>, Florian Weimer <fweimer@redhat.com>,
 Darren Hart <dvhart@infradead.org>, Arnd Bergmann <arnd@arndb.de>,
 =?utf-8?q?Thomas_Wei=C3=9Fschuh?= <linux@weissschuh.net>
Cc: linux-kernel@vger.kernel.org, kernel-dev@igalia.com,
 =?utf-8?q?Andr=C3=A9_Almeida?= <andrealmeid@igalia.com>
X-Mailer: b4 0.15.0

Add a note to the documentation giving a brief explanation why doing a
robust futex release in userspace is racy, what should be done to avoid
it and provide links to read more.

Signed-off-by: Andr=C3=A9 Almeida <andrealmeid@igalia.com>
---
 Documentation/locking/robust-futex-ABI.rst | 44 ++++++++++++++++++++++++++=
++++
 1 file changed, 44 insertions(+)

diff --git a/Documentation/locking/robust-futex-ABI.rst b/Documentation/loc=
king/robust-futex-ABI.rst
index f24904f1c16f..1808b108a58e 100644
--- a/Documentation/locking/robust-futex-ABI.rst
+++ b/Documentation/locking/robust-futex-ABI.rst
@@ -153,6 +153,9 @@ On removal:
  3) release the futex lock, and
  4) clear the 'lock_op_pending' word.
=20
+Please note that the removal of a robust futex purely in userspace is
+racy. Refer to the next chapter to learn more and how to avoid this.
+
 On exit, the kernel will consider the address stored in
 'list_op_pending' and the address of each 'lock word' found by walking
 the list starting at 'head'.  For each such address, if the bottom 30
@@ -182,3 +185,44 @@ any point:
 When the kernel sees a list entry whose 'lock word' doesn't have the
 current threads TID in the lower 30 bits, it does nothing with that
 entry, and goes on to the next entry.
+
+Robust release is racy
+----------------------
+
+The removal of a robust futex from the list is racy when doing solely in
+userspace. Quoting Thomas Gleixer for the explanation:
+
+  The robust futex unlock mechanism is racy in respect to the clearing of =
the
+  robust_list_head::list_op_pending pointer because unlock and clearing the
+  pointer are not atomic. The race window is between the unlock and cleari=
ng
+  the pending op pointer. If the task is forced to exit in this window, ex=
it
+  will access a potentially invalid pending op pointer when cleaning up the
+  robust list. That happens if another task manages to unmap the object
+  containing the lock before the cleanup, which results in an UAF. In the
+  worst case this UAF can lead to memory corruption when unrelated content
+  has been mapped to the same address by the time the access happens.
+
+A full in dept analysis can be read at
+https://lore.kernel.org/lkml/20260316162316.356674433@kernel.org/
+
+To overcome that, the kernel needs to participate of the lock release oper=
ation.
+This ensures that the release happens "atomically" in the regard of releas=
ing
+the lock and removing the address from ``lock_op_pending``. If the release=
 is
+interrupted by a signal, the kernel will also verify if it interrupted the
+release operation.
+
+For the contended unlock case, where other threads are waiting for the lock
+release, there's the ``FUTEX_ROBUST_UNLOCK`` operation for the ``futex()``
+system call, which must be used with one of the following operations:
+``FUTEX_WAKE``, ``FUTEX_WAKE_BITSET`` or ``FUTEX_UNLOCK_PI``. The kernel w=
ill
+release the lock (set the futex word to zero), clean the ``lock_op_pending=
``
+field. Then, it will proceed with the normal wake path.
+
+For the non-contended path, there's still a race between checking the fute=
x word
+and clearing the ``lock_op_pending`` field. To solve this without the need=
 of a
+complete system call, userspace should call the virtual syscall
+``__vdso_futex_robust_listXX_try_unlock()`` (where XX is either 32 or 64,
+depending on the size of the pointer). If the vDSO call succeeds, it means=
 that
+it released the lock and cleared ``lock_op_pending``. If it fails, that me=
ans
+that there are waiters for this lock and a call to ``futex()`` syscall with
+``FUTEX_ROBUST_UNLOCK`` is needed.

--=20
2.53.0