From nobody Mon Apr  6 12:13:35 2026
Received: from fanzine2.igalia.com (fanzine2.igalia.com [213.97.179.56])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 05643288B1
	for <linux-kernel@vger.kernel.org>; Sun, 29 Mar 2026 21:39:59 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=213.97.179.56
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1774820403; cv=none;
 b=TeNuZ56i0kc3nOQ/LpXK7h9n8Zm4iREBHXElu3ztxpgOGzscm7mXtE2KkIyVkHjkWNFGw2muIOWiwng81cx9zFCrTznoBe0/fViQ7IDydNcVFimmcTNTkGKvSwlNndEfp5V4neJ1Gf80i8WCPgaEWicZlV4SIFBt6FyQxMw9WGQ=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1774820403; c=relaxed/simple;
	bh=KGggsxKWWJDvxaZ4e4xHAmrO3udLwXZkKDv0ovsn68Q=;
	h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References:
	 In-Reply-To:To:Cc;
 b=ln1Dk/VI3YCekpL2gIcAJbnPP/pHWHw8xovpfAR1MtE5BvvfKliXCahd+F/W7X30vV0w7f5sQ9SZIPVcAA5LrRPf+W5rFZUp+08uQvnC5e8Yi2ZmHxbVROd515e2J8mNg3GvWjWgDONvNFPqbYtlnYa1PVWN6hMDUwk9TBYPIho=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=igalia.com;
 spf=pass smtp.mailfrom=igalia.com;
 dkim=pass (2048-bit key) header.d=igalia.com header.i=@igalia.com
 header.b=jjmKOGnE; arc=none smtp.client-ip=213.97.179.56
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=igalia.com
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=igalia.com
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=igalia.com header.i=@igalia.com
 header.b="jjmKOGnE"
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=igalia.com;
	s=20170329; h=Cc:To:In-Reply-To:References:Message-Id:
	Content-Transfer-Encoding:Content-Type:MIME-Version:Subject:Date:From:Sender:
	Reply-To:Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender
	:Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:
	List-Subscribe:List-Post:List-Owner:List-Archive;
	bh=qmFOeZD7OODiOJY74657oUnTl2CWU008CdCSDu/nIPo=; b=jjmKOGnEZ8EU2+DtF6bQeuZo9G
	FSM7iPCxHsrerKX5yXGdpbsodvpr3FAmUFfPa83JUa/rgZ2a3YGPwhMz2gk/BhJoI/ZGxTmrCoxCU
	lrOGRhlB/DiZnHSN+4rkfhIp4R0cLm4IFJf2ISvdLNWGQLvexbiruDGpN7lsuhpoIDEW1rJp64nq7
	rq89ne+zGsaXgMCuFPS+iukKRKTPoFbKXjSnBqtvee6RL41YbCcILdNAoBRuqcZofHh2n1+YD3BW3
	H7FbtK13RTNBKvK0c+l5Ekx9QClDNtVzB9ho+6jIF4OHCKGLXmsAXR2QYcX2X+6uVWsd2EPPD+Kfs
	uCFkQ/TQ==;
Received: from [187.57.76.124] (helo=[192.168.15.100])
	by fanzine2.igalia.com with esmtpsa
	(Cipher TLS1.3:ECDHE_X25519__RSA_PSS_RSAE_SHA256__AES_256_GCM:256) (Exim)
	id 1w6xrR-008hgU-A8; Sun, 29 Mar 2026 23:39:57 +0200
From: =?utf-8?q?Andr=C3=A9_Almeida?= <andrealmeid@igalia.com>
Date: Sun, 29 Mar 2026 18:39:27 -0300
Subject: [PATCH v2 1/2] Documentation: futex: Add a note about robust list
 race condition
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Message-Id: <20260329-tonyk-vdso_test-v2-1-b7db810e44a1@igalia.com>
References: <20260329-tonyk-vdso_test-v2-0-b7db810e44a1@igalia.com>
In-Reply-To: <20260329-tonyk-vdso_test-v2-0-b7db810e44a1@igalia.com>
To: Thomas Gleixner <tglx@kernel.org>, Ingo Molnar <mingo@redhat.com>,
 Peter Zijlstra <peterz@infradead.org>, Darren Hart <dvhart@infradead.org>,
 Davidlohr Bueso <dave@stgolabs.net>,
 Mathieu Desnoyers <mathieu.desnoyers@efficios.com>,
 Sebastian Andrzej Siewior <bigeasy@linutronix.de>,
 Carlos O'Donell <carlos@redhat.com>, Florian Weimer <fweimer@redhat.com>,
 Darren Hart <dvhart@infradead.org>, Arnd Bergmann <arnd@arndb.de>,
 =?utf-8?q?Thomas_Wei=C3=9Fschuh?= <linux@weissschuh.net>
Cc: linux-kernel@vger.kernel.org, kernel-dev@igalia.com,
 =?utf-8?q?Andr=C3=A9_Almeida?= <andrealmeid@igalia.com>
X-Mailer: b4 0.15.0

Add a note to the documentation giving a brief explanation why doing a
robust futex release in userspace is racy, what should be done to avoid
it and provide links to read more.

Signed-off-by: Andr=C3=A9 Almeida <andrealmeid@igalia.com>
---
 Documentation/locking/robust-futex-ABI.rst | 44 ++++++++++++++++++++++++++=
++++
 1 file changed, 44 insertions(+)

diff --git a/Documentation/locking/robust-futex-ABI.rst b/Documentation/loc=
king/robust-futex-ABI.rst
index f24904f1c16f..1808b108a58e 100644
--- a/Documentation/locking/robust-futex-ABI.rst
+++ b/Documentation/locking/robust-futex-ABI.rst
@@ -153,6 +153,9 @@ On removal:
  3) release the futex lock, and
  4) clear the 'lock_op_pending' word.
=20
+Please note that the removal of a robust futex purely in userspace is
+racy. Refer to the next chapter to learn more and how to avoid this.
+
 On exit, the kernel will consider the address stored in
 'list_op_pending' and the address of each 'lock word' found by walking
 the list starting at 'head'.  For each such address, if the bottom 30
@@ -182,3 +185,44 @@ any point:
 When the kernel sees a list entry whose 'lock word' doesn't have the
 current threads TID in the lower 30 bits, it does nothing with that
 entry, and goes on to the next entry.
+
+Robust release is racy
+----------------------
+
+The removal of a robust futex from the list is racy when doing solely in
+userspace. Quoting Thomas Gleixer for the explanation:
+
+  The robust futex unlock mechanism is racy in respect to the clearing of =
the
+  robust_list_head::list_op_pending pointer because unlock and clearing the
+  pointer are not atomic. The race window is between the unlock and cleari=
ng
+  the pending op pointer. If the task is forced to exit in this window, ex=
it
+  will access a potentially invalid pending op pointer when cleaning up the
+  robust list. That happens if another task manages to unmap the object
+  containing the lock before the cleanup, which results in an UAF. In the
+  worst case this UAF can lead to memory corruption when unrelated content
+  has been mapped to the same address by the time the access happens.
+
+A full in dept analysis can be read at
+https://lore.kernel.org/lkml/20260316162316.356674433@kernel.org/
+
+To overcome that, the kernel needs to participate of the lock release oper=
ation.
+This ensures that the release happens "atomically" in the regard of releas=
ing
+the lock and removing the address from ``lock_op_pending``. If the release=
 is
+interrupted by a signal, the kernel will also verify if it interrupted the
+release operation.
+
+For the contended unlock case, where other threads are waiting for the lock
+release, there's the ``FUTEX_ROBUST_UNLOCK`` operation for the ``futex()``
+system call, which must be used with one of the following operations:
+``FUTEX_WAKE``, ``FUTEX_WAKE_BITSET`` or ``FUTEX_UNLOCK_PI``. The kernel w=
ill
+release the lock (set the futex word to zero), clean the ``lock_op_pending=
``
+field. Then, it will proceed with the normal wake path.
+
+For the non-contended path, there's still a race between checking the fute=
x word
+and clearing the ``lock_op_pending`` field. To solve this without the need=
 of a
+complete system call, userspace should call the virtual syscall
+``__vdso_futex_robust_listXX_try_unlock()`` (where XX is either 32 or 64,
+depending on the size of the pointer). If the vDSO call succeeds, it means=
 that
+it released the lock and cleared ``lock_op_pending``. If it fails, that me=
ans
+that there are waiters for this lock and a call to ``futex()`` syscall with
+``FUTEX_ROBUST_UNLOCK`` is needed.

--=20
2.53.0