From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from desiato.infradead.org (desiato.infradead.org [90.155.92.199]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 393693D666A for ; Mon, 30 Mar 2026 13:51:20 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=90.155.92.199 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1774878685; cv=none; b=RZm41vmR4kX55WM2Kv3ajsBwT4yW9U2/DIB1JcNacZbJes1k/hOKqGaKSgzzL7TBs6gzrOzHy1oXu/vKbBrXcFBbF/bdBTU8z91yvVPmEaaJUGitbd4yjZTMzx2vogKKVE+fZZJLEvlVJE7fnhux4zsYCCujcNHxpDZCiCRb1lM= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1774878685; c=relaxed/simple; bh=e+xvtSBFpYcTdxaDwfecWlmFIRhRsxSPZ8Q8vlgtUA8=; h=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version: Content-Type:Content-Disposition:In-Reply-To; b=VuC5jV3m0hm8XN+WrHj3UNSjPJjPdOHrEpOXsc1agijdT/UcVr5/WE2kOicQdrMZUG39xTDdcFi4NoBNdgm5hSPnafHdg5efYFgRR4L6oQ8MeRcn4riM50oHfgz/F6tUNJOghstOQhgP4lMhd8eEFEBCITNCCs/VWRSVNd+bMI8= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=infradead.org; spf=none smtp.mailfrom=infradead.org; dkim=pass (2048-bit key) header.d=infradead.org header.i=@infradead.org header.b=jpH3ebZL; arc=none smtp.client-ip=90.155.92.199 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=infradead.org Authentication-Results: smtp.subspace.kernel.org; spf=none smtp.mailfrom=infradead.org Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=infradead.org header.i=@infradead.org header.b="jpH3ebZL" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=infradead.org; s=desiato.20200630; h=In-Reply-To:Content-Type:MIME-Version: References:Message-ID:Subject:Cc:To:From:Date:Sender:Reply-To: Content-Transfer-Encoding:Content-ID:Content-Description; bh=2SSK3TvOqrHph5uEKd7/uTpmhWrdbSeyomy0xSsxye8=; b=jpH3ebZLkyVFbqBWhPVj7w3FYz ctn38KoSLyIjEnhWPWKYhDzG5GZTtsESfS2r+FPxpIB9aNVDlkZzTYsIiDmTWHZ8yFOUbgoguliMo BkJjI4pKRYx7NZYdCzLl+QgE5VDzEL2P4UxTUkbuskYE9Ha1zaXLwLSJ6MXruJviSP7nVb3SV634l odf/MaUyGZXPgDkN+bS05q8ttpXaFSt3w9GZCsww+9rCOapaBgZ6dePoipY599wEOzZq4ubOqjRxk k53YkMvrTHDDJjMsKyK+k/v1UHuKrQNo3yjLRzNo2M5tLTJQ0v29T97u8ONCuTb8c1DHzvv9JJ3gz GwlE7qSQ==; Received: from 2001-1c00-8d85-4b00-266e-96ff-fe07-7dcc.cable.dynamic.v6.ziggo.nl ([2001:1c00:8d85:4b00:266e:96ff:fe07:7dcc] helo=noisy.programming.kicks-ass.net) by desiato.infradead.org with esmtpsa (Exim 4.98.2 #2 (Red Hat Linux)) id 1w7D1I-0000000DzMn-2PLR; Mon, 30 Mar 2026 13:51:08 +0000 Received: by noisy.programming.kicks-ass.net (Postfix, from userid 1000) id 094A8300346; Mon, 30 Mar 2026 15:51:08 +0200 (CEST) Date: Mon, 30 Mar 2026 15:51:07 +0200 From: Peter Zijlstra To: Mark Rutland Cc: Thomas Gleixner , LKML , Mathieu Desnoyers , =?iso-8859-1?Q?Andr=E8?= Almeida , Sebastian Andrzej Siewior , Carlos O'Donell , Florian Weimer , Rich Felker , Torvald Riegel , Darren Hart , Ingo Molnar , Davidlohr Bueso , Arnd Bergmann , "Liam R . Howlett" , Uros Bizjak , Thomas =?iso-8859-1?Q?Wei=DFschuh?= Subject: Re: [patch V3 00/14] futex: Address the robust futex unlock race for real Message-ID: <20260330135107.GO3738786@noisy.programming.kicks-ass.net> References: <20260330114212.927686587@kernel.org> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: On Mon, Mar 30, 2026 at 02:45:59PM +0100, Mark Rutland wrote: > On Mon, Mar 30, 2026 at 02:01:58PM +0200, Thomas Gleixner wrote: > > This is a follow up to v2 which can be found here: > > > > https://lore.kernel.org/20260319225224.853416463@kernel.org > > > > The v1 cover letter contains a detailed analysis of the underlying > > problem: > > > > https://lore.kernel.org/20260316162316.356674433@kernel.org > > > > TLDR: > > > > The robust futex unlock mechanism is racy in respect to the clearing of the > > robust_list_head::list_op_pending pointer because unlock and clearing the > > pointer are not atomic. The race window is between the unlock and clearing > > the pending op pointer. If the task is forced to exit in this window, exit > > will access a potentially invalid pending op pointer when cleaning up the > > robust list. That happens if another task manages to unmap the object > > containing the lock before the cleanup, which results in an UAF. In the > > worst case this UAF can lead to memory corruption when unrelated content > > has been mapped to the same address by the time the access happens. > > > > User space can't solve this problem without help from the kernel. This > > series provides the kernel side infrastructure to help it along: > > > > 1) Combined unlock, pointer clearing, wake-up for the contended case > > > > 2) VDSO based unlock and pointer clearing helpers with a fix-up function > > in the kernel when user space was interrupted within the critical > > section. > > I see the vdso bits in this series are specific to x86. Do other > architectures need something here? > > I might be missing some context; I'm not sure whether that's not > necessary or just not implemented by this series, and so I'm not sure > whether arm64 folk and other need to go dig into this. > ARM64 (and all the other archs) need the relevant VDSO bits as well. > > Changes since v2: > > > - Rename ARCH_STORE_IMPLIES_RELEASE to ARCH_MEMORY_ORDER_TOS - Peter > > I believe that should be s/TOS/TSO/, since the standard terminology is > Total Store Order (TSO). Indeed!