mirror of https://lore.kernel.org/lkml/
 help / color / mirror / Atom feed
From: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
To: "Thomas Gleixner" <tglx@kernel.org>,
	"André Almeida" <andrealmeid@igalia.com>
Cc: linux-kernel@vger.kernel.org, Carlos O'Donell <carlos@redhat.com>,
	Sebastian Andrzej Siewior <bigeasy@linutronix.de>,
	Peter Zijlstra <peterz@infradead.org>,
	Florian Weimer <fweimer@redhat.com>,
	Rich Felker <dalias@aerifal.cx>,
	Torvald Riegel <triegel@redhat.com>,
	Darren Hart <dvhart@infradead.org>,
	Ingo Molnar <mingo@redhat.com>,
	Davidlohr Bueso <dave@stgolabs.net>,
	Arnd Bergmann <arnd@arndb.de>,
	"Liam R . Howlett" <Liam.Howlett@oracle.com>
Subject: Re: [RFC PATCH] futex: Introduce __vdso_robust_futex_unlock
Date: Mon, 16 Mar 2026 15:36:36 -0400	[thread overview]
Message-ID: <a2c29bb7-d0af-4d5f-8858-ead460979cd9@efficios.com> (raw)
In-Reply-To: <874imfpukd.ffs@tglx>

On 2026-03-16 13:12, Thomas Gleixner wrote:
> On Thu, Mar 12 2026 at 18:52, Mathieu Desnoyers wrote:
[...]

> To fix this for correctness sake it needs more than a hack in the kernel
> without even looking at the overall larger picture.

If my POC helped move the discussion forward, then it has achieved
its purpose. :)

> I sat down and did a
> full analysis and here are the most important questions:
> 
> Q: Have non-PI and PI to be treated differently?
> 
> A: No.
> 
>     That's just historical evolution. While PI can't use XCHG because that
>     would create inconsistent state, there is absolutely no reason why
>     non-PI can't use try_cmpxchg().

Agreed.

> 
> 
> Q: Is it required to unlock in user space first and then go into the kernel
>     to wake up waiters?
> 
> A: No.
> 
>     That's again a historical leftover from the 1st generation futexes which
>     preceeded both robust and PI. There is no technical reason to keep it
>     this way.
> 
>     So both can do:
> 
>         if (cmpxchg(lock, tid, 0) != tid)
>         		sys_futex(UNLOCK,....);
> 
>     which then allows for both non-PI and PI to hand the pending op pointer
>     into the syscall and let the kernel deal with the unlock, the op pointer
>     and the wake up in one go.

Yes, that's a nice simplification.

> 
>     That reduces the problem space to take care of the non-contended unlock
>     case, where the pending op is cleared after the cmpxchg() succeeded.
> 
>     And yes, that part can be done in the VDSO and a fixup mechanism in the
>     kernel.

Yes.

> 
> 
> Q: Are robust list pointers guaranteed to be 64-bit when running as a
>     64-bit task?
> 
> A: No.
> 
>     The gaming emulators use both the native 64-bit robust list and the
>     32-bit robust list from the same 64-bit application to make the
>     emulation work.
> 
>     So both the UNLOCK syscall and the fixup need to have means to figure
>     out the to be cleared size for that pointer.
> 
>     Sure, this can be done with a boat load of different functions and flags
>     and whatever, but that makes the actual fixup handling in the kernel
>     more complicated than necessary.

Good point, this is a requirement I did not know about. I notice you
are dealing with it in your series.

> 
> 
> Q: Have regular signal delivery and process exit in case of crash or being
>     killed by a external signal to be treated differently?
> 
> A: No.
> 
>     A task always goes through the same signal code path for both cases so
>     all of this can be handled in _one_ place without even touching the
>     robust list cleanup code.

So far, yes.

> 
>     sys_exit() is different because there a task voluntarily exits and if
>     it does so between the unlock and the clearing of the op pointer,
>     then so be it. That'd be wilfull ignorance or malice and not any
>     different from the task doing the corruption itself in user space
>     right away.

I'm not sure about this one. How about the two following scenario:
A concurrent thread calls sys_exit concurrently with the vdso. Is this
something we should handle or consider it "wilfull ignorance/malice" ?

> Q: Are exception tables a good idea?
> 
> A: No.
> 
>     This is not an exception handling case. It's a fixup similar to RSEQ
>     critical section fixups and so it has to be handled with dedicated
>     mechanisms which are performant and not glued onto something which has a
>     completely different purpose.

I agree with your kernel-level approach. I've proposed a few changes to
the vdso itself and vdso2c script to increase robustness in my review.

Thanks,

Mathieu

-- 
Mathieu Desnoyers
EfficiOS Inc.
https://www.efficios.com

  reply	other threads:[~2026-03-16 19:36 UTC|newest]

Thread overview: 32+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-03-11 18:54 Mathieu Desnoyers
2026-03-11 20:11 ` Mathieu Desnoyers
2026-03-12  8:49 ` Florian Weimer
2026-03-12 13:13   ` Mathieu Desnoyers
2026-03-12 14:12     ` Florian Weimer
2026-03-12 14:14       ` André Almeida
2026-03-12 16:09         ` Mathieu Desnoyers
2026-03-12 13:46 ` André Almeida
2026-03-12 14:04   ` Mathieu Desnoyers
2026-03-12 18:40     ` Mathieu Desnoyers
2026-03-12 18:58       ` André Almeida
2026-03-12 19:10     ` Thomas Gleixner
2026-03-12 19:16       ` Mathieu Desnoyers
2026-03-13  8:20         ` Florian Weimer
2026-03-12 20:19   ` Thomas Gleixner
2026-03-12 21:28     ` Mathieu Desnoyers
2026-03-12 22:23 ` Thomas Gleixner
2026-03-12 22:52   ` Mathieu Desnoyers
2026-03-13 12:12     ` Sebastian Andrzej Siewior
2026-03-13 12:17       ` Mathieu Desnoyers
2026-03-13 13:29         ` Sebastian Andrzej Siewior
2026-03-13 13:35           ` Mathieu Desnoyers
2026-03-16 17:12     ` Thomas Gleixner
2026-03-16 19:36       ` Mathieu Desnoyers [this message]
2026-03-16 20:27         ` Thomas Gleixner
2026-03-16 21:01           ` Mathieu Desnoyers
2026-03-16 22:19             ` Thomas Gleixner
2026-03-16 22:30               ` Mathieu Desnoyers
2026-03-16 23:29                 ` Thomas Gleixner
2026-03-20 18:13                   ` Mathieu Desnoyers
2026-03-24 21:35                     ` Thomas Gleixner
2026-03-25 14:12                       ` Mathieu Desnoyers

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=a2c29bb7-d0af-4d5f-8858-ead460979cd9@efficios.com \
    --to=mathieu.desnoyers@efficios.com \
    --cc=Liam.Howlett@oracle.com \
    --cc=andrealmeid@igalia.com \
    --cc=arnd@arndb.de \
    --cc=bigeasy@linutronix.de \
    --cc=carlos@redhat.com \
    --cc=dalias@aerifal.cx \
    --cc=dave@stgolabs.net \
    --cc=dvhart@infradead.org \
    --cc=fweimer@redhat.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=mingo@redhat.com \
    --cc=peterz@infradead.org \
    --cc=tglx@kernel.org \
    --cc=triegel@redhat.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox

Powered by JetHome