Re: [RFC PATCH 0/2] futex: how to solve the robust_list race condition?

[Mathieu Desnoyers]

On 2026-02-27 14:16, André Almeida wrote:
[...]
> > Trying to find a backward compatible way to solve this may be tricky.
> > Here is one possible approach I have in mind: Introduce a new syscall,
> > e.g. sys_cleanup_robust_list(void *addr)
> >
> > This system call would be invoked on pthread_mutex_destroy(3) of
> > robust mutexes, and do the following:
> >
> > - Calculate the offset of @addr within its mapping,
> > - Iterate on all processes which map the backing store which contain
> >    the lock address @addr.
> >    - Iterate on each thread sibling within each of those processes,
> >      - If the thread has a robust list, and its list_op_pending points
> >        to the same offset within the backing store mapping, clear the
> >        list_op_pending pointer.
> >
> > The overhead would be added specifically to pthread_mutex_destroy(3),
> > and only for robust mutexes.
> >
> > Thoughts ?
[...]
> About the system call, we would call sys_cleanup_robust_list() before 
> freeing/unmapping the robust mutex. To guarantee that we check every 
> process that shares the memory region, would we need to check *every* 
> single process? I don't think there's a way find a way to find such maps 
> without checking them all.

We should be able to do it with just an iteration on the struct address_space
reverse mapping (list of vma which map the shared mapping).

AFAIU we'd want to get the struct address_space associated with the
__user pointer, then, while holding i_mmap_lock_read(mapping), iterate
on its reverse mapping (i_mmap field) with vma_interval_tree_foreach. We
can get each mm_struct through vma->vm_mm.

We'd want to do most of this in a kthread and use other mm_struct through
use_mm().

For each mm_struct, we go through the owner field to get the thread
group leader, and iterate on all thread siblings (for_each_thread).

For each of those threads, we'd want to clear the list_op_pending
if it matches the offset of @addr within the mapping. I suspect we'd
want to clear that userspace pointer with a futex_atomic_cmpxchg_inatomic
which only clears the pointer if the old value match the one we expect.

Thanks,

Mathieu

--
Mathieu Desnoyers
EfficiOS Inc.
https://www.efficios.com