Race condition in glibc/NPTL/Linux robust mutexes?

Question

In a comment on the question Automatically release mutex on crashes in Unix back in 2010, jilles claimed:

glibc\'s robust mutexes are so fast because glib

Answer 1

I think I found the race, and it is indeed very ugly. It goes like this:

Thread A has held the robust mutex and unlocks it. The basic procedure is:

1. Put it in the "pending" slot of the thread's robust list header.
2. Remove it from the linked list of robust mutexes held by the current thread.
3. Unlock the mutex.
4. Clear the "pending" slot of the thread's robust list header.

The problem is that between steps 3 and 4, another thread in the same process could obtain the mutex, then unlock it, and (rightly) believing itself to be the final user of the mutex, destroy and free/munmap it. After that, if any thread in the process creates a shared mapping of a file, device, or shared memory and it happens to get assigned the same address, and the value at that location happens to match the pid of the thread that's still between steps 3 and 4 of unlocking, you have a situation whereby, if the process is killed, the kernel will corrupt the mapped file by setting the high bit of a 32-bit integer it thinks is the mutex owner id.

The solution is to hold a global lock on mmap/munmap between steps 2 and 4 above, exactly the same as in my solution to the barrier issue described in my answer to this question:

Can a correct fail-safe process-shared barrier be implemented on Linux?