From: sashiko-bot@kernel.org
To: "Jia He" <justin.he@arm.com>
Cc: linux-perf-users@vger.kernel.org
Subject: Re: [PATCH 7/7] lib/tests: test_ratelimit: fix stress test thread lifecycle and leak
Date: Thu, 14 May 2026 18:18:19 +0000
Message-ID: <20260514181819.C0713C2BCB3@smtp.kernel.org>
In-Reply-To: <20260514050455.2954509-8-justin.he@arm.com>

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [High] Use-After-Free in kthread_stop() due to uncontrolled child thread exit
--

commit cb9c7c9c5b3cf7b61d434d8dc2e4e72ebc4cfd3a
Author: Jia He <justin.he@arm.com>

lib/tests: test_ratelimit: fix stress test thread lifecycle and leak

This commit changes the stress test to use kthread_create() and
wake_up_process() instead of kthread_run() to properly handle creation
failures. It adds an out_stop label to clean up successfully started
threads if a subsequent thread fails to start, and resets doneflag
before spawning threads.

> diff --git a/lib/tests/test_ratelimit.c b/lib/tests/test_ratelimit.c
> index 33cea5f3d28b2..64f26260c0d85 100644
> --- a/lib/tests/test_ratelimit.c
> +++ b/lib/tests/test_ratelimit.c
[ ... ]
> @@ -105,26 +105,44 @@ static void test_ratelimit_stress(struct kunit *test)
[ ... ]
>  	schedule_timeout_idle(stress_duration);
> +
> +out_stop:
>  	WRITE_ONCE(doneflag, 1);
> -	for (i = 0; i < n_stress_kthread; i++) {
> +	for (i = 0; i < n_started; i++) {
>  		kthread_stop(sktp[i].tp);
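Review bot: the new loop bound in `for (i = 0; i < n_started; i++)` is only correct if `n_started` is advanced after each kthread_create() succeeds and never counts the thread whose creation failed; that increment is outside this hunk, so confirm it in the full diff. Separately, since `WRITE_ONCE(doneflag, 1)` runs before the loop and lets a child return from its thread function on its own, a child can be gone before `kthread_stop(sktp[i].tp)` reaches it, on both the `out_stop:` error path and the normal teardown; taking a reference at creation (get_task_struct() right after kthread_create()) and releasing it with kthread_stop_put(), or having the children exit only on kthread_should_stop(), would close that window.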

Could this trigger a use-after-free if the child threads exit before
kthread_stop() is called?

When WRITE_ONCE(doneflag, 1) is executed, the child threads running
test_ratelimit_stress_child() observe the flag and return, which invokes
do_exit() and drops the task_struct reference.

If a child thread exits completely before the parent loop reaches its
kthread_stop() call, kthread_stop() will attempt to access a freed
task_struct. This appears to affect both the new error path and the
normal teardown path.

Would it be safer for the parent to take an explicit reference via
get_task_struct() during creation and use kthread_stop_put(), or
alternatively, have the children spin on kthread_should_stop() instead
of exiting immediately on doneflag?
[ ... ]

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260514050455.2954509-1-justin.he@arm.com?part=7
