From: sashiko-bot@kernel.org
To: "Jia He" <justin.he@arm.com>
Cc: linux-perf-users@vger.kernel.org
Subject: Re: [PATCH 7/7] lib/tests: test_ratelimit: fix stress test thread lifecycle and leak
Date: Thu, 14 May 2026 18:18:19 +0000
Message-ID: <20260514181819.C0713C2BCB3@smtp.kernel.org>
In-Reply-To: <20260514050455.2954509-8-justin.he@arm.com>

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [High] Use-After-Free in kthread_stop() due to uncontrolled child thread exit
--

commit cb9c7c9c5b3cf7b61d434d8dc2e4e72ebc4cfd3a
Author: Jia He <justin.he@arm.com>

lib/tests: test_ratelimit: fix stress test thread lifecycle and leak

This commit changes the stress test to use kthread_create() and
wake_up_process() instead of kthread_run() to properly handle creation
failures. It adds an out_stop label to clean up successfully started
threads if a subsequent thread fails to start, and resets doneflag
before spawning threads.

> diff --git a/lib/tests/test_ratelimit.c b/lib/tests/test_ratelimit.c
> index 33cea5f3d28b2..64f26260c0d85 100644
> --- a/lib/tests/test_ratelimit.c
> +++ b/lib/tests/test_ratelimit.c
[ ... ]
> @@ -105,26 +105,44 @@ static void test_ratelimit_stress(struct kunit *test)
[ ... ]
> schedule_timeout_idle(stress_duration);
> +
> +out_stop:
> WRITE_ONCE(doneflag, 1);
> - for (i = 0; i < n_stress_kthread; i++) {
> + for (i = 0; i < n_started; i++) {
> kthread_stop(sktp[i].tp);
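
Review bot: At the out_stop label, which the new failure path and the normal teardown now share, the loop calls kthread_stop(sktp[i].tp) for every i below n_started without checking the pointer, so the invariant that n_started counts only entries holding a valid task pointer deserves a comment at the label. The return value of kthread_stop() is also discarded in this loop; either check it or note in a comment why the test ignores it.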

Could this trigger a use-after-free if the child threads exit before
kthread_stop() is called?

When WRITE_ONCE(doneflag, 1) is executed, the child threads running
test_ratelimit_stress_child() observe the flag and return, which invokes
do_exit() and drops the task_struct reference.

If a child thread exits completely before the parent loop reaches its
kthread_stop() call, kthread_stop() will attempt to access a freed
task_struct. This appears to affect both the new error path and the
normal teardown path.

Would it be safer for the parent to take an explicit reference via
get_task_struct() during creation and use kthread_stop_put(), or
alternatively, have the children spin on kthread_should_stop() instead
of exiting immediately on doneflag?

[ ... ]
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260514050455.2954509-1-justin.he@arm.com?part=7
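
The lifetime argument in the review above, as an added userspace model that is not code from the patch, the kernel, or the reviewer: it walks the reference count through the teardown for the unpinned case and for the two alternatives the review proposes. Every name is hypothetical, and the model assumes the worst-case ordering in which a child that exits on doneflag has finished exiting before the parent's stop call.

```c
#include <stdio.h>
/* Constructed userspace model; every name here is hypothetical, not kernel API. */
struct model_task {
	int usage;   /* reference count standing in for the task_struct count */
	int freed;   /* set when the last reference is dropped */
	int exited;  /* child has returned from its thread function */
};

static void model_put(struct model_task *t)
{
	if (--t->usage == 0)
		t->freed = 1;            /* real code would free the object here */
}

/* Child returns from its thread function and gives up its own reference. */
static void model_child_exit(struct model_task *t)
{
	t->exited = 1;
	model_put(t);
}

/* Parent-side stop: 0 if the task was still valid, -1 if it was already freed. */
static int model_stop(struct model_task *t, int pinned)
{
	if (t->freed)
		return -1;               /* the use-after-free case */
	if (!t->exited)
		model_child_exit(t);     /* child sees the stop request and returns */
	if (pinned)
		model_put(t);            /* parent drops the reference it took */
	return 0;
}

/* pin: parent took a reference at creation.
 * wait_for_stop: child waits for the stop request instead of exiting on doneflag. */
static int model_teardown(int pin, int wait_for_stop)
{
	struct model_task t = { .usage = pin ? 2 : 1 };
	if (!wait_for_stop)          /* doneflag set: child exits before the stop call */
		model_child_exit(&t);
	return model_stop(&t, pin);
}

int main(void)
{
	printf("no pin, exits on doneflag: %d\n", model_teardown(0, 0));
	printf("pinned, exits on doneflag: %d\n", model_teardown(1, 0));
	printf("no pin, waits for stop:    %d\n", model_teardown(0, 1));
}
```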