From: Paolo Abeni <pabeni@redhat.com>
To: jk@codeconstruct.com.au
Cc: matt@codeconstruct.com.au, andrew+netdev@lunn.ch,
davem@davemloft.net, edumazet@google.com, kuba@kernel.org,
pabeni@redhat.com, gregkh@linuxfoundation.org,
netdev@vger.kernel.org, linux-usb@vger.kernel.org
Subject: Re: [PATCH net-next 10/12] net: mctp: usblib: Add initial kunit tests
Date: Thu, 2 Jul 2026 12:10:49 +0200 [thread overview]
Message-ID: <20260702101049.139262-1-pabeni@redhat.com> (raw)
In-Reply-To: <20260630-dev-mctp-usb-1-1-v1-10-86a311fc67b7@codeconstruct.com.au>
From: AI Reviewer <ai@example.com>
This is an AI-generated review of your patch. The human sending this
email has considered the AI review valid, or at least plausible.
Full review at: https://netdev-ai.bots.linux.dev/sashiko/
---
net: mctp: usblib: Add initial kunit tests
This commit introduces an initial set of kunit tests covering the
mctp-usblib receive path, exercising packet extraction from incoming
USB transfer data.
> diff --git a/drivers/net/mctp/mctp-usblib-test.c b/drivers/net/mctp/mctp-usblib-test.c
> new file mode 100644
> index 000000000000..ac837cbb4436
> --- /dev/null
> +++ b/drivers/net/mctp/mctp-usblib-test.c
> @@ -0,0 +1,330 @@
[ ... ]
> +static struct mctp_usblib_test_dev *mctp_usblib_test_create_dev(void)
> +{
> + struct mctp_usblib_test_dev *dev;
> + struct net_device *ndev;
> + int rc;
> +
> + ndev = alloc_netdev(sizeof(*dev), "mctptest%d", NET_NAME_ENUM,
> + mctp_usblib_dev_setup);
> + if (!ndev)
> + return NULL;
> +
> + dev = netdev_priv(ndev);
> + dev->ndev = ndev;
> + skb_queue_head_init(&dev->rx_pkts);
> +
> + rc = register_netdev(ndev);
> + if (rc) {
> + free_netdev(ndev);
> + return NULL;
> + }
> +
> + rcu_read_lock();
> + dev->mdev = __mctp_dev_get(ndev);
> + dev->mdev->net = mctp_default_net(dev_net(ndev));
> + rcu_read_unlock();
[Low]
Can __mctp_dev_get() return NULL here? Looking at net/mctp/device.c:
struct mctp_dev *__mctp_dev_get(const struct net_device *dev)
{
struct mctp_dev *mdev = rcu_dereference(dev->mctp_ptr);
if (mdev)
if (!refcount_inc_not_zero(&mdev->refs))
return NULL;
return mdev;
}
If mctp_add_dev() fails inside the NETDEV_REGISTER notifier path, mctp_ptr
will not be installed and __mctp_dev_get() returns NULL, making the
subsequent dev->mdev->net = ... a NULL dereference in the test kthread.
> +
> + rtnl_lock();
> + dev_open(ndev, NULL);
> + rtnl_unlock();
[Low]
Is it intentional to ignore the return value of dev_open() here? If
dev_open() fails the netdev is registered but never brought up, and the
test then proceeds against an inconsistently-initialized device.
> +
> + return dev;
> +}
> +
> +static int mctp_usblib_test_dst_output(struct mctp_dst *dst,
> + struct sk_buff *skb)
> +{
> + struct mctp_usblib_test_dev *dev = netdev_priv(skb->dev);
> +
> + skb_queue_tail(&dev->rx_pkts, skb);
> +
> + return 0;
> +}
> +
> +static void mctp_usblib_test_init(struct kunit *test,
> + struct mctp_usblib_test_ctx *ctx)
> +{
> + struct mctp_route *rt = &ctx->rt;
> +
> + ctx->dev = mctp_usblib_test_create_dev();
> + KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ctx->dev);
> +
> + memset(rt, 0, sizeof(*rt));
> + rt->min = local_eid;
> + rt->max = local_eid;
> + rt->dst_type = MCTP_ROUTE_DIRECT;
> + rt->type = RTN_LOCAL;
> + rt->dev = ctx->dev->mdev;
> + rt->output = mctp_usblib_test_dst_output;
> +
> + list_add_rcu(&ctx->rt.list, &init_net.mctp.routes);
> +}
[High]
What happens to ctx.rt on a KUNIT_ASSERT_* failure later in the test?
The ctx variable is a stack local in mctp_usblib_test_rx_single() and
mctp_usblib_test_rx_pkt_span(), and mctp_usblib_test_init() inserts
&ctx->rt.list into the global RCU-protected list init_net.mctp.routes:
list_add_rcu(&ctx->rt.list, &init_net.mctp.routes);
KUNIT_ASSERT_* macros invoke __kunit_abort() which calls
kunit_try_catch_throw() and ultimately kthread_exit(0), so control never
returns to the test function:
lib/kunit/test.c: __kunit_abort()
-> kunit_try_catch_throw()
-> kthread_exit(0)
When the test kthread exits, its stack is gone, leaving a list_head in
init_net.mctp.routes that points at freed/reused stack memory.
The next RCU traversal of init_net.mctp.routes (subsequent mctp test,
mctp routing code, another kunit run) would then dereference that
dangling pointer.
The same abort path also bypasses unregister_netdev() and the
mctp_dev_put() done by mctp_usblib_test_fini().
Would using kunit_add_action() / kunit_add_action_or_reset() (or suite
.init/.exit hooks together with kunit_kmalloc()) ensure list_del_rcu(),
synchronize_rcu() and the netdev teardown always run, regardless of
assertion outcome?
> +
[ ... ]
> +static void mctp_usblib_test_rx_single(struct kunit *test)
> +{
> + struct mctp_usblib_test_dev *dev;
> + struct mctp_usblib_test_ctx ctx;
> + struct mctp_usblib_rx rx;
> + struct sk_buff *skb;
> + size_t len;
> + void *buf;
> + int rc;
> +
> + mctp_usblib_test_init(test, &ctx);
> + dev = ctx.dev;
> +
> + mctp_usblib_rx_init(&rx, true);
> +
> + rc = mctp_usblib_rx_prepare(dev->ndev, &rx, &buf, &len, GFP_KERNEL);
> + KUNIT_ASSERT_EQ(test, rc, 0);
> +
> + mctp_usblib_test_init_pkt(buf, 8, 8);
> +
> + rc = mctp_usblib_rx_complete(dev->ndev, &rx, 8);
> + KUNIT_ASSERT_EQ(test, rc, 0);
> +
> + skb = __skb_dequeue(&dev->rx_pkts);
> + KUNIT_EXPECT_NOT_ERR_OR_NULL(test, skb);
> + KUNIT_EXPECT_EQ(test, skb->len, 4);
> + kfree_skb(skb);
> +
> + mctp_usblib_rx_fini(&rx);
> + mctp_usblib_test_fini(test, &ctx);
> +}
> +
[ ... ]
> +static void mctp_usblib_test_rx_pkt_span(struct kunit *test)
> +{
> + const struct mctp_usblib_test_pkt_span *pkt_span = test->param_value;
> + size_t len, xfer_len, off, xfer_off;
> + struct mctp_usblib_test_dev *dev;
> + struct mctp_usblib_test_ctx ctx;
> + struct mctp_usblib_rx rx;
> + unsigned int i;
> + u8 *pktbuf;
> + void *buf;
> + int rc;
> +
> + mctp_usblib_test_pkt_span_validate(test, pkt_span, &len);
> + pktbuf = kmalloc_array(1, len, GFP_KERNEL);
> +
> + /* lay out packets */
> + for (off = 0, i = 0; i < pkt_span->n_pkts; i++) {
> + len = pkt_span->pkts[i];
> + mctp_usblib_test_init_pkt(pktbuf + off, len, len);
> + off += len;
> + }
[Low]
Is the kmalloc_array() return value missing a NULL check? pktbuf is
dereferenced immediately via mctp_usblib_test_init_pkt(pktbuf + off, ...),
so an allocation failure (including under kunit fault injection) becomes
a NULL deref. Would kunit_kmalloc_array() or an explicit
KUNIT_ASSERT_NOT_NULL(test, pktbuf) be more appropriate here?
> +
[ ... ]
> + /* check received packets */
> + KUNIT_EXPECT_EQ(test, dev->rx_pkts.qlen, pkt_span->n_pkts);
> + for (i = 0; ; i++) {
> + struct sk_buff *skb = __skb_dequeue(&dev->rx_pkts);
> +
> + if (!skb)
> + break;
> +
> + if (i <= pkt_span->n_pkts)
> + KUNIT_EXPECT_EQ(test, skb->len, pkt_span->pkts[i] - 4);
> +
> + kfree_skb(skb);
> + }
[Low]
Should this comparison be i < pkt_span->n_pkts rather than
i <= pkt_span->n_pkts?
With <=, when i == n_pkts the test reads pkts[n_pkts], which is a
zero-initialized tail slot of pkts[6]; the expected length then
underflows to (size_t)0 - 4 and produces a confusing diagnostic instead
of a clean failure if the queue ever holds more SKBs than expected.
> +
[ ... ]
--
This is an AI-generated review.
next prev parent reply other threads:[~2026-07-02 10:11 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-30 3:21 [PATCH net-next 00/12] net: mctp: usb: Add support for MCTP-over-USB v1.1 Jeremy Kerr
2026-06-30 3:21 ` [PATCH net-next 01/12] net: mctp: usb: Include version indicator in max packet size defines Jeremy Kerr
2026-06-30 3:21 ` [PATCH net-next 02/12] net: mctp: usb: Use packet-length max for maximum packet-size check Jeremy Kerr
2026-06-30 3:21 ` [PATCH net-next 03/12] net: mctp: usblib: Move RX transfer processing to a new mctp-usblib Jeremy Kerr
2026-07-02 10:09 ` Paolo Abeni
2026-06-30 3:21 ` [PATCH net-next 04/12] net: mctp: usblib: Move TX transfer processing to mctp-usblib Jeremy Kerr
2026-07-02 10:10 ` Paolo Abeni
2026-06-30 3:21 ` [PATCH net-next 05/12] net: mctp: usb: Allow for multiple urb submissions from a packet tx Jeremy Kerr
2026-06-30 3:21 ` [PATCH net-next 06/12] net: mctp: usblib: Add support for multi-packet transmit Jeremy Kerr
2026-06-30 3:21 ` [PATCH net-next 07/12] net: mctp: usb: Accommodate DSP0283 v1.1 header format Jeremy Kerr
2026-06-30 3:21 ` [PATCH net-next 08/12] net: mctp: usblib: Implement receive-side packet spanning Jeremy Kerr
2026-06-30 3:21 ` [PATCH net-next 09/12] net: mctp: usblib: Implement transmit-side " Jeremy Kerr
2026-06-30 3:21 ` [PATCH net-next 10/12] net: mctp: usblib: Add initial kunit tests Jeremy Kerr
2026-07-02 10:10 ` Paolo Abeni [this message]
2026-06-30 3:21 ` [PATCH net-next 11/12] net: mctp: usb: enable v1.1 packet spanning Jeremy Kerr
2026-06-30 3:21 ` [PATCH net-next 12/12] net: mctp: usb: Allow multiple urbs in flight Jeremy Kerr
2026-07-02 10:09 ` Paolo Abeni
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260702101049.139262-1-pabeni@redhat.com \
--to=pabeni@redhat.com \
--cc=andrew+netdev@lunn.ch \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=gregkh@linuxfoundation.org \
--cc=jk@codeconstruct.com.au \
--cc=kuba@kernel.org \
--cc=linux-usb@vger.kernel.org \
--cc=matt@codeconstruct.com.au \
--cc=netdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox