
sched/group: skip group_release for kernel thread group#18826

Status: Open
wyr-7 wants to merge 1 commit into apache:master from wyr-7:group-kthread-fix

Conversation

wyr-7 (Contributor) commented Apr 30, 2026

Summary

When CONFIG_DISABLE_PTHREAD=y, HAVE_GROUP_MEMBERS is undefined and group_leave() unconditionally calls group_release() for every exiting thread. This destroys the shared g_kthread_group resources (mutex, fdlist, task_info) while other kernel threads are still using them, causing use-after-free crashes.

PR #18517 added GROUP_FLAG_STATIC to guard group_drop() against freeing the static g_kthread_group struct. However, group_release() still runs and destroys internal resources (tg_mutex, tg_fdlist, tg_info) that are shared by all kernel threads.

Fix by checking TCB_FLAG_TTYPE_KERNEL in group_leave() before calling group_release(), so the entire release path is skipped for kernel threads. This is safe because g_kthread_group is statically allocated and its lifetime is the entire system.

Also fix the "Bits 3-7: Available" comment to "Bits 5-7" since bit 4 is now used by GROUP_FLAG_FD_BACKTRACE.

Impact

All configurations with CONFIG_DISABLE_PTHREAD=y that dynamically create and destroy kernel threads have the use-after-free fixed.

Testing

Tested on Infineon TC4D9 EVB (TriCore, NuttX SMP BMP). Verified kernel thread exit does not corrupt shared g_kthread_group by stopping an rptun channel (destroys rpmsg kthread).

Before rptun stop (rpmsg-corecs-0 kthread PID 48 present):

  core0> ps
  PID GROUP PRI POLICY   TYPE    NPX STATE    EVENT     SIGMASK            STACK    USED FILLED    CPU COMMAND
    0     0   0 FIFO     Kthread   - Ready              0000000000000000 0003008 0001136  37.7%  95.2% CPU0 IDLE
    1     0 224 FIFO     Kthread   - Waiting  Semaphore 0000000000000000 0003968 0001076  27.1%   0.1% hpwork 0xd0000540 0xd0000590
    2     0 100 FIFO     Kthread   - Waiting  Semaphore 0000000000000000 0003968 0001992  50.2%   0.3% lpwork 0xd00004c0 0xd0000510
    3     3 253 FIFO     Task      - Waiting  Semaphore 0000000000000000 0003904 0002820  72.2%   0.0% init
   12     0 253 FIFO     Kthread   - Waiting  Semaphore 0000000000000000 0003968 0002108  53.1%   0.0% kautocore_init
   13     0 201 FIFO     Kthread   - Waiting  Semaphore 0000000000000000 0003968 0000700  17.6%   0.7% BSW_TASK_1MS_C0
   14    14 254 FIFO     Task      - Running            0000000000000000 0003904 0002620  67.1%   0.0% nsh
   23    23 100 FIFO     Task      - Waiting  Semaphore 0000000000000000 0003904 0002044  52.3%   0.0% dfxd -f /etc/dfxd_setup_cpu0.cfg
   37     0 251 FIFO     Kthread   - Waiting  Semaphore fffffffffff7fdff 0003968 0000564  14.2%   0.0% isrwork 0x70030f40 0x70030f90
   38     0 250 FIFO     Kthread   - Waiting  Semaphore fffffffffff7fdff 0003968 0000564  14.2%   0.0% isrwork 0x70031240 0x70031290
   39     0 189 FIFO     Kthread   - Waiting  Semaphore fffffffffff7fdff 0003904 0001372  35.1%   0.0% rpmsg-core1-0 0x70033020 0x70033070
   40     0 200 FIFO     Kthread   - Waiting  Semaphore fffffffffff7fdff 0003904 0001212  31.0%   0.0% rpmsg-core1_1-0 0x70034710 0x70034760
   41     0 189 FIFO     Kthread   - Waiting  Semaphore fffffffffff7fdff 0003904 0001372  35.1%   0.0% rpmsg-core2-0 0x70029c08 0x70029c58
   42     0 189 FIFO     Kthread   - Waiting  Semaphore fffffffffff7fdff 0003968 0001372  34.5%   0.0% rpmsg-core3-0 0x7002a2a0 0x7002a2f0
   43     0 189 FIFO     Kthread   - Waiting  Semaphore fffffffffff7fdff 0003904 0001372  35.1%   0.0% rpmsg-core4-0 0x7002a5a8 0x7002a5f8
   47     0 189 FIFO     Kthread   - Waiting  Semaphore fffffffffff7fdff 0003968 0001372  34.5%   0.0% rpmsg-core5-0 0x7002c280 0x7002c2d0
   48     0 189 FIFO     Kthread   - Waiting  Semaphore fffffffffff7fdff 0003968 0001372  34.5%   0.0% rpmsg-corecs-0 0x7002c828 0x7002c878
   49     0 199 FIFO     Kthread   - Waiting  Semaphore 0000000000000000 0003968 0001256  31.6%   0.7% BSW_TASK_5MS_C0
   50     0 197 FIFO     Kthread   - Waiting  Semaphore 0000000000000000 0003968 0001892  47.6%   2.4% BSW_TASK_10MS_C0
   51     0 195 FIFO     Kthread   - Waiting  Semaphore 0000000000000000 0003968 0001304  32.8%   0.1% BSW_TASK_20MS_C0
   52     0 193 FIFO     Kthread   - Waiting  Semaphore 0000000000000000 0003968 0001256  31.6%   0.0% BSW_TASK_50MS_C0
   53     0 191 FIFO     Kthread   - Waiting  Semaphore 0000000000000000 0003968 0001884  47.4%   0.2% BSW_TASK_100MS_C0
   54     0 101 FIFO     Kthread   - Waiting  Semaphore 0000000000000000 0003904 0001396  35.7%   0.0% autocore_macc 0xb0036094

  core0> rptun stop /dev/rptun/corecs
  [01/01/70 00:01:32.462760] [CPU0] rx_vq: freeing non-empty virtqueue
  [01/01/70 00:01:32.462779] [CPU0] tx_vq: freeing non-empty virtqueue

After rptun stop (rpmsg-corecs-0 gone, all other kthreads intact):

  core0> ps
  PID GROUP PRI POLICY   TYPE    NPX STATE    EVENT     SIGMASK            STACK    USED FILLED    CPU COMMAND
    0     0   0 FIFO     Kthread   - Ready              0000000000000000 0003008 0001136  37.7%  95.2% CPU0 IDLE
    1     0 224 FIFO     Kthread   - Waiting  Semaphore 0000000000000000 0003968 0001076  27.1%   0.1% hpwork 0xd0000540 0xd0000590
    2     0 100 FIFO     Kthread   - Waiting  Semaphore 0000000000000000 0003968 0001992  50.2%   0.3% lpwork 0xd00004c0 0xd0000510
    3     3 253 FIFO     Task      - Waiting  Semaphore 0000000000000000 0003904 0002820  72.2%   0.0% init
   12     0 253 FIFO     Kthread   - Waiting  Semaphore 0000000000000000 0003968 0002108  53.1%   0.0% kautocore_init
   13     0 201 FIFO     Kthread   - Waiting  Semaphore 0000000000000000 0003968 0000700  17.6%   0.7% BSW_TASK_1MS_C0
   14    14 254 FIFO     Task      - Running            0000000000000000 0003904 0003316  84.9%!  0.0% nsh
   23    23 100 FIFO     Task      - Waiting  Semaphore 0000000000000000 0003904 0002044  52.3%   0.0% dfxd -f /etc/dfxd_setup_cpu0.cfg
   37     0 251 FIFO     Kthread   - Waiting  Semaphore fffffffffff7fdff 0003968 0000564  14.2%   0.0% isrwork 0x70030f40 0x70030f90
   38     0 250 FIFO     Kthread   - Waiting  Semaphore fffffffffff7fdff 0003968 0000564  14.2%   0.0% isrwork 0x70031240 0x70031290
   39     0 189 FIFO     Kthread   - Waiting  Semaphore fffffffffff7fdff 0003904 0001372  35.1%   0.0% rpmsg-core1-0 0x70033020 0x70033070
   40     0 200 FIFO     Kthread   - Waiting  Semaphore fffffffffff7fdff 0003904 0001212  31.0%   0.0% rpmsg-core1_1-0 0x70034710 0x70034760
   41     0 189 FIFO     Kthread   - Waiting  Semaphore fffffffffff7fdff 0003904 0001372  35.1%   0.0% rpmsg-core2-0 0x70029c08 0x70029c58
   42     0 189 FIFO     Kthread   - Waiting  Semaphore fffffffffff7fdff 0003968 0001372  34.5%   0.0% rpmsg-core3-0 0x7002a2a0 0x7002a2f0
   43     0 189 FIFO     Kthread   - Waiting  Semaphore fffffffffff7fdff 0003904 0001372  35.1%   0.0% rpmsg-core4-0 0x7002a5a8 0x7002a5f8
   47     0 189 FIFO     Kthread   - Waiting  Semaphore fffffffffff7fdff 0003968 0001372  34.5%   0.0% rpmsg-core5-0 0x7002c280 0x7002c2d0
   49     0 199 FIFO     Kthread   - Waiting  Semaphore 0000000000000000 0003968 0001256  31.6%   0.7% BSW_TASK_5MS_C0
   50     0 197 FIFO     Kthread   - Waiting  Semaphore 0000000000000000 0003968 0001892  47.6%   2.3% BSW_TASK_10MS_C0
   51     0 195 FIFO     Kthread   - Waiting  Semaphore 0000000000000000 0003968 0001304  32.8%   0.1% BSW_TASK_20MS_C0
   52     0 193 FIFO     Kthread   - Waiting  Semaphore 0000000000000000 0003968 0001256  31.6%   0.0% BSW_TASK_50MS_C0
   53     0 191 FIFO     Kthread   - Waiting  Semaphore 0000000000000000 0003968 0001884  47.4%   0.1% BSW_TASK_100MS_C0
   54     0 101 FIFO     Kthread   - Waiting  Semaphore 0000000000000000 0003904 0001396  35.7%   0.0% autocore_macc 0xb0036094

System continues running normally after kthread exit. No crash, no assert, no corruption of g_kthread_group resources. PID 48 (rpmsg-corecs-0) successfully destroyed while 20+ other kernel threads sharing the same g_kthread_group remain healthy.
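As an added illustration (not code from this PR or from NuttX), a compact C model of the before/after group_leave() behaviour the description above explains: two kernel threads share one static g_kthread_group, one exits, and only the fixed path leaves the survivor's resources intact while a user task's own group is still released. The struct layout, the "initialized" flag standing in for tg_mutex/tg_fdlist/tg_info, and the numeric flag values are assumptions.

```c
/* Added example, not NuttX code: a minimal model of group_leave() with
 * HAVE_GROUP_MEMBERS undefined (CONFIG_DISABLE_PTHREAD=y). Struct layout, the
 * "initialized" flag (stand-in for tg_mutex/tg_fdlist/tg_info) and flag
 * values are assumptions made only to illustrate the PR's change. */
#include <stdbool.h>
#include <stddef.h>

#define TCB_FLAG_TTYPE_KERNEL 0x2  /* assumed bit value, as tested in the PR */
#define GROUP_FLAG_STATIC     0x1  /* assumed: marks the static g_kthread_group */
struct task_group_s { unsigned flags; bool initialized; }; /* initialized: resources valid */
struct tcb_s { unsigned flags; struct task_group_s *group; };

/* One static group shared by every kernel thread for the system's lifetime */
static struct task_group_s g_kthread_group = { GROUP_FLAG_STATIC, true };

/* group_release(): destroys the group's resources for every member at once */
static void group_release(struct task_group_s *group) { group->initialized = false; }

/* Before the fix: every exiting thread releases its group unconditionally */
static void group_leave_before(struct tcb_s *tcb) {
  if (tcb->group) {
    group_release(tcb->group);
    tcb->group = NULL;
  }
}

/* After the fix: the whole release path is skipped for kernel threads */
static void group_leave_after(struct tcb_s *tcb) {
  struct task_group_s *group = tcb->group;
  if (group) {
    bool release = !(tcb->flags & TCB_FLAG_TTYPE_KERNEL);
    if (release) group_release(group);
    tcb->group = NULL;
  }
}

/* Two kernel threads share g_kthread_group and one exits through 'leave'.
 * Returns true if the survivor's group resources are still valid. */
static bool kthread_survivor_ok(void (*leave)(struct tcb_s *)) {
  g_kthread_group.initialized = true;
  struct tcb_s exiting  = { TCB_FLAG_TTYPE_KERNEL, &g_kthread_group };
  struct tcb_s survivor = { TCB_FLAG_TTYPE_KERNEL, &g_kthread_group };
  leave(&exiting);
  return survivor.group->initialized;
}

/* A user task owning its own group must still be released after the fix */
static bool user_task_released(void) {
  struct task_group_s tg = { 0, true };  /* dynamic group, not static */
  struct tcb_s task = { 0, &tg };        /* TTYPE_TASK == 0, so released */
  group_leave_after(&task);
  return !tg.initialized;
}
```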

github-actions bot added labels "Area: OS Components" (OS Components issues) and "Size: S" (the size of the change in this PR is small) on Apr 30, 2026
wyr-7 force-pushed the group-kthread-fix branch 2 times, most recently from 6b021c5 to 108a3e6 (April 30, 2026 08:17)
wyr-7 force-pushed the group-kthread-fix branch from 108a3e6 to e607b27 (April 30, 2026 11:49)
When CONFIG_DISABLE_PTHREAD=y, HAVE_GROUP_MEMBERS is undefined and
group_leave() unconditionally calls group_release() for every exiting
thread. This destroys the shared g_kthread_group resources (mutex,
fdlist, task_info) while other kernel threads are still using them,
causing use-after-free crashes.

Fix by checking TCB_FLAG_TTYPE_KERNEL in group_leave() before calling
group_release(), so the entire release path is skipped for kernel
threads. This is safe because g_kthread_group is statically allocated
and its lifetime is the entire system.

Signed-off-by: wangyongrong <wangyongrong@xiaomi.com>
wyr-7 force-pushed the group-kthread-fix branch from e607b27 to 0d11eee (April 30, 2026 11:58)
Review comment thread on sched/group/group_leave.c:
group = tcb->group;
if (group)
{
bool release = !(tcb->flags & TCB_FLAG_TTYPE_KERNEL);
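Review bot: the new line `bool release = !(tcb->flags & TCB_FLAG_TTYPE_KERNEL);` identifies the kernel thread with a bare single-bit AND, but in NuttX the thread type is a two-bit field selected by TCB_FLAG_TTYPE_MASK, so the conventional and more robust spelling is `(tcb->flags & TCB_FLAG_TTYPE_MASK) == TCB_FLAG_TTYPE_KERNEL`; the bare AND only stays correct while no other type value shares that bit. A short comment above the line stating that kernel threads share the statically allocated, system-lifetime g_kthread_group and therefore must never run group_release() would document the intent in the code itself, and would also answer the comment request below.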
Contributor review comment:

Please include comment here explaining the idea of this new modification

cederom (Contributor) commented May 5, 2026

Could you please take a look at this approach and verify @mzanders? :-)

cederom (Contributor) left a review comment:

Thank you @wyr-7 amazing work! :-)

Please let's wait for the verification by @mzanders: as he found the issue and proposed the initial fix, he will provide additional testing on his hardware :-)
