wyr-7 opened a new pull request, #18826:
URL: https://github.com/apache/nuttx/pull/18826

   Summary:
   When CONFIG_DISABLE_PTHREAD=y, HAVE_GROUP_MEMBERS is undefined and 
group_leave() unconditionally calls group_release() for every exiting thread. 
This destroys the shared g_kthread_group resources (mutex, fdlist, task_info) 
while other kernel threads are still using them, causing use-after-free crashes.
   
   PR #18517 added GROUP_FLAG_STATIC to guard group_drop() against freeing the 
static g_kthread_group struct. However, group_release() still runs and destroys 
internal resources (tg_mutex, tg_fdlist, tg_info) that are shared by all kernel 
threads.
   
   Fix by checking TCB_FLAG_TTYPE_KERNEL in group_leave() before calling 
group_release(), so the entire release path is skipped for kernel threads. This 
is safe because g_kthread_group is statically allocated and its lifetime is the 
entire system.
   
   Also fix the "Bits 3-7: Available" comment to "Bits 5-7" since bit 4 is now 
used by GROUP_FLAG_FD_BACKTRACE.
   
   Impact:
   All configurations with CONFIG_DISABLE_PTHREAD=y that dynamically create and 
destroy kernel threads.
   
   Testing:
   Tested on Infineon TC4D9 EVB (TriCore, NuttX SMP BMP). Verified kernel 
thread exit does not corrupt shared g_kthread_group by stopping an rptun 
channel (destroys rpmsg kthread).
   
   Before rptun stop (rpmsg-corecs-0 kthread PID 48 present):
   
     core0> ps
     PID GROUP PRI POLICY   TYPE    NPX STATE    EVENT     SIGMASK            STACK    USED FILLED    CPU COMMAND
       0     0   0 FIFO     Kthread   - Ready              0000000000000000 0003008 0001136  37.7%  95.2% CPU0 IDLE
       1     0 224 FIFO     Kthread   - Waiting  Semaphore 0000000000000000 0003968 0001076  27.1%   0.1% hpwork 0xd0000540 0xd0000590
       2     0 100 FIFO     Kthread   - Waiting  Semaphore 0000000000000000 0003968 0001992  50.2%   0.3% lpwork 0xd00004c0 0xd0000510
       3     3 253 FIFO     Task      - Waiting  Semaphore 0000000000000000 0003904 0002820  72.2%   0.0% init
      12     0 253 FIFO     Kthread   - Waiting  Semaphore 0000000000000000 0003968 0002108  53.1%   0.0% kautocore_init
      13     0 201 FIFO     Kthread   - Waiting  Semaphore 0000000000000000 0003968 0000700  17.6%   0.7% BSW_TASK_1MS_C0
      14    14 254 FIFO     Task      - Running            0000000000000000 0003904 0002620  67.1%   0.0% nsh
      23    23 100 FIFO     Task      - Waiting  Semaphore 0000000000000000 0003904 0002044  52.3%   0.0% dfxd -f /etc/dfxd_setup_cpu0.cfg
      37     0 251 FIFO     Kthread   - Waiting  Semaphore fffffffffff7fdff 0003968 0000564  14.2%   0.0% isrwork 0x70030f40 0x70030f90
      38     0 250 FIFO     Kthread   - Waiting  Semaphore fffffffffff7fdff 0003968 0000564  14.2%   0.0% isrwork 0x70031240 0x70031290
      39     0 189 FIFO     Kthread   - Waiting  Semaphore fffffffffff7fdff 0003904 0001372  35.1%   0.0% rpmsg-core1-0 0x70033020 0x70033070
      40     0 200 FIFO     Kthread   - Waiting  Semaphore fffffffffff7fdff 0003904 0001212  31.0%   0.0% rpmsg-core1_1-0 0x70034710 0x70034760
      41     0 189 FIFO     Kthread   - Waiting  Semaphore fffffffffff7fdff 0003904 0001372  35.1%   0.0% rpmsg-core2-0 0x70029c08 0x70029c58
      42     0 189 FIFO     Kthread   - Waiting  Semaphore fffffffffff7fdff 0003968 0001372  34.5%   0.0% rpmsg-core3-0 0x7002a2a0 0x7002a2f0
      43     0 189 FIFO     Kthread   - Waiting  Semaphore fffffffffff7fdff 0003904 0001372  35.1%   0.0% rpmsg-core4-0 0x7002a5a8 0x7002a5f8
      47     0 189 FIFO     Kthread   - Waiting  Semaphore fffffffffff7fdff 0003968 0001372  34.5%   0.0% rpmsg-core5-0 0x7002c280 0x7002c2d0
      48     0 189 FIFO     Kthread   - Waiting  Semaphore fffffffffff7fdff 0003968 0001372  34.5%   0.0% rpmsg-corecs-0 0x7002c828 0x7002c878
      49     0 199 FIFO     Kthread   - Waiting  Semaphore 0000000000000000 0003968 0001256  31.6%   0.7% BSW_TASK_5MS_C0
      50     0 197 FIFO     Kthread   - Waiting  Semaphore 0000000000000000 0003968 0001892  47.6%   2.4% BSW_TASK_10MS_C0
      51     0 195 FIFO     Kthread   - Waiting  Semaphore 0000000000000000 0003968 0001304  32.8%   0.1% BSW_TASK_20MS_C0
      52     0 193 FIFO     Kthread   - Waiting  Semaphore 0000000000000000 0003968 0001256  31.6%   0.0% BSW_TASK_50MS_C0
      53     0 191 FIFO     Kthread   - Waiting  Semaphore 0000000000000000 0003968 0001884  47.4%   0.2% BSW_TASK_100MS_C0
      54     0 101 FIFO     Kthread   - Waiting  Semaphore 0000000000000000 0003904 0001396  35.7%   0.0% autocore_macc 0xb0036094
   
     core0> rptun stop /dev/rptun/corecs
     [01/01/70 00:01:32.462760] [CPU0] rx_vq: freeing non-empty virtqueue
     [01/01/70 00:01:32.462779] [CPU0] tx_vq: freeing non-empty virtqueue
   
   After rptun stop (rpmsg-corecs-0 gone, all other kthreads intact):
   
     core0> ps
     PID GROUP PRI POLICY   TYPE    NPX STATE    EVENT     SIGMASK            STACK    USED FILLED    CPU COMMAND
       0     0   0 FIFO     Kthread   - Ready              0000000000000000 0003008 0001136  37.7%  95.2% CPU0 IDLE
       1     0 224 FIFO     Kthread   - Waiting  Semaphore 0000000000000000 0003968 0001076  27.1%   0.1% hpwork 0xd0000540 0xd0000590
       2     0 100 FIFO     Kthread   - Waiting  Semaphore 0000000000000000 0003968 0001992  50.2%   0.3% lpwork 0xd00004c0 0xd0000510
       3     3 253 FIFO     Task      - Waiting  Semaphore 0000000000000000 0003904 0002820  72.2%   0.0% init
      12     0 253 FIFO     Kthread   - Waiting  Semaphore 0000000000000000 0003968 0002108  53.1%   0.0% kautocore_init
      13     0 201 FIFO     Kthread   - Waiting  Semaphore 0000000000000000 0003968 0000700  17.6%   0.7% BSW_TASK_1MS_C0
      14    14 254 FIFO     Task      - Running            0000000000000000 0003904 0003316  84.9%!  0.0% nsh
      23    23 100 FIFO     Task      - Waiting  Semaphore 0000000000000000 0003904 0002044  52.3%   0.0% dfxd -f /etc/dfxd_setup_cpu0.cfg
      37     0 251 FIFO     Kthread   - Waiting  Semaphore fffffffffff7fdff 0003968 0000564  14.2%   0.0% isrwork 0x70030f40 0x70030f90
      38     0 250 FIFO     Kthread   - Waiting  Semaphore fffffffffff7fdff 0003968 0000564  14.2%   0.0% isrwork 0x70031240 0x70031290
      39     0 189 FIFO     Kthread   - Waiting  Semaphore fffffffffff7fdff 0003904 0001372  35.1%   0.0% rpmsg-core1-0 0x70033020 0x70033070
      40     0 200 FIFO     Kthread   - Waiting  Semaphore fffffffffff7fdff 0003904 0001212  31.0%   0.0% rpmsg-core1_1-0 0x70034710 0x70034760
      41     0 189 FIFO     Kthread   - Waiting  Semaphore fffffffffff7fdff 0003904 0001372  35.1%   0.0% rpmsg-core2-0 0x70029c08 0x70029c58
      42     0 189 FIFO     Kthread   - Waiting  Semaphore fffffffffff7fdff 0003968 0001372  34.5%   0.0% rpmsg-core3-0 0x7002a2a0 0x7002a2f0
      43     0 189 FIFO     Kthread   - Waiting  Semaphore fffffffffff7fdff 0003904 0001372  35.1%   0.0% rpmsg-core4-0 0x7002a5a8 0x7002a5f8
      47     0 189 FIFO     Kthread   - Waiting  Semaphore fffffffffff7fdff 0003968 0001372  34.5%   0.0% rpmsg-core5-0 0x7002c280 0x7002c2d0
      49     0 199 FIFO     Kthread   - Waiting  Semaphore 0000000000000000 0003968 0001256  31.6%   0.7% BSW_TASK_5MS_C0
      50     0 197 FIFO     Kthread   - Waiting  Semaphore 0000000000000000 0003968 0001892  47.6%   2.3% BSW_TASK_10MS_C0
      51     0 195 FIFO     Kthread   - Waiting  Semaphore 0000000000000000 0003968 0001304  32.8%   0.1% BSW_TASK_20MS_C0
      52     0 193 FIFO     Kthread   - Waiting  Semaphore 0000000000000000 0003968 0001256  31.6%   0.0% BSW_TASK_50MS_C0
      53     0 191 FIFO     Kthread   - Waiting  Semaphore 0000000000000000 0003968 0001884  47.4%   0.1% BSW_TASK_100MS_C0
      54     0 101 FIFO     Kthread   - Waiting  Semaphore 0000000000000000 0003904 0001396  35.7%   0.0% autocore_macc 0xb0036094
   
   System continues running normally after kthread exit. No crash, no assert, 
no corruption of g_kthread_group resources. PID 48 (rpmsg-corecs-0) 
successfully destroyed while 20+ other kernel threads sharing the same 
g_kthread_group remain healthy.
   
   Change-Id: I5323003966d0cac38de029585811a680794a3885
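The before/after behaviour the PR describes, as an added C model that is not NuttX's own code (the flag values, struct layouts and helper names are assumptions): releasing the shared g_kthread_group on every kthread exit versus skipping the release path for TCB_FLAG_TTYPE_KERNEL threads, while a user task's heap-allocated group is still released.

```c
/* Constructed model of the group_leave() defect described in this PR, not NuttX
 * code; flag values, struct layouts and helper names are assumptions. */
#include <stdbool.h>
#include <stdlib.h>
#define TCB_FLAG_TTYPE_KERNEL 0x01u  /* assumed: TCB belongs to a kernel thread */
#define GROUP_FLAG_STATIC     0x02u  /* assumed: group struct is static (PR #18517) */

/* tg_fdlist is a heap buffer standing in for tg_fdlist/tg_mutex/tg_info. */
struct task_group { unsigned flags; int *tg_fdlist; };
struct tcb { unsigned flags; struct task_group *group; };

/* All kernel threads share this one static group for the whole system. */
static struct task_group g_kthread_group = { GROUP_FLAG_STATIC, NULL };
static int g_heap_groups_freed;      /* heap groups freed in the group_drop step */

/* Destroys the group's internal resources, then drops the struct.
 * GROUP_FLAG_STATIC protects only the struct itself, not its contents. */
static void group_release(struct task_group *g)
{
  free(g->tg_fdlist); g->tg_fdlist = NULL;
  if (!(g->flags & GROUP_FLAG_STATIC)) { free(g); g_heap_groups_freed++; }
}

/* Before the fix: HAVE_GROUP_MEMBERS is undefined, so every exit releases. */
static void group_leave_buggy(struct tcb *t) { group_release(t->group); }
/* After the fix: kernel threads skip the release path entirely. */
static void group_leave_fixed(struct tcb *t)
{ if (!(t->flags & TCB_FLAG_TTYPE_KERNEL)) group_release(t->group); }

/* Two kthreads share g_kthread_group; one exits, the other keeps running.
 * Returns true if the survivor's shared fdlist is still intact afterwards. */
static bool survivor_intact(void (*leave)(struct tcb *))
{
  g_kthread_group.tg_fdlist = calloc(8, sizeof(int));
  struct tcb exiting  = { TCB_FLAG_TTYPE_KERNEL, &g_kthread_group };
  struct tcb survivor = { TCB_FLAG_TTYPE_KERNEL, &g_kthread_group };
  leave(&exiting);
  bool ok = survivor.group->tg_fdlist != NULL;
  group_release(&g_kthread_group);   /* model shutdown; free(NULL) is harmless */
  return ok;
}

/* A user task owns a heap group; the fixed path must still release that one. */
static bool user_group_released(void)
{
  int before = g_heap_groups_freed;
  struct task_group *g = calloc(1, sizeof *g);
  g->tg_fdlist = calloc(8, sizeof(int));
  struct tcb task = { 0, g };
  group_leave_fixed(&task);          /* frees g here: do not touch it afterwards */
  return g_heap_groups_freed == before + 1;
}
```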
   
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.