Re: [PATCH] selftests/mm: add folio_split() and filemap_get_entry() race test

[Zi Yan]

On 13 Mar 2026, at 7:40, Zi Yan wrote:

> The added folio_split_race_test is a modified C port of the race condition
> test from [1]. The test creates shmem huge pages shared by both a parent
> and a child processes, where the parent process punches holes in the shmem
> to cause folio_split() in the kernel and the child process reads the shmem
> in 16 threads to cause filemap_get_entry() in the kernel.
> filemap_get_entry() reads the folio and xarray split by folio_split()
> locklessly. The original test[2] is written in rust and uses memfd (shmem
> backed). This C port uses shmem directly.
>
> Note: the initial rust to C conversion is done by Cursor.
>
> Link: https://lore.kernel.org/all/CAKNNEtw5_kZomhkugedKMPOG-sxs5Q5OLumWJdiWXv+C9Yct0w@xxxxxxxxxxxxxx/ [1]
> Link: https://github.com/dfinity/thp-madv-remove-test [2]
> Signed-off-by: Zi Yan <ziy@xxxxxxxxxx>
> Cc: Bas van Dijk <bas@xxxxxxxxxxx>
> Cc: Adam Bratschi-Kaye <adam.bratschikaye@xxxxxxxxxxx>
> ---
>  tools/testing/selftests/mm/Makefile           |   1 +
>  .../selftests/mm/folio_split_race_test.c      | 380 ++++++++++++++++++
>  tools/testing/selftests/mm/run_vmtests.sh     |   2 +
>  3 files changed, 383 insertions(+)
>  create mode 100644 tools/testing/selftests/mm/folio_split_race_test.c

I got some AI feedback from[1].

[1] https://sashiko.dev/#/patchset/20260313114037.3593642-1-ziy%40nvidia.com

<snip>

> diff --git a/tools/testing/selftests/mm/folio_split_race_test.c b/tools/testing/selftests/mm/folio_split_race_test.c
> new file mode 100644
> index 0000000000000..cf5a5666bab77
> --- /dev/null
> +++ b/tools/testing/selftests/mm/folio_split_race_test.c

<snip>

> +static void *reader_thread(void *arg)
> +{
> +	struct reader_arg *ra = (struct reader_arg *)arg;
> +	unsigned char *base = ra->base;
> +	struct SharedCtl *ctl = ra->ctl;
> +	int tid = ra->tid;
> +	atomic_size_t *failures = ra->failures;
> +	atomic_size_t *verified = ra->verified;
> +	size_t page_idx;
> +
> +	while (atomic_load_explicit(&ctl->stop, memory_order_acquire) == 0) {

If parent exits early without setting ctl->stop to 1, child will loop
forever.

I will add prctl(PR_SET_PDEATHSIG, SIGTERM) at the beginning of
child, so that child gets TERM when parent exits.


> +		for (page_idx = (size_t)tid; page_idx < TOTAL_PAGES;
> +		     page_idx += NUM_READER_THREADS) {
> +			if (page_idx % PUNCH_INTERVAL >= 0 &&
> +			    page_idx % PUNCH_INTERVAL < PUNCH_SIZE_FACTOR)

page_idx % PUNCH_INTERVAL >= 0 is a nop, since page_idx is unsigned.

I will leave it as is to show the range of page_idx % PUNCH_INTERVAL.

<snip>

> +/* Run a single iteration. Returns total number of corrupted pages. */
> +static size_t run_iteration(void)
> +{
> +	struct SharedCtl *ctl;
> +	pid_t pid;
> +	unsigned char *parent_base;
> +	bool *is_punched;
> +	size_t i;
> +	size_t child_failures, child_verified, parent_failures;
> +	int status;
> +	size_t n_punched = 0;
> +

<snip>

> +
> +	/* ---- Parent process ---- */
> +	while (atomic_load_explicit(&ctl->ready, memory_order_acquire) == 0)
> +		usleep(1000);

If child exits/crashes without setting ctl->ready, parent can loop forever.

I will add waitpid(pid, &status, WNOHANG) == pid to check child status
and break if child is gone.

<snip>

> +
> +	atomic_store_explicit(&ctl->stop, 1, memory_order_release);
> +
> +	if (waitpid(pid, &status, 0) != pid)
> +		ksft_exit_fail_msg("waitpid failed\n");
> +
> +	child_failures = atomic_load_explicit(&ctl->child_failures,
> +					      memory_order_acquire);

If child exits abnormally without setting ctl->child_failures, we will
miss an issue.

I will inspect child exit status and fail the test if child exits abnormally.


<snip>

> +int main(void)
> +{
> +	size_t iter;
> +	size_t failures;
> +	struct thp_settings current_settings;
> +	bool failed = false;
> +
> +	ksft_print_header();
> +
> +	if (!thp_is_enabled())
> +		ksft_exit_skip("Transparent Hugepages not available\n");
> +
> +	if (geteuid() != 0) {
> +		ksft_print_msg("Please run the benchmark as root\n");
> +		ksft_finished();
> +	}

ksft_finished() here leads to a PASS status.

Will use ksft_exit_skip() instead.

> +
> +	thp_save_settings();
> +	thp_read_settings(&current_settings);
> +	current_settings.shmem_enabled = SHMEM_ADVISE;
> +	thp_write_settings(&current_settings);
> +
> +	ksft_set_plan(1);
> +

<snip>

> +	for (iter = 1; iter <= NUM_ITERATIONS; iter++) {
> +		failures = run_iteration();

run_iteration() has several ksft_exit_fail_msg() or if it crashes,
THP settings are not restored.

Will add signal handlers and atexit() to call thp_restore_settings().

> +		if (failures > 0) {
> +			failed = true;
> +			ksft_print_msg(
> +				"FAILED on iteration %zu: %zu pages corrupted by cross-process MADV_REMOVE!\n",
> +				iter, failures);
> +			break;
> +		}
> +	}
> +
> +	thp_restore_settings();
> +
> +	if (failed) {
> +		ksft_test_result_fail("Test failed\n");
> +		ksft_exit_fail();
> +	} else {
> +		ksft_test_result_pass("All %d iterations passed\n", NUM_ITERATIONS);
> +		ksft_exit_pass();
> +	}
> +
> +	return 0;
> +}

--
Best Regards,
Yan, Zi