[LTP] [PATCH] userfaultfd: Add test using UFFDIO_POISON

Petr Vorel pvorel@suse.cz
Fri Feb 6 15:47:54 CET 2026


Hi Ricardo,

...
> +static void sigbus_handler(int sig)
> +{
> +	if (sig == SIGBUS) {
> +		sigbus_seen = 1;
> +		siglongjmp(jmpbuf, 1);
> +	}
> +}
> +
> +static void set_pages(void)
> +{
> +	page_size = sysconf(_SC_PAGE_SIZE);
> +	page = SAFE_MMAP(NULL, page_size, PROT_READ | PROT_WRITE,
> +			MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
> +}
> +
> +static void reset_pages(void)
> +{
> +	SAFE_MUNMAP(page, page_size);
> +}
> +
> +static void *handle_thread(void)
> +{
> +	static struct uffd_msg msg;
> +	struct uffdio_poison uffdio_poison = {};
> +	struct pollfd pollfd;
> +	int nready;
> +
> +	SAFE_PTHREAD_BARRIER_WAIT(&barrier);
> +
> +	pollfd.fd = uffd;
> +	pollfd.events = POLLIN;
> +	nready = poll(&pollfd, 1, -1);
> +	if (nready == -1)
> +		tst_brk(TBROK | TERRNO, "Error on poll");
> +
> +	SAFE_READ(1, uffd, &msg, sizeof(msg));
> +
> +	if (msg.event != UFFD_EVENT_PAGEFAULT)
> +		tst_brk(TFAIL, "Received unexpected UFFD_EVENT %d", msg.event);
> +
> +	poison_fault_seen = 1;
> +
> +	/* Poison the page that triggered the fault */
> +	uffdio_poison.range.start = msg.arg.pagefault.address & ~(page_size - 1);
> +	uffdio_poison.range.len = page_size;
> +
> +	SAFE_IOCTL(uffd, UFFDIO_POISON, &uffdio_poison);

CI shows that old toolchains fail due to:
error: 'UFFDIO_POISON' undeclared

We need a fallback definition in include/lapi/userfaultfd.h.

> +
> +	close(uffd);
> +	return NULL;
> +}
> +
> +static void run(void)
> +{
> +	pthread_t thr;
> +	struct uffdio_api uffdio_api = {};
> +	struct uffdio_register uffdio_register;
> +	struct sigaction sa = {};
> +	volatile char dummy;
> +
> +	sa.sa_handler = sigbus_handler;
> +	sigemptyset(&sa.sa_mask);
> +	SAFE_SIGACTION(SIGBUS, &sa, NULL);
> +
> +	set_pages();
> +
> +	uffd = SAFE_USERFAULTFD(O_CLOEXEC | O_NONBLOCK, false);
> +
> +	uffdio_api.api = UFFD_API;
> +	uffdio_api.features = UFFD_FEATURE_POISON;
> +
> +	SAFE_IOCTL(uffd, UFFDIO_API, &uffdio_api);
> +
> +	uffdio_register.range.start = (unsigned long) page;
> +	uffdio_register.range.len = page_size;
> +	uffdio_register.mode = UFFDIO_REGISTER_MODE_MISSING;
> +
> +	SAFE_IOCTL(uffd, UFFDIO_REGISTER, &uffdio_register);
> +
> +	SAFE_PTHREAD_BARRIER_INIT(&barrier, NULL, 2);
> +	SAFE_PTHREAD_CREATE(&thr, NULL, (void *) handle_thread, NULL);
> +
> +	SAFE_PTHREAD_BARRIER_WAIT(&barrier);
> +
> +	/* Try to read from the page: should trigger fault, get poisoned, then SIGBUS */
> +	if (sigsetjmp(jmpbuf, 1) == 0) {
> +		dummy = page[0];
> +		(void)dummy;
> +	}
> +
> +	SAFE_PTHREAD_JOIN(thr, NULL);
> +	SAFE_PTHREAD_BARRIER_DESTROY(&barrier);
> +	reset_pages();
If any of the SAFE_* functions fail, reset_pages() is not called.
We should also call it in cleanup(), guarded by a variable so that the page is
not munmapped twice.

The rest LGTM.

Kind regards,
Petr

> +
> +	if (poison_fault_seen && sigbus_seen) {
> +		tst_res(TPASS, "POISON successfully triggered SIGBUS");
> +	} else if (poison_fault_seen && !sigbus_seen) {
> +		tst_res(TFAIL, "POISON fault seen but no SIGBUS received");
> +	} else if (!poison_fault_seen && sigbus_seen) {
> +		tst_res(TFAIL, "SIGBUS received but no poison fault seen");
> +	} else {
> +		tst_res(TFAIL, "No poison fault or SIGBUS observed");
> +	}
> +}
> +
> +static struct tst_test test = {
> +	.test_all = run,
> +	.min_kver = "6.6",
> +};
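Review bot: `sigbus_seen` and `poison_fault_seen` are only ever set to 1 in the quoted lines and `run()` never clears them, so a repeated run (for example with `-i 2`) starts with both flags already set and can report TPASS even if the poisoned access no longer raises SIGBUS. Resetting them at the top of `run()`, `sigbus_seen = 0; poison_fault_seen = 0;`, keeps each iteration independent. Their declarations are outside the quoted part, so this assumes they are file-scope variables; `sigbus_seen` is written from the signal handler and would best be `volatile sig_atomic_t`. Separately, `handle_thread` is defined as `void *handle_thread(void)` and handed to `SAFE_PTHREAD_CREATE` through a `(void *)` cast, which hides a call through an incompatible function type; declaring it `static void *handle_thread(void *arg LTP_ATTRIBUTE_UNUSED)` lets the cast be dropped.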

