[LTP] fanotify: fix crash when running multiple iterations
linuxtestproject.agent@gmail.com
Thu May 28 00:06:13 CEST 2026
Hi AnonymeMeow,
On Thu, 28 May 2026 03:50:55 +0800, AnonymeMeow wrote:
> [PATCH 1/2] fanotify: fix crash when running multiple iterations
This commit fixes two unrelated crashes in two separate test files.
Consider splitting into two commits for cleaner history.
> +static void clean_upper_dir(void)
> +{
> + unsigned int i;
> +
> + SAFE_MOUNT(OVL_UPPER, MOUNT_PATH, "none", MS_BIND, NULL);
> + for (i = 0; i < ARRAY_SIZE(objects); i++)
> + SAFE_UNLINK(objects[i].path);
> + SAFE_UMOUNT(MOUNT_PATH);
> +}
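Review bot: In clean_upper_dir(), the SAFE_UNLINK() loop sits between SAFE_MOUNT() and SAFE_UMOUNT(), so the first entry that cannot be unlinked ends the test with the bind mount on MOUNT_PATH still in place. SAFE_* macros break the test on failure instead of returning, which means SAFE_UMOUNT(MOUNT_PATH) is never reached in that case. Make sure cleanup() also unmounts MOUNT_PATH (a flag set right after SAFE_MOUNT would do), and add a short comment saying why OVL_UPPER is bind-mounted there before the unlink pass.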
SAFE_UNLINK is called unconditionally for all objects, including
DIR_PATH_ONE which is a directory. delete_objects() correctly uses
SAFE_RMDIR for directories. This works here only because overlayfs
whiteouts for directories are character devices, but it is fragile
and inconsistent with delete_objects(). Use is_dir the same way
delete_objects() does.
[...]
> --- [PATCH 2/2] ---
> fanotify: prepare tests for thread pidfd reporting
> +#include <pthread.h>
> #include "tst_test.h"
> #include "tst_safe_stdio.h"
> #include "tst_safe_macros.h"
> +#include "tst_safe_pthread.h"
> #include "lapi/pidfd.h"
> + *(int *)arg = SAFE_PIDFD_OPEN(gettid(), PIDFD_THREAD);
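Review bot: `*(int *)arg = SAFE_PIDFD_OPEN(gettid(), PIDFD_THREAD);` stores the pidfd through an untyped thread argument, and nothing in the hunk states what arg must point to or how long it has to stay valid. The store runs on the new thread at an unspecified time after creation, so the caller has to pass the address of an int that outlives that store, and must not read it before the thread has signalled or been joined. A comment on the thread function stating this contract would help, as would initialising the target to -1 before the thread is created so that an unwritten value is recognisable.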
PIDFD_THREAD (added in Linux 6.9) has no fallback definition in
include/lapi/pidfd.h. This will fail to compile on systems with
kernel headers older than 6.9. Add:
    #ifndef PIDFD_THREAD
    # define PIDFD_THREAD O_EXCL
    #endif
to include/lapi/pidfd.h.
[...]
> +static pthread_t do_pthread_create(int want_pidfd_err)
> {
> + int pidfd;
> pthread_t worker;
[...]
> + int status;
> + struct pidfd_fdinfo_t thread_pidfd_fdinfo;
> + TST_CHECKPOINT_WAKE(0);
> + SAFE_PTHREAD_JOIN(worker, (void **)&status);
> + if (status != 0)
status is int (4 bytes). SAFE_PTHREAD_JOIN writes a void * (8 bytes
on 64-bit) into &status, overflowing into adjacent stack memory.
Use void *status instead:
    void *status;
    SAFE_PTHREAD_JOIN(worker, &status);
    if (status != NULL)
[...]
> + if (tc->trigger_in_child && !tc->want_pidfd_err) {
> + int status;
> + TST_CHECKPOINT_WAKE(0);
> + if (TST_VARIANT_PIDFD_THREAD) {
> + SAFE_PTHREAD_JOIN(worker_id.pthread_id, (void **)&status);
> + if (status != 0)
Same int/void * mismatch as above.
---
Note:
The agent can sometimes produce false positives although often its
findings are genuine. If you find issues with the review, please
comment on this email or ignore the suggestions.
Regards,
LTP AI Reviewer
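
The int/void * mismatch flagged in the review above, as an added example that is not part of the original email or of the LTP patch: it models the pointer-sized store that a join makes next to a 4-byte int, then shows a join into correctly sized storage. struct frame, neighbour_clobbered(), worker() and join_status() are hypothetical names, and the stack layout is constructed for illustration.

```c
#include <pthread.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stack layout: the int status and whatever sits next to it. */
struct frame {
	int status;
	int neighbour;
};

/* Models the store pthread_join() makes through its void ** argument:
 * sizeof(void *) bytes land at the address of status (offset 0 here).
 * Copying into the enclosing struct keeps the demonstration defined. */
static int neighbour_clobbered(void)
{
	struct frame f = { .status = -1, .neighbour = 0x5a5a5a5a };
	void *retval = NULL;	/* exit value of a worker that succeeded */
	size_t n = sizeof(retval) < sizeof(f) ? sizeof(retval) : sizeof(f);

	memcpy(&f, &retval, n);
	return f.neighbour != 0x5a5a5a5a;
}

/* Constructed worker: hands a small status code back as its exit value. */
static void *worker(void *arg)
{
	return (void *)(intptr_t)*(int *)arg;
}

/* Join into pointer-sized storage, then narrow the value explicitly. */
static int join_status(int code)
{
	pthread_t tid;
	void *ret = NULL;

	if (pthread_create(&tid, NULL, worker, &code) != 0)
		return -1;
	if (pthread_join(tid, &ret) != 0)
		return -1;
	return (int)(intptr_t)ret;
}

int main(void)
{
	printf("clobbered=%d status=%d\n", neighbour_clobbered(), join_status(3));
	return 0;
}
```

On a target where pointers are wider than int, neighbour_clobbered() reports that the adjacent field was overwritten; where the two sizes match, it reports no damage.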