[LTP] [PATCH] userfaultfd: Add test using UFFDIO_POISON

[LTP] [PATCH] userfaultfd: Add test using UFFDIO_POISON

[Ricardo Branco]

Signed-off-by: Ricardo Branco <rbranco@suse.de>
---
 .../kernel/syscalls/userfaultfd/.gitignore    |   1 +
 .../kernel/syscalls/userfaultfd/Makefile      |   1 +
 .../syscalls/userfaultfd/userfaultfd06.c      | 138 ++++++++++++++++++
 3 files changed, 140 insertions(+)
 create mode 100644 testcases/kernel/syscalls/userfaultfd/userfaultfd06.c

diff --git a/testcases/kernel/syscalls/userfaultfd/.gitignore b/testcases/kernel/syscalls/userfaultfd/.gitignore
index fb2ae243b..bc32fdf3b 100644
--- a/testcases/kernel/syscalls/userfaultfd/.gitignore
+++ b/testcases/kernel/syscalls/userfaultfd/.gitignore
@@ -3,3 +3,4 @@
 /userfaultfd03
 /userfaultfd04
 /userfaultfd05
+/userfaultfd06
diff --git a/testcases/kernel/syscalls/userfaultfd/Makefile b/testcases/kernel/syscalls/userfaultfd/Makefile
index 96650a65a..3252e47df 100644
--- a/testcases/kernel/syscalls/userfaultfd/Makefile
+++ b/testcases/kernel/syscalls/userfaultfd/Makefile
@@ -16,3 +16,4 @@ userfaultfd02: CFLAGS += -pthread
 userfaultfd03: CFLAGS += -pthread
 userfaultfd04: CFLAGS += -pthread
 userfaultfd05: CFLAGS += -pthread
+userfaultfd06: CFLAGS += -pthread
diff --git a/testcases/kernel/syscalls/userfaultfd/userfaultfd06.c b/testcases/kernel/syscalls/userfaultfd/userfaultfd06.c
new file mode 100644
index 000000000..176bd3eeb
--- /dev/null
+++ b/testcases/kernel/syscalls/userfaultfd/userfaultfd06.c
@@ -0,0 +1,138 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
+/*
+ * Copyright (c) 2026 SUSE LLC
+ * Author: Ricardo Branco <rbranco@suse.com>
+ */
+
+/*\
+ * Force a pagefault event and handle it using :manpage:`userfaultfd(2)`
+ * from a different thread testing UFFDIO_POISON.
+ */
+
+#include "config.h"
+#include <poll.h>
+#include <setjmp.h>
+#include <signal.h>
+#include <unistd.h>
+#include "tst_test.h"
+#include "tst_safe_macros.h"
+#include "tst_safe_pthread.h"
+#include "lapi/userfaultfd.h"
+
+static int page_size;
+static char *page;
+static int uffd;
+static volatile int poison_fault_seen;
+static volatile int sigbus_seen;
+static sigjmp_buf jmpbuf;
+static pthread_barrier_t barrier;
+
+static void sigbus_handler(int sig)
+{
+	if (sig == SIGBUS) {
+		sigbus_seen = 1;
+		siglongjmp(jmpbuf, 1);
+	}
+}
+
+static void set_pages(void)
+{
+	page_size = sysconf(_SC_PAGE_SIZE);
+	page = SAFE_MMAP(NULL, page_size, PROT_READ | PROT_WRITE,
+			MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
+}
+
+static void reset_pages(void)
+{
+	SAFE_MUNMAP(page, page_size);
+}
+
+static void *handle_thread(void)
+{
+	static struct uffd_msg msg;
+	struct uffdio_poison uffdio_poison = {};
+	struct pollfd pollfd;
+	int nready;
+
+	SAFE_PTHREAD_BARRIER_WAIT(&barrier);
+
+	pollfd.fd = uffd;
+	pollfd.events = POLLIN;
+	nready = poll(&pollfd, 1, -1);
+	if (nready == -1)
+		tst_brk(TBROK | TERRNO, "Error on poll");
+
+	SAFE_READ(1, uffd, &msg, sizeof(msg));
+
+	if (msg.event != UFFD_EVENT_PAGEFAULT)
+		tst_brk(TFAIL, "Received unexpected UFFD_EVENT %d", msg.event);
+
+	poison_fault_seen = 1;
+
+	/* Poison the page that triggered the fault */
+	uffdio_poison.range.start = msg.arg.pagefault.address & ~(page_size - 1);
+	uffdio_poison.range.len = page_size;
+
+	SAFE_IOCTL(uffd, UFFDIO_POISON, &uffdio_poison);
+
+	close(uffd);
+	return NULL;
+}
+
+static void run(void)
+{
+	pthread_t thr;
+	struct uffdio_api uffdio_api = {};
+	struct uffdio_register uffdio_register;
+	struct sigaction sa = {};
+	volatile char dummy;
+
+	sa.sa_handler = sigbus_handler;
+	sigemptyset(&sa.sa_mask);
+	SAFE_SIGACTION(SIGBUS, &sa, NULL);
+
+	set_pages();
+
+	uffd = SAFE_USERFAULTFD(O_CLOEXEC | O_NONBLOCK, false);
+
+	uffdio_api.api = UFFD_API;
+	uffdio_api.features = UFFD_FEATURE_POISON;
+
+	SAFE_IOCTL(uffd, UFFDIO_API, &uffdio_api);
+
+	uffdio_register.range.start = (unsigned long) page;
+	uffdio_register.range.len = page_size;
+	uffdio_register.mode = UFFDIO_REGISTER_MODE_MISSING;
+
+	SAFE_IOCTL(uffd, UFFDIO_REGISTER, &uffdio_register);
+
+	SAFE_PTHREAD_BARRIER_INIT(&barrier, NULL, 2);
+	SAFE_PTHREAD_CREATE(&thr, NULL, (void *) handle_thread, NULL);
+
+	SAFE_PTHREAD_BARRIER_WAIT(&barrier);
+
+	/* Try to read from the page: should trigger fault, get poisoned, then SIGBUS */
+	if (sigsetjmp(jmpbuf, 1) == 0) {
+		dummy = page[0];
+		(void)dummy;
+	}
+
+	SAFE_PTHREAD_JOIN(thr, NULL);
+	SAFE_PTHREAD_BARRIER_DESTROY(&barrier);
+	reset_pages();
+
+	if (poison_fault_seen && sigbus_seen) {
+		tst_res(TPASS, "POISON successfully triggered SIGBUS");
+	} else if (poison_fault_seen && !sigbus_seen) {
+		tst_res(TFAIL, "POISON fault seen but no SIGBUS received");
+	} else if (!poison_fault_seen && sigbus_seen) {
+		tst_res(TFAIL, "SIGBUS received but no poison fault seen");
+	} else {
+		tst_res(TFAIL, "No poison fault or SIGBUS observed");
+	}
+}
+
+static struct tst_test test = {
+	.test_all = run,
+	.min_kver = "6.6",
+};
-- 
2.53.0


-- 
Mailing list info: https://lists.linux.it/listinfo/ltp

Re: [LTP] [PATCH] userfaultfd: Add test using UFFDIO_POISON

[Cyril Hrubis]

Hi!
> +static void run(void)
> +{
> +	pthread_t thr;
> +	struct uffdio_api uffdio_api = {};
> +	struct uffdio_register uffdio_register;
> +	struct sigaction sa = {};
> +	volatile char dummy;
> +
> +	sa.sa_handler = sigbus_handler;
> +	sigemptyset(&sa.sa_mask);
> +	SAFE_SIGACTION(SIGBUS, &sa, NULL);
> +
> +	set_pages();
> +
> +	uffd = SAFE_USERFAULTFD(O_CLOEXEC | O_NONBLOCK, false);
> +
> +	uffdio_api.api = UFFD_API;
> +	uffdio_api.features = UFFD_FEATURE_POISON;
> +
> +	SAFE_IOCTL(uffd, UFFDIO_API, &uffdio_api);
> +
> +	uffdio_register.range.start = (unsigned long) page;
> +	uffdio_register.range.len = page_size;
> +	uffdio_register.mode = UFFDIO_REGISTER_MODE_MISSING;
> +
> +	SAFE_IOCTL(uffd, UFFDIO_REGISTER, &uffdio_register);
> +
> +	SAFE_PTHREAD_BARRIER_INIT(&barrier, NULL, 2);

Why does this test need barriers and the rest of the tests that looks
nearly the same does not?

-- 
Cyril Hrubis
chrubis@suse.cz

-- 
Mailing list info: https://lists.linux.it/listinfo/ltp

Re: [LTP] [PATCH] userfaultfd: Add test using UFFDIO_POISON

[Petr Vorel]

Hi Ricardo,

...
> +static void sigbus_handler(int sig)
> +{
> +	if (sig == SIGBUS) {
> +		sigbus_seen = 1;
> +		siglongjmp(jmpbuf, 1);
> +	}
> +}
> +
> +static void set_pages(void)
> +{
> +	page_size = sysconf(_SC_PAGE_SIZE);
> +	page = SAFE_MMAP(NULL, page_size, PROT_READ | PROT_WRITE,
> +			MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
> +}
> +
> +static void reset_pages(void)
> +{
> +	SAFE_MUNMAP(page, page_size);
> +}
> +
> +static void *handle_thread(void)
> +{
> +	static struct uffd_msg msg;
> +	struct uffdio_poison uffdio_poison = {};
> +	struct pollfd pollfd;
> +	int nready;
> +
> +	SAFE_PTHREAD_BARRIER_WAIT(&barrier);
> +
> +	pollfd.fd = uffd;
> +	pollfd.events = POLLIN;
> +	nready = poll(&pollfd, 1, -1);
> +	if (nready == -1)
> +		tst_brk(TBROK | TERRNO, "Error on poll");
> +
> +	SAFE_READ(1, uffd, &msg, sizeof(msg));
> +
> +	if (msg.event != UFFD_EVENT_PAGEFAULT)
> +		tst_brk(TFAIL, "Received unexpected UFFD_EVENT %d", msg.event);
> +
> +	poison_fault_seen = 1;
> +
> +	/* Poison the page that triggered the fault */
> +	uffdio_poison.range.start = msg.arg.pagefault.address & ~(page_size - 1);
> +	uffdio_poison.range.len = page_size;
> +
> +	SAFE_IOCTL(uffd, UFFDIO_POISON, &uffdio_poison);

CI shows old toolchains fail due:
error: 'UFFDIO_POISON' undeclared

We need a fallback definition in include/lapi/userfaultfd.h.

> +
> +	close(uffd);
> +	return NULL;
> +}
> +
> +static void run(void)
> +{
> +	pthread_t thr;
> +	struct uffdio_api uffdio_api = {};
> +	struct uffdio_register uffdio_register;
> +	struct sigaction sa = {};
> +	volatile char dummy;
> +
> +	sa.sa_handler = sigbus_handler;
> +	sigemptyset(&sa.sa_mask);
> +	SAFE_SIGACTION(SIGBUS, &sa, NULL);
> +
> +	set_pages();
> +
> +	uffd = SAFE_USERFAULTFD(O_CLOEXEC | O_NONBLOCK, false);
> +
> +	uffdio_api.api = UFFD_API;
> +	uffdio_api.features = UFFD_FEATURE_POISON;
> +
> +	SAFE_IOCTL(uffd, UFFDIO_API, &uffdio_api);
> +
> +	uffdio_register.range.start = (unsigned long) page;
> +	uffdio_register.range.len = page_size;
> +	uffdio_register.mode = UFFDIO_REGISTER_MODE_MISSING;
> +
> +	SAFE_IOCTL(uffd, UFFDIO_REGISTER, &uffdio_register);
> +
> +	SAFE_PTHREAD_BARRIER_INIT(&barrier, NULL, 2);
> +	SAFE_PTHREAD_CREATE(&thr, NULL, (void *) handle_thread, NULL);
> +
> +	SAFE_PTHREAD_BARRIER_WAIT(&barrier);
> +
> +	/* Try to read from the page: should trigger fault, get poisoned, then SIGBUS */
> +	if (sigsetjmp(jmpbuf, 1) == 0) {
> +		dummy = page[0];
> +		(void)dummy;
> +	}
> +
> +	SAFE_PTHREAD_JOIN(thr, NULL);
> +	SAFE_PTHREAD_BARRIER_DESTROY(&barrier);
> +	reset_pages();
If any of the SAFE_* functions fail, reset_pages() is not called.
We should call it also in cleanup(), guard it with variable not to be munmapped
twice.

The rest LGTM.

Kind regards,
Petr

> +
> +	if (poison_fault_seen && sigbus_seen) {
> +		tst_res(TPASS, "POISON successfully triggered SIGBUS");
> +	} else if (poison_fault_seen && !sigbus_seen) {
> +		tst_res(TFAIL, "POISON fault seen but no SIGBUS received");
> +	} else if (!poison_fault_seen && sigbus_seen) {
> +		tst_res(TFAIL, "SIGBUS received but no poison fault seen");
> +	} else {
> +		tst_res(TFAIL, "No poison fault or SIGBUS observed");
> +	}
> +}
> +
> +static struct tst_test test = {
> +	.test_all = run,
> +	.min_kver = "6.6",
> +};

-- 
Mailing list info: https://lists.linux.it/listinfo/ltp

Re: [LTP] [PATCH] userfaultfd: Add test using UFFDIO_POISON

[Ricardo Branco]

On 2/6/26 3:47 PM, Cyril Hrubis wrote:
> Hi!
>> +static void run(void)
>> +{
>> +	pthread_t thr;
>> +	struct uffdio_api uffdio_api = {};
>> +	struct uffdio_register uffdio_register;
>> +	struct sigaction sa = {};
>> +	volatile char dummy;
>> +
>> +	sa.sa_handler = sigbus_handler;
>> +	sigemptyset(&sa.sa_mask);
>> +	SAFE_SIGACTION(SIGBUS, &sa, NULL);
>> +
>> +	set_pages();
>> +
>> +	uffd = SAFE_USERFAULTFD(O_CLOEXEC | O_NONBLOCK, false);
>> +
>> +	uffdio_api.api = UFFD_API;
>> +	uffdio_api.features = UFFD_FEATURE_POISON;
>> +
>> +	SAFE_IOCTL(uffd, UFFDIO_API, &uffdio_api);
>> +
>> +	uffdio_register.range.start = (unsigned long) page;
>> +	uffdio_register.range.len = page_size;
>> +	uffdio_register.mode = UFFDIO_REGISTER_MODE_MISSING;
>> +
>> +	SAFE_IOCTL(uffd, UFFDIO_REGISTER, &uffdio_register);
>> +
>> +	SAFE_PTHREAD_BARRIER_INIT(&barrier, NULL, 2);
> Why does this test need barriers and the rest of the tests that looks
> nearly the same does not?

This one is more complex because of the signal handling & siglongjmp.

In the other tests we can just wait for the handler thread. In this test we
must also coordinate with the signal handler,

The alternative would be fork + waitpid with WIFSIGNALED,

Best,
Ricardo.

-- 
Mailing list info: https://lists.linux.it/listinfo/ltp