Hm you're combining 2 of my least favourite things in one :)
- Doing a >1 patch series with patch N+1 in-reply-to patch N
- Doing a vN+1 in reply to a vN series.
Just for future, please send series independent of each other not in reply to
other series, and if there's more than 1 patch, send a cover letter and have all
the patches reply to that!
Thanks, Lorenzo
On Wed, Jun 03, 2026 at 12:43:09PM +0200, Chris Gellermann wrote:
> Clone3_set_tid uses getline(&line, ...) in a loop to read the child's
> process status. The code expects that getline allocates the buffer for
> the line on the first loop iteration. According to the Open Group
> Spec[1], char *line has to be null pointer for this:
>
> > ssize_t getline(char **restrict lineptr, ...);
> > If *lineptr is a null pointer or if the object pointed to by *lineptr
> > is of insufficient size, an object shall be allocated as if by
> malloc()
> > or the object shall be reallocated as if by realloc()[...].
>
> However, char *line is only declared, leading to an undefined value
> that is potentially non-null. In an example run with Musl v1.2.6, the
> realloc call[2] of getdelim, which implements getline, triggers a
> segfault:
>
> ./run_kselftest.sh --test clone3:clone3_set_tid
> [ 1366.165898] kselftest: Running tests in clone3
> ...
> [ 1367.799244] clone3_set_tid[811]: unhandled signal 11 code 0x1 at
> 0x0000000000000000 in libc.so[68184,3fbf69f000+4c000]
> [ 1367.802808] CPU: 0 UID: 0 PID: 811 Comm: clone3_set_tid Not tainted
> ..
> [ 1367.804188] epc: 0x0000003fbf6b0184
> [ 1367.804188] ra : 0x0000003fbf6d4664
> [ 1367.804188] sp : 0x0000003fce5f2e40
> [ 1367.805314] gp : 0x0000002aaab0dfb8
> [ 1367.805314] tp : 0x0000003fbf6f14a8
> [ 1367.805314] t0 : 0x0000003fbf63d000
> ...
>
> Looking at the realloc implementation, Musl mallocs for a null pointer
> memory. But for a non-null pointer, it assumes it's passed a valid
> pointer to the heap and tries to access its meta-data. This leads to the
> segfault we see:
>
> void *realloc(void *p, size_t n)
> {
> if (!p) return malloc(n);
> if (size_overflows(n)) return 0;
>
> struct meta *g = get_meta(p);
> ...
> }
>
> Fix this by properly initializing the line pointer to NULL.
>
> [1] https://pubs.opengroup.org/onlinepubs/9799919799/functions/getline.html
> [2] https://git.musl-libc.org/cgit/musl/tree/src/stdio/getdelim.c#n38
>
> Fixes: 41585bbeeef9 ("selftests: add tests for clone3() with *set_tid")
> Cc: [email protected]
> Acked-by: David Hildenbrand (arm) <[email protected]>
> Reviewed-by: Lorenzo Stoakes <[email protected]>
> Signed-off-by: Chris Gellermann <[email protected]>
> ---
> tools/testing/selftests/clone3/clone3_set_tid.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/tools/testing/selftests/clone3/clone3_set_tid.c
> b/tools/testing/selftests/clone3/clone3_set_tid.c
> index 5c944aee6b41..485efa7c9eed 100644
> --- a/tools/testing/selftests/clone3/clone3_set_tid.c
> +++ b/tools/testing/selftests/clone3/clone3_set_tid.c
> @@ -141,7 +141,7 @@ int main(int argc, char *argv[])
> {
> FILE *f;
> char buf;
> - char *line;
> + char *line = NULL;
> int status;
> int ret = -1;
> size_t len = 0;
> --
> 2.47.3
>
