fix: aptos thread with a ghost file

- added test to reproduce the issue
- fixed the issue
- added way to run criu tests on container

Author: fals

Makefile

@@ -421,6 +421,14 @@ docker-test:
 		./test/zdtm.py run -a --keep-going --ignore-taint
 .PHONY: docker-test
 
+#
+# CastAI custom targets
+castai-test:
+	docker build -t criu-test -f test/Dockerfile .
+	docker run --rm --privileged --cgroupns=host -v /lib/modules:/lib/modules \
+		criu-test run -a -p 4 --keep-going --ignore-taint
+.PHONY: castai-test
+
 help:
 	@echo '    Targets:'
 	@echo '      all             - Build all [*] targets'
@@ -439,6 +447,7 @@ help:
 	@echo '      test            - Run zdtm test-suite'
 	@echo '      gcov            - Make code coverage report'
 	@echo '      unittest        - Run unit tests'
+	@echo '      castai-test     - Build and run all ZDTM tests in Docker'
 	@echo '      lint            - Run code linters'
 	@echo '      indent          - Indent C code'
 	@echo '      amdgpu_plugin   - Make AMD GPU plugin'

criu/files-reg.c

@@ -1351,6 +1351,48 @@ static int check_path_remap(struct fd_link *link, const struct fd_parms *parms,
 				pr_info("Dumping dead process remap of %d\n", pid);
 				return dump_dead_process_remap(pid, id);
 			}
+
+			/*
+			 * The process is alive, but the path may reference a
+			 * dead thread: /proc/<pid>/task/<tid>/... If the
+			 * thread <tid> has exited, the task/<tid> directory
+			 * no longer exists and the file can't be opened on
+			 * restore. Handle this by creating a TASK_HELPER
+			 * process with vPID=<tid> and rewriting the path to
+			 * /proc/<tid>/task/<tid>/... so it resolves through
+			 * the helper's /proc entry.
+			 */
+			if (*end == '/' && !strncmp(end, "/task/", 6)) {
+				pid_t tid;
+				char *tend;
+				char task_path[PATH_MAX];
+
+				tid = strtol(end + 6, &tend, 10);
+				if (tid != 0 && (*tend == '/' || *tend == '\0')) {
+					/*
+					 * Check if /proc/<pid>/task/<tid>
+					 * exists by temporarily truncating
+					 * the path at the character after
+					 * the tid.
+					 */
+					char saved = *tend;
+					*tend = '\0';
+					ret = faccessat(mntns_root, rpath, F_OK, 0);
+					*tend = saved;
+
+					if (ret) {
+						snprintf(task_path, sizeof(task_path),
+							 "%.*s%d/task/%d%s",
+							 (int)(start - rpath) + 1,
+							 rpath, tid, tid, tend);
+						pr_info("Dumping dead thread remap %d/%d\n",
+							pid, tid);
+						strcpy(link->name, task_path);
+						link->len = strlen(link->name);
+						return dump_dead_process_remap(tid, id);
+					}
+				}
+			}
 		}
 
 		return 0;
@@ -1661,7 +1703,7 @@ static int get_build_id(const int fd, const struct stat *fd_status, unsigned cha
 	 */
 	mapped_size = min_t(size_t, fd_status->st_size, BUILD_ID_MAP_SIZE);
 	start_addr = mmap(0, mapped_size, PROT_READ, MAP_PRIVATE | MAP_FILE, fd, 0);
-	if ((void*)start_addr == MAP_FAILED) {
+	if ((void *)start_addr == MAP_FAILED) {
 		pr_warn("Couldn't mmap file with fd %d\n", fd);
 		return -1;
 	}

test/Dockerfile

@@ -0,0 +1,33 @@
+FROM ubuntu:24.04
+
+RUN DEBIAN_FRONTEND=noninteractive apt-get update && apt-get install -y \
+	libnet-dev \
+	libnl-route-3-dev \
+	gcc \
+	bsdmainutils \
+	build-essential \
+	git-core \
+	iptables \
+	libaio-dev \
+	libbsd-dev \
+	libcap-dev \
+	libnl-3-dev \
+	libprotobuf-c-dev \
+	libprotobuf-dev \
+	libselinux-dev \
+	libpcre2-dev \
+	iproute2 \
+	kmod \
+	pkg-config \
+	protobuf-c-compiler \
+	protobuf-compiler \
+	python3-minimal \
+	python3-protobuf \
+	uuid-dev \
+	python3-yaml
+
+COPY . /criu
+WORKDIR /criu
+RUN make mrproper && make -j $(nproc) && make -C test/zdtm -j $(nproc)
+
+ENTRYPOINT ["./test/zdtm.py"]

test/zdtm/static/Makefile

@@ -190,6 +190,7 @@ TST_NOFILE	:=				\
 		unhashed_proc			\
 		cow00				\
 		child_opened_proc		\
+		proc_task_comm			\
 		posix_timers			\
 		sigpending			\
 		sigaltstack			\
@@ -606,6 +607,7 @@ socket_aio:		LDLIBS += -lrt -pthread
 uptime_grow:		LDLIBS += -lrt -pthread
 unlink_largefile:	CFLAGS += -D_FILE_OFFSET_BITS=64 -D_LARGEFILE64_SOURCE
 inotify_system_nodel:	CFLAGS += -DNO_DEL
+proc_task_comm:		LDLIBS += -pthread
 pthread00:		LDLIBS += -pthread
 pthread00-pac:		CFLAGS += ${PAC_CFLAGS}
 pthread00-pac:		LDLIBS += -pthread

test/zdtm/static/proc_task_comm.c

@@ -0,0 +1,112 @@
+/*
+ * Test that CRIU can checkpoint/restore a process that has an open fd
+ * referencing /proc/self/task/<tid>/comm where the thread <tid> has
+ * already exited. This reproduces a bug seen with Rust applications
+ * using Prometheus metrics libraries that hold open fds to per-thread
+ * /proc/self/task/<tid>/stat files.
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <fcntl.h>
+#include <string.h>
+#include <errno.h>
+#include <pthread.h>
+#include <syscall.h>
+
+#include "zdtmtst.h"
+
+const char *test_doc = "Check C/R of fd referencing /proc/self/task/<dead_tid>/comm";
+const char *test_author = "CRIU developers";
+
+static int thread_fd = -1;
+static pid_t thread_tid;
+
+static void *thread_fn(void *arg)
+{
+	char path[128];
+
+	thread_tid = syscall(__NR_gettid);
+
+	/*
+	 * Open our own /proc/self/task/<tid>/comm. The kernel resolves
+	 * /proc/self to /proc/<pid>, so the stored path will be
+	 * /proc/<pid>/task/<tid>/comm with numeric PID and TID.
+	 */
+	snprintf(path, sizeof(path), "/proc/self/task/%d/comm", thread_tid);
+	thread_fd = open(path, O_RDONLY);
+	if (thread_fd < 0) {
+		pr_perror("Failed to open %s in thread", path);
+		return (void *)1;
+	}
+
+	test_msg("Thread %d opened %s as fd %d\n", thread_tid, path, thread_fd);
+	return NULL;
+}
+
+int main(int argc, char **argv)
+{
+	pthread_t th;
+	void *retval;
+	int ret;
+
+	test_init(argc, argv);
+
+	/* Create a thread that opens its own /proc/self/task/<tid>/comm */
+	ret = pthread_create(&th, NULL, thread_fn, NULL);
+	if (ret) {
+		pr_perror("pthread_create failed");
+		return 1;
+	}
+
+	/* Wait for the thread to finish — it has opened the fd and exited */
+	ret = pthread_join(th, &retval);
+	if (ret) {
+		pr_perror("pthread_join failed");
+		return 1;
+	}
+
+	if (retval != NULL) {
+		fail("Thread failed to open proc file");
+		return 1;
+	}
+
+	if (thread_fd < 0) {
+		fail("Thread did not produce a valid fd");
+		return 1;
+	}
+
+	/*
+	 * At this point:
+	 * - thread_fd points to /proc/<pid>/task/<dead_tid>/comm
+	 * - The thread with <dead_tid> has exited
+	 * - The fd is still valid (held open by the process)
+	 *
+	 * CRIU will dump this fd with the path stored as-is. On restore,
+	 * the dead thread's TID won't exist, so openat() will fail with
+	 * ENOENT unless CRIU handles this case.
+	 */
+	test_msg("Thread %d has exited, fd %d still open\n",
+		 thread_tid, thread_fd);
+
+	test_daemon();
+	test_waitsig();
+
+	/*
+	 * After restore, verify the fd is still valid.
+	 * We only check F_GETFD — the thread is dead, so the file content
+	 * may not be meaningful, but the fd must be valid.
+	 */
+	ret = fcntl(thread_fd, F_GETFD);
+	if (ret < 0) {
+		fail("fd %d is not valid after restore: %s",
+		     thread_fd, strerror(errno));
+		close(thread_fd);
+		return 1;
+	}
+
+	close(thread_fd);
+	pass();
+	return 0;
+}

test/zdtm/static/proc_task_comm.desc

@@ -0,0 +1 @@
+{'flavor': 'ns uns'}