fix: defer reopen of live-thread proc fds until after clone()

Instead of rewriting /proc/<pid>/task/<tid>/... paths to the leader
thread (which returns wrong data), defer the actual open until after
threads exist in the restorer blob.

Phase 1 (collect): Mark live-thread proc paths with deferred_thread_fd
instead of rewriting them. Dead-thread TASK_HELPER case is unchanged.

Phase 2 (placeholder): Open /dev/null to reserve the fd number, then
collect deferred fd metadata into rst_mem for the restorer.

Phase 3 (restorer): After clone() creates all threads, loop through
deferred fds and reopen via sys_openat(proc_fd, path) + sys_dup2() +
sys_lseek(). At this point /proc/<pid>/task/<tid>/ exists.

The test is expanded to verify both dead-thread (fd validity check) and
live-thread (reads tid from /proc/self/task/<tid>/stat to prove it
points to the correct thread, not the leader) cases.

Author: fals

criu/cr-restore.c

@@ -272,16 +272,19 @@ static int crtools_prepare_shared(void)
  */
 
 static struct collect_image_info *cinfos[] = {
-	&file_locks_cinfo,  &pipe_data_cinfo, &fifo_data_cinfo, &sk_queues_cinfo,
+	&file_locks_cinfo,
+	&pipe_data_cinfo,
+	&fifo_data_cinfo,
+	&sk_queues_cinfo,
 #ifdef CONFIG_HAS_LIBBPF
 	&bpfmap_data_cinfo,
 #endif
 };
 
 static struct collect_image_info *cinfos_files[] = {
-	&unix_sk_cinfo,	      &fifo_cinfo,     &pipe_cinfo,    &nsfile_cinfo,	    &packet_sk_cinfo,
-	&netlink_sk_cinfo,    &eventfd_cinfo,  &epoll_cinfo,   &epoll_tfd_cinfo,    &signalfd_cinfo,
-	&tunfile_cinfo,	      &timerfd_cinfo,  &inotify_cinfo, &inotify_mark_cinfo, &fanotify_cinfo,
+	&unix_sk_cinfo, &fifo_cinfo, &pipe_cinfo, &nsfile_cinfo, &packet_sk_cinfo,
+	&netlink_sk_cinfo, &eventfd_cinfo, &epoll_cinfo, &epoll_tfd_cinfo, &signalfd_cinfo,
+	&tunfile_cinfo, &timerfd_cinfo, &inotify_cinfo, &inotify_mark_cinfo, &fanotify_cinfo,
 	&fanotify_mark_cinfo, &ext_file_cinfo, &memfd_cinfo, &pidfd_cinfo
 };
 
@@ -500,6 +503,65 @@ static int collect_inotify_fds(struct task_restore_args *ta)
 	return 0;
 }
 
+static int collect_deferred_proc_fds(struct task_restore_args *ta)
+{
+	struct list_head *list = &rsti(current)->fds;
+	struct fdt *fdt = rsti(current)->fdt;
+	struct fdinfo_list_entry *fle;
+
+	/* Only the fdt owner restores fds */
+	if (fdt && fdt->pid != vpid(current))
+		return 0;
+
+	ta->deferred_fds = (struct deferred_proc_fd *)rst_mem_align_cpos(RM_PRIVATE);
+	ta->deferred_fds_n = 0;
+
+	list_for_each_entry(fle, list, ps_list) {
+		struct file_desc *d = fle->desc;
+		struct reg_file_info *rfi;
+		struct deferred_proc_fd *df;
+		char *orig_path;
+
+		if (d->ops->type != FD_TYPES__REG)
+			continue;
+
+		rfi = container_of(d, struct reg_file_info, d);
+		if (!rfi->deferred_thread_fd)
+			continue;
+
+		df = rst_mem_alloc(sizeof(*df), RM_PRIVATE);
+		if (!df)
+			return -1;
+
+		orig_path = rfi->orig_path;
+
+		/*
+		 * orig_path is "proc/<pid>/task/<tid>/...", strip "proc/"
+		 * prefix to get a path relative to /proc for
+		 * sys_openat(proc_fd, ...).
+		 */
+		if (strncmp(orig_path, "proc/", 5) == 0)
+			orig_path += 5;
+
+		if (strlen(orig_path) >= sizeof(df->path)) {
+			pr_err("Deferred proc path too long: %s\n", orig_path);
+			return -1;
+		}
+
+		df->target_fd = fle->fe->fd;
+		df->flags = rfi->rfe->flags;
+		df->pos = rfi->rfe->pos;
+		strncpy(df->path, orig_path, sizeof(df->path) - 1);
+		df->path[sizeof(df->path) - 1] = '\0';
+
+		ta->deferred_fds_n++;
+		pr_info("Collected deferred proc fd %d -> %s\n",
+			df->target_fd, df->path);
+	}
+
+	return 0;
+}
+
 static int open_core(int pid, CoreEntry **pcore)
 {
 	int ret;
@@ -676,6 +738,9 @@ static int restore_one_alive_task(int pid, CoreEntry *core)
 	if (collect_inotify_fds(ta) < 0)
 		return -1;
 
+	if (collect_deferred_proc_fds(ta) < 0)
+		return -1;
+
 	if (prepare_proc_misc(pid, core->tc, ta))
 		return -1;
 
@@ -1709,7 +1774,10 @@ static int restore_task_with_children(void *_arg)
 }
 
 int __attribute((weak)) arch_ptrace_restore(int pid, struct pstree_item *item);
-int arch_ptrace_restore(int pid, struct pstree_item *item) { return 0; }
+int arch_ptrace_restore(int pid, struct pstree_item *item)
+{
+	return 0;
+}
 
 static int attach_to_tasks(bool root_seized)
 {
@@ -3133,7 +3201,9 @@ static void *restorer_munmap_addr(CoreEntry *core, void *restorer_blob)
 }
 
 void arch_rsti_init(struct pstree_item *p) __attribute__((weak));
-void arch_rsti_init(struct pstree_item *p) {}
+void arch_rsti_init(struct pstree_item *p)
+{
+}
 
 static int sigreturn_restore(pid_t pid, struct task_restore_args *task_args, unsigned long alen, CoreEntry *core)
 {
@@ -3329,6 +3399,7 @@ static int sigreturn_restore(pid_t pid, struct task_restore_args *task_args, uns
 	RST_MEM_FIXUP_PPTR(task_args->zombies);
 	RST_MEM_FIXUP_PPTR(task_args->vma_ios);
 	RST_MEM_FIXUP_PPTR(task_args->inotify_fds);
+	RST_MEM_FIXUP_PPTR(task_args->deferred_fds);
 
 	task_args->compatible_mode = core_is_compat(core);
 	/*

criu/files-reg.c

@@ -2552,8 +2552,28 @@ int collect_filemap(struct vma_area *vma)
 
 static int open_fe_fd(struct file_desc *fd, int *new_fd)
 {
+	struct reg_file_info *rfi;
 	int tmp;
 
+	rfi = container_of(fd, struct reg_file_info, d);
+
+	if (rfi->deferred_thread_fd) {
+		/*
+		 * This is a live-thread /proc/<pid>/task/<tid>/... fd.
+		 * The thread doesn't exist yet (created later by the
+		 * restorer via clone()), so open /dev/null as a
+		 * placeholder. The restorer will reopen the correct
+		 * path after threads are created.
+		 */
+		tmp = open("/dev/null", rfi->rfe->flags & O_ACCMODE);
+		if (tmp < 0) {
+			pr_perror("Can't open /dev/null for deferred proc fd");
+			return -1;
+		}
+		*new_fd = tmp;
+		return 0;
+	}
+
 	tmp = open_path(fd, do_open_reg, NULL);
 	if (tmp < 0)
 		return -1;
@@ -2690,18 +2710,15 @@ static int fixup_thread_proc_path(struct reg_file_info *rfi)
 		/*
 		 * Live thread: the thread exists in the pstree but
 		 * won't be created until the restorer blob runs
-		 * clone(), which is after prepare_fds(). Rewrite the
-		 * path to use the thread-group leader's tid instead;
-		 * the leader is the only thread that exists at
-		 * prepare_fds() time.
+		 * clone(), which is after prepare_fds(). Mark this
+		 * file as deferred -- open_fe_fd() will open /dev/null
+		 * as a placeholder, and the restorer will reopen the
+		 * correct path after threads exist.
 		 */
-		new_path = xmalloc(5 + 20 + 6 + 20 + strlen(tid_end) + 1);
-		if (!new_path)
-			return -1;
-
-		sprintf(new_path, "proc/%d/task/%d%s", pid, pid, tid_end);
-		pr_info("Rewrote live thread path: %s -> %s\n",
-			rfi->path, new_path);
+		rfi->deferred_thread_fd = true;
+		rfi->orig_path = rfi->path;
+		pr_info("Deferred live thread proc path: %s\n", rfi->path);
+		return 0;
 	}
 
 	rfi->path = new_path;
@@ -2722,6 +2739,8 @@ static int collect_one_regfile(void *o, ProtobufCMessage *base, struct cr_img *i
 		rfi->path = rfi->rfe->name + 1;
 	rfi->remap = NULL;
 	rfi->size_mode_checked = false;
+	rfi->deferred_thread_fd = false;
+	rfi->orig_path = NULL;
 
 	if (fixup_thread_proc_path(rfi))
 		return -1;

criu/include/files-reg.h

@@ -24,7 +24,9 @@ struct reg_file_info {
 	struct file_remap *remap;
 	bool size_mode_checked;
 	bool is_dir;
+	bool deferred_thread_fd; /* placeholder for live thread proc fd */
 	char *path;
+	char *orig_path; /* original proc path for deferred reopen */
 };
 
 extern int open_reg_by_id(u32 id);

criu/include/restorer.h

@@ -141,6 +141,13 @@ struct restore_vma_io {
 
 #define RIO_SIZE(niovs) (sizeof(struct restore_vma_io) + (niovs) * sizeof(struct iovec))
 
+struct deferred_proc_fd {
+	int target_fd;	/* fd number to dup2 over */
+	int flags;	/* open flags (O_RDONLY etc) */
+	off_t pos;	/* file position to restore */
+	char path[128]; /* path relative to /proc, e.g. "1/task/7/stat" */
+};
+
 struct task_restore_args {
 	struct thread_restore_args *t; /* thread group leader */
 
@@ -196,6 +203,9 @@ struct task_restore_args {
 	int *inotify_fds; /* fds to cleanup inotify events at CR_STATE_RESTORE_SIGCHLD stage */
 	unsigned int inotify_fds_n;
 
+	struct deferred_proc_fd *deferred_fds; /* live-thread proc fds to reopen after clone() */
+	unsigned int deferred_fds_n;
+
 	/* * * * * * * * * * * * * * * * * * * * */
 
 	unsigned long task_size;
@@ -256,7 +266,7 @@ struct task_restore_args {
  * For arm64 stack needs to aligned to 16 bytes.
  * Hence align to 16 bytes for all
 */
-#define RESTORE_ALIGN_STACK(start, size) (ALIGN((start) + (size)-16, 16))
+#define RESTORE_ALIGN_STACK(start, size) (ALIGN((start) + (size) - 16, 16))
 
 static inline unsigned long restorer_stack(struct restore_mem_zone *mz)
 {

criu/pie/restorer.c

@@ -366,7 +366,6 @@ static int restore_creds(struct thread_creds_args *args, int procfd, int lsm_typ
 		}
 	}
 
-
 	if (lsm_type != LSMTYPE__SELINUX) {
 		/*
 		 * SELinux does not support setting the process context for
@@ -2198,6 +2197,36 @@ __visible long __export_restore_task(struct task_restore_args *args)
 			sys_close(fd);
 	}
 
+	/*
+	 * Reopen deferred /proc/<pid>/task/<tid>/... fds now that
+	 * all threads have been created by clone() above. The fds
+	 * currently point to /dev/null placeholders.
+	 */
+	for (i = 0; i < args->deferred_fds_n; i++) {
+		struct deferred_proc_fd *df = &args->deferred_fds[i];
+		int dfd;
+
+		dfd = sys_openat(args->proc_fd, df->path, df->flags, 0);
+		if (dfd < 0) {
+			pr_err("Can't reopen deferred proc fd %d (%s): %ld\n",
+			       df->target_fd, df->path, (long)dfd);
+			goto core_restore_end;
+		}
+
+		if (dfd != df->target_fd) {
+			if (sys_dup2(dfd, df->target_fd) != df->target_fd) {
+				pr_err("Can't dup2 deferred proc fd %d -> %d\n",
+				       dfd, df->target_fd);
+				sys_close(dfd);
+				goto core_restore_end;
+			}
+			sys_close(dfd);
+		}
+
+		if (df->pos != 0 && df->pos != (off_t)-1)
+			sys_lseek(df->target_fd, df->pos, SEEK_SET);
+	}
+
 	restore_rlims(args);
 
 	ret = create_posix_timers(args);