Re: [PATCH bpf v2 2/2] selftests/bpf: Add test for arena VMA use-after-free on fork

Next message: Roman Gushchin: "Re: [PATCH 7.2 v10 0/2] skip redundant sync IPIs when TLB flush sent them"
Previous message: syzbot: "[syzbot] [mm?] WARNING: bad unlock balance in __zap_vma_range"
Next in thread: Emil Tsalapatis: "Re: [PATCH bpf v2 2/2] selftests/bpf: Add test for arena VMA use-after-free on fork"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Ihor Solodrai

Date: Fri Apr 24 2026 - 16:02:30 EST

On 4/11/26 10:33 AM, Emil Tsalapatis wrote:
> On Sat Apr 11, 2026 at 7:29 AM EDT, Weiming Shi wrote:
>> Add a selftest that reproduces the arena VMA use-after-free fixed in
>> the previous commit. The test creates an arena, mmaps it, allocates
>> pages via BPF, forks, has the parent munmap the arena, then has the
>> child call bpf_arena_free_pages. Without the fix this triggers a
>> KASAN slab-use-after-free in zap_page_range_single.
>>
>> Signed-off-by: Weiming Shi <bestswngs@xxxxxxxxx>
>> ---
>> .../selftests/bpf/prog_tests/arena_fork.c | 86 +++++++++++++++++++
>> .../testing/selftests/bpf/progs/arena_fork.c | 41 +++++++++
>> 2 files changed, 127 insertions(+)
>> create mode 100644 tools/testing/selftests/bpf/prog_tests/arena_fork.c
>> create mode 100644 tools/testing/selftests/bpf/progs/arena_fork.c
>>
>
> The test doesn't work for me as advertised. Does it fail for you under
> vmtest without patch 1/2?
>
> The test doesn't fail on base vmtest for me, even without the previous patch,
> because KASAN isn't turned on for the CI. With KASAN the test triggers
> the splat just fine.
>
> Should we maybe turn on KASAN and panic_on_warn by default on vmtest?

Hi Emil,

I just noticed this message. BPF CI has KASAN enabled by default
(disabled only on s390x) for almost a year now [1]. Did the test fail
locally for you, but not on CI?

[1] https://github.com/kernel-patches/vmtest/commit/5db11d295888c3f048021a15c3a8a9875c8612c3

>
>> [...]
>