Re: [PATCH bpf v2 2/2] selftests/bpf: Add test for arena VMA use-after-free on fork
From: Emil Tsalapatis
Date: Fri Apr 24 2026 - 16:17:09 EST
On Fri Apr 24, 2026 at 4:01 PM EDT, Ihor Solodrai wrote:
> On 4/11/26 10:33 AM, Emil Tsalapatis wrote:
>> On Sat Apr 11, 2026 at 7:29 AM EDT, Weiming Shi wrote:
>>> Add a selftest that reproduces the arena VMA use-after-free fixed in
>>> the previous commit. The test creates an arena, mmaps it, allocates
>>> pages via BPF, forks, has the parent munmap the arena, then has the
>>> child call bpf_arena_free_pages. Without the fix this triggers a
>>> KASAN slab-use-after-free in zap_page_range_single.
>>>
>>> Signed-off-by: Weiming Shi <bestswngs@xxxxxxxxx>
>>> ---
>>> .../selftests/bpf/prog_tests/arena_fork.c | 86 +++++++++++++++++++
>>> .../testing/selftests/bpf/progs/arena_fork.c | 41 +++++++++
>>> 2 files changed, 127 insertions(+)
>>> create mode 100644 tools/testing/selftests/bpf/prog_tests/arena_fork.c
>>> create mode 100644 tools/testing/selftests/bpf/progs/arena_fork.c
>>>
>>
>> The test doesn't work for me as advertised. Does it fail for you under
>> vmtest without patch 1/2?
>>
>> The test doesn't fail on base vmtest for me, even without the previous patch,
>> because KASAN isn't turned on for the CI. With KASAN the test triggers
>> the splat just fine.
>>
>> Should we maybe turn on KASAN and panic_on_warn by default on vmtest?
>
> Hi Emil,
>
> I just noticed this message. BPF CI has KASAN enabled by default
> (disabled only on s390x) for almost a year now [1]. Did the test fail
> locally for you, but not on CI?
>
> [1] https://github.com/kernel-patches/vmtest/commit/5db11d295888c3f048021a15c3a8a9875c8612c3
Hi Ihor,
My bad, I misspoke - I thought the CI was running the standard vmtest config. Since
we're running KASAN on the CI, it's not an issue that the vmtest config
doesn't have it on by default.
>
>>
>>> [...]
>>