[PATCH bpf v2 0/2] bpf: Fix arena VMA use-after-free on fork

Weiming Shi posted 2 patches 2 months ago
There is a newer version of this series
kernel/bpf/arena.c                            | 26 ++++--
.../selftests/bpf/prog_tests/arena_fork.c     | 86 +++++++++++++++++++
.../testing/selftests/bpf/progs/arena_fork.c  | 41 +++++++++
3 files changed, 148 insertions(+), 5 deletions(-)
create mode 100644 tools/testing/selftests/bpf/prog_tests/arena_fork.c
create mode 100644 tools/testing/selftests/bpf/progs/arena_fork.c
arena_vm_open() only increments a refcount on the shared vma_list entry
but never registers the new VMA. After fork + parent munmap, vml->vma
becomes a dangling pointer. bpf_arena_free_pages -> zap_pages then
dereferences it, causing a slab-use-after-free in zap_page_range_single.

Patch 1 fixes the bug by giving each VMA its own vma_list entry,
following the HugeTLB vma_lock pattern (hugetlb_vm_op_open).
Patch 2 adds a selftest that reproduces the issue.

Changes since v1:
- Added missing Reported-by tag

Weiming Shi (2):
  bpf: Fix use-after-free of arena VMA on fork
  selftests/bpf: Add test for arena VMA use-after-free on fork


-- 
2.43.0