1. Patchew
  2. linux
  3. View series

[PATCH bpf v4 0/2] bpf: Fix arena VMA use-after-free on fork

Weiming Shi posted 2 patches 2 months ago 
kernel/bpf/arena.c                            | 23 ++++--
.../selftests/bpf/prog_tests/arena_fork.c     | 80 +++++++++++++++++++
.../testing/selftests/bpf/progs/arena_fork.c  | 41 ++++++++++
3 files changed, 138 insertions(+), 6 deletions(-)
create mode 100644 tools/testing/selftests/bpf/prog_tests/arena_fork.c
create mode 100644 tools/testing/selftests/bpf/progs/arena_fork.c
[PATCH bpf v4 0/2] bpf: Fix arena VMA use-after-free on fork
Posted by Weiming Shi 2 months ago 
arena_vm_open() only increments a refcount on the shared vma_list entry
but never registers the new VMA. After fork + parent munmap, vml->vma
becomes a dangling pointer. bpf_arena_free_pages -> zap_pages then
dereferences it, causing a slab-use-after-free in zap_page_range_single.

Patch 1 fixes the bug by tracking each child VMA separately in
arena_vm_open, and adds arena_vm_may_split() to prevent VMA splitting.
Patch 2 adds a selftest that reproduces the issue (requires KASAN to
detect the UAF).

v4:
- Fixed commit message: OOM case description, may_split rationale

v3:
- Added arena_vm_may_split() to prevent VMA splitting
- Reuse remember_vma() in arena_vm_open(), removed HugeTLB references
- selftests: fixed copyright, trimmed comments, use sysconf()

v2:
- Added missing Reported-by tag

Weiming Shi (2):
  bpf: Fix use-after-free of arena VMA on fork
  selftests/bpf: Add test for arena VMA use-after-free on fork

 kernel/bpf/arena.c                            | 23 ++++--
 .../selftests/bpf/prog_tests/arena_fork.c     | 80 +++++++++++++++++++
 .../testing/selftests/bpf/progs/arena_fork.c  | 41 ++++++++++
 3 files changed, 138 insertions(+), 6 deletions(-)
 create mode 100644 tools/testing/selftests/bpf/prog_tests/arena_fork.c
 create mode 100644 tools/testing/selftests/bpf/progs/arena_fork.c

-- 
2.43.0

Patchew 2.1-devel-ea86937

© 2016 - 2026 Red Hat, Inc.