[PATCH bpf-next] selftests/bpf: add test for arena vma split and fork rejection

[Ruslan Valiyev <linuxoid@gmail.com>]

Verify that an arena map's mmap()ed VMA cannot be split with a partial
munmap() or inherited across fork().

Before commit 4fddde2a732d ("bpf: Fix use-after-free in arena_vm_close
on fork") the arena VMA had no .may_split callback and was not marked
VM_DONTCOPY, so a splitting munmap() and a fork() both succeeded.  The
fork() case left the child with a VMA whose vml->vma still pointed at
the parent, dangling after the parent unmapped and leading to a
use-after-free if the child freed arena pages.

The test creates an arena map, mmap()s it, and asserts that a splitting
munmap() fails with -EINVAL and that the child of a fork() does not
inherit the arena VMA.

Signed-off-by: Ruslan Valiyev <linuxoid@gmail.com>
---
 .../selftests/bpf/prog_tests/arena_fork.c     | 58 +++++++++++++++++++
 1 file changed, 58 insertions(+)
 create mode 100644 tools/testing/selftests/bpf/prog_tests/arena_fork.c

diff --git a/tools/testing/selftests/bpf/prog_tests/arena_fork.c b/tools/testing/selftests/bpf/prog_tests/arena_fork.c
new file mode 100644
index 0000000000000..f3d5218c9e071
--- /dev/null
+++ b/tools/testing/selftests/bpf/prog_tests/arena_fork.c
@@ -0,0 +1,58 @@
+// SPDX-License-Identifier: GPL-2.0
+#include <test_progs.h>
+#include <errno.h>
+#include <sys/mman.h>
+#include <sys/wait.h>
+
+/* Regression test for commit 4fddde2a732d ("bpf: Fix use-after-free in
+ * arena_vm_close on fork"): an arena VMA must reject a splitting munmap()
+ * (.may_split) and must not be inherited across fork() (VM_DONTCOPY). On
+ * an unfixed kernel both operations succeed.
+ */
+
+#define NR_PAGES 3
+
+void test_arena_fork(void)
+{
+	LIBBPF_OPTS(bpf_map_create_opts, opts, .map_flags = BPF_F_MMAPABLE);
+	long ps = sysconf(_SC_PAGESIZE);
+	size_t sz = (size_t)NR_PAGES * ps;
+	int fd, ret, status, err;
+	void *area;
+	pid_t pid;
+
+	fd = bpf_map_create(BPF_MAP_TYPE_ARENA, "arena_fork", 0, 0, NR_PAGES, &opts);
+	if (!ASSERT_OK_FD(fd, "arena map create"))
+		return;
+
+	area = mmap(NULL, sz, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
+	if (!ASSERT_NEQ(area, MAP_FAILED, "mmap arena"))
+		goto close_fd;
+
+	/* A split of the arena VMA must be rejected (.may_split). */
+	ret = munmap((char *)area + ps, ps);
+	err = errno;
+	ASSERT_ERR(ret, "split munmap rejected");
+	ASSERT_EQ(err, EINVAL, "split munmap errno");
+
+	/* The child of a fork() must not inherit the arena VMA (VM_DONTCOPY);
+	 * mincore() returns ENOMEM for the unmapped range.
+	 */
+	pid = fork();
+	if (ASSERT_GE(pid, 0, "fork")) {
+		if (pid == 0) {
+			unsigned char vec;
+
+			_exit(mincore(area, ps, &vec) < 0 && errno == ENOMEM ? 0 : 1);
+		}
+		while ((ret = waitpid(pid, &status, 0)) < 0 && errno == EINTR)
+			;
+		if (ASSERT_EQ(ret, pid, "waitpid"))
+			ASSERT_TRUE(WIFEXITED(status) && WEXITSTATUS(status) == 0,
+				    "child must not inherit arena vma");
+	}
+
+	munmap(area, sz);
+close_fd:
+	close(fd);
+}

base-commit: 174914ea551314c52a61713b9c4bde9e42d48073
-- 
2.43.0