[PATCH v2 00/13] bpf: Add arena ASAN runtime and BPF library

[PATCH v2 00/13] bpf: Add arena ASAN runtime and BPF library

[Emil Tsalapatis]

Add a new subdirectory to tools/testing/selftests/bpf called libarena,
along with programs useful for writing arena-based BPF code. This
patchset adds the following:

1) libarena, a subdirectory where arena BPF code that is generally useful 
to BPF arena programs can be easily added and tested.

2) An ASAN runtime for BPF arena programs. BPF arenas allow for accessing 
memory after it has been freed or if it out of bounds, making it more 
difficult to triage bugs combined to regular BPF. Use LLVM's recently added 
support for address-space based sanitization to selectively sanitize just 
the arena accesses.

3) A set of memory allocators that can be reused by BPF programs to handle 
memory allocation/deletion. The allocators use the ASAN runtime to add 
address sanitization if requested.

The patch includes testing for the new allocators and ASAN features that
can be built from the top directory using "make libarena_test" and
"make libarena_test_asan". The generated binaries reside in libarena/.

The structure of this patch is:

1-2: Add BPF Streams kfunc for dumping the current program stack, and
allow BPF Streams kfuncs to be callable while holding a lock.

3-4: Minor changes to the /testing/selftests/bpf directory headers to
prepare for the introduction of libarena.

5-7: Add the base libarena directory and testing scaffolding, and
introduce the ASAN runtime.

8-9: Add a arena memory bump allocator along with testing. This
allocator is used for permanent allocations during program init.

10-11: Add a stack page-oriented allocator along with testing. This 
allocator is used for repeated large allocations to avoid constant
bpf_arena_{alloc,free}_pages calls.

12-13: Add a buddy allocator along with testing. The allocator acts as a
general allocator for arena-based BPF programs.

Signed-off-by: Emil Tsalapatis (Meta) <emil@etsalapatis.com>

v1->v2 (https://lore.kernel.org/bpf/20260122160131.2238331-1-etsal@meta.com/)

- Added missing format string argument (AI)
- Fix outdated selftests prog name check (AI)
- Fixed stack allocation check for segment creation (AI)
- Fix errors in non-ASAN bump allocator selftests (AI)
- Propagate error value from individual selftests in selftest.c
- Removed embedded metadata from bump allocator as it was needlessly
  complicating its behavior

Emil Tsalapatis (13):
  bpf: Add bpf_stream_print_stack stack dumping kfunc
  bpf: Allow BPF stream kfuncs while holding a lock
  selftests: bpf: Move bpf_arena_spin_lock.h to the top level
  selftests: bpf: Make WRITE_ONCE macro in bpf_atomic.h conditional
  selftests: bpf: Add basic libarena scaffolding
  selftests: bpf: Add arena ASAN runtime to libarena
  selftests: bpf: Add ASAN support for libarena selftests
  selftest: bpf: Add bump allocator for libarena
  selftests: bpf: Add libarena selftests for the bump allocator
  selftest: bpf: Add libarena stack allocator
  selftests: bpf: Add selftests for the libarena stack allocator
  selftests: bpf: Add buddy allocator for libarena
  selftests: bpf: Add selftests for the libarena buddy allocator

 kernel/bpf/helpers.c                          |   1 +
 kernel/bpf/stream.c                           |  13 +
 kernel/bpf/verifier.c                         |  13 +-
 tools/lib/bpf/bpf_helpers.h                   |   2 +
 tools/testing/selftests/bpf/.gitignore        |   2 +
 tools/testing/selftests/bpf/Makefile          |  24 +
 .../bpf/{progs => }/bpf_arena_spin_lock.h     |   4 +-
 tools/testing/selftests/bpf/bpf_atomic.h      |   2 +
 tools/testing/selftests/bpf/libarena/Makefile |  69 ++
 .../selftests/bpf/libarena/include/asan.h     | 133 +++
 .../selftests/bpf/libarena/include/buddy.h    |  62 ++
 .../selftests/bpf/libarena/include/bump.h     |  26 +
 .../selftests/bpf/libarena/include/common.h   | 118 +++
 .../selftests/bpf/libarena/include/stack.h    |  44 +
 .../selftests/bpf/libarena/include/userapi.h  |  23 +
 .../bpf/libarena/selftests/selftest.c         | 328 ++++++++
 .../bpf/libarena/selftests/selftest.h         |  17 +
 .../libarena/selftests/st_asan_buddy.bpf.c    | 238 ++++++
 .../bpf/libarena/selftests/st_asan_bump.bpf.c | 193 +++++
 .../bpf/libarena/selftests/st_asan_common.h   |  49 ++
 .../libarena/selftests/st_asan_stack.bpf.c    | 253 ++++++
 .../bpf/libarena/selftests/st_buddy.bpf.c     | 231 ++++++
 .../bpf/libarena/selftests/st_bump.bpf.c      | 281 +++++++
 .../selftests/bpf/libarena/src/asan.bpf.c     | 463 +++++++++++
 .../selftests/bpf/libarena/src/buddy.bpf.c    | 784 ++++++++++++++++++
 .../selftests/bpf/libarena/src/bump.bpf.c     | 196 +++++
 .../selftests/bpf/libarena/src/stack.bpf.c    | 338 ++++++++
 .../selftests/bpf/progs/arena_spin_lock.c     |   2 +-
 28 files changed, 3905 insertions(+), 4 deletions(-)
 rename tools/testing/selftests/bpf/{progs => }/bpf_arena_spin_lock.h (99%)
 create mode 100644 tools/testing/selftests/bpf/libarena/Makefile
 create mode 100644 tools/testing/selftests/bpf/libarena/include/asan.h
 create mode 100644 tools/testing/selftests/bpf/libarena/include/buddy.h
 create mode 100644 tools/testing/selftests/bpf/libarena/include/bump.h
 create mode 100644 tools/testing/selftests/bpf/libarena/include/common.h
 create mode 100644 tools/testing/selftests/bpf/libarena/include/stack.h
 create mode 100644 tools/testing/selftests/bpf/libarena/include/userapi.h
 create mode 100644 tools/testing/selftests/bpf/libarena/selftests/selftest.c
 create mode 100644 tools/testing/selftests/bpf/libarena/selftests/selftest.h
 create mode 100644 tools/testing/selftests/bpf/libarena/selftests/st_asan_buddy.bpf.c
 create mode 100644 tools/testing/selftests/bpf/libarena/selftests/st_asan_bump.bpf.c
 create mode 100644 tools/testing/selftests/bpf/libarena/selftests/st_asan_common.h
 create mode 100644 tools/testing/selftests/bpf/libarena/selftests/st_asan_stack.bpf.c
 create mode 100644 tools/testing/selftests/bpf/libarena/selftests/st_buddy.bpf.c
 create mode 100644 tools/testing/selftests/bpf/libarena/selftests/st_bump.bpf.c
 create mode 100644 tools/testing/selftests/bpf/libarena/src/asan.bpf.c
 create mode 100644 tools/testing/selftests/bpf/libarena/src/buddy.bpf.c
 create mode 100644 tools/testing/selftests/bpf/libarena/src/bump.bpf.c
 create mode 100644 tools/testing/selftests/bpf/libarena/src/stack.bpf.c

-- 
2.49.0

[PATCH v2 01/13] bpf: Add bpf_stream_print_stack stack dumping kfunc

[Emil Tsalapatis]

From: Emil Tsalapatis <etsal@meta.com>

Add a new kfunc called bpf_stream_print_stack to be used by programs
that need to print out their current BPF stack. The kfunc is essentially
a wrapper around the existing bpf_stream_dump_stack functionality used
to generate stack traces for error events like may_goto violations and
BPF-side arena page faults.

Signed-off-by: Emil Tsalapatis (Meta) <emil@etsalapatis.com>
---
 kernel/bpf/helpers.c        |  1 +
 kernel/bpf/stream.c         | 13 +++++++++++++
 tools/lib/bpf/bpf_helpers.h |  2 ++
 3 files changed, 16 insertions(+)

diff --git a/kernel/bpf/helpers.c b/kernel/bpf/helpers.c
index b54ec0e945aa..c30a9f68af6b 100644
--- a/kernel/bpf/helpers.c
+++ b/kernel/bpf/helpers.c
@@ -4562,6 +4562,7 @@ BTF_ID_FLAGS(func, bpf_strncasestr);
 BTF_ID_FLAGS(func, bpf_cgroup_read_xattr, KF_RCU)
 #endif
 BTF_ID_FLAGS(func, bpf_stream_vprintk, KF_IMPLICIT_ARGS)
+BTF_ID_FLAGS(func, bpf_stream_print_stack, KF_IMPLICIT_ARGS)
 BTF_ID_FLAGS(func, bpf_task_work_schedule_signal, KF_IMPLICIT_ARGS)
 BTF_ID_FLAGS(func, bpf_task_work_schedule_resume, KF_IMPLICIT_ARGS)
 BTF_ID_FLAGS(func, bpf_dynptr_from_file)
diff --git a/kernel/bpf/stream.c b/kernel/bpf/stream.c
index 24730df55e69..6e2cbe5f34e7 100644
--- a/kernel/bpf/stream.c
+++ b/kernel/bpf/stream.c
@@ -245,6 +245,19 @@ __bpf_kfunc int bpf_stream_vprintk(int stream_id, const char *fmt__str, const vo
 	return ret;
 }
 
+/* Directly trigger a stack dump from the program. */
+__bpf_kfunc void bpf_stream_print_stack(struct bpf_prog_aux *aux)
+{
+	struct bpf_stream_stage ss;
+	struct bpf_prog *prog;
+
+	prog = aux->main_prog_aux->prog;
+
+	bpf_stream_stage(ss, prog, BPF_STDERR, ({
+		bpf_stream_dump_stack(ss);
+	}));
+}
+
 __bpf_kfunc_end_defs();
 
 /* Added kfunc to common_btf_ids */
diff --git a/tools/lib/bpf/bpf_helpers.h b/tools/lib/bpf/bpf_helpers.h
index c145da05a67c..6d8ae3887618 100644
--- a/tools/lib/bpf/bpf_helpers.h
+++ b/tools/lib/bpf/bpf_helpers.h
@@ -343,6 +343,8 @@ extern int bpf_stream_vprintk(int stream_id, const char *fmt__str, const void *a
 /* Helper macro to print out debug messages */
 #define bpf_printk(fmt, args...) ___bpf_pick_printk(args)(fmt, ##args)
 
+extern void bpf_stream_print_stack(void) __weak __ksym;
+
 struct bpf_iter_num;
 
 extern int bpf_iter_num_new(struct bpf_iter_num *it, int start, int end) __weak __ksym;
-- 
2.49.0

Re: [PATCH v2 01/13] bpf: Add bpf_stream_print_stack stack dumping kfunc

[Mykyta Yatsenko]

On 1/27/26 18:15, Emil Tsalapatis wrote:
> From: Emil Tsalapatis <etsal@meta.com>
>
> Add a new kfunc called bpf_stream_print_stack to be used by programs
> that need to print out their current BPF stack. The kfunc is essentially
> a wrapper around the existing bpf_stream_dump_stack functionality used
> to generate stack traces for error events like may_goto violations and
> BPF-side arena page faults.
>
> Signed-off-by: Emil Tsalapatis (Meta) <emil@etsalapatis.com>
> ---
>   kernel/bpf/helpers.c        |  1 +
>   kernel/bpf/stream.c         | 13 +++++++++++++
>   tools/lib/bpf/bpf_helpers.h |  2 ++
>   3 files changed, 16 insertions(+)
>
> diff --git a/kernel/bpf/helpers.c b/kernel/bpf/helpers.c
> index b54ec0e945aa..c30a9f68af6b 100644
> --- a/kernel/bpf/helpers.c
> +++ b/kernel/bpf/helpers.c
> @@ -4562,6 +4562,7 @@ BTF_ID_FLAGS(func, bpf_strncasestr);
>   BTF_ID_FLAGS(func, bpf_cgroup_read_xattr, KF_RCU)
>   #endif
>   BTF_ID_FLAGS(func, bpf_stream_vprintk, KF_IMPLICIT_ARGS)
> +BTF_ID_FLAGS(func, bpf_stream_print_stack, KF_IMPLICIT_ARGS)
>   BTF_ID_FLAGS(func, bpf_task_work_schedule_signal, KF_IMPLICIT_ARGS)
>   BTF_ID_FLAGS(func, bpf_task_work_schedule_resume, KF_IMPLICIT_ARGS)
>   BTF_ID_FLAGS(func, bpf_dynptr_from_file)
> diff --git a/kernel/bpf/stream.c b/kernel/bpf/stream.c
> index 24730df55e69..6e2cbe5f34e7 100644
> --- a/kernel/bpf/stream.c
> +++ b/kernel/bpf/stream.c
> @@ -245,6 +245,19 @@ __bpf_kfunc int bpf_stream_vprintk(int stream_id, const char *fmt__str, const vo
>   	return ret;
>   }
>   
> +/* Directly trigger a stack dump from the program. */
> +__bpf_kfunc void bpf_stream_print_stack(struct bpf_prog_aux *aux)
> +{
> +	struct bpf_stream_stage ss;
> +	struct bpf_prog *prog;
> +
> +	prog = aux->main_prog_aux->prog;
> +
> +	bpf_stream_stage(ss, prog, BPF_STDERR, ({
> +		bpf_stream_dump_stack(ss);
> +	}));
> +}
> +
>   __bpf_kfunc_end_defs();
>   
>   /* Added kfunc to common_btf_ids */
> diff --git a/tools/lib/bpf/bpf_helpers.h b/tools/lib/bpf/bpf_helpers.h
> index c145da05a67c..6d8ae3887618 100644
> --- a/tools/lib/bpf/bpf_helpers.h
> +++ b/tools/lib/bpf/bpf_helpers.h
> @@ -343,6 +343,8 @@ extern int bpf_stream_vprintk(int stream_id, const char *fmt__str, const void *a
>   /* Helper macro to print out debug messages */
>   #define bpf_printk(fmt, args...) ___bpf_pick_printk(args)(fmt, ##args)
>   
> +extern void bpf_stream_print_stack(void) __weak __ksym;
> +
Is this needed? bpf_stream_print_stack() should be available via 
vmlinux.h, shouldn't it?
>   struct bpf_iter_num;
>   
>   extern int bpf_iter_num_new(struct bpf_iter_num *it, int start, int end) __weak __ksym;

Re: [PATCH v2 01/13] bpf: Add bpf_stream_print_stack stack dumping kfunc

[Emil Tsalapatis]

On Tue Jan 27, 2026 at 2:17 PM EST, Mykyta Yatsenko wrote:
> On 1/27/26 18:15, Emil Tsalapatis wrote:
>> From: Emil Tsalapatis <etsal@meta.com>
>>
>> Add a new kfunc called bpf_stream_print_stack to be used by programs
>> that need to print out their current BPF stack. The kfunc is essentially
>> a wrapper around the existing bpf_stream_dump_stack functionality used
>> to generate stack traces for error events like may_goto violations and
>> BPF-side arena page faults.
>>
>> Signed-off-by: Emil Tsalapatis (Meta) <emil@etsalapatis.com>
>> ---
>>   kernel/bpf/helpers.c        |  1 +
>>   kernel/bpf/stream.c         | 13 +++++++++++++
>>   tools/lib/bpf/bpf_helpers.h |  2 ++
>>   3 files changed, 16 insertions(+)
>>
>> diff --git a/kernel/bpf/helpers.c b/kernel/bpf/helpers.c
>> index b54ec0e945aa..c30a9f68af6b 100644
>> --- a/kernel/bpf/helpers.c
>> +++ b/kernel/bpf/helpers.c
>> @@ -4562,6 +4562,7 @@ BTF_ID_FLAGS(func, bpf_strncasestr);
>>   BTF_ID_FLAGS(func, bpf_cgroup_read_xattr, KF_RCU)
>>   #endif
>>   BTF_ID_FLAGS(func, bpf_stream_vprintk, KF_IMPLICIT_ARGS)
>> +BTF_ID_FLAGS(func, bpf_stream_print_stack, KF_IMPLICIT_ARGS)
>>   BTF_ID_FLAGS(func, bpf_task_work_schedule_signal, KF_IMPLICIT_ARGS)
>>   BTF_ID_FLAGS(func, bpf_task_work_schedule_resume, KF_IMPLICIT_ARGS)
>>   BTF_ID_FLAGS(func, bpf_dynptr_from_file)
>> diff --git a/kernel/bpf/stream.c b/kernel/bpf/stream.c
>> index 24730df55e69..6e2cbe5f34e7 100644
>> --- a/kernel/bpf/stream.c
>> +++ b/kernel/bpf/stream.c
>> @@ -245,6 +245,19 @@ __bpf_kfunc int bpf_stream_vprintk(int stream_id, const char *fmt__str, const vo
>>   	return ret;
>>   }
>>   
>> +/* Directly trigger a stack dump from the program. */
>> +__bpf_kfunc void bpf_stream_print_stack(struct bpf_prog_aux *aux)
>> +{
>> +	struct bpf_stream_stage ss;
>> +	struct bpf_prog *prog;
>> +
>> +	prog = aux->main_prog_aux->prog;
>> +
>> +	bpf_stream_stage(ss, prog, BPF_STDERR, ({
>> +		bpf_stream_dump_stack(ss);
>> +	}));
>> +}
>> +
>>   __bpf_kfunc_end_defs();
>>   
>>   /* Added kfunc to common_btf_ids */
>> diff --git a/tools/lib/bpf/bpf_helpers.h b/tools/lib/bpf/bpf_helpers.h
>> index c145da05a67c..6d8ae3887618 100644
>> --- a/tools/lib/bpf/bpf_helpers.h
>> +++ b/tools/lib/bpf/bpf_helpers.h
>> @@ -343,6 +343,8 @@ extern int bpf_stream_vprintk(int stream_id, const char *fmt__str, const void *a
>>   /* Helper macro to print out debug messages */
>>   #define bpf_printk(fmt, args...) ___bpf_pick_printk(args)(fmt, ##args)
>>   
>> +extern void bpf_stream_print_stack(void) __weak __ksym;
>> +
> Is this needed? bpf_stream_print_stack() should be available via 
> vmlinux.h, shouldn't it?

Good call, I'll remove it in the next version.

>>   struct bpf_iter_num;
>>   
>>   extern int bpf_iter_num_new(struct bpf_iter_num *it, int start, int end) __weak __ksym;

Re: [PATCH v2 01/13] bpf: Add bpf_stream_print_stack stack dumping kfunc

[Kumar Kartikeya Dwivedi]

On Tue, 27 Jan 2026 at 19:16, Emil Tsalapatis <emil@etsalapatis.com> wrote:
>
> From: Emil Tsalapatis <etsal@meta.com>
>
> Add a new kfunc called bpf_stream_print_stack to be used by programs
> that need to print out their current BPF stack. The kfunc is essentially
> a wrapper around the existing bpf_stream_dump_stack functionality used
> to generate stack traces for error events like may_goto violations and
> BPF-side arena page faults.
>
> Signed-off-by: Emil Tsalapatis (Meta) <emil@etsalapatis.com>
> ---
>  kernel/bpf/helpers.c        |  1 +
>  kernel/bpf/stream.c         | 13 +++++++++++++
>  tools/lib/bpf/bpf_helpers.h |  2 ++
>  3 files changed, 16 insertions(+)
>
> diff --git a/kernel/bpf/helpers.c b/kernel/bpf/helpers.c
> index b54ec0e945aa..c30a9f68af6b 100644
> --- a/kernel/bpf/helpers.c
> +++ b/kernel/bpf/helpers.c
> @@ -4562,6 +4562,7 @@ BTF_ID_FLAGS(func, bpf_strncasestr);
>  BTF_ID_FLAGS(func, bpf_cgroup_read_xattr, KF_RCU)
>  #endif
>  BTF_ID_FLAGS(func, bpf_stream_vprintk, KF_IMPLICIT_ARGS)
> +BTF_ID_FLAGS(func, bpf_stream_print_stack, KF_IMPLICIT_ARGS)
>  BTF_ID_FLAGS(func, bpf_task_work_schedule_signal, KF_IMPLICIT_ARGS)
>  BTF_ID_FLAGS(func, bpf_task_work_schedule_resume, KF_IMPLICIT_ARGS)
>  BTF_ID_FLAGS(func, bpf_dynptr_from_file)
> diff --git a/kernel/bpf/stream.c b/kernel/bpf/stream.c
> index 24730df55e69..6e2cbe5f34e7 100644
> --- a/kernel/bpf/stream.c
> +++ b/kernel/bpf/stream.c
> @@ -245,6 +245,19 @@ __bpf_kfunc int bpf_stream_vprintk(int stream_id, const char *fmt__str, const vo
>         return ret;
>  }
>
> +/* Directly trigger a stack dump from the program. */
> +__bpf_kfunc void bpf_stream_print_stack(struct bpf_prog_aux *aux)
> +{
> +       struct bpf_stream_stage ss;
> +       struct bpf_prog *prog;
> +
> +       prog = aux->main_prog_aux->prog;
> +
> +       bpf_stream_stage(ss, prog, BPF_STDERR, ({

I think it would be better not to hardcode the stream, and take an argument.

> +               bpf_stream_dump_stack(ss);
> +       }));
> +}
> +
>  __bpf_kfunc_end_defs();
>
>  /* Added kfunc to common_btf_ids */
> diff --git a/tools/lib/bpf/bpf_helpers.h b/tools/lib/bpf/bpf_helpers.h
> index c145da05a67c..6d8ae3887618 100644
> --- a/tools/lib/bpf/bpf_helpers.h
> +++ b/tools/lib/bpf/bpf_helpers.h
> @@ -343,6 +343,8 @@ extern int bpf_stream_vprintk(int stream_id, const char *fmt__str, const void *a
>  /* Helper macro to print out debug messages */
>  #define bpf_printk(fmt, args...) ___bpf_pick_printk(args)(fmt, ##args)
>
> +extern void bpf_stream_print_stack(void) __weak __ksym;
> +
>  struct bpf_iter_num;
>
>  extern int bpf_iter_num_new(struct bpf_iter_num *it, int start, int end) __weak __ksym;
> --
> 2.49.0
>

[PATCH v2 02/13] bpf: Allow BPF stream kfuncs while holding a lock

[Emil Tsalapatis]

From: Emil Tsalapatis <etsal@meta.com>

The BPF stream kfuncs bpf_stream_vprintk and bpf_stream_print_stack
do not sleep and so are safe to call while holding a lock. Amend
the verifier to allow that.

Signed-off-by: Emil Tsalapatis (Meta) <emil@etsalapatis.com>
---
 kernel/bpf/verifier.c | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index c2f2650db9fd..b7970537eb41 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -12485,6 +12485,8 @@ enum special_kfunc_type {
 	KF_bpf_arena_free_pages,
 	KF_bpf_arena_reserve_pages,
 	KF_bpf_session_is_return,
+	KF_bpf_stream_vprintk,
+	KF_bpf_stream_print_stack,
 };
 
 BTF_ID_LIST(special_kfunc_list)
@@ -12563,6 +12565,8 @@ BTF_ID(func, bpf_arena_alloc_pages)
 BTF_ID(func, bpf_arena_free_pages)
 BTF_ID(func, bpf_arena_reserve_pages)
 BTF_ID(func, bpf_session_is_return)
+BTF_ID(func, bpf_stream_vprintk)
+BTF_ID(func, bpf_stream_print_stack)
 
 static bool is_task_work_add_kfunc(u32 func_id)
 {
@@ -13007,10 +13011,17 @@ static bool is_bpf_arena_kfunc(u32 btf_id)
 	       btf_id == special_kfunc_list[KF_bpf_arena_reserve_pages];
 }
 
+static bool is_bpf_stream_kfunc(u32 btf_id)
+{
+	return btf_id == special_kfunc_list[KF_bpf_stream_vprintk] ||
+	       btf_id == special_kfunc_list[KF_bpf_stream_print_stack];
+}
+
 static bool kfunc_spin_allowed(u32 btf_id)
 {
 	return is_bpf_graph_api_kfunc(btf_id) || is_bpf_iter_num_api_kfunc(btf_id) ||
-	       is_bpf_res_spin_lock_kfunc(btf_id) || is_bpf_arena_kfunc(btf_id);
+	       is_bpf_res_spin_lock_kfunc(btf_id) || is_bpf_arena_kfunc(btf_id) ||
+	       is_bpf_stream_kfunc(btf_id);
 }
 
 static bool is_sync_callback_calling_kfunc(u32 btf_id)
-- 
2.49.0

Re: [PATCH v2 02/13] bpf: Allow BPF stream kfuncs while holding a lock

[Kumar Kartikeya Dwivedi]

On Tue, 27 Jan 2026 at 19:16, Emil Tsalapatis <emil@etsalapatis.com> wrote:
>
> From: Emil Tsalapatis <etsal@meta.com>
>
> The BPF stream kfuncs bpf_stream_vprintk and bpf_stream_print_stack
> do not sleep and so are safe to call while holding a lock. Amend
> the verifier to allow that.
>
> Signed-off-by: Emil Tsalapatis (Meta) <emil@etsalapatis.com>
> ---

Acked-by: Kumar Kartikeya Dwivedi <memxor@gmail.com>

>  [...]

[PATCH v2 03/13] selftests: bpf: Move bpf_arena_spin_lock.h to the top level

[Emil Tsalapatis]

From: Emil Tsalapatis <etsal@meta.com>

The bpf_arena_spin_lock.h header is useful for all programs and not
just the selftests. Move it to the top level of the BPF selftests
to make it more readily accessible.

Signed-off-by: Emil Tsalapatis (Meta) <emil@etsalapatis.com>
---
 tools/testing/selftests/bpf/{progs => }/bpf_arena_spin_lock.h | 4 ++--
 tools/testing/selftests/bpf/progs/arena_spin_lock.c           | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
 rename tools/testing/selftests/bpf/{progs => }/bpf_arena_spin_lock.h (99%)

diff --git a/tools/testing/selftests/bpf/progs/bpf_arena_spin_lock.h b/tools/testing/selftests/bpf/bpf_arena_spin_lock.h
similarity index 99%
rename from tools/testing/selftests/bpf/progs/bpf_arena_spin_lock.h
rename to tools/testing/selftests/bpf/bpf_arena_spin_lock.h
index f90531cf3ee5..680c9e6cb35d 100644
--- a/tools/testing/selftests/bpf/progs/bpf_arena_spin_lock.h
+++ b/tools/testing/selftests/bpf/bpf_arena_spin_lock.h
@@ -107,7 +107,7 @@ struct arena_qnode {
 #define _Q_LOCKED_VAL		(1U << _Q_LOCKED_OFFSET)
 #define _Q_PENDING_VAL		(1U << _Q_PENDING_OFFSET)
 
-struct arena_qnode __arena qnodes[_Q_MAX_CPUS][_Q_MAX_NODES];
+struct arena_qnode __weak __arena __hidden qnodes[_Q_MAX_CPUS][_Q_MAX_NODES];
 
 static inline u32 encode_tail(int cpu, int idx)
 {
@@ -240,7 +240,7 @@ static __always_inline int arena_spin_trylock(arena_spinlock_t __arena *lock)
 	return likely(atomic_try_cmpxchg_acquire(&lock->val, &val, _Q_LOCKED_VAL));
 }
 
-__noinline
+__noinline __weak
 int arena_spin_lock_slowpath(arena_spinlock_t __arena __arg_arena *lock, u32 val)
 {
 	struct arena_mcs_spinlock __arena *prev, *next, *node0, *node;
diff --git a/tools/testing/selftests/bpf/progs/arena_spin_lock.c b/tools/testing/selftests/bpf/progs/arena_spin_lock.c
index 086b57a426cf..6c04e7707644 100644
--- a/tools/testing/selftests/bpf/progs/arena_spin_lock.c
+++ b/tools/testing/selftests/bpf/progs/arena_spin_lock.c
@@ -4,7 +4,7 @@
 #include <bpf/bpf_tracing.h>
 #include <bpf/bpf_helpers.h>
 #include "bpf_misc.h"
-#include "bpf_arena_spin_lock.h"
+#include "../bpf_arena_spin_lock.h"
 
 struct {
 	__uint(type, BPF_MAP_TYPE_ARENA);
-- 
2.49.0

Re: [PATCH v2 03/13] selftests: bpf: Move bpf_arena_spin_lock.h to the top level

[Kumar Kartikeya Dwivedi]

On Tue, 27 Jan 2026 at 19:16, Emil Tsalapatis <emil@etsalapatis.com> wrote:
>
> From: Emil Tsalapatis <etsal@meta.com>
>
> The bpf_arena_spin_lock.h header is useful for all programs and not
> just the selftests. Move it to the top level of the BPF selftests
> to make it more readily accessible.

"Since this header will be used in multiple object files that may be
linked together, mark global variables and global functions as __weak
to avoid linker errors."

>
> Signed-off-by: Emil Tsalapatis (Meta) <emil@etsalapatis.com>
> ---

Acked-by: Kumar Kartikeya Dwivedi <memxor@gmail.com>

>  [...]
>

[PATCH v2 04/13] selftests: bpf: Make WRITE_ONCE macro in bpf_atomic.h conditional

[Emil Tsalapatis]

From: Emil Tsalapatis <etsal@meta.com>

The WRITE_ONCE macro is identically defined both in bpf_atomic.h
and in bpf_arena_common.h. The bpf_arena_common.h definition is
guarded with an ifndef to allow for inclusion after bpf_atomic.h,
but the opposite does not hold. Add an extra guard to avoid requiring
a specific order for the headers.

Signed-off-by: Emil Tsalapatis (Meta) <emil@etsalapatis.com>
---
 tools/testing/selftests/bpf/bpf_atomic.h | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/tools/testing/selftests/bpf/bpf_atomic.h b/tools/testing/selftests/bpf/bpf_atomic.h
index c550e5711967..d89a22d63c1c 100644
--- a/tools/testing/selftests/bpf/bpf_atomic.h
+++ b/tools/testing/selftests/bpf/bpf_atomic.h
@@ -42,7 +42,9 @@ extern bool CONFIG_X86_64 __kconfig __weak;
 
 #define READ_ONCE(x) (*(volatile typeof(x) *)&(x))
 
+#ifndef WRITE_ONCE
 #define WRITE_ONCE(x, val) ((*(volatile typeof(x) *)&(x)) = (val))
+#endif
 
 #define cmpxchg(p, old, new) __sync_val_compare_and_swap((p), old, new)
 
-- 
2.49.0

Re: [PATCH v2 04/13] selftests: bpf: Make WRITE_ONCE macro in bpf_atomic.h conditional

[Mykyta Yatsenko]

On 1/27/26 18:16, Emil Tsalapatis wrote:
> From: Emil Tsalapatis <etsal@meta.com>
>
> The WRITE_ONCE macro is identically defined both in bpf_atomic.h
> and in bpf_arena_common.h. The bpf_arena_common.h definition is
> guarded with an ifndef to allow for inclusion after bpf_atomic.h,
> but the opposite does not hold. Add an extra guard to avoid requiring
> a specific order for the headers.
>
> Signed-off-by: Emil Tsalapatis (Meta) <emil@etsalapatis.com>
> ---
>   tools/testing/selftests/bpf/bpf_atomic.h | 2 ++
>   1 file changed, 2 insertions(+)
>
> diff --git a/tools/testing/selftests/bpf/bpf_atomic.h b/tools/testing/selftests/bpf/bpf_atomic.h
> index c550e5711967..d89a22d63c1c 100644
> --- a/tools/testing/selftests/bpf/bpf_atomic.h
> +++ b/tools/testing/selftests/bpf/bpf_atomic.h
> @@ -42,7 +42,9 @@ extern bool CONFIG_X86_64 __kconfig __weak;
>   
>   #define READ_ONCE(x) (*(volatile typeof(x) *)&(x))
>   
> +#ifndef WRITE_ONCE
>   #define WRITE_ONCE(x, val) ((*(volatile typeof(x) *)&(x)) = (val))
> +#endif
I wonder if we can avoid duplicating this macros, for example by
including bpf_atomic.h in the bpf_arena_common.h.
>   
>   #define cmpxchg(p, old, new) __sync_val_compare_and_swap((p), old, new)
>   

Re: [PATCH v2 04/13] selftests: bpf: Make WRITE_ONCE macro in bpf_atomic.h conditional

[Emil Tsalapatis]

On Tue Jan 27, 2026 at 2:26 PM EST, Mykyta Yatsenko wrote:
> On 1/27/26 18:16, Emil Tsalapatis wrote:
>> From: Emil Tsalapatis <etsal@meta.com>
>>
>> The WRITE_ONCE macro is identically defined both in bpf_atomic.h
>> and in bpf_arena_common.h. The bpf_arena_common.h definition is
>> guarded with an ifndef to allow for inclusion after bpf_atomic.h,
>> but the opposite does not hold. Add an extra guard to avoid requiring
>> a specific order for the headers.
>>
>> Signed-off-by: Emil Tsalapatis (Meta) <emil@etsalapatis.com>
>> ---
>>   tools/testing/selftests/bpf/bpf_atomic.h | 2 ++
>>   1 file changed, 2 insertions(+)
>>
>> diff --git a/tools/testing/selftests/bpf/bpf_atomic.h b/tools/testing/selftests/bpf/bpf_atomic.h
>> index c550e5711967..d89a22d63c1c 100644
>> --- a/tools/testing/selftests/bpf/bpf_atomic.h
>> +++ b/tools/testing/selftests/bpf/bpf_atomic.h
>> @@ -42,7 +42,9 @@ extern bool CONFIG_X86_64 __kconfig __weak;
>>   
>>   #define READ_ONCE(x) (*(volatile typeof(x) *)&(x))
>>   
>> +#ifndef WRITE_ONCE
>>   #define WRITE_ONCE(x, val) ((*(volatile typeof(x) *)&(x)) = (val))
>> +#endif
> I wonder if we can avoid duplicating this macros, for example by
> including bpf_atomic.h in the bpf_arena_common.h.

I kept both definitions because the headers correspond to unrelated
features (atomics and arenas). Including bpf_atomic.h in
bpf_arena_common.h would work, and we'd need to update just a single
test that includes bpf_atomic.h directly (lpm_trie_bench). However,
any program that wanted to include atomics would also have to include
arena-related definitions. If that sounds reasonable I'll update the
diff on the next version.

>>   
>>   #define cmpxchg(p, old, new) __sync_val_compare_and_swap((p), old, new)
>>   

Re: [PATCH v2 04/13] selftests: bpf: Make WRITE_ONCE macro in bpf_atomic.h conditional

[Kumar Kartikeya Dwivedi]

On Wed, 28 Jan 2026 at 00:41, Emil Tsalapatis <emil@etsalapatis.com> wrote:
>
> On Tue Jan 27, 2026 at 2:26 PM EST, Mykyta Yatsenko wrote:
> > On 1/27/26 18:16, Emil Tsalapatis wrote:
> >> From: Emil Tsalapatis <etsal@meta.com>
> >>
> >> The WRITE_ONCE macro is identically defined both in bpf_atomic.h
> >> and in bpf_arena_common.h. The bpf_arena_common.h definition is
> >> guarded with an ifndef to allow for inclusion after bpf_atomic.h,
> >> but the opposite does not hold. Add an extra guard to avoid requiring
> >> a specific order for the headers.
> >>
> >> Signed-off-by: Emil Tsalapatis (Meta) <emil@etsalapatis.com>
> >> ---
> >>   tools/testing/selftests/bpf/bpf_atomic.h | 2 ++
> >>   1 file changed, 2 insertions(+)
> >>
> >> diff --git a/tools/testing/selftests/bpf/bpf_atomic.h b/tools/testing/selftests/bpf/bpf_atomic.h
> >> index c550e5711967..d89a22d63c1c 100644
> >> --- a/tools/testing/selftests/bpf/bpf_atomic.h
> >> +++ b/tools/testing/selftests/bpf/bpf_atomic.h
> >> @@ -42,7 +42,9 @@ extern bool CONFIG_X86_64 __kconfig __weak;
> >>
> >>   #define READ_ONCE(x) (*(volatile typeof(x) *)&(x))
> >>
> >> +#ifndef WRITE_ONCE
> >>   #define WRITE_ONCE(x, val) ((*(volatile typeof(x) *)&(x)) = (val))
> >> +#endif
> > I wonder if we can avoid duplicating this macros, for example by
> > including bpf_atomic.h in the bpf_arena_common.h.
>
> I kept both definitions because the headers correspond to unrelated
> features (atomics and arenas). Including bpf_atomic.h in
> bpf_arena_common.h would work, and we'd need to update just a single
> test that includes bpf_atomic.h directly (lpm_trie_bench). However,
> any program that wanted to include atomics would also have to include
> arena-related definitions. If that sounds reasonable I'll update the
> diff on the next version.

+1 to reusing bpf_atomic.h, it's supposed to work fine regardless of
arena or normal memory.

>
> >>
> >>   #define cmpxchg(p, old, new) __sync_val_compare_and_swap((p), old, new)
> >>
>

[PATCH v2 05/13] selftests: bpf: Add basic libarena scaffolding

[Emil Tsalapatis]

From: Emil Tsalapatis <etsal@meta.com>

Add initial code for an arena-based BPF library. The current commit
introduces a test runner and Makefile for the library. Library code
can be added just by including the source file in the library's src/
subdirectory. Future commits will introduce the library code itself.

Signed-off-by: Emil Tsalapatis (Meta) <emil@etsalapatis.com>
---
 tools/testing/selftests/bpf/.gitignore        |   1 +
 tools/testing/selftests/bpf/Makefile          |  12 +
 tools/testing/selftests/bpf/libarena/Makefile |  47 ++++
 .../selftests/bpf/libarena/include/common.h   | 118 +++++++++
 .../selftests/bpf/libarena/include/userapi.h  |  22 ++
 .../bpf/libarena/selftests/selftest.c         | 243 ++++++++++++++++++
 .../bpf/libarena/selftests/selftest.h         |  17 ++
 7 files changed, 460 insertions(+)
 create mode 100644 tools/testing/selftests/bpf/libarena/Makefile
 create mode 100644 tools/testing/selftests/bpf/libarena/include/common.h
 create mode 100644 tools/testing/selftests/bpf/libarena/include/userapi.h
 create mode 100644 tools/testing/selftests/bpf/libarena/selftests/selftest.c
 create mode 100644 tools/testing/selftests/bpf/libarena/selftests/selftest.h

diff --git a/tools/testing/selftests/bpf/.gitignore b/tools/testing/selftests/bpf/.gitignore
index b8bf51b7a0b0..96b4a7e37427 100644
--- a/tools/testing/selftests/bpf/.gitignore
+++ b/tools/testing/selftests/bpf/.gitignore
@@ -48,3 +48,4 @@ verification_cert.h
 *.BTF
 *.BTF_ids
 *.BTF.base
+libarena/test_libarena
diff --git a/tools/testing/selftests/bpf/Makefile b/tools/testing/selftests/bpf/Makefile
index 9488d076c740..49b275a7bfa1 100644
--- a/tools/testing/selftests/bpf/Makefile
+++ b/tools/testing/selftests/bpf/Makefile
@@ -915,3 +915,15 @@ override define INSTALL_RULE
 		rsync -a $(OUTPUT)/$$DIR/*.bpf.o $(INSTALL_PATH)/$$DIR;\
 	done
 endef
+
+test_libarena: $(INCLUDE_DIR)/vmlinux.h $(BPFOBJ)
+	+$(MAKE) -C libarena all \
+		BPFTOOL="$(BPFTOOL)" \
+		INCLUDE_DIR="$(HOST_INCLUDE_DIR)" \
+		LIBBPF_INCLUDE="$(HOST_INCLUDE_DIR)" \
+		BPFOBJ="$(BPFOBJ)" \
+		LDLIBS="$(LDLIBS) -lzstd" \
+		CLANG="$(CLANG)" \
+		BPF_CFLAGS="$(BPF_CFLAGS) $(CLANG_CFLAGS)" \
+		BPF_TARGET_ENDIAN="$(BPF_TARGET_ENDIAN)" \
+		Q="$(Q)"
diff --git a/tools/testing/selftests/bpf/libarena/Makefile b/tools/testing/selftests/bpf/libarena/Makefile
new file mode 100644
index 000000000000..70901bb5237f
--- /dev/null
+++ b/tools/testing/selftests/bpf/libarena/Makefile
@@ -0,0 +1,47 @@
+.PHONY: clean
+
+LIBARENA=$(abspath .)
+
+
+LIBARENA_SOURCES = $(wildcard $(LIBARENA)/src/*.bpf.c) $(wildcard $(LIBARENA)/selftests/*.bpf.c)
+LIBARENA_OBJECTS = $(notdir $(LIBARENA_SOURCES:.bpf.c=.bpf.o))
+
+INCLUDES = -I$(LIBARENA)/include -I$(LIBARENA)/..
+ifneq ($(INCLUDE_DIR),)
+INCLUDES += -I$(INCLUDE_DIR)
+endif
+ifneq ($(LIBBPF_INCLUDE),)
+INCLUDES += -I$(LIBBPF_INCLUDE)
+endif
+
+# ENABLE_ATOMICS_TESTS required because we use arena spinlocks
+override BPF_CFLAGS += -DENABLE_ATOMICS_TESTS
+override BPF_CFLAGS += -O2 -Wno-incompatible-pointer-types-discards-qualifiers
+override BPF_CFLAGS += $(INCLUDES)
+
+CFLAGS = -O2 -no-pie
+CFLAGS += $(INCLUDES)
+
+vpath %.bpf.c $(LIBARENA)/src $(LIBARENA)/selftests
+vpath %.c $(LIBARENA)/src $(LIBARENA)/selftests
+
+all: test_libarena
+
+test_libarena: selftest.c $(BPFOBJ) selftest.skel.h
+	$(call msg,BINARY,libarena,$@)
+	$(Q)$(CLANG) $(LDLIBS) $(CFLAGS) $< $(BPFOBJ) -o $@
+
+selftest.skel.h: main.bpf.o
+	$(call msg,GEN-SKEL,libarena,$@)
+	$(Q)$(BPFTOOL) gen skeleton $< name "selftest" > $@
+
+main.bpf.o: $(LIBARENA_OBJECTS)
+	$(call msg,GEN-OBJ,libarena,$@)
+	$(Q)$(BPFTOOL) gen object $@ $^
+
+%.bpf.o: %.bpf.c
+	$(call msg,CLNG-BPF,libarena,$@)
+	$(Q)$(CLANG) $(BPF_CFLAGS) $(BPF_TARGET_ENDIAN) -c $< -o $@
+
+clean:
+	$(Q)rm -f *.skel.h *.bpf.o test_libarena
diff --git a/tools/testing/selftests/bpf/libarena/include/common.h b/tools/testing/selftests/bpf/libarena/include/common.h
new file mode 100644
index 000000000000..12fab01d60f9
--- /dev/null
+++ b/tools/testing/selftests/bpf/libarena/include/common.h
@@ -0,0 +1,118 @@
+#pragma once
+
+#ifdef __BPF__
+
+/* Suppresses definition conflicts between bpf_experimental.h and vmlinux.h. */
+#define BPF_NO_KFUNC_PROTOTYPES
+#include <vmlinux.h>
+
+#include "bpf_experimental.h"
+#include "bpf_arena_common.h"
+#include "bpf_arena_spin_lock.h"
+
+#include <asm-generic/errno.h>
+
+#ifndef __BPF_FEATURE_ADDR_SPACE_CAST
+#error "Arena allocators require bpf_addr_space_cast feature"
+#endif
+
+#define arena_stdout(fmt, ...) bpf_stream_printk(1, (fmt), ##__VA_ARGS__)
+#define arena_stderr(fmt, ...) bpf_stream_printk(2, (fmt), ##__VA_ARGS__)
+
+extern volatile u64 asan_violated;
+
+#ifndef div_round_up
+#define div_round_up(a, b) (((a) + (b) - 1) / (b))
+#endif
+
+#ifndef round_up
+#define round_up(a, b) ((((a) + (b) - 1) / (b)) * b)
+#endif
+
+#ifndef __maybe_unused
+#define __maybe_unused __attribute__((__unused__))
+#endif
+
+#define private(name) SEC(".data." #name) __hidden __attribute__((aligned(8)))
+
+/* How many pages do we reserve at the beginning of the arena segment? */
+#define RESERVE_ALLOC (8)
+
+#define ARENA_PAGES (1UL << (32 - __builtin_ffs(__PAGE_SIZE) + 1))
+
+struct {
+	__uint(type, BPF_MAP_TYPE_ARENA);
+	__uint(map_flags, BPF_F_MMAPABLE);
+	__uint(max_entries, ARENA_PAGES); /* number of pages */
+#if defined(__TARGET_ARCH_arm64) || defined(__aarch64__)
+        __ulong(map_extra, (1ull << 32)); /* start of mmap() region */
+#else
+        __ulong(map_extra, (1ull << 44)); /* start of mmap() region */
+#endif
+} arena __weak SEC(".maps");
+
+#endif /* __BPF__ */
+
+struct arena_get_base_args {
+	void __arena *arena_base;
+};
+
+#ifdef __BPF__
+
+static inline
+int arena_fls(__u64 word)
+{
+	unsigned int num = 0;
+
+	if (word & 0xffffffff00000000ULL) {
+		num += 32;
+		word >>= 32;
+	}
+
+	if (word & 0xffff0000) {
+		num += 16;
+		word >>= 16;
+	}
+
+	if (word & 0xff00) {
+		num += 8;
+		word >>= 8;
+	}
+
+	if (word & 0xf0) {
+		num += 4;
+		word >>= 4;
+	}
+
+	if (word & 0xc) {
+		num += 2;
+		word >>= 2;
+	}
+
+	if (word & 0x2) {
+		num += 1;
+	}
+
+	return num;
+}
+
+/*
+ * Userspace API, required for setting up the arena 
+ * address space before starting the allocator.
+ */
+
+SEC("syscall") __weak
+int arena_get_base(struct arena_get_base_args *args)
+{
+	args->arena_base = arena_base(&arena);
+
+	return 0;
+}
+
+SEC("syscall") __weak
+int arena_alloc_reserve(void)
+{
+	return bpf_arena_reserve_pages(&arena, NULL, RESERVE_ALLOC);
+}
+
+#endif /* __BPF__ */
diff --git a/tools/testing/selftests/bpf/libarena/include/userapi.h b/tools/testing/selftests/bpf/libarena/include/userapi.h
new file mode 100644
index 000000000000..bd5e7042a44f
--- /dev/null
+++ b/tools/testing/selftests/bpf/libarena/include/userapi.h
@@ -0,0 +1,22 @@
+#pragma once
+
+/* 
+ * Header for the userspace C programs that load
+ * and initialize the BPF code.
+ */
+
+#define __arena
+
+typedef uint8_t u8;
+typedef uint16_t u16;
+typedef uint32_t u32;
+typedef uint64_t u64;
+typedef int8_t s8;
+typedef int16_t s16;
+typedef int32_t s32;
+typedef int64_t s64;
+
+/* Dummy "definition" for userspace. */
+#define arena_spinlock_t u64
+
+#include "common.h"
diff --git a/tools/testing/selftests/bpf/libarena/selftests/selftest.c b/tools/testing/selftests/bpf/libarena/selftests/selftest.c
new file mode 100644
index 000000000000..5b8d8b94323e
--- /dev/null
+++ b/tools/testing/selftests/bpf/libarena/selftests/selftest.c
@@ -0,0 +1,243 @@
+/*
+ * Copyright (c) Meta Platforms, Inc. and affiliates.
+ *
+ * This software may be used and distributed according to the terms of the
+ * GNU General Public License version 2.
+ */
+
+#define _GNU_SOURCE
+#include <assert.h>
+#include <stdio.h>
+#include <string.h>
+#include <unistd.h>
+
+#include <bpf/libbpf.h>
+#include <bpf/bpf.h>
+
+#include <sys/mman.h>
+#include <sys/resource.h>
+#include <sys/sysinfo.h>
+
+#include <userapi.h>
+
+#include "selftest.h"
+
+#include "../selftest.skel.h"
+typedef struct selftest selftest;
+
+static bool verbose = false;
+static int testno = 1;
+
+typedef int (*selftest_func)(selftest *);
+
+static int
+selftest_fd(int prog_fd, struct bpf_test_run_opts *calleropts)
+{
+	struct bpf_test_run_opts opts, *argopts;
+	char buf[1024];
+	int progret;
+	int ret;
+
+	argopts = calleropts;
+	if (!argopts) {
+		memset(&opts, 0, sizeof(opts));
+		opts.sz = sizeof(opts);
+		argopts = &opts;
+	}
+
+	ret = bpf_prog_test_run_opts(prog_fd, argopts);
+	if (ret)
+		return ret;
+
+	if (argopts->retval)
+		fprintf(stderr, "error %d in %s\n", argopts->retval, __func__);
+
+	if (verbose) {
+	printf("BPF stdout:\n");
+		while ((ret = bpf_prog_stream_read(prog_fd, 1, buf, 1024, NULL)) > 0)
+			printf("%.*s", ret, buf);
+
+		if (ret)
+			return ret;
+
+		printf("BPF stderr:\n");
+		while ((ret = bpf_prog_stream_read(prog_fd, 2, buf, 1024, NULL)) > 0)
+			printf("%.*s", ret, buf);
+	}
+
+	return argopts->retval;
+}
+
+static int
+selftest_arena_alloc_reserve(selftest *skel)
+{
+	int prog_fd;
+	int ret;
+
+	prog_fd = bpf_program__fd(skel->progs.arena_alloc_reserve);
+	if (!prog_fd)
+		return -ENOENT;
+
+	return selftest_fd(prog_fd, NULL);
+}
+
+static int
+selftest_arena_base(selftest *skel, void **arena_base)
+{
+	struct bpf_test_run_opts opts;
+	struct arena_get_base_args args;
+	u64 globals_pages;
+	int prog_fd;
+	int ret;
+
+	args = (struct arena_get_base_args) {
+		.arena_base = NULL
+	};
+
+	opts = (struct bpf_test_run_opts) {
+		.sz = sizeof(opts),
+		.ctx_in = &args,
+		.ctx_size_in = sizeof(args),
+	};
+
+	prog_fd = bpf_program__fd(skel->progs.arena_get_base);
+	assert(prog_fd >= 0 && "no program found");
+
+	ret = selftest_fd(prog_fd, &opts);
+	if (ret)
+		return ret;
+
+	*arena_base = args.arena_base;
+
+	return 0;
+}
+
+static int
+selftest_globals_pages(selftest *skel, size_t arena_all_pages, u64 *globals_pages)
+{
+	size_t pgsize = sysconf(_SC_PAGESIZE);
+	void *arena_base;
+	u64 pages;
+	u8 *vec;
+	int ret;
+	int i;
+
+	ret = selftest_arena_base(skel, &arena_base);
+	if (ret)
+		return ret;
+
+	if (!arena_base)
+		return -EINVAL;
+
+	vec = calloc(arena_all_pages, sizeof(*vec));
+	if (!vec)
+		return -ENOMEM;
+
+	if (mincore(arena_base, arena_all_pages * pgsize, vec)) {
+		perror("mincore");
+		free(vec);
+		return -1;
+	}
+
+	/* Find the first nonresident page. */
+	pages = 0;
+	for (i = arena_all_pages - 1; i >= 0; i--) {
+		if (!(vec[i] & 0x1))
+			break;
+
+		pages += 1;
+	}
+
+	free(vec);
+
+	*globals_pages = pages;
+
+	return 0;
+}
+
+static int libbpf_print_fn(enum libbpf_print_level level,
+		const char *format, va_list args)
+{
+	if (level == LIBBPF_DEBUG)
+		return 0;
+	return vfprintf(stderr, format, args);
+}
+
+int run_test(selftest *skel, const struct bpf_program *prog)
+{
+	int prog_fd;
+	int ret;
+
+	ret = selftest_arena_alloc_reserve(skel);
+	if (ret)
+		return ret;
+
+	prog_fd = bpf_program__fd(prog);
+	if (!prog_fd)
+		return -ENOENT;
+
+	return selftest_fd(prog_fd, NULL);
+}
+
+#define TEST(__test)					\
+int run_##__test(void)					\
+{							\
+	selftest *skel;					\
+	int ret;					\
+							\
+	skel = selftest__open_and_load();		\
+	if (!skel)					\
+		goto error;				\
+							\
+	ret = selftest__attach(skel);			\
+	if (ret)					\
+		goto error;				\
+							\
+	ret = run_test(skel, skel->progs.__test);	\
+	if (ret)					\
+		goto error;				\
+							\
+	selftest__destroy(skel);			\
+							\
+	printf("ok %d - %s\n", testno++, #__test);	\
+	return 0;					\
+							\
+error:							\
+	printf("not ok %d - %s\n", testno++, #__test);	\
+	return ret;					\
+}
+
+static void
+banner(const char *progpath)
+{
+	char *name = basename(progpath);
+
+	printf("=== %s ===\n", "libarena selftests");
+}
+
+int main(int argc, char *argv[])
+{
+	int ret;
+
+	struct rlimit rlim = {
+		.rlim_cur = RLIM_INFINITY,
+		.rlim_max = RLIM_INFINITY,
+	};
+
+	banner(argv[0]);
+
+	for (int i = 1; i < argc; i++) {
+		if (strcmp(argv[i], "-v") == 0 || strcmp(argv[i], "--verbose") == 0)
+			verbose = true;
+	}
+
+	ret = setrlimit(RLIMIT_MEMLOCK, &rlim);
+	if (ret) {
+		perror("setrlimit");
+		return ret;
+	}
+
+	libbpf_set_print(libbpf_print_fn);
+
+	return 0;
+}
diff --git a/tools/testing/selftests/bpf/libarena/selftests/selftest.h b/tools/testing/selftests/bpf/libarena/selftests/selftest.h
new file mode 100644
index 000000000000..6580b23355d1
--- /dev/null
+++ b/tools/testing/selftests/bpf/libarena/selftests/selftest.h
@@ -0,0 +1,17 @@
+#pragma once
+
+#define ALLOC_SELFTEST(func, ...)		\
+	do {				\
+		int ret = func(__VA_ARGS__);	\
+		if (ret) {		\
+			bpf_printk("SELFTEST %s FAIL: %d", #func, ret);	\
+			return ret;	\
+		}			\
+	} while (0)
+
+#ifndef __BPF__
+
+/* Dummy "definition" for userspace. */
+#define arena_spinlock_t u64
+
+#endif /* __BPF__ */
-- 
2.49.0

Re: [PATCH v2 05/13] selftests: bpf: Add basic libarena scaffolding

[Alexei Starovoitov]

On Tue, Jan 27, 2026 at 10:16 AM Emil Tsalapatis <emil@etsalapatis.com> wrote:
>
> From: Emil Tsalapatis <etsal@meta.com>
>
> Add initial code for an arena-based BPF library. The current commit
> introduces a test runner and Makefile for the library. Library code
> can be added just by including the source file in the library's src/
> subdirectory. Future commits will introduce the library code itself.
>
> Signed-off-by: Emil Tsalapatis (Meta) <emil@etsalapatis.com>
> ---
>  tools/testing/selftests/bpf/.gitignore        |   1 +
>  tools/testing/selftests/bpf/Makefile          |  12 +
>  tools/testing/selftests/bpf/libarena/Makefile |  47 ++++
>  .../selftests/bpf/libarena/include/common.h   | 118 +++++++++
>  .../selftests/bpf/libarena/include/userapi.h  |  22 ++
>  .../bpf/libarena/selftests/selftest.c         | 243 ++++++++++++++++++
>  .../bpf/libarena/selftests/selftest.h         |  17 ++
>  7 files changed, 460 insertions(+)
>  create mode 100644 tools/testing/selftests/bpf/libarena/Makefile
>  create mode 100644 tools/testing/selftests/bpf/libarena/include/common.h
>  create mode 100644 tools/testing/selftests/bpf/libarena/include/userapi.h
>  create mode 100644 tools/testing/selftests/bpf/libarena/selftests/selftest.c
>  create mode 100644 tools/testing/selftests/bpf/libarena/selftests/selftest.h
>
> diff --git a/tools/testing/selftests/bpf/.gitignore b/tools/testing/selftests/bpf/.gitignore
> index b8bf51b7a0b0..96b4a7e37427 100644
> --- a/tools/testing/selftests/bpf/.gitignore
> +++ b/tools/testing/selftests/bpf/.gitignore
> @@ -48,3 +48,4 @@ verification_cert.h
>  *.BTF
>  *.BTF_ids
>  *.BTF.base
> +libarena/test_libarena
> diff --git a/tools/testing/selftests/bpf/Makefile b/tools/testing/selftests/bpf/Makefile
> index 9488d076c740..49b275a7bfa1 100644
> --- a/tools/testing/selftests/bpf/Makefile
> +++ b/tools/testing/selftests/bpf/Makefile
> @@ -915,3 +915,15 @@ override define INSTALL_RULE
>                 rsync -a $(OUTPUT)/$$DIR/*.bpf.o $(INSTALL_PATH)/$$DIR;\
>         done
>  endef
> +
> +test_libarena: $(INCLUDE_DIR)/vmlinux.h $(BPFOBJ)
> +       +$(MAKE) -C libarena all \
> +               BPFTOOL="$(BPFTOOL)" \
> +               INCLUDE_DIR="$(HOST_INCLUDE_DIR)" \
> +               LIBBPF_INCLUDE="$(HOST_INCLUDE_DIR)" \
> +               BPFOBJ="$(BPFOBJ)" \
> +               LDLIBS="$(LDLIBS) -lzstd" \
> +               CLANG="$(CLANG)" \
> +               BPF_CFLAGS="$(BPF_CFLAGS) $(CLANG_CFLAGS)" \
> +               BPF_TARGET_ENDIAN="$(BPF_TARGET_ENDIAN)" \
> +               Q="$(Q)"
> diff --git a/tools/testing/selftests/bpf/libarena/Makefile b/tools/testing/selftests/bpf/libarena/Makefile
> new file mode 100644
> index 000000000000..70901bb5237f
> --- /dev/null
> +++ b/tools/testing/selftests/bpf/libarena/Makefile
> @@ -0,0 +1,47 @@
> +.PHONY: clean
> +
> +LIBARENA=$(abspath .)
> +
> +
> +LIBARENA_SOURCES = $(wildcard $(LIBARENA)/src/*.bpf.c) $(wildcard $(LIBARENA)/selftests/*.bpf.c)
> +LIBARENA_OBJECTS = $(notdir $(LIBARENA_SOURCES:.bpf.c=.bpf.o))
> +
> +INCLUDES = -I$(LIBARENA)/include -I$(LIBARENA)/..
> +ifneq ($(INCLUDE_DIR),)
> +INCLUDES += -I$(INCLUDE_DIR)
> +endif
> +ifneq ($(LIBBPF_INCLUDE),)
> +INCLUDES += -I$(LIBBPF_INCLUDE)
> +endif
> +
> +# ENABLE_ATOMICS_TESTS required because we use arena spinlocks
> +override BPF_CFLAGS += -DENABLE_ATOMICS_TESTS
> +override BPF_CFLAGS += -O2 -Wno-incompatible-pointer-types-discards-qualifiers
> +override BPF_CFLAGS += $(INCLUDES)
> +
> +CFLAGS = -O2 -no-pie
> +CFLAGS += $(INCLUDES)
> +
> +vpath %.bpf.c $(LIBARENA)/src $(LIBARENA)/selftests
> +vpath %.c $(LIBARENA)/src $(LIBARENA)/selftests
> +
> +all: test_libarena
> +
> +test_libarena: selftest.c $(BPFOBJ) selftest.skel.h
> +       $(call msg,BINARY,libarena,$@)
> +       $(Q)$(CLANG) $(LDLIBS) $(CFLAGS) $< $(BPFOBJ) -o $@
> +
> +selftest.skel.h: main.bpf.o
> +       $(call msg,GEN-SKEL,libarena,$@)
> +       $(Q)$(BPFTOOL) gen skeleton $< name "selftest" > $@
> +
> +main.bpf.o: $(LIBARENA_OBJECTS)
> +       $(call msg,GEN-OBJ,libarena,$@)
> +       $(Q)$(BPFTOOL) gen object $@ $^
> +
> +%.bpf.o: %.bpf.c
> +       $(call msg,CLNG-BPF,libarena,$@)
> +       $(Q)$(CLANG) $(BPF_CFLAGS) $(BPF_TARGET_ENDIAN) -c $< -o $@
> +
> +clean:
> +       $(Q)rm -f *.skel.h *.bpf.o test_libarena
> diff --git a/tools/testing/selftests/bpf/libarena/include/common.h b/tools/testing/selftests/bpf/libarena/include/common.h
> new file mode 100644
> index 000000000000..12fab01d60f9
> --- /dev/null
> +++ b/tools/testing/selftests/bpf/libarena/include/common.h
> @@ -0,0 +1,118 @@
> +#pragma once

Make sure there is SPDX and copyright in all new files.

> +
> +#ifdef __BPF__
> +
> +/* Suppresses definition conflicts between bpf_experimental.h and vmlinux.h. */
> +#define BPF_NO_KFUNC_PROTOTYPES

That makes little sense to me.
bpf_experimental.h already includes vmlinux.h
There are no conflicts.

> +#include <vmlinux.h>
> +
> +#include "bpf_experimental.h"

pw-bot: cr

Re: [PATCH v2 05/13] selftests: bpf: Add basic libarena scaffolding

[Kumar Kartikeya Dwivedi]

On Tue, 27 Jan 2026 at 19:16, Emil Tsalapatis <emil@etsalapatis.com> wrote:
>
> From: Emil Tsalapatis <etsal@meta.com>
>
> Add initial code for an arena-based BPF library. The current commit
> introduces a test runner and Makefile for the library. Library code
> can be added just by including the source file in the library's src/
> subdirectory. Future commits will introduce the library code itself.
>
> Signed-off-by: Emil Tsalapatis (Meta) <emil@etsalapatis.com>
> ---

I tried running the tests, but didn't see any splat in BPF stdout or stderr.
Based on the tests I expected to see something.
Not sure whether I am doing something wrong (I'm using clang from LLVM tip).

I am also wondering whether having this separate runner is the right way to go.
Instead, we should be testing properly whether ASAN splat is generated
like stream stack traces are tested.
So it would make more sense to integrate the selftests for all
allocators in test_progs infra (and use regex in __stdout/__stderr
tags).
You can adjust the makefile to only compile asan variants for specific tests.

Also, throughout tests, some errors or assertions are emitted through
bpf_printk. It would probably be better to emit everything in streams.

>  [...]

[PATCH v2 06/13] selftests: bpf: Add arena ASAN runtime to libarena

[Emil Tsalapatis]

From: Emil Tsalapatis <etsal@meta.com>

Add an address sanitizer (ASAN) runtime to the arena library. The
ASAN runtime implements the functions injected into BPF binaries
by LLVM sanitization is supported and enabled.

The runtime also includes functions called explicitly by memory
allocation code to mark memory as poisoned/unpoisoned to ASAN.
This code is a no-op when sanitization is turned off.

Signed-off-by: Emil Tsalapatis (Meta) <emil@etsalapatis.com>
---
 tools/testing/selftests/bpf/.gitignore        |   1 +
 .../selftests/bpf/libarena/include/asan.h     | 133 +++++
 .../selftests/bpf/libarena/src/asan.bpf.c     | 463 ++++++++++++++++++
 3 files changed, 597 insertions(+)
 create mode 100644 tools/testing/selftests/bpf/libarena/include/asan.h
 create mode 100644 tools/testing/selftests/bpf/libarena/src/asan.bpf.c

diff --git a/tools/testing/selftests/bpf/.gitignore b/tools/testing/selftests/bpf/.gitignore
index 96b4a7e37427..3d176d3b2cc1 100644
--- a/tools/testing/selftests/bpf/.gitignore
+++ b/tools/testing/selftests/bpf/.gitignore
@@ -49,3 +49,4 @@ verification_cert.h
 *.BTF_ids
 *.BTF.base
 libarena/test_libarena
+libarena/test_libarena_asan
diff --git a/tools/testing/selftests/bpf/libarena/include/asan.h b/tools/testing/selftests/bpf/libarena/include/asan.h
new file mode 100644
index 000000000000..be50b23fb491
--- /dev/null
+++ b/tools/testing/selftests/bpf/libarena/include/asan.h
@@ -0,0 +1,133 @@
+#pragma once
+
+struct asan_init_args {
+	u64 arena_all_pages;
+	u64 arena_globals_pages;
+};
+
+int asan_init(struct asan_init_args *args);
+
+/* Parameters usable by userspace. */
+extern volatile u64 __asan_shadow_memory_dynamic_address;
+extern volatile bool asan_reported;
+extern volatile bool asan_inited;
+extern volatile bool asan_report_once;
+extern volatile bool asan_emit_stack;
+
+#ifdef __BPF__
+
+#define ASAN_SHADOW_SHIFT 3
+#define ASAN_SHADOW_SCALE (1ULL << ASAN_SHADOW_SHIFT)
+#define ASAN_GRANULE_MASK ((1ULL << ASAN_SHADOW_SHIFT) - 1)
+#define ASAN_GRANULE(addr) ((s8)((u32)(u64)((addr)) & ASAN_GRANULE_MASK))
+
+#define __noasan __attribute__((no_sanitize("address"))) 
+
+#ifdef BPF_ARENA_ASAN
+
+/* 
+ * Defined as char * to get 1-byte granularity for pointer arithmetic.
+ */
+typedef s8 __arena s8a;
+
+/*
+ * Address to shadow map translation.
+ */
+static inline 
+s8a *mem_to_shadow(void __arena __arg_arena *addr)
+{
+	return (s8a *)(((u32)(u64)addr >> ASAN_SHADOW_SHIFT) + __asan_shadow_memory_dynamic_address);
+}
+
+/*
+ * Helper for directly reading the shadow map.
+ */
+static inline __noasan
+s8 asan_shadow_value(void __arena __arg_arena *addr) 
+{
+	return *(s8a *)mem_to_shadow(addr);
+}
+
+__weak __noasan
+bool asan_ready(void)
+{
+	return __asan_shadow_memory_dynamic_address;
+}
+
+/*
+ * Shadow map manipulation helpers.
+ */
+int asan_poison(void __arena *addr, s8 val, size_t size);
+int asan_unpoison(void __arena *addr, size_t size);
+bool asan_shadow_set(void __arena *addr);
+s8 asan_shadow_value(void __arena *addr);
+
+/*
+ * Dummy calls to ensure the ASAN runtime's BTF information is present
+ * in every object file when compiling the runtime and local BPF code
+ * separately. The runtime calls are injected into the LLVM IR file 
+ */
+#define DECLARE_ASAN_LOAD_STORE_SIZE(size)				\
+	void __asan_store##size(void *addr);				\
+	void __asan_store##size##_noabort(void *addr);	\
+	void __asan_load##size(void *addr);				\
+	void __asan_load##size##_noabort(void *addr);	\
+	void __asan_report_store##size(void *addr);			\
+	void __asan_report_store##size##_noabort(void *addr);		\
+	void __asan_report_load##size(void *addr);			\
+	void __asan_report_load##size##_noabort(void *addr);		
+
+DECLARE_ASAN_LOAD_STORE_SIZE(1);
+DECLARE_ASAN_LOAD_STORE_SIZE(2);
+DECLARE_ASAN_LOAD_STORE_SIZE(4);
+DECLARE_ASAN_LOAD_STORE_SIZE(8);
+
+#define DECLARE_ASAN_LOAD_STORE(size)				\
+	void __asan_store##size(void *addr);			\
+	void __asan_store##size##_noabort(void *addr);		\
+	void __asan_load##size(void *addr);			\
+	void __asan_load##size##_noabort(void *addr);		\
+	void __asan_report_store##size(void *addr);		\
+	void __asan_report_store##size##_noabort(void *addr);	\
+	void __asan_report_load##size(void *addr);		\
+	void __asan_report_load##size##_noabort(void *addr);		
+
+#define ASAN_DUMMY_CALLS_SIZE(size, arg)		\
+do {							\
+	__asan_store##size((arg));			\
+	__asan_store##size##_noabort((arg));		\
+	__asan_load##size((arg));			\
+	__asan_load##size##_noabort((arg));		\
+	__asan_report_store##size((arg));		\
+	__asan_report_store##size##_noabort((arg));	\
+	__asan_report_load##size((arg));		\
+	__asan_report_load##size##_noabort((arg));	\
+} while (0)	
+
+#define ASAN_DUMMY_CALLS_ALL(arg)	\
+do { 					\
+	ASAN_DUMMY_CALLS_SIZE(1, (arg));	\
+	ASAN_DUMMY_CALLS_SIZE(2, (arg));	\
+	ASAN_DUMMY_CALLS_SIZE(4, (arg));	\
+	ASAN_DUMMY_CALLS_SIZE(8, (arg));	\
+} while (0)
+
+__weak __attribute__((no_sanitize_address))
+int asan_dummy_call() {
+	/* Use the shadow map base to prevent it from being optimized out. */
+	if (__asan_shadow_memory_dynamic_address) 
+		ASAN_DUMMY_CALLS_ALL(NULL);
+
+	return 0;
+}
+#else /* BPF_ARENA_ASAN */
+
+static inline int asan_poison(void __arena *addr, s8 val, size_t size) { return 0; }
+static inline int asan_unpoison(void __arena *addr, size_t size) { return 0; }
+static inline bool asan_shadow_set(void __arena *addr) { return 0; }
+static inline s8 asan_shadow_value(void __arena *addr) { return 0; }
+__weak bool asan_ready(void) { return true; }
+
+#endif /* BPF_ARENA_ASAN */
+
+#endif /* __BPF__ */
diff --git a/tools/testing/selftests/bpf/libarena/src/asan.bpf.c b/tools/testing/selftests/bpf/libarena/src/asan.bpf.c
new file mode 100644
index 000000000000..34b62c6e0aae
--- /dev/null
+++ b/tools/testing/selftests/bpf/libarena/src/asan.bpf.c
@@ -0,0 +1,463 @@
+/*
+ * SPDX-License-Identifier: GPL-2.0
+ * Copyright (c) 2024-2025 Meta Platforms, Inc. and affiliates.
+ * Copyright (c) 2024-2025 Emil Tsalapatis <etsal@meta.com>
+ */
+#include <common.h>
+#include <asan.h>
+
+#ifdef BPF_ARENA_ASAN
+
+#pragma clang attribute push(__attribute__((no_sanitize("address"))), \
+			     apply_to = function)
+
+#define SHADOW_ALL_ZEROES ((u64)-1)
+
+/*
+ * Canary variable for ASAN violations. Set to the offending address.
+ */
+volatile u64 asan_violated = 0;
+
+/*
+ * Shadow map occupancy map.
+ */
+volatile u64 __asan_shadow_memory_dynamic_address;
+
+volatile bool asan_reported = false;
+volatile bool asan_inited = false;
+
+/*
+ * Set during program load.
+ */
+volatile bool asan_report_once = false;
+volatile bool asan_emit_stack = false;
+
+/*
+ * BPF does not currently support the memset/memcpy/memcmp intrinsics.
+ */
+__always_inline int asan_memset(s8a __arg_arena *dst, s8 val, size_t size)
+{
+	int i;
+
+	/*
+	 * Switching this to a may_goto confuses the verifier and
+	 * prevents verification on bpf-next as of late December 2025.
+	 */
+	bpf_for(i, 0, size) {
+		dst[i] = val;
+	}
+
+	return 0;
+}
+
+/* Validate a 1-byte access, always within a single byte. */
+static __always_inline bool memory_is_poisoned_1(s8a *addr)
+{
+	s8 shadow_value = asan_shadow_value(addr);
+
+	/* Byte is 0, access is valid. */
+	if (likely(!shadow_value))
+		return false;
+
+	/* 
+	 * Byte is non-zero. Access is valid if granule offset in [0, shadow_value),
+	 * so the memory is poisoned if shadow_value is negative or smaller than
+	 * the granule's value.
+	 */
+
+	return ASAN_GRANULE(addr) >= shadow_value;
+}
+
+/* Validate a 2- 4-, 8-byte access, spans up to 2 bytes. */
+static __always_inline bool memory_is_poisoned_2_4_8(s8a *addr, u64 size)
+{
+	u64 end = (u64)addr + size - 1;
+
+	/*
+	 * Region fully within a single byte (addition didn't
+	 * overflow above ASAN_GRANULE).
+	 */
+	if (likely(ASAN_GRANULE(end) >= size - 1))
+		return memory_is_poisoned_1((s8a *)end);
+
+	/*
+	 * Otherwise first byte must be fully unpoisoned, and second byte
+	 * must be unpoisoned up to the end of the accessed region.
+	 */
+
+	return asan_shadow_value(addr) || memory_is_poisoned_1((s8a *)end);
+}
+
+/*
+ * Explicit ASAN check.
+ */
+__weak bool asan_shadow_set(void __arena __arg_arena *addr)
+{
+	return memory_is_poisoned_1(addr);
+}
+
+static __always_inline u64 first_nonzero_byte(u64 addr, size_t size)
+{
+	while (size && can_loop) {
+		if (unlikely(*(s8a *)addr))
+			return addr;
+		addr += 1;
+		size -= 1;
+	}
+
+	return SHADOW_ALL_ZEROES;
+}
+
+static __always_inline bool memory_is_poisoned_n(s8a *addr, u64 size)
+{
+	u64 ret;
+	u64 start;
+	u64 end;
+
+	/* Size of [start, end] is end - start + 1. */
+	start = (u64)mem_to_shadow(addr);
+	end = (u64)mem_to_shadow(addr + size - 1);
+
+	ret = first_nonzero_byte(start, (end - start) + 1);
+	if (likely(ret == SHADOW_ALL_ZEROES))
+		return false;
+
+	return __builtin_expect(ret != end || ASAN_GRANULE(addr + size - 1) >=
+						      *(s8a *)end, false);
+}
+
+static __always_inline int asan_report(s8a __arg_arena *addr, size_t sz,
+				       bool write)
+{
+	/* Only report the first ASAN violation. */
+	if (asan_reported && asan_report_once)
+		return 0;
+
+	asan_reported = true;
+
+	asan_violated = (u64)addr;
+
+	if (asan_emit_stack) {
+		arena_stderr("Memory violation for address %p (0x%lx) for %s of size %ld",
+				addr, (u64)addr, write ? "write" : "read", sz);
+		bpf_stream_print_stack();
+	}
+
+	return 0;
+}
+
+static __always_inline bool check_asan_args(s8a *addr, size_t size,
+					    bool *result)
+{
+	bool valid = true;
+
+	/* Size 0 accesses are valid even if the address is invalid. */
+	if (unlikely(size == 0))
+		goto confirmed_valid;
+
+	/*
+	 * Wraparound is possible for extremely high size. Possible if the size
+	 * is a misinterpreted negative number.
+	 */
+	if (unlikely(addr + size < addr))
+		goto confirmed_invalid;
+
+	return false;
+
+confirmed_invalid:
+	valid = false;
+
+	/* FALLTHROUGH */
+confirmed_valid:
+	*result = valid;
+
+	return true;
+}
+
+static __always_inline bool check_region_inline(void *ptr, size_t size,
+						bool write)
+{
+	s8a *addr = (s8a *)(u64)ptr;
+	bool is_poisoned, is_valid;
+
+	if (check_asan_args(addr, size, &is_valid)) {
+		if (!is_valid)
+			asan_report(addr, size, write);
+		return is_valid;
+	}
+
+	switch (size) {
+	case 1:
+		is_poisoned = memory_is_poisoned_1(addr);
+		break;
+	case 2:
+	case 4:
+	case 8:
+		is_poisoned = memory_is_poisoned_2_4_8(addr, size);
+		break;
+	default:
+		is_poisoned = memory_is_poisoned_n(addr, size);
+	}
+
+	if (is_poisoned) {
+		asan_report(addr, size, write);
+		return false;
+	}
+
+	return true;
+}
+
+/*
+ * __alias is not supported for BPF so define *__noabort() variants as wrappers.
+ */
+#define DEFINE_ASAN_LOAD_STORE(size)                                           \
+	__hidden void __asan_store##size(void *addr)                           \
+	{                                                                      \
+		check_region_inline(addr, size, true);                         \
+	}                                                                      \
+	__hidden void __always_inline __asan_store##size##_noabort(void *addr) \
+	{                                                                      \
+		check_region_inline(addr, size, true);                         \
+	}                                                                      \
+	__hidden void __asan_load##size(void *addr)                            \
+	{                                                                      \
+		check_region_inline(addr, size, false);                        \
+	}                                                                      \
+	__hidden void __asan_load##size##_noabort(void *addr)                  \
+	{                                                                      \
+		check_region_inline(addr, size, false);                        \
+	}                                                                      \
+	__hidden void __asan_report_store##size(void *addr)                    \
+	{                                                                      \
+		asan_report((s8a *)addr, size, true);                          \
+	}                                                                      \
+	__hidden void __asan_report_store##size##_noabort(void *addr)          \
+	{                                                                      \
+		asan_report((s8a *)addr, size, true);                          \
+	}                                                                      \
+	__hidden void __asan_report_load##size(void *addr)                     \
+	{                                                                      \
+		asan_report((s8a *)addr, size, false);                         \
+	}                                                                      \
+	__hidden void __asan_report_load##size##_noabort(void *addr)           \
+	{                                                                      \
+		asan_report((s8a *)addr, size, false);                         \
+	}
+
+DEFINE_ASAN_LOAD_STORE(1);
+DEFINE_ASAN_LOAD_STORE(2);
+DEFINE_ASAN_LOAD_STORE(4);
+DEFINE_ASAN_LOAD_STORE(8);
+
+void __asan_storeN(void *addr, ssize_t size)
+{
+	check_region_inline(addr, size, true);
+}
+
+void __asan_loadN(void *addr, ssize_t size)
+{
+	check_region_inline(addr, size, false);
+}
+
+/*
+ * We currently do not sanitize globals.
+ */
+void __asan_register_globals(void *globals, size_t n)
+{
+}
+
+void __asan_unregister_globals(void *globals, size_t n)
+{
+}
+
+/*
+ * We do not currently have memcpy/memmove/memset intrinsics
+ * in LLVM. Do not implement sanitization.
+ */
+void *__asan_memcpy(void *d, const void *s, size_t n)
+{
+	return NULL;
+}
+
+void *__asan_memmove(void *d, const void *s, size_t n)
+{
+	return NULL;
+}
+
+void *__asan_memset(void *p, int c, size_t n)
+{
+	return NULL;
+}
+
+/*
+ * Poisoning code, used when we add more freed memory to the allocator by:
+ * 	a) pulling memory from the arena segment using bpf_arena_alloc_pages()
+ * 	b) freeing memory from application code
+ */
+__hidden __noasan int asan_poison(void __arena *addr, s8 val, size_t size)
+{
+	s8a *shadow;
+	size_t len;
+
+	/*
+	 * Poisoning from a non-granule address makes no sense: We can only allocate
+	 * memory to the application that with a granule-aligned starting address,
+	 * and bpf_arena_alloc_pages returns page-aligned memory. A non-aligned
+	 * addr then implies we're freeing a different address than the one we
+	 * allocated.
+	 */
+	if (unlikely((u64)addr & ASAN_GRANULE_MASK))
+		return -EINVAL;
+
+	/*
+	 * We cannot free an unaligned region because it'd be possible that we
+	 * cannot describe the resulting poisoning state of the granule in 
+	 * the ASAN encoding.
+	 *
+	 * Every granule represents a region of memory that looks like the
+	 * following (P for poisoned bytes, C for clear):
+	 *
+	 * <Clear>  <Poisoned>
+	 * [ C C C ... P P ]
+	 *
+	 * The value of the granule's shadow map is the number of clear bytes in
+	 * it. We cannot represent granules with the following state:
+	 *
+	 * [ P P ... C C ... P P ]
+	 *
+	 * That would be possible if we could free unaligned regions, so prevent that.
+	 * 
+	 */
+	if (unlikely(size & ASAN_GRANULE_MASK))
+		return -EINVAL;
+
+	shadow = mem_to_shadow(addr);
+	len = size >> ASAN_SHADOW_SHIFT;
+
+	asan_memset(shadow, val, len);
+
+	return 0;
+}
+
+/*
+ * Unpoisoning code for marking memory as valid during allocation calls.
+ *
+ * Very similar to asan_poison, except we need to round up instead of
+ * down, the partially poison the last granule if necessary.
+ *
+ * Partial poisoning is useful for keeping the padding poisoned. Allocations
+ * are granule-aligned, so we we're reserving granule-aligned sizes for the
+ * allocation. However, we want to still treat accesses to the padding as 
+ * invalid. Partial poisoning takes care of that. Freeing and poisoning the
+ * memory is still done in granule-aligned sizes and repoisons the already
+ * poisoned padding.
+ */
+__hidden __noasan int asan_unpoison(void __arena *addr, size_t size)
+{
+	size_t partial = size & ASAN_GRANULE_MASK;
+	s8a *shadow;
+	size_t len;
+
+	/*
+	 * We cannot allocate in the middle of the granule. The ASAN shadow
+	 * map encoding only describes regions of memory where every granule
+	 * follows this format (P for poisoned, C for clear):
+	 *
+	 * <Clear>  <Poisoned>
+	 * [ C C C ... P P ]
+	 *
+	 * This is so we can use a single number in [0, ASAN_SHADOW_SCALE)
+	 * to represent the poison state of the granule.
+	 */
+	if (unlikely((u64)addr & ASAN_GRANULE_MASK))
+		return -EINVAL;
+
+	shadow = mem_to_shadow(addr);
+	len = size >> ASAN_SHADOW_SHIFT;
+
+	asan_memset(shadow, 0, len);
+
+	/* 
+	 * If we are allocating a non-granule aligned region, we need to adjust
+	 * the last byte of the shadow map to list how many bytes in the granule
+	 * are unpoisoned. If the region is aligned, then the memset call above
+	 * was enough.
+	 */
+	if (partial)
+		shadow[len] = partial;
+
+	return 0;
+}
+
+/*
+ * Initialize ASAN state when necessary. Triggered from userspace before
+ * allocator startup.
+ */
+SEC("syscall")
+__hidden __noasan int asan_init(struct asan_init_args *args)
+{
+	u64 globals_pages = args->arena_globals_pages;
+	u64 all_pages = args->arena_all_pages;
+	u64 shadowmap, shadow_pgoff;
+	u64 shadow_pages;
+
+	if (asan_inited)
+		return 0;
+
+	/* 
+	 * Round up the shadow map size to the nearest page.
+	 */
+	shadow_pages = all_pages >> ASAN_SHADOW_SHIFT;
+	if ((all_pages & ((1 << ASAN_SHADOW_SHIFT) -1 )))
+		shadow_pages += 1;
+
+	/*
+	 * Make sure the numbers provided by userspace are sane.
+	 */
+	if (all_pages > (1ULL << 32) / __PAGE_SIZE) {
+		bpf_printk("error: arena size %lx too large", all_pages);
+		return -EINVAL;
+	}
+
+	if (globals_pages > all_pages) {
+		bpf_printk("error: globals %lx do not fit in arena %lx", globals_pages, all_pages);
+		return -EINVAL;
+	}
+
+	if (globals_pages + shadow_pages > all_pages) {
+		bpf_printk("error: globals %lx do not leave room for shadow map %lx (arena pages %lx)",
+			globals_pages, shadow_pages, all_pages);
+		return -EINVAL;
+	}
+
+	shadow_pgoff = all_pages - shadow_pages - globals_pages;
+	__asan_shadow_memory_dynamic_address = shadow_pgoff * __PAGE_SIZE;
+
+	/* 
+	 * Allocate the last (1/ASAN_GRANULE_SIZE)th of an arena's pages for the map
+	 * We find the offset and size from the arena map.
+	 *
+	 * The allocated map pages are zeroed out, meaning all memory is marked as valid
+	 * even if it's not allocated already. This is expected: Since the actual memory
+	 * pages are not allocated, accesses to it will trigger page faults and will be
+	 * reported through BPF streams. Any pages allocated through bpf_arena_alloc_pages
+	 * should be poisoned by the allocator right after the call succeeds.
+	 */
+	shadowmap = (u64)bpf_arena_alloc_pages(
+		&arena, (void __arena *)__asan_shadow_memory_dynamic_address,
+		shadow_pages, NUMA_NO_NODE, 0);
+	if (!shadowmap) {
+		arena_stderr("Could not allocate shadow map\n");
+		return -ENOMEM;
+	}
+
+	asan_inited = true;
+
+	return 0;
+}
+
+#pragma clang attribute pop
+
+#endif /* BPF_ARENA_ASAN */
+
+__weak char _license[] SEC("license") = "GPL";
-- 
2.49.0

Re: [PATCH v2 06/13] selftests: bpf: Add arena ASAN runtime to libarena

[Alexei Starovoitov]

On Tue, Jan 27, 2026 at 10:16 AM Emil Tsalapatis <emil@etsalapatis.com> wrote:
>
> From: Emil Tsalapatis <etsal@meta.com>
>
> Add an address sanitizer (ASAN) runtime to the arena library. The
> ASAN runtime implements the functions injected into BPF binaries
> by LLVM sanitization is supported and enabled.
>
> The runtime also includes functions called explicitly by memory
> allocation code to mark memory as poisoned/unpoisoned to ASAN.
> This code is a no-op when sanitization is turned off.
>
> Signed-off-by: Emil Tsalapatis (Meta) <emil@etsalapatis.com>
> ---
>  tools/testing/selftests/bpf/.gitignore        |   1 +
>  .../selftests/bpf/libarena/include/asan.h     | 133 +++++
>  .../selftests/bpf/libarena/src/asan.bpf.c     | 463 ++++++++++++++++++
>  3 files changed, 597 insertions(+)
>  create mode 100644 tools/testing/selftests/bpf/libarena/include/asan.h
>  create mode 100644 tools/testing/selftests/bpf/libarena/src/asan.bpf.c
>
> diff --git a/tools/testing/selftests/bpf/.gitignore b/tools/testing/selftests/bpf/.gitignore
> index 96b4a7e37427..3d176d3b2cc1 100644
> --- a/tools/testing/selftests/bpf/.gitignore
> +++ b/tools/testing/selftests/bpf/.gitignore
> @@ -49,3 +49,4 @@ verification_cert.h
>  *.BTF_ids
>  *.BTF.base
>  libarena/test_libarena
> +libarena/test_libarena_asan
> diff --git a/tools/testing/selftests/bpf/libarena/include/asan.h b/tools/testing/selftests/bpf/libarena/include/asan.h
> new file mode 100644
> index 000000000000..be50b23fb491
> --- /dev/null
> +++ b/tools/testing/selftests/bpf/libarena/include/asan.h
> @@ -0,0 +1,133 @@
> +#pragma once
> +
> +struct asan_init_args {
> +       u64 arena_all_pages;
> +       u64 arena_globals_pages;
> +};
> +
> +int asan_init(struct asan_init_args *args);
> +
> +/* Parameters usable by userspace. */
> +extern volatile u64 __asan_shadow_memory_dynamic_address;
> +extern volatile bool asan_reported;
> +extern volatile bool asan_inited;
> +extern volatile bool asan_report_once;
> +extern volatile bool asan_emit_stack;
> +
> +#ifdef __BPF__
> +
> +#define ASAN_SHADOW_SHIFT 3
> +#define ASAN_SHADOW_SCALE (1ULL << ASAN_SHADOW_SHIFT)
> +#define ASAN_GRANULE_MASK ((1ULL << ASAN_SHADOW_SHIFT) - 1)
> +#define ASAN_GRANULE(addr) ((s8)((u32)(u64)((addr)) & ASAN_GRANULE_MASK))
> +
> +#define __noasan __attribute__((no_sanitize("address")))
> +
> +#ifdef BPF_ARENA_ASAN
> +
> +/*
> + * Defined as char * to get 1-byte granularity for pointer arithmetic.
> + */
> +typedef s8 __arena s8a;
> +
> +/*
> + * Address to shadow map translation.
> + */
> +static inline
> +s8a *mem_to_shadow(void __arena __arg_arena *addr)
> +{
> +       return (s8a *)(((u32)(u64)addr >> ASAN_SHADOW_SHIFT) + __asan_shadow_memory_dynamic_address);
> +}
> +
> +/*
> + * Helper for directly reading the shadow map.
> + */
> +static inline __noasan
> +s8 asan_shadow_value(void __arena __arg_arena *addr)
> +{
> +       return *(s8a *)mem_to_shadow(addr);
> +}
> +
> +__weak __noasan
> +bool asan_ready(void)
> +{
> +       return __asan_shadow_memory_dynamic_address;
> +}
> +
> +/*
> + * Shadow map manipulation helpers.
> + */
> +int asan_poison(void __arena *addr, s8 val, size_t size);
> +int asan_unpoison(void __arena *addr, size_t size);
> +bool asan_shadow_set(void __arena *addr);
> +s8 asan_shadow_value(void __arena *addr);
> +
> +/*
> + * Dummy calls to ensure the ASAN runtime's BTF information is present
> + * in every object file when compiling the runtime and local BPF code
> + * separately. The runtime calls are injected into the LLVM IR file
> + */
> +#define DECLARE_ASAN_LOAD_STORE_SIZE(size)                             \
> +       void __asan_store##size(void *addr);                            \
> +       void __asan_store##size##_noabort(void *addr);  \
> +       void __asan_load##size(void *addr);                             \
> +       void __asan_load##size##_noabort(void *addr);   \
> +       void __asan_report_store##size(void *addr);                     \
> +       void __asan_report_store##size##_noabort(void *addr);           \
> +       void __asan_report_load##size(void *addr);                      \
> +       void __asan_report_load##size##_noabort(void *addr);
> +
> +DECLARE_ASAN_LOAD_STORE_SIZE(1);
> +DECLARE_ASAN_LOAD_STORE_SIZE(2);
> +DECLARE_ASAN_LOAD_STORE_SIZE(4);
> +DECLARE_ASAN_LOAD_STORE_SIZE(8);
> +
> +#define DECLARE_ASAN_LOAD_STORE(size)                          \
> +       void __asan_store##size(void *addr);                    \
> +       void __asan_store##size##_noabort(void *addr);          \
> +       void __asan_load##size(void *addr);                     \
> +       void __asan_load##size##_noabort(void *addr);           \
> +       void __asan_report_store##size(void *addr);             \
> +       void __asan_report_store##size##_noabort(void *addr);   \
> +       void __asan_report_load##size(void *addr);              \
> +       void __asan_report_load##size##_noabort(void *addr);
> +
> +#define ASAN_DUMMY_CALLS_SIZE(size, arg)               \
> +do {                                                   \
> +       __asan_store##size((arg));                      \
> +       __asan_store##size##_noabort((arg));            \
> +       __asan_load##size((arg));                       \
> +       __asan_load##size##_noabort((arg));             \
> +       __asan_report_store##size((arg));               \
> +       __asan_report_store##size##_noabort((arg));     \
> +       __asan_report_load##size((arg));                \
> +       __asan_report_load##size##_noabort((arg));      \
> +} while (0)
> +
> +#define ASAN_DUMMY_CALLS_ALL(arg)      \
> +do {                                   \
> +       ASAN_DUMMY_CALLS_SIZE(1, (arg));        \
> +       ASAN_DUMMY_CALLS_SIZE(2, (arg));        \
> +       ASAN_DUMMY_CALLS_SIZE(4, (arg));        \
> +       ASAN_DUMMY_CALLS_SIZE(8, (arg));        \
> +} while (0)
> +
> +__weak __attribute__((no_sanitize_address))
> +int asan_dummy_call() {
> +       /* Use the shadow map base to prevent it from being optimized out. */
> +       if (__asan_shadow_memory_dynamic_address)
> +               ASAN_DUMMY_CALLS_ALL(NULL);
> +
> +       return 0;
> +}
> +#else /* BPF_ARENA_ASAN */
> +
> +static inline int asan_poison(void __arena *addr, s8 val, size_t size) { return 0; }
> +static inline int asan_unpoison(void __arena *addr, size_t size) { return 0; }
> +static inline bool asan_shadow_set(void __arena *addr) { return 0; }
> +static inline s8 asan_shadow_value(void __arena *addr) { return 0; }
> +__weak bool asan_ready(void) { return true; }
> +
> +#endif /* BPF_ARENA_ASAN */
> +
> +#endif /* __BPF__ */
> diff --git a/tools/testing/selftests/bpf/libarena/src/asan.bpf.c b/tools/testing/selftests/bpf/libarena/src/asan.bpf.c
> new file mode 100644
> index 000000000000..34b62c6e0aae
> --- /dev/null
> +++ b/tools/testing/selftests/bpf/libarena/src/asan.bpf.c
> @@ -0,0 +1,463 @@
> +/*
> + * SPDX-License-Identifier: GPL-2.0
> + * Copyright (c) 2024-2025 Meta Platforms, Inc. and affiliates.
> + * Copyright (c) 2024-2025 Emil Tsalapatis <etsal@meta.com>
> + */
> +#include <common.h>
> +#include <asan.h>
> +
> +#ifdef BPF_ARENA_ASAN
> +
> +#pragma clang attribute push(__attribute__((no_sanitize("address"))), \
> +                            apply_to = function)
> +
> +#define SHADOW_ALL_ZEROES ((u64)-1)
> +
> +/*
> + * Canary variable for ASAN violations. Set to the offending address.
> + */
> +volatile u64 asan_violated = 0;
> +
> +/*
> + * Shadow map occupancy map.
> + */
> +volatile u64 __asan_shadow_memory_dynamic_address;
> +
> +volatile bool asan_reported = false;
> +volatile bool asan_inited = false;
> +
> +/*
> + * Set during program load.
> + */
> +volatile bool asan_report_once = false;
> +volatile bool asan_emit_stack = false;
> +
> +/*
> + * BPF does not currently support the memset/memcpy/memcmp intrinsics.
> + */
> +__always_inline int asan_memset(s8a __arg_arena *dst, s8 val, size_t size)
> +{
> +       int i;
> +
> +       /*
> +        * Switching this to a may_goto confuses the verifier and
> +        * prevents verification on bpf-next as of late December 2025.
> +        */
> +       bpf_for(i, 0, size) {
> +               dst[i] = val;
> +       }

Have you tried
int zero = 0;
for (int i = zero; i < size; i++)

like existing arena selftest do?

> +       return 0;
> +}
> +
> +/* Validate a 1-byte access, always within a single byte. */
> +static __always_inline bool memory_is_poisoned_1(s8a *addr)
> +{
> +       s8 shadow_value = asan_shadow_value(addr);
> +
> +       /* Byte is 0, access is valid. */
> +       if (likely(!shadow_value))
> +               return false;
> +
> +       /*
> +        * Byte is non-zero. Access is valid if granule offset in [0, shadow_value),
> +        * so the memory is poisoned if shadow_value is negative or smaller than
> +        * the granule's value.
> +        */
> +
> +       return ASAN_GRANULE(addr) >= shadow_value;
> +}
> +
> +/* Validate a 2- 4-, 8-byte access, spans up to 2 bytes. */
> +static __always_inline bool memory_is_poisoned_2_4_8(s8a *addr, u64 size)
> +{
> +       u64 end = (u64)addr + size - 1;
> +
> +       /*
> +        * Region fully within a single byte (addition didn't
> +        * overflow above ASAN_GRANULE).
> +        */
> +       if (likely(ASAN_GRANULE(end) >= size - 1))
> +               return memory_is_poisoned_1((s8a *)end);
> +
> +       /*
> +        * Otherwise first byte must be fully unpoisoned, and second byte
> +        * must be unpoisoned up to the end of the accessed region.
> +        */
> +
> +       return asan_shadow_value(addr) || memory_is_poisoned_1((s8a *)end);
> +}
> +
> +/*
> + * Explicit ASAN check.
> + */
> +__weak bool asan_shadow_set(void __arena __arg_arena *addr)
> +{
> +       return memory_is_poisoned_1(addr);
> +}
> +
> +static __always_inline u64 first_nonzero_byte(u64 addr, size_t size)
> +{

I'd think this one and asan_report() can weak noinline instead
to reduce the load on the verifier.
Have you tried making some of them global?

> +       while (size && can_loop) {
> +               if (unlikely(*(s8a *)addr))
> +                       return addr;
> +               addr += 1;
> +               size -= 1;
> +       }
> +
> +       return SHADOW_ALL_ZEROES;
> +}
> +
> +static __always_inline bool memory_is_poisoned_n(s8a *addr, u64 size)
> +{
> +       u64 ret;
> +       u64 start;
> +       u64 end;
> +
> +       /* Size of [start, end] is end - start + 1. */
> +       start = (u64)mem_to_shadow(addr);
> +       end = (u64)mem_to_shadow(addr + size - 1);
> +
> +       ret = first_nonzero_byte(start, (end - start) + 1);
> +       if (likely(ret == SHADOW_ALL_ZEROES))
> +               return false;
> +
> +       return __builtin_expect(ret != end || ASAN_GRANULE(addr + size - 1) >=
> +                                                     *(s8a *)end, false);

that's the same as unlikely(), right? Why open code?

> +
> +static __always_inline int asan_report(s8a __arg_arena *addr, size_t sz,
> +                                      bool write)
> +{
> +       /* Only report the first ASAN violation. */
> +       if (asan_reported && asan_report_once)
> +               return 0;
> +
> +       asan_reported = true;
> +
> +       asan_violated = (u64)addr;
> +
> +       if (asan_emit_stack) {
> +               arena_stderr("Memory violation for address %p (0x%lx) for %s of size %ld",
> +                               addr, (u64)addr, write ? "write" : "read", sz);
> +               bpf_stream_print_stack();
> +       }
> +
> +       return 0;
> +}
> +
> +static __always_inline bool check_asan_args(s8a *addr, size_t size,
> +                                           bool *result)
> +{
> +       bool valid = true;
> +
> +       /* Size 0 accesses are valid even if the address is invalid. */
> +       if (unlikely(size == 0))
> +               goto confirmed_valid;
> +
> +       /*
> +        * Wraparound is possible for extremely high size. Possible if the size
> +        * is a misinterpreted negative number.
> +        */
> +       if (unlikely(addr + size < addr))
> +               goto confirmed_invalid;
> +
> +       return false;
> +
> +confirmed_invalid:
> +       valid = false;
> +
> +       /* FALLTHROUGH */
> +confirmed_valid:
> +       *result = valid;
> +
> +       return true;
> +}
> +
> +static __always_inline bool check_region_inline(void *ptr, size_t size,
> +                                               bool write)
> +{
> +       s8a *addr = (s8a *)(u64)ptr;
> +       bool is_poisoned, is_valid;
> +
> +       if (check_asan_args(addr, size, &is_valid)) {
> +               if (!is_valid)
> +                       asan_report(addr, size, write);
> +               return is_valid;
> +       }
> +
> +       switch (size) {
> +       case 1:
> +               is_poisoned = memory_is_poisoned_1(addr);
> +               break;
> +       case 2:
> +       case 4:
> +       case 8:
> +               is_poisoned = memory_is_poisoned_2_4_8(addr, size);
> +               break;
> +       default:
> +               is_poisoned = memory_is_poisoned_n(addr, size);
> +       }
> +
> +       if (is_poisoned) {
> +               asan_report(addr, size, write);
> +               return false;
> +       }
> +
> +       return true;
> +}
> +
> +/*
> + * __alias is not supported for BPF so define *__noabort() variants as wrappers.
> + */
> +#define DEFINE_ASAN_LOAD_STORE(size)                                           \
> +       __hidden void __asan_store##size(void *addr)                           \
> +       {                                                                      \
> +               check_region_inline(addr, size, true);                         \
> +       }                                                                      \
> +       __hidden void __always_inline __asan_store##size##_noabort(void *addr) \
> +       {                                                                      \
> +               check_region_inline(addr, size, true);                         \
> +       }                                                                      \
> +       __hidden void __asan_load##size(void *addr)                            \
> +       {                                                                      \
> +               check_region_inline(addr, size, false);                        \
> +       }                                                                      \
> +       __hidden void __asan_load##size##_noabort(void *addr)                  \
> +       {                                                                      \
> +               check_region_inline(addr, size, false);                        \
> +       }                                                                      \
> +       __hidden void __asan_report_store##size(void *addr)                    \
> +       {                                                                      \
> +               asan_report((s8a *)addr, size, true);                          \
> +       }                                                                      \
> +       __hidden void __asan_report_store##size##_noabort(void *addr)          \
> +       {                                                                      \
> +               asan_report((s8a *)addr, size, true);                          \
> +       }                                                                      \
> +       __hidden void __asan_report_load##size(void *addr)                     \
> +       {                                                                      \
> +               asan_report((s8a *)addr, size, false);                         \
> +       }                                                                      \
> +       __hidden void __asan_report_load##size##_noabort(void *addr)           \
> +       {                                                                      \
> +               asan_report((s8a *)addr, size, false);                         \
> +       }
> +
> +DEFINE_ASAN_LOAD_STORE(1);
> +DEFINE_ASAN_LOAD_STORE(2);
> +DEFINE_ASAN_LOAD_STORE(4);
> +DEFINE_ASAN_LOAD_STORE(8);
> +
> +void __asan_storeN(void *addr, ssize_t size)
> +{
> +       check_region_inline(addr, size, true);
> +}
> +
> +void __asan_loadN(void *addr, ssize_t size)
> +{
> +       check_region_inline(addr, size, false);
> +}
> +
> +/*
> + * We currently do not sanitize globals.
> + */
> +void __asan_register_globals(void *globals, size_t n)
> +{
> +}
> +
> +void __asan_unregister_globals(void *globals, size_t n)
> +{
> +}
> +
> +/*
> + * We do not currently have memcpy/memmove/memset intrinsics
> + * in LLVM. Do not implement sanitization.
> + */
> +void *__asan_memcpy(void *d, const void *s, size_t n)
> +{
> +       return NULL;
> +}
> +
> +void *__asan_memmove(void *d, const void *s, size_t n)
> +{
> +       return NULL;
> +}
> +
> +void *__asan_memset(void *p, int c, size_t n)
> +{
> +       return NULL;
> +}
> +
> +/*
> + * Poisoning code, used when we add more freed memory to the allocator by:
> + *     a) pulling memory from the arena segment using bpf_arena_alloc_pages()
> + *     b) freeing memory from application code
> + */
> +__hidden __noasan int asan_poison(void __arena *addr, s8 val, size_t size)
> +{
> +       s8a *shadow;
> +       size_t len;
> +
> +       /*
> +        * Poisoning from a non-granule address makes no sense: We can only allocate
> +        * memory to the application that with a granule-aligned starting address,
> +        * and bpf_arena_alloc_pages returns page-aligned memory. A non-aligned
> +        * addr then implies we're freeing a different address than the one we
> +        * allocated.
> +        */
> +       if (unlikely((u64)addr & ASAN_GRANULE_MASK))
> +               return -EINVAL;
> +
> +       /*
> +        * We cannot free an unaligned region because it'd be possible that we
> +        * cannot describe the resulting poisoning state of the granule in
> +        * the ASAN encoding.
> +        *
> +        * Every granule represents a region of memory that looks like the
> +        * following (P for poisoned bytes, C for clear):
> +        *
> +        * <Clear>  <Poisoned>
> +        * [ C C C ... P P ]
> +        *
> +        * The value of the granule's shadow map is the number of clear bytes in
> +        * it. We cannot represent granules with the following state:
> +        *
> +        * [ P P ... C C ... P P ]
> +        *
> +        * That would be possible if we could free unaligned regions, so prevent that.
> +        *
> +        */
> +       if (unlikely(size & ASAN_GRANULE_MASK))
> +               return -EINVAL;

kasan_poison() in the kernel has the same logic without the comments.
The comments are nice, but please make a big comment somewhere
that the algorithm is the same as KASAN. Is it actually?
So reviewers don't need to triple check the bit math.

> +
> +       shadow = mem_to_shadow(addr);
> +       len = size >> ASAN_SHADOW_SHIFT;
> +
> +       asan_memset(shadow, val, len);
> +
> +       return 0;
> +}

[PATCH v2 07/13] selftests: bpf: Add ASAN support for libarena selftests

[Emil Tsalapatis]

From: Emil Tsalapatis <etsal@meta.com>

Expand the arena library selftest infrastructure to support
address sanitization. Add the compiler flags necessary to
compile the library under ASAN when supported.

Signed-off-by: Emil Tsalapatis (Meta) <emil@etsalapatis.com>
---
 tools/testing/selftests/bpf/Makefile          | 14 +++-
 tools/testing/selftests/bpf/libarena/Makefile | 26 ++++++-
 .../selftests/bpf/libarena/include/userapi.h  |  1 +
 .../bpf/libarena/selftests/selftest.c         | 69 ++++++++++++++++++-
 .../bpf/libarena/selftests/st_asan_common.h   | 49 +++++++++++++
 5 files changed, 155 insertions(+), 4 deletions(-)
 create mode 100644 tools/testing/selftests/bpf/libarena/selftests/st_asan_common.h

diff --git a/tools/testing/selftests/bpf/Makefile b/tools/testing/selftests/bpf/Makefile
index 49b275a7bfa1..2b59a5c2235b 100644
--- a/tools/testing/selftests/bpf/Makefile
+++ b/tools/testing/selftests/bpf/Makefile
@@ -917,7 +917,19 @@ override define INSTALL_RULE
 endef
 
 test_libarena: $(INCLUDE_DIR)/vmlinux.h $(BPFOBJ)
-	+$(MAKE) -C libarena all \
+	+$(MAKE) -C libarena $@ \
+		BPFTOOL="$(BPFTOOL)" \
+		INCLUDE_DIR="$(HOST_INCLUDE_DIR)" \
+		LIBBPF_INCLUDE="$(HOST_INCLUDE_DIR)" \
+		BPFOBJ="$(BPFOBJ)" \
+		LDLIBS="$(LDLIBS) -lzstd" \
+		CLANG="$(CLANG)" \
+		BPF_CFLAGS="$(BPF_CFLAGS) $(CLANG_CFLAGS)" \
+		BPF_TARGET_ENDIAN="$(BPF_TARGET_ENDIAN)" \
+		Q="$(Q)"
+
+test_libarena_asan: $(INCLUDE_DIR)/vmlinux.h $(BPFOBJ)
+	+$(MAKE) -C libarena $@ \
 		BPFTOOL="$(BPFTOOL)" \
 		INCLUDE_DIR="$(HOST_INCLUDE_DIR)" \
 		LIBBPF_INCLUDE="$(HOST_INCLUDE_DIR)" \
diff --git a/tools/testing/selftests/bpf/libarena/Makefile b/tools/testing/selftests/bpf/libarena/Makefile
index 70901bb5237f..1ec1a83c0c04 100644
--- a/tools/testing/selftests/bpf/libarena/Makefile
+++ b/tools/testing/selftests/bpf/libarena/Makefile
@@ -5,6 +5,7 @@ LIBARENA=$(abspath .)
 
 LIBARENA_SOURCES = $(wildcard $(LIBARENA)/src/*.bpf.c) $(wildcard $(LIBARENA)/selftests/*.bpf.c)
 LIBARENA_OBJECTS = $(notdir $(LIBARENA_SOURCES:.bpf.c=.bpf.o))
+LIBARENA_OBJECTS_ASAN = $(notdir $(LIBARENA_SOURCES:.bpf.c=_asan.bpf.o))
 
 INCLUDES = -I$(LIBARENA)/include -I$(LIBARENA)/..
 ifneq ($(INCLUDE_DIR),)
@@ -14,6 +15,13 @@ ifneq ($(LIBBPF_INCLUDE),)
 INCLUDES += -I$(LIBBPF_INCLUDE)
 endif
 
+ASAN_FLAGS = -fsanitize=kernel-address -fno-stack-protector -fno-builtin
+ASAN_FLAGS += -mllvm -asan-instrument-address-spaces=1 -mllvm -asan-shadow-addr-space=1
+ASAN_FLAGS += -mllvm -asan-use-stack-safety=0 -mllvm -asan-stack=0
+ASAN_FLAGS += -mllvm -asan-kernel=1
+ASAN_FLAGS += -mllvm -asan-constructor-kind=none
+ASAN_FLAGS += -mllvm -asan-destructor-kind=none
+
 # ENABLE_ATOMICS_TESTS required because we use arena spinlocks
 override BPF_CFLAGS += -DENABLE_ATOMICS_TESTS
 override BPF_CFLAGS += -O2 -Wno-incompatible-pointer-types-discards-qualifiers
@@ -25,23 +33,37 @@ CFLAGS += $(INCLUDES)
 vpath %.bpf.c $(LIBARENA)/src $(LIBARENA)/selftests
 vpath %.c $(LIBARENA)/src $(LIBARENA)/selftests
 
-all: test_libarena
+test_libarena_asan: selftest.c $(BPFOBJ) selftest_asan.skel.h
+	$(call msg,BINARY,libarena,$@)
+	$(Q)$(CLANG) $(LDLIBS) $(CFLAGS) -DBPF_ARENA_ASAN $< $(BPFOBJ) -o $@
 
 test_libarena: selftest.c $(BPFOBJ) selftest.skel.h
 	$(call msg,BINARY,libarena,$@)
 	$(Q)$(CLANG) $(LDLIBS) $(CFLAGS) $< $(BPFOBJ) -o $@
 
+selftest_asan.skel.h: main_asan.bpf.o
+	$(call msg,GEN-SKEL,libarena,$@)
+	$(Q)$(BPFTOOL) gen skeleton $< name "selftest_asan" > $@
+
 selftest.skel.h: main.bpf.o
 	$(call msg,GEN-SKEL,libarena,$@)
 	$(Q)$(BPFTOOL) gen skeleton $< name "selftest" > $@
 
+main_asan.bpf.o: $(LIBARENA_OBJECTS_ASAN)
+	$(call msg,GEN-OBJ,libarena,$@)
+	$(Q)$(BPFTOOL) gen object $@ $^
+
 main.bpf.o: $(LIBARENA_OBJECTS)
 	$(call msg,GEN-OBJ,libarena,$@)
 	$(Q)$(BPFTOOL) gen object $@ $^
 
+%_asan.bpf.o: %.bpf.c
+	$(call msg,CLNG-BPF,libarena,$@)
+	$(Q)$(CLANG) $(BPF_CFLAGS) $(ASAN_FLAGS) -DBPF_ARENA_ASAN $(BPF_TARGET_ENDIAN) -c $< -mcpu=v3 -o $@
+
 %.bpf.o: %.bpf.c
 	$(call msg,CLNG-BPF,libarena,$@)
 	$(Q)$(CLANG) $(BPF_CFLAGS) $(BPF_TARGET_ENDIAN) -c $< -o $@
 
 clean:
-	$(Q)rm -f *.skel.h *.bpf.o test_libarena
+	$(Q)rm -f *.skel.h *.bpf.o test_libarena test_libarena_asan
diff --git a/tools/testing/selftests/bpf/libarena/include/userapi.h b/tools/testing/selftests/bpf/libarena/include/userapi.h
index bd5e7042a44f..c294b6818bed 100644
--- a/tools/testing/selftests/bpf/libarena/include/userapi.h
+++ b/tools/testing/selftests/bpf/libarena/include/userapi.h
@@ -20,3 +20,4 @@ typedef int64_t s64;
 #define arena_spinlock_t u64
 
 #include "common.h"
+#include "asan.h"
diff --git a/tools/testing/selftests/bpf/libarena/selftests/selftest.c b/tools/testing/selftests/bpf/libarena/selftests/selftest.c
index 5b8d8b94323e..f63324a1cdde 100644
--- a/tools/testing/selftests/bpf/libarena/selftests/selftest.c
+++ b/tools/testing/selftests/bpf/libarena/selftests/selftest.c
@@ -22,8 +22,20 @@
 
 #include "selftest.h"
 
+#include <asan.h>
+
+#ifdef BPF_ARENA_ASAN
+#include "../selftest_asan.skel.h"
+typedef struct selftest_asan selftest;
+#define selftest__open selftest_asan__open
+#define selftest__open_and_load selftest_asan__open_and_load
+#define selftest__load selftest_asan__load
+#define selftest__attach selftest_asan__attach
+#define selftest__destroy selftest_asan__destroy
+#else
 #include "../selftest.skel.h"
 typedef struct selftest selftest;
+#endif
 
 static bool verbose = false;
 static int testno = 1;
@@ -155,6 +167,48 @@ selftest_globals_pages(selftest *skel, size_t arena_all_pages, u64 *globals_page
 	return 0;
 }
 
+#if BPF_ARENA_ASAN
+static int
+selftest_asan_init(selftest *skel)
+{
+	struct bpf_test_run_opts opts;
+	size_t arena_all_pages = 1ULL << 20;
+	struct asan_init_args args;
+	u64 globals_pages;
+	int prog_fd;
+	int ret;
+
+	ret = selftest_globals_pages(skel, arena_all_pages, &globals_pages);
+	if (ret)
+		return ret;
+
+	/* Taken from the arena map header. */
+	args = (struct asan_init_args) {
+		.arena_all_pages = arena_all_pages,
+		.arena_globals_pages = globals_pages,
+	};
+
+	opts = (struct bpf_test_run_opts) {
+		.sz = sizeof(opts),
+		.ctx_in = &args,
+		.ctx_size_in = sizeof(args),
+	};
+
+	prog_fd = bpf_program__fd(skel->progs.asan_init);
+	assert(prog_fd >= 0 && "no program found");
+	return selftest_fd(prog_fd, &opts);
+}
+
+#else /* BPF_ARENA_ASAN */
+
+static int
+selftest_asan_init(selftest *skel)
+{
+	return 0;
+}
+
+#endif /* BPF_ARENA_ASAN */
+
 static int libbpf_print_fn(enum libbpf_print_level level,
 		const char *format, va_list args)
 {
@@ -172,6 +226,10 @@ int run_test(selftest *skel, const struct bpf_program *prog)
 	if (ret)
 		return ret;
 
+	ret = selftest_asan_init(skel);
+	if (ret)
+		return ret;
+
 	prog_fd = bpf_program__fd(prog);
 	if (!prog_fd)
 		return -ENOENT;
@@ -211,8 +269,17 @@ static void
 banner(const char *progpath)
 {
 	char *name = basename(progpath);
+	bool is_asan;
+
+	/* 
+	 * Check if our BPF programs are ASAN-capable by inspecting the prog name.
+	 * Command line arguments are guaranteed to be NULL-terminated, use strlen. 
+	 * Calculate the hardcoded name's length at compile time.
+	 */
+	printf("%s\n", name);
+	is_asan = strstr(name, "_asan");
 
-	printf("=== %s ===\n", "libarena selftests");
+	printf("=== %s %s===\n", "libarena selftests", is_asan ? "(asan) " : "");
 }
 
 int main(int argc, char *argv[])
diff --git a/tools/testing/selftests/bpf/libarena/selftests/st_asan_common.h b/tools/testing/selftests/bpf/libarena/selftests/st_asan_common.h
new file mode 100644
index 000000000000..d8a6316bba47
--- /dev/null
+++ b/tools/testing/selftests/bpf/libarena/selftests/st_asan_common.h
@@ -0,0 +1,49 @@
+/*
+ * SPDX-License-Identifier: GPL-2.0
+ * Copyright (c) 2025 Meta Platforms, Inc. and affiliates.
+ * Copyright (c) 2025 Emil Tsalapatis <etsal@meta.com>
+ */
+
+#pragma once
+
+#define ST_PAGES 64
+
+#define ASAN_MAP_STATE(addr)                                                 \
+	do {                                                                 \
+		bpf_printk("%s:%d ASAN %lx -> (val: %x gran: %x set: [%s])", \
+			   __func__, __LINE__, addr,                         \
+			   asan_shadow_value((addr)), ASAN_GRANULE(addr),    \
+			   asan_shadow_set((addr)) ? "yes" : "no");          \
+	} while (0)
+
+/*
+ * Emit an error and force the current function to exit if the ASAN
+ * violation state is unexpected. Reset the violation state after.
+ */
+#define ASAN_VALIDATE_ADDR(cond, addr)                                       \
+	do {                                                                 \
+		asm volatile("" ::: "memory");                               \
+		if ((asan_violated != 0) != (cond)) {                        \
+			bpf_printk("%s:%d ASAN asan_violated %lx", __func__, \
+				   __LINE__, (u64)asan_violated);            \
+			ASAN_MAP_STATE((addr));                              \
+			return -EINVAL;                                      \
+		}                                                            \
+		asan_violated = 0;                                           \
+	} while (0)
+
+#define ASAN_VALIDATE()                                                 \
+	do {                                                            \
+		if ((asan_violated)) {                                  \
+			bpf_printk("%s:%d Found ASAN violation at %lx", \
+				   __func__, __LINE__, asan_violated);  \
+			return -EINVAL;                                 \
+		}                                                       \
+	} while (0)
+
+struct blob {
+	volatile u8 mem[59];
+	u8 oob;
+};
+
+
-- 
2.49.0

Re: [PATCH v2 07/13] selftests: bpf: Add ASAN support for libarena selftests

[bot+bpf-ci]

[-- Attachment #1: Type: text/plain, Size: 1655 bytes --]

> diff --git a/tools/testing/selftests/bpf/libarena/selftests/selftest.c b/tools/testing/selftests/bpf/libarena/selftests/selftest.c
> index 5b8d8b94323e..f63324a1cdde 100644
> --- a/tools/testing/selftests/bpf/libarena/selftests/selftest.c
> +++ b/tools/testing/selftests/bpf/libarena/selftests/selftest.c

[ ... ]

> @@ -211,8 +269,17 @@ static void
>  banner(const char *progpath)
>  {
>  	char *name = basename(progpath);
> +	bool is_asan;
> +
> +	/*
> +	 * Check if our BPF programs are ASAN-capable by inspecting the prog name.
> +	 * Command line arguments are guaranteed to be NULL-terminated, use strlen.
> +	 * Calculate the hardcoded name's length at compile time.
> +	 */
> +	printf("%s\n", name);
> +	is_asan = strstr(name, "_asan");

This isn't a bug, but the comment mentions strlen and compile-time length
calculation, while the actual code uses strstr(). Should the comment be
updated to match the implementation?

> +
> +	printf("=== %s %s===\n", "libarena selftests", is_asan ? "(asan) " : "");
>  }


---
AI reviewed your patch. Please fix the bug or email reply why it's not a bug.
See: https://github.com/kernel-patches/vmtest/blob/master/ci/claude/README.md

CI run summary: https://github.com/kernel-patches/bpf/actions/runs/21409286496

AI-authorship-score: low
AI-authorship-explanation: Code follows standard kernel patterns with a comment/code mismatch typical of iterative human development rather than AI generation.
issues-found: 1
issue-severity-score: low
issue-severity-explanation: Minor documentation issue where comment mentions strlen and compile-time calculation but code uses strstr; does not affect functionality.

Re: [PATCH v2 07/13] selftests: bpf: Add ASAN support for libarena selftests

[Emil Tsalapatis]

On Tue Jan 27, 2026 at 1:38 PM EST, bot+bpf-ci wrote:
>> diff --git a/tools/testing/selftests/bpf/libarena/selftests/selftest.c b/tools/testing/selftests/bpf/libarena/selftests/selftest.c
>> index 5b8d8b94323e..f63324a1cdde 100644
>> --- a/tools/testing/selftests/bpf/libarena/selftests/selftest.c
>> +++ b/tools/testing/selftests/bpf/libarena/selftests/selftest.c
>
> [ ... ]
>
>> @@ -211,8 +269,17 @@ static void
>>  banner(const char *progpath)
>>  {
>>  	char *name = basename(progpath);
>> +	bool is_asan;
>> +
>> +	/*
>> +	 * Check if our BPF programs are ASAN-capable by inspecting the prog name.
>> +	 * Command line arguments are guaranteed to be NULL-terminated, use strlen.
>> +	 * Calculate the hardcoded name's length at compile time.
>> +	 */
>> +	printf("%s\n", name);
>> +	is_asan = strstr(name, "_asan");
>
> This isn't a bug, but the comment mentions strlen and compile-time length
> calculation, while the actual code uses strstr(). Should the comment be
> updated to match the implementation?
>

Ack, will update.

>> +
>> +	printf("=== %s %s===\n", "libarena selftests", is_asan ? "(asan) " : "");
>>  }
>
>
> ---
> AI reviewed your patch. Please fix the bug or email reply why it's not a bug.
> See: https://github.com/kernel-patches/vmtest/blob/master/ci/claude/README.md
>
> CI run summary: https://github.com/kernel-patches/bpf/actions/runs/21409286496
>
> AI-authorship-score: low
> AI-authorship-explanation: Code follows standard kernel patterns with a comment/code mismatch typical of iterative human development rather than AI generation.
> issues-found: 1
> issue-severity-score: low
> issue-severity-explanation: Minor documentation issue where comment mentions strlen and compile-time calculation but code uses strstr; does not affect functionality.

[PATCH v2 08/13] selftest: bpf: Add bump allocator for libarena

[Emil Tsalapatis]

From: Emil Tsalapatis <etsal@meta.com>

Add an arena-based bump allocator to the arenalib. The allocator
is aimed towards data allocated at program startup whose lifetime
is that of the BPF program. An example is CPU-related information
for sched-ext scheduler.

Signed-off-by: Emil Tsalapatis (Meta) <emil@etsalapatis.com>
---
 .../selftests/bpf/libarena/include/bump.h     |  26 +++
 .../selftests/bpf/libarena/src/bump.bpf.c     | 196 ++++++++++++++++++
 2 files changed, 222 insertions(+)
 create mode 100644 tools/testing/selftests/bpf/libarena/include/bump.h
 create mode 100644 tools/testing/selftests/bpf/libarena/src/bump.bpf.c

diff --git a/tools/testing/selftests/bpf/libarena/include/bump.h b/tools/testing/selftests/bpf/libarena/include/bump.h
new file mode 100644
index 000000000000..ac643f29acc0
--- /dev/null
+++ b/tools/testing/selftests/bpf/libarena/include/bump.h
@@ -0,0 +1,26 @@
+#pragma once
+
+#ifdef __BPF__
+
+u64 bump_alloc_internal(size_t bytes, size_t alignment);
+#define bump_alloc(bytes, alignment) ((void __arena *)bump_alloc_internal((bytes), (alignment)))
+int bump_init(size_t contig_pages);
+int bump_destroy(void);
+int bump_memlimit(u64 lim_memusage);
+
+#endif /* __BPF__ */
+
+#define BUMP_ALLOCS_MAX (64)
+
+struct bump {
+	size_t max_contig_bytes;
+	void __arena *memory;
+	size_t off;
+	size_t lim_memusage;
+	size_t cur_memusage;
+
+	void __arena *past_allocs[BUMP_ALLOCS_MAX];
+
+	size_t past_allocs_ind;
+};
+
diff --git a/tools/testing/selftests/bpf/libarena/src/bump.bpf.c b/tools/testing/selftests/bpf/libarena/src/bump.bpf.c
new file mode 100644
index 000000000000..721c668475a6
--- /dev/null
+++ b/tools/testing/selftests/bpf/libarena/src/bump.bpf.c
@@ -0,0 +1,196 @@
+/*
+ * SPDX-License-Identifier: GPL-2.0
+ * Copyright (c) 2024-2025 Meta Platforms, Inc. and affiliates.
+ * Copyright (c) 2024-2025 Tejun Heo <tj@kernel.org>
+ * Copyright (c) 2024-2025 Emil Tsalapatis <etsal@meta.com>
+ */
+
+/*
+ * Static allocation module used to allocate arena memory for
+ * whose lifetime is that of the BPF program. Data is rarely
+ * allocated, mostly at program init, and never freed. The
+ * memory returned by this code is typeless so it avoids us
+ * having to define an allocator for each type.
+ */
+
+#include <common.h>
+#include <asan.h>
+#include <bump.h>
+
+/* Maximum memory that can be allocated by the arena. */
+#define ARENA_MAX_MEMORY (1ULL << 20)
+
+private(STATIC_ALLOC_LOCK) struct bpf_spin_lock static_lock;
+
+private(STATIC_ALLOC) struct bump bump;
+
+const s8 STATIC_POISON_UNINIT = 0xff;
+
+__weak u64 bump_alloc_internal(size_t bytes, size_t alignment)
+{
+	void __arena *memory;
+	size_t	alloc_bytes;
+	size_t	alloc_pages;
+	void __arena *ptr;
+	size_t padding;
+	size_t ind;
+	u64 addr;
+
+	/* 
+	 * Allocated addresses must be aligned to the nearest granule,
+	 * and since we're stack allocating this implies that allocations
+	 * sizes are also aligned.
+	 */
+	alignment = round_up(alignment, 1 << ASAN_SHADOW_SHIFT);
+
+	bpf_spin_lock(&static_lock);
+
+	/* Round up the current offset. */
+	addr = (__u64)bump.memory + bump.off;
+
+	padding	= round_up(addr, alignment) - addr;
+	alloc_bytes = bytes + padding;
+
+	if (alloc_bytes > bump.max_contig_bytes) {
+		bpf_spin_unlock(&static_lock);
+		bpf_printk("invalid request %ld, max is %ld\n", alloc_bytes,
+			   bump.max_contig_bytes);
+		return (u64)NULL;
+	}
+
+	/*
+	 * The code assumes that the maximum static allocation
+	 * size is significantly larger than the typical allocation
+	 * size, so it does not attempt to alleviate memory
+	 * fragmentation.
+	 */
+	if (bump.off + alloc_bytes > bump.max_contig_bytes) {
+		if (bump.cur_memusage + bump.max_contig_bytes >
+		    bump.lim_memusage) {
+			bpf_spin_unlock(&static_lock);
+			bpf_printk("allocator memory limit exceeded");
+			return (u64)NULL;
+		}
+
+		alloc_pages = bump.max_contig_bytes / __PAGE_SIZE;
+
+		memory = bpf_arena_alloc_pages(&arena, NULL, alloc_pages,
+						    NUMA_NO_NODE, 0);
+		if (!memory) {
+			bpf_spin_unlock(&static_lock);
+			bpf_printk("failed to allocate memory");
+			return (u64)NULL;
+		}
+
+		/* Keep a list of allocated blocks to free on allocator destruction. */
+		ind = bump.past_allocs_ind++ % BUMP_ALLOCS_MAX;
+		bump.past_allocs[ind] = memory;
+
+		asan_poison(memory, STATIC_POISON_UNINIT, bump.max_contig_bytes);
+
+		/*
+		 * Switch to new memory block, reset offset,
+		 * and recalculate base address.
+		 */
+		bump.memory = memory;
+		bump.off = 0;
+		addr = (__u64)bump.memory;
+
+		/*
+		 * We changed the base address. Recompute the padding.
+		 */
+		padding	= round_up(addr, alignment) - addr;
+		alloc_bytes = bytes + padding;
+
+		bump.cur_memusage += bump.max_contig_bytes;
+	}
+
+	ptr = (void __arena *)(addr + padding);
+	asan_unpoison(ptr, bytes);
+
+	bump.off += alloc_bytes;
+
+	bpf_spin_unlock(&static_lock);
+
+	return (u64)ptr;
+}
+
+__weak int bump_destroy(void)
+{
+	size_t alloc_pages = bump.max_contig_bytes / __PAGE_SIZE;
+	void __arena *mem;
+	size_t lim;
+	int i;
+
+	/* Free all allocated blocks. */
+
+	lim = bump.past_allocs_ind < BUMP_ALLOCS_MAX ? 
+		bump.past_allocs_ind : BUMP_ALLOCS_MAX;
+
+	for (i = 0; i < lim && can_loop; i++) {
+		mem = bump.past_allocs[i];
+		asan_unpoison(mem, bump.max_contig_bytes);
+		bpf_arena_free_pages(&arena, mem, alloc_pages);
+	}
+
+	return 0;
+}
+
+__weak int bump_init(size_t contig_pages)
+{
+	size_t contig_bytes = contig_pages * __PAGE_SIZE;
+	void __arena *memory;
+	size_t ind;
+	int ret;
+
+	memory = bpf_arena_alloc_pages(&arena, NULL, contig_pages, NUMA_NO_NODE,
+				       0);
+	if (!memory) {
+		bpf_printk("Failed to allocate %d pages", contig_pages);
+		return -ENOMEM;
+	}
+
+	ret = asan_poison(memory, STATIC_POISON_UNINIT, contig_bytes);
+	if (ret)
+		bpf_printk("Error %d: by poisoning", ret);
+
+	bump.max_contig_bytes = contig_bytes;
+	bump.off = 0;
+	bump.memory = memory;
+	bump.lim_memusage = ARENA_MAX_MEMORY;
+	bump.cur_memusage = contig_bytes;
+
+	ind = bump.past_allocs_ind++ % BUMP_ALLOCS_MAX;
+	bump.past_allocs[ind] = memory;
+
+	return 0;
+}
+
+__weak int bump_memlimit(u64 lim_memusage)
+{
+	bpf_spin_lock(&static_lock);
+
+	if (lim_memusage > BUMP_ALLOCS_MAX * bump.max_contig_bytes)
+		goto error;
+
+	/* We always allocate at a page granularity. */
+	if (lim_memusage % __PAGE_SIZE)
+		goto error;
+
+	/* Have we already overshot the limit? */
+	if (lim_memusage < bump.cur_memusage)
+		goto error;
+
+	bump.lim_memusage = lim_memusage;
+
+	bpf_spin_unlock(&static_lock);
+
+	return 0;
+
+error:
+	bpf_spin_unlock(&static_lock);
+
+	return -EINVAL;
+}
+
+__weak char _license[] SEC("license") = "GPL";
-- 
2.49.0

Re: [PATCH v2 08/13] selftest: bpf: Add bump allocator for libarena

[Alexei Starovoitov]

On Tue, Jan 27, 2026 at 10:16 AM Emil Tsalapatis <emil@etsalapatis.com> wrote:
> +
> +private(STATIC_ALLOC_LOCK) struct bpf_spin_lock static_lock;
> +
> +private(STATIC_ALLOC) struct bump bump;
> +
> +const s8 STATIC_POISON_UNINIT = 0xff;
> +
> +__weak u64 bump_alloc_internal(size_t bytes, size_t alignment)
> +{
> +       void __arena *memory;
> +       size_t  alloc_bytes;
> +       size_t  alloc_pages;
> +       void __arena *ptr;
> +       size_t padding;
> +       size_t ind;
> +       u64 addr;
> +
> +       /*
> +        * Allocated addresses must be aligned to the nearest granule,
> +        * and since we're stack allocating this implies that allocations
> +        * sizes are also aligned.
> +        */
> +       alignment = round_up(alignment, 1 << ASAN_SHADOW_SHIFT);
> +
> +       bpf_spin_lock(&static_lock);

In the stack allocator you're using arena_spin_lock and I'm
assuming it works fine there. Why use the old one here?

[PATCH v2 09/13] selftests: bpf: Add libarena selftests for the bump allocator

[Emil Tsalapatis]

From: Emil Tsalapatis <etsal@meta.com>

Add testing for the libarena bump allocator. The testing covers
the behavior of the allocator both by itself and in combination
with ASAN to test that there are no false positives or negatives.

Signed-off-by: Emil Tsalapatis (Meta) <emil@etsalapatis.com>
---
 .../bpf/libarena/selftests/selftest.c         |  12 +
 .../bpf/libarena/selftests/st_asan_bump.bpf.c | 193 ++++++++++++
 .../bpf/libarena/selftests/st_bump.bpf.c      | 281 ++++++++++++++++++
 3 files changed, 486 insertions(+)
 create mode 100644 tools/testing/selftests/bpf/libarena/selftests/st_asan_bump.bpf.c
 create mode 100644 tools/testing/selftests/bpf/libarena/selftests/st_bump.bpf.c

diff --git a/tools/testing/selftests/bpf/libarena/selftests/selftest.c b/tools/testing/selftests/bpf/libarena/selftests/selftest.c
index f63324a1cdde..a0fd7a2e6c46 100644
--- a/tools/testing/selftests/bpf/libarena/selftests/selftest.c
+++ b/tools/testing/selftests/bpf/libarena/selftests/selftest.c
@@ -265,6 +265,12 @@ error:							\
 	return ret;					\
 }
 
+TEST(bump_selftest);
+
+#ifdef BPF_ARENA_ASAN
+TEST(asan_test_bump);
+#endif
+
 static void
 banner(const char *progpath)
 {
@@ -306,5 +312,11 @@ int main(int argc, char *argv[])
 
 	libbpf_set_print(libbpf_print_fn);
 
+	run_bump_selftest();
+
+#ifdef BPF_ARENA_ASAN
+	run_asan_test_bump();
+#endif
+
 	return 0;
 }
diff --git a/tools/testing/selftests/bpf/libarena/selftests/st_asan_bump.bpf.c b/tools/testing/selftests/bpf/libarena/selftests/st_asan_bump.bpf.c
new file mode 100644
index 000000000000..c67c482c3996
--- /dev/null
+++ b/tools/testing/selftests/bpf/libarena/selftests/st_asan_bump.bpf.c
@@ -0,0 +1,193 @@
+/*
+ * SPDX-License-Identifier: GPL-2.0
+ * Copyright (c) 2025 Meta Platforms, Inc. and affiliates.
+ * Copyright (c) 2025 Emil Tsalapatis <etsal@meta.com>
+ */
+
+#include <common.h>
+
+#include <asan.h>
+#include <bump.h>
+
+#include "selftest.h"
+
+#ifdef BPF_ARENA_ASAN
+
+#include "st_asan_common.h"
+
+int asan_test_bump_blob_one(void)
+{
+	volatile struct blob __arena *blob;
+	const size_t alignment = 1;
+
+	blob = bump_alloc(sizeof(*blob) - 1, alignment);
+	if (!blob)
+		return -ENOMEM;
+
+	blob->mem[0] = 0xba;
+	ASAN_VALIDATE_ADDR(false, &blob->mem[0]);
+
+	blob->oob = 0;
+	ASAN_VALIDATE_ADDR(true, &blob->oob);
+
+	blob = (volatile struct blob __arena *)&blob->oob;
+	blob->mem[0] = 0xba;
+	ASAN_VALIDATE_ADDR(true, &blob->mem[0]);
+
+	blob->oob = 4;
+	ASAN_VALIDATE_ADDR(true, &blob->oob);
+
+	/*
+	 * Go even further, cast the OOB variable into
+	 * another struct blob and access its own oob.
+	 */
+	blob = (volatile struct blob __arena *)&blob->oob;
+	blob->oob = 5;
+	ASAN_VALIDATE_ADDR(true, &blob->oob);
+
+	return 0;
+}
+
+int asan_test_bump_blob(void)
+{
+	const int iters = 20;
+	int ret, i;
+
+	ret = bump_init(ST_PAGES);
+	if (ret) {
+		bpf_printk("bump_init failed with %d", ret);
+		return ret;
+	}
+
+	for (i = 0; i < iters && can_loop; i++) {
+		ret = asan_test_bump_blob_one();
+		if (ret) {
+			bpf_printk("%s:%d Failed on iteration %d", __func__,
+				   __LINE__, i);
+			return ret;
+		}
+	}
+
+	bump_destroy();
+
+	ASAN_VALIDATE();
+
+	return 0;
+}
+
+int asan_test_bump_array_one(void)
+{
+	size_t bytes = 37;
+	size_t overrun = 13;
+	size_t alignment = 1;
+	char __arena *mem;
+	int i;
+
+	mem = bump_alloc(sizeof(*mem) * bytes, alignment);
+	if (!mem)
+		return -ENOMEM;
+
+	for (i = 0; i < bytes + overrun && can_loop; i++) {
+		mem[i] = 0xba;
+		ASAN_VALIDATE_ADDR(i >= bytes, &mem[i]);
+	}
+
+	ASAN_VALIDATE();
+
+	return 0;
+}
+
+int asan_test_bump_array(void)
+{
+	const size_t iters = 20;
+	int ret, i;
+
+	ret = bump_init(ST_PAGES);
+	if (ret) {
+		bpf_printk("bump_init failed with %d", ret);
+		return ret;
+	}
+
+	for (i = 0; i < iters && can_loop; i++) {
+		ret = asan_test_bump_array_one();
+		if (ret) {
+			bpf_printk("%s:%d Failed on iteration %d", __func__,
+				   __LINE__, i);
+			return ret;
+		}
+	}
+
+	bump_destroy();
+
+	return 0;
+}
+
+int asan_test_bump_all(void)
+{
+	const int iters = 50;
+	int ret, i;
+
+	ret = bump_init(ST_PAGES);
+	if (ret) {
+		bpf_printk("bump_init failed with %d", ret);
+		return ret;
+	}
+
+	for (i = 0; i < iters && can_loop; i++) {
+		ret = asan_test_bump_array_one();
+		if (ret) {
+			bpf_printk("%s:%d Failed on iteration %d", __func__,
+				   __LINE__, i);
+			return ret;
+		}
+
+		ret = asan_test_bump_blob_one();
+		if (ret) {
+			bpf_printk("%s:%d Failed on iteration %d", __func__,
+				   __LINE__, i);
+			return ret;
+		}
+	}
+
+	bump_destroy();
+
+	return 0;
+}
+
+SEC("syscall")
+int asan_test_bump(void)
+{
+	int ret;
+
+	ret = asan_test_bump_blob();
+	if (ret) {
+		bpf_printk("%s:%d test failed", __func__, __LINE__);
+		return ret;
+	}
+
+	ret = asan_test_bump_array();
+	if (ret) {
+		bpf_printk("%s:%d test failed", __func__, __LINE__);
+		return ret;
+	}
+
+	ret = asan_test_bump_all();
+	if (ret) {
+		bpf_printk("%s:%d test failed", __func__, __LINE__);
+		return ret;
+	}
+
+	return 0;
+}
+
+#else
+
+SEC("syscall")
+int asan_test_bump(void)
+{
+	return -EOPNOTSUPP;
+}
+
+#endif /* BPF_ARENA_ASAN */
+
+__weak char _license[] SEC("license") = "GPL";
diff --git a/tools/testing/selftests/bpf/libarena/selftests/st_bump.bpf.c b/tools/testing/selftests/bpf/libarena/selftests/st_bump.bpf.c
new file mode 100644
index 000000000000..64f506490a14
--- /dev/null
+++ b/tools/testing/selftests/bpf/libarena/selftests/st_bump.bpf.c
@@ -0,0 +1,281 @@
+/*
+ * SPDX-License-Identifier: GPL-2.0
+ * Copyright (c) 2025 Meta Platforms, Inc. and affiliates.
+ * Copyright (c) 2025 Emil Tsalapatis <etsal@meta.com>
+ */
+
+#include <common.h>
+#include <asan.h>
+#include <bump.h>
+
+#include "selftest.h"
+
+#define ST_MAX_PAGES 8
+
+#define PAGE_SHIFT __builtin_ctz(__PAGE_SIZE)
+
+#define ST_MAX_BYTES (ST_MAX_PAGES * __PAGE_SIZE)
+#define ST_BYTES_MAX_SHIFT __builtin_ctz(ST_MAX_BYTES)
+
+#define ST_MIN_ALIGN_SHIFT (7)
+#define ST_MAX_ALIGN_SHIFT (ST_BYTES_MAX_SHIFT - 2)
+
+#define ST_CYCLES 5
+
+#define ST_PATTERN1 0xAA
+#define ST_PATTERN2 0x55
+
+static inline void st_memset(void __arena *mem, u8 byte, size_t size)
+{
+	u8 __arena *bytes = (u8 __arena *)mem;
+	int i;
+
+	bpf_for(i, 0, size) {
+		bytes[i] = byte;
+	}
+}
+
+static inline bool st_isset(void __arena *mem, u8 byte, size_t size)
+{
+	u8 __arena *bytes = (u8 __arena *)mem;
+	int i;
+
+	for (i = 0; i < size && can_loop; i++) {
+		if (bytes[i] != byte)
+			return false;
+	}
+
+	return true;
+}
+
+/*
+ * Defining oft-repeated snippets as macros to avoid having to propagate
+ * errors to the caller. Both GCC and Clang support statement expressions.
+ */
+
+#define ALLOC_OR_FAIL(bytes, alignment)                                 \
+	({                                                              \
+		void __arena *mem;                                      \
+		mem = bump_alloc((bytes), (alignment));                 \
+		if (!mem) {                                             \
+			bpf_printk("%s:%d bump_alloc failed", __func__, \
+				   __LINE__);                           \
+			bump_destroy();                                 \
+			return -ENOMEM;                                 \
+		}                                                       \
+		mem;                                                    \
+	})
+
+#define INIT_OR_FAIL(bytes)                                             \
+	do {                                                            \
+		if (bump_init(((bytes) / __PAGE_SIZE))) {			\
+			bpf_printk("%s:%d bump_init failed", __func__,	\
+				   __LINE__);                           \
+			return -ENOMEM;                                 \
+		}                                                       \
+	} while (0)
+
+#define CHECK_OR_FAIL(mem, val, size)                                \
+	do {                                                         \
+		if (!st_isset((mem), (val), (size))) {                \
+			bpf_printk("%s:%d val %d missing", __func__, \
+				   __LINE__);                        \
+			return -EINVAL;                              \
+		}                                                    \
+	} while (0)
+
+#define CMP_OR_FAIL(mem1, mem2, size)                                \
+	do {                                                         \
+		if (st_memcmp((mem1), (mem2), (size))) {             \
+			bpf_printk("%s:%d regions differ", __func__, \
+				   __LINE__);                        \
+			return -EINVAL;                              \
+		}                                                    \
+	} while (0)
+
+#define ALIGNED_OR_FAIL(mem, alignment)                                 \
+	do {                                                            \
+		if ((u64)(mem) & ((alignment) - 1)) {                   \
+			bpf_printk("%s:%d invalid alignment", __func__, \
+				   __LINE__);                           \
+			return -EINVAL;                                 \
+		}                                                       \
+	} while (0)
+
+/*
+ * Basic test: 
+ *
+ * - Create the allocator
+ * - Make a single allocation,
+ * - Ensure proper alignment
+ * - Ensure allocation succeeds and values are all 0s.
+ * - Destroy the allocator. Ensure the allocator returns
+ * zeroed out memory.
+ */
+static int bump_selftest_alloc_single(u64 bytes, u64 alignment)
+{
+	u8 __arena *barray;
+	void __arena *mem;
+	int i;
+
+	for (i = 0; i < ST_CYCLES && can_loop; i++) {
+		INIT_OR_FAIL(bytes);
+
+		mem = ALLOC_OR_FAIL(bytes, alignment);
+
+		/* Alignment is assumed to be 2^n. */
+		ALIGNED_OR_FAIL(mem, alignment);
+
+		barray = (u8 __arena *)mem;
+		CHECK_OR_FAIL(barray, 0, bytes);
+
+		/* Check whether we're touching unallocated memory. */
+		st_memset(barray, ST_PATTERN1, bytes);
+		CHECK_OR_FAIL(barray, ST_PATTERN1, bytes);
+
+		bump_destroy();
+	}
+
+	return 0;
+}
+
+__weak
+int bump_selftest_alloc_multiple(u64 bytes, u64 alignment)
+{
+	void __arena *mem1, *mem2;
+	int ret;
+
+	/* Initialize the allocator */
+	ret = bump_init(ST_MAX_PAGES);
+	if (ret) {
+		bpf_printk("bump_init failed with %d", ret);
+		return ret;
+	}
+
+	mem1 = ALLOC_OR_FAIL(bytes, alignment);
+	st_memset(mem1, ST_PATTERN1, bytes);
+
+	mem2 = ALLOC_OR_FAIL(bytes, alignment);
+	st_memset(mem2, ST_PATTERN2, bytes);
+
+	ALIGNED_OR_FAIL(mem1, alignment);
+	ALIGNED_OR_FAIL(mem2, alignment);
+
+	/* Verify first block still has pattern1 */
+	CHECK_OR_FAIL(mem1, ST_PATTERN1, bytes);
+	CHECK_OR_FAIL(mem2, ST_PATTERN2, bytes);
+
+	bump_destroy();
+	return 0;
+}
+
+__weak
+int bump_selftest_alloc_aligned(void)
+{
+	void __arena *mem;
+	u64 alignment;
+	int round;
+
+	INIT_OR_FAIL(ST_MAX_PAGES * __PAGE_SIZE);
+
+	/* 
+	 * Allocate 1 byte at a time to test allocator alignment. 
+	 * Test ascending and descending allocation orders.
+	 */
+	for (round = 0; round < 2 && can_loop; round++) {
+		for (alignment = 1; alignment <= __PAGE_SIZE && can_loop;
+		     alignment <<= 1) {
+			mem = ALLOC_OR_FAIL(1, alignment);
+			ALIGNED_OR_FAIL(mem, alignment);
+		}
+
+		for (alignment = __PAGE_SIZE; alignment >= 1 && can_loop;
+		     alignment >>= 1) {
+			mem = ALLOC_OR_FAIL(1, alignment);
+			ALIGNED_OR_FAIL(mem, alignment);
+		}
+	}
+
+	bump_destroy();
+
+	return 0;
+}
+
+__weak
+int bump_selftest_alloc_exhaustion(u64 bytes, u64 alignment)
+{
+	size_t allocs = bytes / alignment;
+	void __arena *mem;
+	int i;
+
+	INIT_OR_FAIL(ST_MAX_PAGES * __PAGE_SIZE);
+
+	if (bump_memlimit(bytes)) {
+		bpf_printk("%s:%d bump_memlimit failed", __func__,
+			   __LINE__);
+		return -EINVAL;
+	}
+
+	/* Make an unfullfilable allocation. */
+	mem = bump_alloc(bytes + 1, 1);
+	if (mem) {
+		bpf_printk("%s:%d bump_alloc succeeded", __func__,
+			   __LINE__);
+		bump_destroy();
+		return -EINVAL;
+	}
+
+	/*
+	 * Amounts to allocations of size alignment, but also
+	 * checks that alignment padding is properly accounted for.
+	 */
+	for (i = 0; i < allocs && can_loop; i++)
+		ALLOC_OR_FAIL(1, alignment);
+
+	/* Even a single byte allocation should fail. */
+	mem = bump_alloc(1, alignment);
+	if (mem) {
+		bpf_printk("%s:%d bump_alloc succeeded", __func__,
+			   __LINE__);
+		bump_destroy();
+		return -EINVAL;
+	}
+
+	bump_destroy();
+	return 0;
+}
+
+#define BUMP_ALLOC_SELFTEST(suffix, ...) \
+	ALLOC_SELFTEST(bump_selftest_##suffix, __VA_ARGS__)
+
+
+SEC("syscall")
+int bump_selftest(void)
+{
+	int shift, ashift;
+	u64 alignment;
+	u64 bytes;
+
+	/* Each test manages its own allocator lifecycle. */
+
+	bpf_for(shift, PAGE_SHIFT, ST_BYTES_MAX_SHIFT + 1) {
+		bytes = 1ULL << shift;
+		bpf_for(ashift, PAGE_SHIFT, shift + 1) {
+			alignment = 1ULL << ashift;
+			BUMP_ALLOC_SELFTEST(alloc_single, bytes, alignment);
+			BUMP_ALLOC_SELFTEST(alloc_multiple, bytes, alignment);
+		}
+	}
+
+	BUMP_ALLOC_SELFTEST(alloc_aligned);
+
+	bytes = 1ULL << ST_BYTES_MAX_SHIFT;
+	bpf_for(ashift, ST_MIN_ALIGN_SHIFT, ST_MAX_ALIGN_SHIFT + 1) {
+		alignment = 1ULL << ashift;
+		BUMP_ALLOC_SELFTEST(alloc_exhaustion, bytes, alignment);
+	}
+
+	return 0;
+}
+
+__weak char _license[] SEC("license") = "GPL";
-- 
2.49.0

[PATCH v2 10/13] selftest: bpf: Add libarena stack allocator

[Emil Tsalapatis]

From: Emil Tsalapatis <etsal@meta.com>

Add a page-oriented stack allocator to libarena. The allocator
is targeted towards large, page-aligned allocations for BPF
programs and can serve as an intermediate location for pages
freed by custom allocators like slab allocators to avoid constantly
allocating and freeing arena pages.

Signed-off-by: Emil Tsalapatis (Meta) <emil@etsalapatis.com>
---
 .../selftests/bpf/libarena/include/stack.h    |  44 +++
 .../selftests/bpf/libarena/src/stack.bpf.c    | 338 ++++++++++++++++++
 2 files changed, 382 insertions(+)
 create mode 100644 tools/testing/selftests/bpf/libarena/include/stack.h
 create mode 100644 tools/testing/selftests/bpf/libarena/src/stack.bpf.c

diff --git a/tools/testing/selftests/bpf/libarena/include/stack.h b/tools/testing/selftests/bpf/libarena/include/stack.h
new file mode 100644
index 000000000000..9f9d8fb47935
--- /dev/null
+++ b/tools/testing/selftests/bpf/libarena/include/stack.h
@@ -0,0 +1,44 @@
+#pragma once
+
+struct stk_seg;
+typedef struct stk_seg __arena stk_seg_t;
+
+/*
+ * We devote a single page to stk_seg, and size
+ * the void * array so it fits exactly in it.
+ * Account for prev/next pointers (2 * sizeof(void *)).
+ */
+#define STK_SEG_MAX ((__PAGE_SIZE - 2 * sizeof(void *)) / sizeof(void *))
+
+struct stk_seg {
+	void __arena	*elems[STK_SEG_MAX];
+	stk_seg_t	*prev;
+	stk_seg_t	*next;
+};
+
+/*
+ * Extensible stack struct.
+ */
+struct stk {
+	arena_spinlock_t __arena *lock;
+
+	stk_seg_t *first;	/* First stack segment. */
+	stk_seg_t *last;
+
+	stk_seg_t *current;	/* Current stack segment. */
+	__u64 cind;
+
+	__u64 capacity;		/* Free slots in the stack. */
+	__u64 available;	/* Available items in the stack. */
+	__u64 data_size;
+	__u64 nr_pages_per_alloc;
+};
+
+
+u64 stk_alloc(struct stk *stack);
+int stk_init(struct stk *stackp, arena_spinlock_t __arena *lock,
+		__u64 data_size, __u64 nr_pages_per_alloc);
+void stk_destroy(struct stk *stack);
+int stk_free_internal(struct stk *stack, __u64 elem);
+
+#define stk_free(stack, elem) stk_free_internal(stack, (__u64)elem)
diff --git a/tools/testing/selftests/bpf/libarena/src/stack.bpf.c b/tools/testing/selftests/bpf/libarena/src/stack.bpf.c
new file mode 100644
index 000000000000..068cdd75bffc
--- /dev/null
+++ b/tools/testing/selftests/bpf/libarena/src/stack.bpf.c
@@ -0,0 +1,338 @@
+/*
+ * SPDX-License-Identifier: GPL-2.0
+ * Copyright (c) 2024-2025 Meta Platforms, Inc. and affiliates.
+ * Copyright (c) 2024-2025 Emil Tsalapatis <etsal@meta.com>
+ */
+
+#include <common.h>
+#include <asan.h>
+#include <stack.h>
+
+/*
+ * Necessary for cond_break/can_loop's semantics. According to kernel commit
+ * 011832b, the loop counter variable must be seen as imprecise and bounded
+ * by the verifier. Initializing it from a constant (e.g., i = 0;), then,
+ * makes it precise and prevents may_goto from helping with converging the
+ * loop. For these loops we must initialize the loop counter from a variable
+ * whose value the verifier cannot reason about when checking the program, so
+ * that the loop counter's value is imprecise.
+ */
+static __u64 zero = 0;
+
+enum {
+	STACK_POISONED = (s8)0xef,
+};
+
+__hidden int stk_init(struct stk *stack,
+			  arena_spinlock_t __arg_arena __arena *lock,
+			  __u64 data_size, __u64 nr_pages_per_alloc)
+{
+	if (!stack)
+		return -EINVAL;
+
+	stack->data_size = data_size;
+	stack->nr_pages_per_alloc = nr_pages_per_alloc;
+	stack->lock = lock;
+
+	return 0;
+}
+
+__hidden void stk_destroy(struct stk *stack)
+{
+	stk_seg_t *seg, *next;
+	__u64 nr_pages;
+
+	/* Operation happens unlocked since we are called last. */
+
+	if (!stack)
+		return;
+
+	nr_pages = stack->nr_pages_per_alloc;
+
+	for (seg = stack->first; seg && can_loop; seg = next) {
+		next = seg->next;
+		asan_unpoison(seg, sizeof(*seg));
+		bpf_arena_free_pages(&arena, seg, nr_pages);
+	}
+
+	stack->first = NULL;
+	stack->last = NULL;
+
+	stack->current = NULL;
+	stack->cind = 0;
+
+	stack->capacity = 0;
+	stack->available = 0;
+	stack->data_size = 0;
+	stack->nr_pages_per_alloc = 0;
+}
+
+static int stk_push(struct stk *stack, void __arena *elem)
+{
+	stk_seg_t *stk_seg = stack->current;
+	int ridx = stack->cind;
+
+	stack->current->elems[stack->cind] = elem;
+
+	ridx += 1;
+
+	/* Possibly loop into the next segment. */
+	if (ridx == STK_SEG_MAX) {
+		ridx = 0;
+		stk_seg = stk_seg->next;
+		if (!stk_seg)
+			return -ENOSPC;
+	}
+
+	stack->current = stk_seg;
+	stack->cind = ridx;
+
+	stack->capacity -= 1;
+	stack->available += 1;
+
+	return 0;
+}
+
+static void __arena *stk_pop(struct stk *stack)
+{
+	stk_seg_t *stk_seg = stack->current;
+	void __arena *elem;
+	int ridx = stack->cind;
+
+	/* Possibly loop into previous segment. */
+	if (ridx == 0) {
+		ridx = STK_SEG_MAX;
+		stk_seg = stack->current->prev;
+		/* Possibly loop back into the last segment. */
+		if (!stk_seg)
+			return NULL;
+	}
+
+	ridx -= 1;
+
+	stack->current = stk_seg;
+	stack->cind = ridx;
+
+	elem = stack->current->elems[stack->cind];
+
+	stack->capacity += 1;
+	stack->available -= 1;
+
+	return elem;
+}
+
+static int stk_seg_to_data(struct stk *stack, size_t nelems)
+{
+	int ret, i;
+	u64 data;
+
+	/* Do we have enough empty segments for the conversion? */
+	if (!stack->first || stack->first == stack->last)
+		return -ENOMEM;
+
+	data = (u64)stack->last;
+
+	stack->last->prev->next = NULL;
+	stack->last = stack->last->prev;
+
+	/* We removed a segment. */
+	stack->capacity -= STK_SEG_MAX;
+
+	for (i = zero; i < nelems && can_loop; i++) {
+		asan_poison((void __arena *)data, STACK_POISONED,
+			    sizeof(struct stk_seg));
+
+		/* This operation should never fail. */
+		ret = stk_push(stack, (void __arena *)data);
+		if (ret)
+			return ret;
+
+		data += stack->data_size;
+	}
+
+	return 0;
+}
+
+static void stk_extend(struct stk *stack, stk_seg_t *stk_seg)
+{
+	if (stack->last)
+		stack->last->next = stk_seg;
+
+	stk_seg->prev = stack->last;
+	stk_seg->next = NULL;
+
+	stack->last = stk_seg;
+	stack->capacity += STK_SEG_MAX;
+
+	if (!stack->first)
+		stack->current = stack->first = stk_seg;
+
+	/*
+	 * Do not adjust the current segment/idx because we did not add
+	 * any elements. The new segment will be pushed into during the next
+	 * allocation.
+	 */
+}
+
+static int stk_free_unlocked(struct stk *stack, void __arena *elem)
+{
+	if (!stack)
+		return -EINVAL;
+
+	asan_poison(elem, STACK_POISONED, stack->data_size);
+
+	/* If no more room, repurpose the allocation into a segment. */
+	if (stack->capacity == 0) {
+		asan_unpoison(elem, sizeof(struct stk_seg));
+
+		stk_extend(stack, (stk_seg_t *)elem);
+		return 0;
+	}
+
+	return stk_push(stack, elem);
+}
+
+__weak int stk_free_internal(struct stk *stack, __u64 elem)
+{
+	int ret;
+
+	if (!stack)
+		return -EINVAL;
+
+	ret = arena_spin_lock(stack->lock);
+	if (ret)
+		return ret;
+
+	ret = stk_free_unlocked(stack, (void __arena *)elem);
+
+	arena_spin_unlock(stack->lock);
+
+	return ret;
+}
+
+static int stk_get_arena_memory(struct stk *stack, __u64 nr_pages, stk_seg_t **data_seg, stk_seg_t **stk_seg)
+{
+	size_t nstk_segs;
+	u64 mem;
+
+	_Static_assert(sizeof(struct stk_seg) <= __PAGE_SIZE,
+		       "segment must fit into a page");
+
+	/*
+	 * The code allocates new memory only as segments. The allocation and
+	 * free code freely typecasts the segment buffer into data that can be
+	 * allocated, and vice versa to avoid either ending up with too many
+	 * empty segments under memory pressure, or having no space in the segment
+	 * buffer for a buffer currently being freed.
+	 */
+
+	if (!stack)
+		return -EINVAL;
+
+	nstk_segs = stk_seg ? 2 : 1;
+
+	mem = (__u64)bpf_arena_alloc_pages(&arena, NULL, nstk_segs * nr_pages,
+					   NUMA_NO_NODE, 0);
+	if (!mem)
+		return -ENOMEM;
+
+	/* Poison the entire data segment allocated */
+	*data_seg = (stk_seg_t *)mem;
+	asan_poison((void __arena *)mem, STACK_POISONED, nr_pages * __PAGE_SIZE);
+
+	if (!stk_seg)
+		return 0;
+
+	/* Skip the segment metadata when poisoning. */
+	*stk_seg = (stk_seg_t *)(mem + nr_pages * __PAGE_SIZE);
+	asan_poison((void __arena *)(mem + sizeof(**stk_seg)), STACK_POISONED,
+		nr_pages * __PAGE_SIZE);
+
+	return 0;
+}
+
+static int stk_fill_new_elems(struct stk *stack)
+{
+	stk_seg_t *data_seg, *stk_seg;
+	bool need_stk_seg;
+	__u64 nr_pages;
+	size_t nelems;
+	int ret, i;
+	u64 mem;
+
+	nr_pages = stack->nr_pages_per_alloc;
+	nelems = (nr_pages * __PAGE_SIZE) / stack->data_size;
+	if (nelems > STK_SEG_MAX) {
+		return -EINVAL;
+	}
+
+	/*
+	 * If we have more than two empty segments available,
+	 * try to repurpose one of them into an allocation.
+	 */
+	ret = stk_seg_to_data(stack, nelems);
+	if (!ret)
+		return 0;
+
+	need_stk_seg = stack->capacity < nelems;
+
+	/* Get memory for a new data segment, and possibly a stack segment if necessary. */
+	ret = stk_get_arena_memory(stack, nr_pages, &data_seg, need_stk_seg ? &stk_seg : NULL);
+	if (ret)
+		return ret;
+
+	if (need_stk_seg)
+		stk_extend(stack, stk_seg);
+
+	mem = (u64)data_seg;
+	for (i = zero; i < nelems && can_loop; i++) {
+		ret = stk_push(stack, (void __arena *)mem);
+		if (ret)
+			return ret;
+		mem += stack->data_size;
+	}
+
+	return 0;
+}
+
+static inline __u64 stk_alloc_unlocked(struct stk *stack)
+{
+	void __arena *elem;
+	int ret;
+
+	/* If segment buffer is empty, we have to populate it. */
+	if (stack->available == 0) {
+		/* The call drops the lock on error. */
+		ret = stk_fill_new_elems(stack);
+		if (ret)
+			return 0ULL;
+	}
+
+	/* An elem value of 0 implies error, drop the lock. */
+	elem = stk_pop(stack);
+	if (elem)
+		asan_unpoison(elem, stack->data_size);
+
+	return (__u64)elem;
+}
+
+__weak __u64 stk_alloc(struct stk *stack)
+{
+	u64 elem;
+
+	if (!stack) {
+		bpf_printk("using uninitialized stack allocator");
+		return 0ULL;
+	}
+
+	if (arena_spin_lock(stack->lock))
+		return 0ULL;
+
+	elem = stk_alloc_unlocked(stack);
+
+	arena_spin_unlock(stack->lock);
+
+	return (u64)elem;
+}
+
+__weak char _license[] SEC("license") = "GPL";
-- 
2.49.0

Re: [PATCH v2 10/13] selftest: bpf: Add libarena stack allocator

[bot+bpf-ci]

[-- Attachment #1: Type: text/plain, Size: 3373 bytes --]

> diff --git a/tools/testing/selftests/bpf/libarena/src/stack.bpf.c b/tools/testing/selftests/bpf/libarena/src/stack.bpf.c
> new file mode 100644
> index 000000000000..068cdd75bffc
> --- /dev/null
> +++ b/tools/testing/selftests/bpf/libarena/src/stack.bpf.c

[ ... ]

> +static int stk_seg_to_data(struct stk *stack, size_t nelems)
> +{
> +	int ret, i;
> +	u64 data;
> +
> +	/* Do we have enough empty segments for the conversion? */
> +	if (!stack->first || stack->first == stack->last)
> +		return -ENOMEM;
> +
> +	data = (u64)stack->last;
> +
> +	stack->last->prev->next = NULL;
> +	stack->last = stack->last->prev;
> +
> +	/* We removed a segment. */
> +	stack->capacity -= STK_SEG_MAX;
> +
> +	for (i = zero; i < nelems && can_loop; i++) {
> +		asan_poison((void __arena *)data, STACK_POISONED,
> +			    sizeof(struct stk_seg));

Should this be using stack->data_size instead of sizeof(struct stk_seg)?

The loop advances data by stack->data_size on each iteration, but poisons
sizeof(struct stk_seg) bytes. If data_size differs from sizeof(struct stk_seg),
the ASAN shadow map will be incorrectly populated. When data_size is smaller,
this over-poisons and can corrupt the shadow map for adjacent elements.

> +
> +		/* This operation should never fail. */
> +		ret = stk_push(stack, (void __arena *)data);
> +		if (ret)
> +			return ret;
> +
> +		data += stack->data_size;
> +	}
> +
> +	return 0;
> +}

[ ... ]

> +static int stk_get_arena_memory(struct stk *stack, __u64 nr_pages, stk_seg_t **data_seg, stk_seg_t **stk_seg)
> +{
> +	size_t nstk_segs;
> +	u64 mem;
> +
> +	_Static_assert(sizeof(struct stk_seg) <= __PAGE_SIZE,
> +		       "segment must fit into a page");

[ ... ]

> +	/* Poison the entire data segment allocated */
> +	*data_seg = (stk_seg_t *)mem;
> +	asan_poison((void __arena *)mem, STACK_POISONED, nr_pages * __PAGE_SIZE);
> +
> +	if (!stk_seg)
> +		return 0;
> +
> +	/* Skip the segment metadata when poisoning. */
> +	*stk_seg = (stk_seg_t *)(mem + nr_pages * __PAGE_SIZE);
> +	asan_poison((void __arena *)(mem + sizeof(**stk_seg)), STACK_POISONED,
> +		nr_pages * __PAGE_SIZE);

Is the base address for this asan_poison call correct? The stack segment is
located at (mem + nr_pages * __PAGE_SIZE), but the poison starts at
(mem + sizeof(**stk_seg)). With nr_pages=4, the stack segment starts at
offset 16384 from mem, but this poisons starting at offset 4096.

The comment says to skip the segment metadata, so the intended poisoning
should start at the stack segment address plus sizeof(**stk_seg), not at
mem plus sizeof(**stk_seg). This appears to poison part of the data segment
and the beginning of the stack segment incorrectly.

> +
> +	return 0;
> +}


---
AI reviewed your patch. Please fix the bug or email reply why it's not a bug.
See: https://github.com/kernel-patches/vmtest/blob/master/ci/claude/README.md

CI run summary: https://github.com/kernel-patches/bpf/actions/runs/21409286496

AI-authorship-score: low
AI-authorship-explanation: Code shows typical human patterns with domain-specific BPF arena knowledge and standard kernel coding style; bugs found are typical human errors rather than AI-generated patterns
issues-found: 2
issue-severity-score: low
issue-severity-explanation: Two ASAN poisoning issues in selftest code that could cause incorrect shadow map population but do not affect production kernel behavior

[PATCH v2 11/13] selftests: bpf: Add selftests for the libarena stack allocator

[Emil Tsalapatis]

From: Emil Tsalapatis <etsal@meta.com>

Add ASAN selftests for the stack allocators to ensure proper
ASAN integration.

Signed-off-by: Emil Tsalapatis (Meta) <emil@etsalapatis.com>
---
 .../bpf/libarena/selftests/selftest.c         |   2 +
 .../libarena/selftests/st_asan_stack.bpf.c    | 253 ++++++++++++++++++
 2 files changed, 255 insertions(+)
 create mode 100644 tools/testing/selftests/bpf/libarena/selftests/st_asan_stack.bpf.c

diff --git a/tools/testing/selftests/bpf/libarena/selftests/selftest.c b/tools/testing/selftests/bpf/libarena/selftests/selftest.c
index a0fd7a2e6c46..3e4b8754889f 100644
--- a/tools/testing/selftests/bpf/libarena/selftests/selftest.c
+++ b/tools/testing/selftests/bpf/libarena/selftests/selftest.c
@@ -269,6 +269,7 @@ TEST(bump_selftest);
 
 #ifdef BPF_ARENA_ASAN
 TEST(asan_test_bump);
+TEST(asan_test_stack);
 #endif
 
 static void
@@ -316,6 +317,7 @@ int main(int argc, char *argv[])
 
 #ifdef BPF_ARENA_ASAN
 	run_asan_test_bump();
+	run_asan_test_stack();
 #endif
 
 	return 0;
diff --git a/tools/testing/selftests/bpf/libarena/selftests/st_asan_stack.bpf.c b/tools/testing/selftests/bpf/libarena/selftests/st_asan_stack.bpf.c
new file mode 100644
index 000000000000..a4c1780e4247
--- /dev/null
+++ b/tools/testing/selftests/bpf/libarena/selftests/st_asan_stack.bpf.c
@@ -0,0 +1,253 @@
+/*
+ * SPDX-License-Identifier: GPL-2.0
+ * Copyright (c) 2025 Meta Platforms, Inc. and affiliates.
+ * Copyright (c) 2025 Emil Tsalapatis <etsal@meta.com>
+ */
+
+#include <common.h>
+
+#include <asan.h>
+#include <stack.h>
+
+#include "selftest.h"
+
+#ifdef BPF_ARENA_ASAN
+
+#include "st_asan_common.h"
+
+#define STACK_PAGES_PER_ALLOC (4)
+#define STACK_ALLOCS (4)
+
+/* 
+ * Keep this test-related array in BSS to avoid
+ * overly burdening the function stack.
+ */
+u64 __arena stk_blks[STACK_ALLOCS];
+
+/*
+ * Spinlock used by the stack allocator.
+ */
+private(ST_STACK) struct stk st_stack;
+u64 __arena st_asan_stack_lock;
+
+static __maybe_unused void stk_blks_dump(void)
+{
+	int i;
+
+	for (i = 0; i < STACK_ALLOCS && can_loop; i++)
+		bpf_printk("[%d] 0x%lx", i, stk_blks[i]);
+}
+
+struct qsort_limits {
+	int lo;
+	int hi;
+};
+
+__always_inline void swap(unsigned int i, unsigned int j)
+{
+	u64 tmp;
+
+	tmp = stk_blks[i];
+	stk_blks[i] = stk_blks[j];
+	stk_blks[j] = tmp;
+}
+
+static __always_inline int qsort_partition(unsigned int lo, unsigned hi)
+{
+	unsigned int i;
+	u64 pivotval;
+	int pivot;
+
+	if (lo >= STACK_ALLOCS || hi >= STACK_ALLOCS) {
+		bpf_printk("%s:%d invalid lo/hi indices %d/%d", __func__,
+			   __LINE__, lo, hi);
+		return 0;
+	}
+
+	pivotval = stk_blks[hi];
+	pivot = lo;
+
+	for (i = lo; i < hi && can_loop; i++) {
+		if (stk_blks[i] > pivotval)
+			continue;
+
+		swap(i, pivot);
+		pivot += 1;
+	}
+
+	swap(pivot, hi);
+
+	return pivot;
+}
+
+static __always_inline int qsort_stack_blocks(void)
+{
+	struct qsort_limits stack[STACK_ALLOCS];
+	struct qsort_limits limits;
+	int stackind = 0;
+	int pivot;
+
+	limits = (struct qsort_limits){ 0, STACK_ALLOCS - 1 };
+	stack[stackind++] = limits;
+
+	while (stackind > 0 && can_loop) {
+		if (stackind <= 0 || stackind > STACK_ALLOCS) {
+			bpf_printk("%s:%d invalid stack index %d", __func__,
+				   __LINE__, stackind);
+			return 0;
+		}
+
+		limits = stack[--stackind];
+		if (limits.lo >= limits.hi)
+			continue;
+
+		pivot = qsort_partition(limits.lo, limits.hi);
+		stack[stackind++] = (struct qsort_limits){
+			.lo = limits.lo,
+			.hi = pivot - 1,
+		};
+
+		if (stackind <= 0 || stackind >= STACK_ALLOCS) {
+			bpf_printk("%s:%d invalid stack index", __func__,
+				   __LINE__);
+			return 0;
+		}
+
+		stack[stackind++] = (struct qsort_limits){
+			.lo = pivot + 1,
+			.hi = limits.hi,
+		};
+	}
+
+	return 0;
+}
+
+int asan_test_stack_uaf_oob_single(u8 __arena __arg_arena *alloced,
+				   u8 __arena __arg_arena *freed)
+{
+	const size_t overshoot = 5;
+	int i;
+
+	/* Use after free check. */
+	stk_free(&st_stack, freed);
+
+	bpf_for(i, 0, __PAGE_SIZE) {
+		freed[i] = 0xba;
+		ASAN_VALIDATE_ADDR(true, &freed[i]);
+	}
+
+	/* 
+	 * Out of bounds check. Assuming the blocks before were
+	 * allocated consecutively, past the end of the block
+	 * the memory is guaranteed to be freed.
+	 */
+	bpf_for(i, 0, __PAGE_SIZE + overshoot) {
+		alloced[i] = 0xba;
+		ASAN_VALIDATE_ADDR(i >= __PAGE_SIZE, &alloced[i]);
+	}
+
+	return 0;
+}
+
+static int asan_sort_stack_blocks()
+{
+	int i;
+
+	qsort_stack_blocks();
+
+	if (!stk_blks[0]) {
+		bpf_printk("NULL stack block pointer");
+		return -EINVAL;
+	}
+
+	for (i = 1; i < STACK_ALLOCS; i++) {
+		if (!stk_blks[i]) {
+			bpf_printk("missing block");
+			return -EINVAL;
+		}
+
+		if (stk_blks[i] != stk_blks[i - 1] + __PAGE_SIZE) {
+			bpf_printk("allocations not consecutive");
+			return -EINVAL;
+		}
+	}
+
+	return 0;
+}
+
+static __always_inline int asan_test_stack_uaf_oob(void)
+{
+	u64 base = (u64)(-1);
+	const u64 alloc_size = 4096;
+	u64 block;
+	int ret, i;
+
+	/* Set the stack to support 4KiB allocations. */
+	ret = stk_init(&st_stack, (arena_spinlock_t __arena *)&st_asan_stack_lock,
+			   alloc_size, STACK_PAGES_PER_ALLOC);
+	if (ret) {
+		bpf_printk("stk_init failed with %d", ret);
+		return ret;
+	}
+
+	bpf_for(i, 0, STACK_ALLOCS) {
+		block = (u64)stk_alloc(&st_stack);
+		if (!block) {
+			bpf_printk("allocation %d failed", i);
+			return -ENOMEM;
+		}
+
+		stk_blks[i] = block;
+		base = block < base ? block : base;
+	}
+
+	ret = asan_sort_stack_blocks();
+	if (ret)
+		return ret;
+
+	for (i = 0; i < STACK_ALLOCS && can_loop; i += 2) {
+		if (i + 1 >= STACK_ALLOCS)
+			break;
+
+		if (stk_blks[i] + alloc_size != stk_blks[i + 1]) {
+			bpf_printk("Stack allocations not consecutive");
+			return -EINVAL;
+		}
+
+		ret = asan_test_stack_uaf_oob_single(
+			(u8 __arena *)stk_blks[i],
+			(u8 __arena *)stk_blks[i + 1]);
+		if (ret)
+			return ret;
+	}
+
+	stk_destroy(&st_stack);
+
+	return 0;
+}
+
+SEC("syscall")
+int asan_test_stack(void)
+{
+	int ret;
+
+	ret = asan_test_stack_uaf_oob();
+	if (ret) {
+		bpf_printk("%s:%d test failed", __func__, __LINE__);
+		return ret;
+	}
+
+	return 0;
+}
+
+#else
+
+SEC("syscall")
+int asan_test_stack(void)
+{
+	return -EOPNOTSUPP;
+}
+
+#endif /* BPF_ARENA_ASAN */
+
+__weak char _license[] SEC("license") = "GPL";
-- 
2.49.0

Re: [PATCH v2 11/13] selftests: bpf: Add selftests for the libarena stack allocator

[Alexei Starovoitov]

On Tue, Jan 27, 2026 at 10:16 AM Emil Tsalapatis <emil@etsalapatis.com> wrote:
>
> From: Emil Tsalapatis <etsal@meta.com>
>
> Add ASAN selftests for the stack allocators to ensure proper
> ASAN integration.
>
> Signed-off-by: Emil Tsalapatis (Meta) <emil@etsalapatis.com>
> ---
>  .../bpf/libarena/selftests/selftest.c         |   2 +
>  .../libarena/selftests/st_asan_stack.bpf.c    | 253 ++++++++++++++++++
>  2 files changed, 255 insertions(+)
>  create mode 100644 tools/testing/selftests/bpf/libarena/selftests/st_asan_stack.bpf.c
>
> diff --git a/tools/testing/selftests/bpf/libarena/selftests/selftest.c b/tools/testing/selftests/bpf/libarena/selftests/selftest.c
> index a0fd7a2e6c46..3e4b8754889f 100644
> --- a/tools/testing/selftests/bpf/libarena/selftests/selftest.c
> +++ b/tools/testing/selftests/bpf/libarena/selftests/selftest.c
> @@ -269,6 +269,7 @@ TEST(bump_selftest);
>
>  #ifdef BPF_ARENA_ASAN
>  TEST(asan_test_bump);
> +TEST(asan_test_stack);
>  #endif
>
>  static void
> @@ -316,6 +317,7 @@ int main(int argc, char *argv[])
>
>  #ifdef BPF_ARENA_ASAN
>         run_asan_test_bump();
> +       run_asan_test_stack();
>  #endif
>
>         return 0;
> diff --git a/tools/testing/selftests/bpf/libarena/selftests/st_asan_stack.bpf.c b/tools/testing/selftests/bpf/libarena/selftests/st_asan_stack.bpf.c
> new file mode 100644
> index 000000000000..a4c1780e4247
> --- /dev/null
> +++ b/tools/testing/selftests/bpf/libarena/selftests/st_asan_stack.bpf.c
> @@ -0,0 +1,253 @@
> +/*
> + * SPDX-License-Identifier: GPL-2.0
> + * Copyright (c) 2025 Meta Platforms, Inc. and affiliates.
> + * Copyright (c) 2025 Emil Tsalapatis <etsal@meta.com>
> + */
> +
> +#include <common.h>
> +
> +#include <asan.h>
> +#include <stack.h>
> +
> +#include "selftest.h"
> +
> +#ifdef BPF_ARENA_ASAN
> +
> +#include "st_asan_common.h"
> +
> +#define STACK_PAGES_PER_ALLOC (4)
> +#define STACK_ALLOCS (4)
> +
> +/*
> + * Keep this test-related array in BSS to avoid
> + * overly burdening the function stack.
> + */
> +u64 __arena stk_blks[STACK_ALLOCS];
> +
> +/*
> + * Spinlock used by the stack allocator.
> + */
> +private(ST_STACK) struct stk st_stack;
> +u64 __arena st_asan_stack_lock;
> +
> +static __maybe_unused void stk_blks_dump(void)
> +{
> +       int i;
> +
> +       for (i = 0; i < STACK_ALLOCS && can_loop; i++)
> +               bpf_printk("[%d] 0x%lx", i, stk_blks[i]);
> +}
> +
> +struct qsort_limits {
> +       int lo;
> +       int hi;
> +};
> +
> +__always_inline void swap(unsigned int i, unsigned int j)
> +{
> +       u64 tmp;
> +
> +       tmp = stk_blks[i];
> +       stk_blks[i] = stk_blks[j];
> +       stk_blks[j] = tmp;
> +}
> +
> +static __always_inline int qsort_partition(unsigned int lo, unsigned hi)
> +{
> +       unsigned int i;
> +       u64 pivotval;
> +       int pivot;
> +
> +       if (lo >= STACK_ALLOCS || hi >= STACK_ALLOCS) {
> +               bpf_printk("%s:%d invalid lo/hi indices %d/%d", __func__,
> +                          __LINE__, lo, hi);
> +               return 0;
> +       }
> +
> +       pivotval = stk_blks[hi];
> +       pivot = lo;
> +
> +       for (i = lo; i < hi && can_loop; i++) {
> +               if (stk_blks[i] > pivotval)
> +                       continue;
> +
> +               swap(i, pivot);
> +               pivot += 1;
> +       }
> +
> +       swap(pivot, hi);
> +
> +       return pivot;
> +}
> +
> +static __always_inline int qsort_stack_blocks(void)

Amount of always_inline here and throughout looks excessive.
Especially for a heavy function like qsort.

Try removing all of them and add only where it's absolutely
necessary and add a comment why.
Like in core asan_loadN() functions it's clear why you want
full inline there, but in selftest... ?

[PATCH v2 12/13] selftests: bpf: Add buddy allocator for libarena

[Emil Tsalapatis]

From: Emil Tsalapatis <etsal@meta.com>

Add a byte-oriented buddy allocator for libarena. The buddy
allocator provides an alloc/free interface for small arena
allocations (down to 16 bytes).

Signed-off-by: Emil Tsalapatis (Meta) <emil@etsalapatis.com>
---
 .../selftests/bpf/libarena/include/buddy.h    |  62 ++
 .../selftests/bpf/libarena/src/buddy.bpf.c    | 784 ++++++++++++++++++
 2 files changed, 846 insertions(+)
 create mode 100644 tools/testing/selftests/bpf/libarena/include/buddy.h
 create mode 100644 tools/testing/selftests/bpf/libarena/src/buddy.bpf.c

diff --git a/tools/testing/selftests/bpf/libarena/include/buddy.h b/tools/testing/selftests/bpf/libarena/include/buddy.h
new file mode 100644
index 000000000000..6154169a0f9c
--- /dev/null
+++ b/tools/testing/selftests/bpf/libarena/include/buddy.h
@@ -0,0 +1,62 @@
+#pragma once
+
+/* Buddy allocator-related structs. */
+
+struct buddy_chunk;
+typedef struct buddy_chunk __arena buddy_chunk_t;
+
+struct buddy_header;
+typedef struct buddy_header __arena buddy_header_t;
+
+enum buddy_consts {
+	BUDDY_MIN_ALLOC_SHIFT	= 4,
+	BUDDY_MIN_ALLOC_BYTES	= 1 << BUDDY_MIN_ALLOC_SHIFT,
+	BUDDY_CHUNK_NUM_ORDERS	= 1 << 4,	/* 4 bits per order */
+	BUDDY_CHUNK_BYTES	= BUDDY_MIN_ALLOC_BYTES << BUDDY_CHUNK_NUM_ORDERS,
+	BUDDY_HEADER_OFF	= 8, /* header byte offset, see buddy.bpf.c for details */
+	BUDDY_CHUNK_PAGES	= BUDDY_CHUNK_BYTES / __PAGE_SIZE,
+	BUDDY_CHUNK_ITEMS	= 1 << BUDDY_CHUNK_NUM_ORDERS,
+	BUDDY_CHUNK_OFFSET_MASK	= BUDDY_CHUNK_BYTES - 1,
+	BUDDY_VADDR_OFFSET	= BUDDY_CHUNK_BYTES,	/* Start aligning at chunk */
+	BUDDY_VADDR_SIZE	= BUDDY_CHUNK_BYTES << 10 /* 1024 chunks maximum */
+};
+
+struct buddy_header {
+	u32 prev_index;	/* "Pointer" to the previous available allocation of the same size. */
+	u32 next_index; /* Same for the next allocation. */
+};
+
+/*
+ * We bring memory into the allocator 1MiB at a time.
+ */
+struct buddy_chunk {
+	/* The order of the current allocation for a item. 4 bits per order. */
+	u8		orders[BUDDY_CHUNK_ITEMS / 2];
+	/* 
+	 * Bit to denote whether chunk is allocated. Size of the allocated/free
+	 * chunk found from the orders array.
+	 */
+	u8		allocated[BUDDY_CHUNK_ITEMS / 8];
+	/* Freelists for O(1) allocation. */
+	u64		freelists[BUDDY_CHUNK_NUM_ORDERS];
+	buddy_chunk_t	*prev;
+	buddy_chunk_t	*next;
+};
+
+struct buddy {
+	buddy_chunk_t *first_chunk;		/* Pointer to the chunk linked list. */
+	arena_spinlock_t __arena *lock;		/* Allocator lock */
+	u64 vaddr;				/* Allocation into reserved vaddr */
+};
+
+#ifdef __BPF__
+
+int buddy_init(struct buddy *buddy, arena_spinlock_t __arena *lock);
+int buddy_destroy(struct buddy *buddy);
+int buddy_free_internal(struct buddy *buddy, u64 free);
+#define buddy_free(buddy, ptr) do { buddy_free_internal((buddy), (u64)(ptr)); } while (0)
+u64 buddy_alloc_internal(struct buddy *buddy, size_t size);
+#define buddy_alloc(alloc, size) ((void __arena *)buddy_alloc_internal((alloc), (size)))
+
+
+#endif /* __BPF__  */
diff --git a/tools/testing/selftests/bpf/libarena/src/buddy.bpf.c b/tools/testing/selftests/bpf/libarena/src/buddy.bpf.c
new file mode 100644
index 000000000000..f43e1db209be
--- /dev/null
+++ b/tools/testing/selftests/bpf/libarena/src/buddy.bpf.c
@@ -0,0 +1,784 @@
+/*
+ * SPDX-License-Identifier: GPL-2.0
+ * Copyright (c) 2024-2025 Meta Platforms, Inc. and affiliates.
+ * Copyright (c) 2024-2025 Emil Tsalapatis <etsal@meta.com>
+ */
+
+#include <common.h>
+#include <asan.h>
+#include <buddy.h>
+
+volatile int zero = 0;
+
+enum {
+	BUDDY_POISONED = (s8)0xef,
+};
+
+static inline int buddy_lock(struct buddy *buddy)
+{
+	return arena_spin_lock(buddy->lock);
+}
+
+static inline void buddy_unlock(struct buddy *buddy)
+{
+	arena_spin_unlock(buddy->lock);
+}
+
+/*
+ * Reserve part of the arena address space for the allocator. We use
+ * this to get aligned addresses for the chunks, since the arena
+ * page alloc kfuncs do not support alignment.
+ */
+static int buddy_reserve_arena_vaddr(struct buddy *buddy)
+{
+	buddy->vaddr = 0;
+
+	return bpf_arena_reserve_pages(&arena,
+				       (void __arena *)BUDDY_VADDR_OFFSET,
+				       BUDDY_VADDR_SIZE / __PAGE_SIZE);
+}
+
+/*
+ * Free up any unused address space. Used only during teardown.
+ */
+static void buddy_unreserve_arena_vaddr(struct buddy *buddy)
+{
+	bpf_arena_free_pages(
+		&arena, (void __arena *)(BUDDY_VADDR_OFFSET + buddy->vaddr),
+		(BUDDY_VADDR_SIZE - buddy->vaddr) / __PAGE_SIZE);
+
+	buddy->vaddr = 0;
+}
+
+/* 
+ * Carve out part of the reserved address space and hand it over
+ * to the buddy allocator.
+ *
+ * We are assuming the buddy allocator is the only allocator in the
+ * system, so there is no race between this function unreserving a
+ * page range and the 
+ */
+static int buddy_alloc_arena_vaddr(struct buddy *buddy, u64 *vaddrp)
+{
+	u64 vaddr, old, new;
+
+	do {
+		vaddr = buddy->vaddr;
+		new = vaddr + BUDDY_CHUNK_BYTES;
+
+		if (new > BUDDY_VADDR_SIZE)
+			return -EINVAL;
+
+		old = __sync_val_compare_and_swap(&buddy->vaddr, vaddr, new);
+	} while (old != vaddr && can_loop);
+
+	if (old != vaddr)
+		return -EINVAL;
+
+	*vaddrp = BUDDY_VADDR_OFFSET + vaddr;
+
+	return 0;
+}
+
+static u64 arena_next_pow2(__u64 n)
+{
+	n--;
+	n |= n >> 1;
+	n |= n >> 2;
+	n |= n >> 4;
+	n |= n >> 8;
+	n |= n >> 16;
+	n |= n >> 32;
+	n++;
+
+	return n;
+}
+
+__weak
+int idx_set_allocated(buddy_chunk_t __arg_arena *chunk, u64 idx, bool allocated)
+{
+	if (unlikely(idx >= BUDDY_CHUNK_ITEMS)) {
+		arena_stderr("setting order of invalid idx (%d, max %d)\n", idx,
+			     BUDDY_CHUNK_ITEMS);
+		return -EINVAL;
+	}
+
+	if (allocated)
+		chunk->allocated[idx / 8] |= 1 << (idx % 8);
+	else
+		chunk->allocated[idx / 8] &= ~(1 << (idx % 8));
+
+	return 0;
+}
+
+static int idx_is_allocated(buddy_chunk_t *chunk, u64 idx, bool *allocated)
+{
+	if (unlikely(idx >= BUDDY_CHUNK_ITEMS)) {
+		arena_stderr("setting order of invalid idx (%d, max %d)\n", idx,
+			     BUDDY_CHUNK_ITEMS);
+		return -EINVAL;
+	}
+
+	*allocated = chunk->allocated[idx / 8] & (1 << (idx % 8));
+	return 0;
+}
+
+__weak
+int idx_set_order(buddy_chunk_t __arg_arena *chunk, u64 idx, u8 order)
+{
+	u8 prev_order;
+
+	if (unlikely(order >= BUDDY_CHUNK_NUM_ORDERS)) {
+		arena_stderr("setting invalid order %u\n", order);
+		return -EINVAL;
+	}
+
+	if (unlikely(idx >= BUDDY_CHUNK_ITEMS)) {
+		arena_stderr("setting order of invalid idx (%d, max %d)\n", idx,
+			     BUDDY_CHUNK_ITEMS);
+		return -EINVAL;
+	}
+
+	/* 
+	 * We store two order instances per byte, one per nibble.
+	 * Retain the existing nibble.
+	 */
+	prev_order = chunk->orders[idx / 2];
+	if (idx & 0x1) {
+		order &= 0xf;
+		order |= (prev_order & 0xf0);
+	} else {
+		order <<= 4;
+		order |= (prev_order & 0xf);
+	}
+
+	chunk->orders[idx / 2] = order;
+
+	return 0;
+}
+
+static u8 idx_get_order(buddy_chunk_t *chunk, u64 idx)
+{
+	u8 result;
+
+	_Static_assert(BUDDY_CHUNK_NUM_ORDERS <= 16,
+		       "order must fit in 4 bits");
+
+	if (unlikely(idx >= BUDDY_CHUNK_ITEMS)) {
+		arena_stderr("setting order of invalid idx\n");
+		return BUDDY_CHUNK_NUM_ORDERS;
+	}
+
+	result = chunk->orders[idx / 2];
+
+	return (idx & 0x1) ? (result & 0xf) : (result >> 4);
+}
+
+static void __arena *idx_to_addr(buddy_chunk_t *chunk, size_t idx)
+{
+	u64 address;
+
+	if (unlikely(idx >= BUDDY_CHUNK_ITEMS)) {
+		arena_stderr("setting order of invalid idx\n");
+		return NULL;
+	}
+
+	/*
+	 * The data blocks start in the chunk after the metadata block.
+	 * We find the actual address by indexing into the region at an
+	 * BUDDY_MIN_ALLOC_BYTES granularity, the minimum allowed.
+	 * The index number already accounts for the fact that the first
+	 * blocks in the chunk are occupied by the metadata, so we do
+	 * not need to offset it.
+	 */
+
+	address = (u64)chunk + (idx * BUDDY_MIN_ALLOC_BYTES);
+
+	return (void __arena *)address;
+}
+
+static buddy_header_t *idx_to_header(buddy_chunk_t *chunk, size_t idx)
+{
+	bool allocated;
+	u64 address;
+
+	if (unlikely(idx_is_allocated(chunk, idx, &allocated))) {
+		arena_stderr("accessing invalid idx 0x%lx\n", idx);
+		return NULL;
+	}
+
+	if (unlikely(allocated)) {
+		arena_stderr("accessing allocated idx 0x%lx as header\n", idx);
+		return NULL;
+	}
+
+	address = (u64)idx_to_addr(chunk, idx);
+
+	/* 
+	 * Offset the header within the block. This avoids accidental overwrites
+	 * to the header because of off-by-one errors when using adjacent blocks.
+	 *
+	 * The offset has been chosen as a compromise between ASAN effectiveness
+	 * and allocator granularity:
+	 * 1) ASAN dictates valid data runs are 8-byte aligned.
+	 * 2) We want to keep a low minimum allocation size (currently 16).
+	 * 
+	 * As a result, we have only two possible positions for the header: Bytes
+	 * 0 and 8. Keeping the header in byte 0 means off-by-ones from the previous
+	 * block touch the header, and, since the header must be accessible, ASAN
+	 * will not trigger. Keeping the header on byte 8 means off-by-one errors from
+	 * the previous block are caught by ASAN. Negative offsets are rarer, so 
+	 * while accesses into the block from the next block are possible, they are
+	 * less probable.
+	 */
+
+	return (buddy_header_t *)(address + BUDDY_HEADER_OFF);
+}
+
+static void header_add_freelist(buddy_chunk_t  *chunk,
+				buddy_header_t *header, u64 idx, u8 order)
+{
+	buddy_header_t *tmp_header;
+
+	idx_set_order(chunk, idx, order);
+
+	header->next_index = chunk->freelists[order];
+	header->prev_index = BUDDY_CHUNK_ITEMS;
+
+	if (header->next_index != BUDDY_CHUNK_ITEMS) {
+		tmp_header = idx_to_header(chunk, header->next_index);
+		tmp_header->prev_index = idx;
+	}
+
+	chunk->freelists[order] = idx;
+}
+
+static void header_remove_freelist(buddy_chunk_t  *chunk,
+				   buddy_header_t *header, u8 order)
+{
+	buddy_header_t *tmp_header;
+
+	if (header->prev_index != BUDDY_CHUNK_ITEMS) {
+		tmp_header = idx_to_header(chunk, header->prev_index);
+		tmp_header->next_index = header->next_index;
+	}
+
+	if (header->next_index != BUDDY_CHUNK_ITEMS) {
+		tmp_header = idx_to_header(chunk, header->next_index);
+		tmp_header->prev_index = header->prev_index;
+	}
+
+	/* Pop off the list head if necessary. */
+	if (idx_to_header(chunk, chunk->freelists[order]) == header)
+		chunk->freelists[order] = header->next_index;
+
+	header->prev_index = BUDDY_CHUNK_ITEMS;
+	header->next_index = BUDDY_CHUNK_ITEMS;
+}
+
+static u64 size_to_order(size_t size)
+{
+	u64 order;
+
+	if (unlikely(!size)) {
+		arena_stderr("size 0 has no order\n");
+		return 64;
+	}
+
+	/*
+	 * To find the order of the allocation we find the first power of two
+	 * >= the requested size, take the log2, then adjust it for the minimum
+	 * allocation size by removing the minimum shift from it. Requests
+	 * smaller than the minimum allocation size are rounded up.
+	 */
+	order = arena_fls(arena_next_pow2(size));
+	if (order < BUDDY_MIN_ALLOC_SHIFT)
+		return 0;
+
+	return order - BUDDY_MIN_ALLOC_SHIFT;
+}
+
+__weak
+int add_leftovers_to_freelist(buddy_chunk_t __arg_arena *chunk, u32 cur_idx,
+		u64 min_order, u64 max_order)
+{
+	buddy_header_t *header;
+	u64 ord;
+	u32 idx;
+
+	bpf_for(ord, min_order, max_order) {
+		/* Mark the buddy as free and add it to the freelists. */
+		idx = cur_idx + (1 << ord);
+
+		header = idx_to_header(chunk, idx);
+		if (unlikely(!header))
+			return -EINVAL;
+
+		asan_unpoison(header, sizeof(*header));
+
+		idx_set_allocated(chunk, idx, false);
+		header_add_freelist(chunk, header, idx, ord);
+	}
+
+	return 0;
+}
+
+static buddy_chunk_t *buddy_chunk_get(struct buddy *buddy)
+{
+	u64 order, ord, min_order, max_order;
+	buddy_chunk_t  *chunk;
+	size_t left;
+	int power2;
+	u64 vaddr;
+	u32 idx;
+	int ret;
+
+	buddy_unlock(buddy);
+
+	ret = buddy_alloc_arena_vaddr(buddy, &vaddr);
+	if (ret)
+		return NULL;
+
+	/* Addresses must be aligned to the chunk boundary. */
+	if (vaddr % BUDDY_CHUNK_BYTES)
+		return NULL;
+
+	/* Unreserve the address space. */
+	bpf_arena_free_pages(&arena, (void __arena *)vaddr,
+			     BUDDY_CHUNK_PAGES);
+
+	chunk = bpf_arena_alloc_pages(&arena, (void __arena *)vaddr,
+				      BUDDY_CHUNK_PAGES, NUMA_NO_NODE, 0);
+	if (!chunk) {
+		arena_stderr("[ALLOC FAILED]");
+		return NULL;
+	}
+
+	if ((ret = buddy_lock(buddy))) {
+		bpf_arena_free_pages(&arena, chunk, BUDDY_CHUNK_PAGES);
+		return NULL;
+	}
+
+	asan_poison(chunk, BUDDY_POISONED, BUDDY_CHUNK_PAGES * __PAGE_SIZE);
+
+	/* Unpoison the chunk itself. */
+	asan_unpoison(chunk, sizeof(*chunk));
+
+	/* Mark all freelists as empty. */
+	bpf_for(ord, 0, BUDDY_CHUNK_NUM_ORDERS)
+		chunk->freelists[ord] = BUDDY_CHUNK_ITEMS;
+
+	/*
+	 * Initialize the chunk by carving out the first page to hold the metadata struct above,
+	 * then dumping the rest of the pages into the allocator.
+	 */
+
+	_Static_assert(BUDDY_CHUNK_PAGES * __PAGE_SIZE >=
+			       BUDDY_MIN_ALLOC_BYTES *
+				       BUDDY_CHUNK_ITEMS,
+		       "chunk must fit within the allocation");
+
+	/*
+	 * Step 2: Reserve a chunk for the chunk metadata, then breaks
+	 * the rest of the full allocation into the different buckets.
+	 * We allocating the memory by grabbing blocks of progressively
+	 * smaller sizes from the allocator, which are guaranteed to be
+	 * continuous.
+	 *
+	 * This operation also populates the allocator.
+	 *
+	 * Algorithm:
+	 *
+	 * - max_order: The last order allocation we made
+	 * - left: How many bytes are left to allocate
+	 * - cur_index: Current index into the top-level block we are 
+	 * allocating from.
+	 * 
+	 * Step:
+	 * - Find the largest power-of-2 allocation still smaller than left (infimum)
+	 * - Reserve a chunk of that size, along with its buddy
+	 * - For every order from [infimum + 1, last order), carve out a block 
+	 *   and put it into the allocator.
+	 *
+	 *  Example: Chunk size 0b1010000 (80 bytes)
+	 *
+	 *  Step 1:
+	 *
+	 *   idx  infimum			   1 << max_order
+	 *   0 	      64	128		      1 << 20	
+	 *   |________|_________|______________________|
+	 *
+	 *   Blocks set aside:
+	 *   	[0, 64)		- Completely allocated
+	 *   	[64, 128)	- Will be further split in the next iteration
+	 *   
+	 *   Blocks added to the allocator:
+	 *   	[128, 256)
+	 *   	[256, 512)
+	 *   	...
+	 *   	[1 << 18, 1 << 19)
+	 *   	[1 << 19, 1 << 20)
+	 *
+	 *  Step 2:
+	 *
+	 *   idx  infimum			   idx + 1 << max_order
+	 *   64	      80	96		   	64 + 1 << 6 = 128
+	 *   |________|_________|______________________|
+	 *
+	 *   Blocks set aside:
+	 *   	[64, 80)	- Completely allocated
+	 *   
+	 *   Blocks added to the allocator:
+	 *      [80, 96) - left == 0 so the buddy is unused and marked as freed
+	 *   	[96, 128)
+	 */
+	max_order = BUDDY_CHUNK_NUM_ORDERS;
+	left = sizeof(*chunk);
+	idx = 0;
+	while (left && can_loop) {
+		power2 = arena_fls(left);
+		if (unlikely(power2 >= BUDDY_CHUNK_NUM_ORDERS)) {
+			arena_stderr(
+				"buddy chunk metadata require allocation of order %d\n",
+				power2);
+			arena_stderr(
+				"chunk has size of 0x%lx bytes (left %lx bytes)\n",
+				sizeof(*chunk), left);
+
+			buddy_unlock(buddy);
+			return NULL;
+		}
+
+		/* Round up allocations that are too small. */
+
+		left -= (power2 >= BUDDY_MIN_ALLOC_SHIFT) ? 1 << power2 : left;
+		order = (power2 >= BUDDY_MIN_ALLOC_SHIFT) ? power2 - BUDDY_MIN_ALLOC_SHIFT : 0;
+
+		idx_set_allocated(chunk, idx, true);
+
+		/* 
+		 * Starting an order above the one we allocated, populate
+		 * the allocator with free blocks. If this is the last
+		 * allocation (left == 0), also mark the buddy as free.
+		 */
+		min_order = left ? order + 1 : order;
+		if (add_leftovers_to_freelist(chunk, idx, min_order, max_order)) {
+			buddy_unlock(buddy);
+			return NULL;
+		}
+
+		/* Adjust the index. */
+		idx += 1 << order;
+		max_order = order;
+	}
+
+	return chunk;
+}
+
+__hidden int buddy_init(struct buddy			 *buddy,
+			    arena_spinlock_t __arg_arena __arena *lock)
+{
+	buddy_chunk_t *chunk;
+	int ret;
+
+	buddy->lock = lock;
+
+	if (!asan_ready())
+		return -EINVAL;
+
+	/* 
+	 * Reserve enough address space to ensure allocations are aligned.
+	 */
+	if ((ret = buddy_reserve_arena_vaddr(buddy)))
+		return ret;
+
+	_Static_assert(BUDDY_CHUNK_PAGES > 0,
+		       "chunk must use one or more pages");
+
+	/* Chunk is already properly unpoisoned if allocated. */
+	if (buddy_lock(buddy))
+		return -EINVAL;
+
+	chunk = buddy_chunk_get(buddy);
+	if (!chunk) {
+		buddy->first_chunk = NULL;
+		return -ENOMEM;
+	}
+
+	/* Put the chunk at the beginning of the list. */
+	chunk->next = buddy->first_chunk;
+	chunk->prev = NULL;
+	buddy->first_chunk = chunk;
+
+	buddy_unlock(buddy);
+
+	return 0;
+}
+
+/*
+ * Destroy the allocator. This does not check whether there are any allocations
+ * currently in use, so any pages being accessed will start taking arena faults.
+ * We do not take a lock because we are freeing arena pages, and nobody should
+ * be using the allocator at that point in the execution.
+ */
+__weak int buddy_destroy(struct buddy *buddy)
+{
+	buddy_chunk_t *chunk, *next;
+
+	if (!buddy)
+		return -EINVAL;
+
+	/*
+	 * Traverse all buddy chunks and free them back to the arena
+	 * with the same granularity they were allocated with.
+	 */
+	for (chunk = buddy->first_chunk; chunk && can_loop; chunk = next) {
+		next = chunk->next;
+
+		/* Wholesale poison the entire block. */
+		asan_poison(chunk, BUDDY_POISONED,
+			    BUDDY_CHUNK_PAGES * __PAGE_SIZE);
+		bpf_arena_free_pages(&arena, chunk, BUDDY_CHUNK_PAGES);
+	}
+
+	/* Free up any part of the address space that did not get used. */
+	buddy_unreserve_arena_vaddr(buddy);
+
+	/* Clear all fields. */
+	buddy->first_chunk = NULL;
+
+	return 0;
+}
+
+__weak u64 buddy_chunk_alloc(buddy_chunk_t __arg_arena *chunk,
+				 int				order_req)
+{
+	buddy_header_t *header, *tmp_header, *next_header;
+	u32 idx, tmpidx, retidx;
+	u64 address;
+	u64 order = 0;
+	u64 i;
+
+	bpf_for(order, order_req, BUDDY_CHUNK_NUM_ORDERS) {
+		if (chunk->freelists[order] != BUDDY_CHUNK_ITEMS)
+			break;
+	}
+
+	if (order >= BUDDY_CHUNK_NUM_ORDERS)
+		return (u64)NULL;
+
+	retidx = chunk->freelists[order];
+	header = idx_to_header(chunk, retidx);
+	chunk->freelists[order] = header->next_index;
+
+	if (header->next_index != BUDDY_CHUNK_ITEMS) {
+		next_header = idx_to_header(chunk, header->next_index);
+		next_header->prev_index = BUDDY_CHUNK_ITEMS;
+	}
+
+	header->prev_index = BUDDY_CHUNK_ITEMS;
+	header->next_index = BUDDY_CHUNK_ITEMS;
+	if (idx_set_order(chunk, retidx, order_req))
+		return (u64)NULL;
+
+	if (idx_set_allocated(chunk, retidx, true))
+		return (u64)NULL;
+
+	/* 
+	 * Do not unpoison the address yet, will be done by the caller
+	 * because the caller has the exact allocation size requested.
+	 */
+	address = (u64)idx_to_addr(chunk, retidx);
+
+	/* If we allocated from a larger-order chunk, split the buddies. */
+	bpf_for(i, order_req, order) {
+		/*
+		 * Flip the bit for the current order (the bit is guaranteed
+		 * to be 0, so just add 1 << i). 
+		 */
+		idx = retidx + (1 << i);
+
+		/* Add the buddy of the allocation to the free list. */
+		header = idx_to_header(chunk, idx);
+		/* Unpoison the buddy header */
+		asan_unpoison(header, sizeof(*header));
+		if (idx_set_allocated(chunk, idx, false))
+			return (u64)NULL;
+
+		if (idx_set_order(chunk, idx, i))
+			return (u64)NULL;
+
+		/* Push the header to the beginning of the freelists list. */
+		tmpidx = chunk->freelists[i];
+
+		header->prev_index = BUDDY_CHUNK_ITEMS;
+		header->next_index = tmpidx;
+
+		if (tmpidx != BUDDY_CHUNK_ITEMS) {
+			tmp_header = idx_to_header(chunk, tmpidx);
+			tmp_header->prev_index = idx;
+		}
+
+		chunk->freelists[i] = idx;
+	}
+
+	return address;
+}
+
+__weak
+u64 buddy_alloc_internal(struct buddy *buddy, size_t size)
+{
+	buddy_chunk_t *chunk;
+	u64 address;
+	int order;
+
+	if (!buddy)
+		return (u64)NULL;
+
+	order = size_to_order(size);
+	if (order >= BUDDY_CHUNK_NUM_ORDERS || order < 0) {
+		arena_stderr("invalid order %d (sz %lu)\n", order, size);
+		return (u64)NULL;
+	}
+
+	if (buddy_lock(buddy))
+		return (u64)NULL;
+
+	for (chunk = buddy->first_chunk; chunk != NULL && can_loop;
+	     chunk = chunk->next) {
+		address = buddy_chunk_alloc(chunk, order);
+		if (address)
+			goto done;
+	}
+
+	/* Get a new chunk. */
+	chunk = buddy_chunk_get(buddy);
+	if (!chunk)
+		return (u64)NULL;
+
+	/* Add the chunk into the allocator and retry. */
+	chunk->next = buddy->first_chunk;
+	chunk->prev = NULL;
+	buddy->first_chunk = chunk;
+
+	address = buddy_chunk_alloc(buddy->first_chunk, order);
+
+done:
+
+	if (!address) {
+		buddy_unlock(buddy);
+		return (u64)NULL;
+	}
+
+	/* 
+	 * Unpoison exactly the amount of bytes requested. If the
+	 * data is smaller than the header, we must poison any
+	 * unused bytes that were part of the header.
+	 */
+	if (size < BUDDY_HEADER_OFF + sizeof(buddy_header_t))
+		asan_poison((u8 __arena *)address + BUDDY_HEADER_OFF,
+			    BUDDY_POISONED, sizeof(buddy_header_t));
+
+	asan_unpoison((u8 __arena *)address, size);
+
+	buddy_unlock(buddy);
+
+	return address;
+}
+
+static __always_inline int buddy_free_unlocked(struct buddy *buddy, u64 addr)
+{
+	buddy_header_t *header, *buddy_header;
+	u64 idx, buddy_idx, tmp_idx;
+	buddy_chunk_t *chunk;
+	bool allocated;
+	u8 order;
+
+	if (!buddy)
+		return -EINVAL;
+
+	if (addr & (BUDDY_MIN_ALLOC_BYTES - 1)) {
+		arena_stderr("Freeing unaligned address %llx\n", addr);
+		return 0;
+	}
+
+	/* Get (chunk, idx) out of the address. */
+	chunk = (void __arena *)(addr & ~BUDDY_CHUNK_OFFSET_MASK);
+	idx = (addr & BUDDY_CHUNK_OFFSET_MASK) / BUDDY_MIN_ALLOC_BYTES;
+
+	/* Mark the block as unallocated so we can access the header. */
+	idx_set_allocated(chunk, idx, false);
+
+	order  = idx_get_order(chunk, idx);
+	header = idx_to_header(chunk, idx);
+
+	/* The header is in the block itself, keep it unpoisoned. */
+	asan_poison((u8 __arena *)addr, BUDDY_POISONED,
+		    BUDDY_MIN_ALLOC_BYTES << order);
+	asan_unpoison(header, sizeof(*header));
+
+	/* 
+	 * Coalescing loop. Merge with free buddies of equal order.
+	 * For every coalescing step, keep the left buddy and 
+	 * drop the right buddy's header.
+	 */
+	bpf_for(order, order, BUDDY_CHUNK_NUM_ORDERS) {
+		buddy_idx = idx ^ (1 << order);
+
+		/* Check if the buddy is actually free. */
+		idx_is_allocated(chunk, buddy_idx, &allocated);
+		if (allocated)
+			break;
+
+		/* 
+		 * If buddy is not the same order as the chunk
+		 * being freed, then we're done coalescing.
+		 */
+		if (idx_get_order(chunk, buddy_idx) != order)
+			break;
+
+		buddy_header = idx_to_header(chunk, buddy_idx);
+		header_remove_freelist(chunk, buddy_header, order);
+
+		/* Keep the left header out of the two buddies, drop the other one. */
+		if (buddy_idx < idx) {
+			tmp_idx = idx;
+			idx = buddy_idx;
+			buddy_idx = tmp_idx;
+		}
+
+		/* Remove the buddy from the freelists so that we can merge it. */
+		idx_set_order(chunk, buddy_idx, order);
+
+		buddy_header = idx_to_header(chunk, buddy_idx);
+		asan_poison(buddy_header, BUDDY_POISONED,
+			    sizeof(*buddy_header));
+	}
+
+	/* Header properly freed but not in any freelists yet .*/
+	idx_set_order(chunk, idx, order);
+
+	header = idx_to_header(chunk, idx);
+	header_add_freelist(chunk, header, idx, order);
+
+	return 0;
+}
+
+__weak int buddy_free_internal(struct buddy *buddy, u64 addr)
+{
+	int ret;
+
+	if (!buddy)
+		return -EINVAL;
+
+	if ((ret = buddy_lock(buddy)))
+		return ret;
+
+	buddy_free_unlocked(buddy, addr);
+
+	buddy_unlock(buddy);
+
+	return 0;
+}
+
+__weak char _license[] SEC("license") = "GPL";
-- 
2.49.0

Re: [PATCH v2 12/13] selftests: bpf: Add buddy allocator for libarena

[bot+bpf-ci]

[-- Attachment #1: Type: text/plain, Size: 1301 bytes --]

> diff --git a/tools/testing/selftests/bpf/libarena/src/buddy.bpf.c b/tools/testing/selftests/bpf/libarena/src/buddy.bpf.c
> new file mode 100644
> index 000000000000..f43e1db209be
> --- /dev/null
> +++ b/tools/testing/selftests/bpf/libarena/src/buddy.bpf.c
> @@ -0,0 +1,784 @@

[ ... ]

> +/*
> + * Carve out part of the reserved address space and hand it over
> + * to the buddy allocator.
> + *
> + * We are assuming the buddy allocator is the only allocator in the
> + * system, so there is no race between this function unreserving a
> + * page range and the
> + */

This comment appears to be truncated mid-sentence. Was there additional
text intended after "and the "?


---
AI reviewed your patch. Please fix the bug or email reply why it's not a bug.
See: https://github.com/kernel-patches/vmtest/blob/master/ci/claude/README.md

CI run summary: https://github.com/kernel-patches/bpf/actions/runs/21409286496

AI-authorship-score: low
AI-authorship-explanation: The incomplete comment is a strong indicator of human authorship, and the deep domain-specific knowledge of BPF arenas and buddy allocator algorithms suggests human expertise.
issues-found: 1
issue-severity-score: low
issue-severity-explanation: One minor documentation issue found - an incomplete comment that ends mid-sentence.

[PATCH v2 13/13] selftests: bpf: Add selftests for the libarena buddy allocator

[Emil Tsalapatis]

From: Emil Tsalapatis <etsal@meta.com>

Add regular and ASAN testing for the buddy allocator. This tests
the allocator's correctness by itself and its integration with ASAN.

Signed-off-by: Emil Tsalapatis (Meta) <emil@etsalapatis.com>
---
 .../bpf/libarena/selftests/selftest.c         |   4 +
 .../libarena/selftests/st_asan_buddy.bpf.c    | 238 ++++++++++++++++++
 .../bpf/libarena/selftests/st_buddy.bpf.c     | 231 +++++++++++++++++
 3 files changed, 473 insertions(+)
 create mode 100644 tools/testing/selftests/bpf/libarena/selftests/st_asan_buddy.bpf.c
 create mode 100644 tools/testing/selftests/bpf/libarena/selftests/st_buddy.bpf.c

diff --git a/tools/testing/selftests/bpf/libarena/selftests/selftest.c b/tools/testing/selftests/bpf/libarena/selftests/selftest.c
index 3e4b8754889f..268749c687a1 100644
--- a/tools/testing/selftests/bpf/libarena/selftests/selftest.c
+++ b/tools/testing/selftests/bpf/libarena/selftests/selftest.c
@@ -266,10 +266,12 @@ error:							\
 }
 
 TEST(bump_selftest);
+TEST(buddy_selftest);
 
 #ifdef BPF_ARENA_ASAN
 TEST(asan_test_bump);
 TEST(asan_test_stack);
+TEST(asan_test_buddy);
 #endif
 
 static void
@@ -314,10 +316,12 @@ int main(int argc, char *argv[])
 	libbpf_set_print(libbpf_print_fn);
 
 	run_bump_selftest();
+	run_buddy_selftest();
 
 #ifdef BPF_ARENA_ASAN
 	run_asan_test_bump();
 	run_asan_test_stack();
+	run_asan_test_buddy();
 #endif
 
 	return 0;
diff --git a/tools/testing/selftests/bpf/libarena/selftests/st_asan_buddy.bpf.c b/tools/testing/selftests/bpf/libarena/selftests/st_asan_buddy.bpf.c
new file mode 100644
index 000000000000..e3887a7c5d93
--- /dev/null
+++ b/tools/testing/selftests/bpf/libarena/selftests/st_asan_buddy.bpf.c
@@ -0,0 +1,238 @@
+/*
+ * SPDX-License-Identifier: GPL-2.0
+ * Copyright (c) 2025 Meta Platforms, Inc. and affiliates.
+ * Copyright (c) 2025 Emil Tsalapatis <etsal@meta.com>
+ */
+
+#include <common.h>
+
+#include <asan.h>
+#include <buddy.h>
+
+#include "selftest.h"
+
+#ifdef BPF_ARENA_ASAN
+
+#include "st_asan_common.h"
+
+private(ST_BUDDY) struct buddy st_buddy_asan;
+
+u64 __arena st_asan_buddy_lock;
+
+static __always_inline int asan_test_buddy_oob_single(size_t alloc_size)
+{
+	u8 __arena *mem;
+	int i;
+
+	ASAN_VALIDATE();
+
+	mem = buddy_alloc(&st_buddy_asan, alloc_size);
+	if (!mem) {
+		bpf_printk("buddy_alloc failed for size %lu", alloc_size);
+		return -ENOMEM;
+	}
+
+	ASAN_VALIDATE();
+
+	bpf_for(i, 0, alloc_size) {
+		mem[i] = 0xba;
+		ASAN_VALIDATE_ADDR(false, &mem[i]);
+	}
+
+	mem[alloc_size] = 0xba;
+	ASAN_VALIDATE_ADDR(true, &mem[alloc_size]);
+
+	buddy_free(&st_buddy_asan, mem);
+
+	return 0;
+}
+
+static __always_inline int asan_test_buddy_uaf_single(size_t alloc_size)
+{
+	u8 __arena *mem;
+	int i;
+
+	mem = buddy_alloc(&st_buddy_asan, alloc_size);
+	if (!mem) {
+		bpf_printk("buddy_alloc failed for size %lu", alloc_size);
+		return -ENOMEM;
+	}
+
+	ASAN_VALIDATE();
+
+	bpf_for(i, 0, alloc_size) {
+		mem[i] = 0xba;
+		ASAN_VALIDATE_ADDR(false, &mem[i]);
+	}
+
+	ASAN_VALIDATE();
+
+	buddy_free(&st_buddy_asan, mem);
+
+	bpf_for(i, 0, alloc_size) {
+		/* The header doesn't get poisoned. */
+		if (BUDDY_HEADER_OFF <= i &&
+		    i < BUDDY_HEADER_OFF + sizeof(struct buddy_header))
+			continue;
+
+		mem[i] = 0xba;
+		ASAN_VALIDATE_ADDR(true, &mem[i]);
+	}
+
+	return 0;
+}
+
+struct buddy_blob {
+	volatile u8 mem[48];
+	u8 oob;
+};
+
+static __always_inline int asan_test_buddy_blob_single(void)
+{
+	volatile struct buddy_blob __arena *blob;
+	const size_t alloc_size = sizeof(struct buddy_blob) - 1;
+
+	blob = buddy_alloc(&st_buddy_asan, alloc_size);
+	if (!blob)
+		return -ENOMEM;
+
+	blob->mem[0] = 0xba;
+	ASAN_VALIDATE_ADDR(false, &blob->mem[0]);
+
+	blob->mem[47] = 0xba;
+	ASAN_VALIDATE_ADDR(false, &blob->mem[47]);
+
+	blob->oob = 0;
+	ASAN_VALIDATE_ADDR(true, &blob->oob);
+
+	buddy_free(&st_buddy_asan, (void __arena *)blob);
+
+	return 0;
+}
+
+static __always_inline int asan_test_buddy_oob(void)
+{
+	size_t sizes[] = {
+		7, 8, 17, 18, 64, 256, 317, 512, 1024,
+	};
+	int ret, i;
+
+	ret = buddy_init(&st_buddy_asan,
+			     (arena_spinlock_t __arena *)&st_asan_buddy_lock);
+	if (ret) {
+		bpf_printk("buddy_init failed with %d", ret);
+		return ret;
+	}
+
+	bpf_for(i, 0, 7) {
+		ret = asan_test_buddy_oob_single(sizes[i]);
+		if (ret) {
+			bpf_printk("%s:%d Failed for size %lu", __func__,
+				   __LINE__, sizes[i]);
+			buddy_destroy(&st_buddy_asan);
+			return ret;
+		}
+	}
+
+	buddy_destroy(&st_buddy_asan);
+
+	ASAN_VALIDATE();
+
+	return 0;
+}
+
+static __always_inline int asan_test_buddy_uaf(void)
+{
+	size_t sizes[] = { 16, 32, 64, 128, 256, 512, 128, 1024, 16384 };
+	int ret, i;
+
+	ret = buddy_init(&st_buddy_asan,
+			     (arena_spinlock_t __arena *)&st_asan_buddy_lock);
+	if (ret) {
+		bpf_printk("buddy_init failed with %d", ret);
+		return ret;
+	}
+
+	bpf_for(i, 0, 7) {
+		ret = asan_test_buddy_uaf_single(sizes[i]);
+		if (ret) {
+			bpf_printk("%s:%d Failed for size %lu", __func__,
+				   __LINE__, sizes[i]);
+			buddy_destroy(&st_buddy_asan);
+			return ret;
+		}
+	}
+
+	buddy_destroy(&st_buddy_asan);
+
+	ASAN_VALIDATE();
+
+	return 0;
+}
+
+static __always_inline int asan_test_buddy_blob(void)
+{
+	const int iters = 10;
+	int ret, i;
+
+	ret = buddy_init(&st_buddy_asan,
+			     (arena_spinlock_t __arena *)&st_asan_buddy_lock);
+	if (ret) {
+		bpf_printk("buddy_init failed with %d", ret);
+		return ret;
+	}
+
+	for (i = 0; i < iters && can_loop; i++) {
+		ret = asan_test_buddy_blob_single();
+		if (ret) {
+			bpf_printk("%s:%d Failed on iteration %d", __func__,
+				   __LINE__, i);
+			buddy_destroy(&st_buddy_asan);
+			return ret;
+		}
+	}
+
+	buddy_destroy(&st_buddy_asan);
+
+	ASAN_VALIDATE();
+
+	return 0;
+}
+
+SEC("syscall")
+int asan_test_buddy(void)
+{
+	int ret;
+
+	ret = asan_test_buddy_oob();
+	if (ret) {
+		bpf_printk("%s:%d OOB test failed", __func__, __LINE__);
+		return ret;
+	}
+
+	ret = asan_test_buddy_uaf();
+	if (ret) {
+		bpf_printk("%s:%d UAF test failed", __func__, __LINE__);
+		return ret;
+	}
+
+	ret = asan_test_buddy_blob();
+	if (ret) {
+		bpf_printk("%s:%d blob test failed", __func__, __LINE__);
+		return ret;
+	}
+
+	return 0;
+}
+
+#else
+
+SEC("syscall")
+int asan_test_buddy(void)
+{
+	return -EOPNOTSUPP;
+}
+
+#endif /* BPF_ARENA_ASAN */
+
+__weak char _license[] SEC("license") = "GPL";
diff --git a/tools/testing/selftests/bpf/libarena/selftests/st_buddy.bpf.c b/tools/testing/selftests/bpf/libarena/selftests/st_buddy.bpf.c
new file mode 100644
index 000000000000..256d9a865647
--- /dev/null
+++ b/tools/testing/selftests/bpf/libarena/selftests/st_buddy.bpf.c
@@ -0,0 +1,231 @@
+/*
+ * SPDX-License-Identifier: GPL-2.0
+ * Copyright (c) 2025 Meta Platforms, Inc. and affiliates.
+ * Copyright (c) 2025 Emil Tsalapatis <etsal@meta.com>
+ */
+
+#include <common.h>
+
+#include <asan.h>
+#include <buddy.h>
+
+#include "selftest.h"
+
+private(ST_BUDDY) struct buddy st_buddy;
+static u64 __arena st_buddy_lock;
+
+struct segarr_entry {
+	u8 __arena *block;
+	size_t sz;
+	u8 poison;
+};
+
+typedef struct segarr_entry __arena segarr_entry_t;
+
+#define SEGARRLEN (512)
+static struct segarr_entry __arena segarr[SEGARRLEN];
+static void __arena *ptrs[17];
+size_t __arena alloc_sizes[] = { 3, 17, 1025, 129, 16350, 333, 9, 517 };
+size_t __arena alloc_multiple_sizes[] = { 3, 17, 1025, 129, 16350, 333, 9, 517, 2099 };
+size_t __arena alloc_free_sizes[] = { 3, 17, 64, 129, 256, 333, 512, 517 };
+size_t __arena alignment_sizes[] = { 1, 3, 7, 8, 9, 15, 16, 17, 31,
+				     32, 64, 100, 128, 255, 256, 512, 1000 };
+
+static int buddy_selftest_create()
+{
+	const int iters = 10;
+	int ret, i;
+
+	for (i = 0; i < iters && can_loop; i++) {
+		ret = buddy_init(
+			&st_buddy, (arena_spinlock_t __arena *)&st_buddy_lock);
+		if (ret)
+			return ret;
+
+		ret = buddy_destroy(&st_buddy);
+		if (ret)
+			return ret;
+	}
+
+	return 0;
+}
+
+static int buddy_selftest_alloc()
+{
+	void __arena *mem;
+	int ret, i;
+
+	for (i = 0; i < 8 && can_loop; i++) {
+		ret = buddy_init(
+			&st_buddy, (arena_spinlock_t __arena *)&st_buddy_lock);
+		if (ret)
+			return ret;
+
+		mem = buddy_alloc(&st_buddy, alloc_sizes[i]);
+		if (!mem) {
+			buddy_destroy(&st_buddy);
+			return -ENOMEM;
+		}
+
+		buddy_destroy(&st_buddy);
+	}
+
+	return 0;
+}
+
+static int buddy_selftest_alloc_free()
+{
+	const int iters = 800;
+	void __arena *mem;
+	int ret, i;
+
+	ret = buddy_init(&st_buddy,
+			     (arena_spinlock_t __arena *)&st_buddy_lock);
+	if (ret)
+		return ret;
+
+	bpf_for(i, 0, iters) {
+		mem = buddy_alloc(&st_buddy, alloc_free_sizes[(i * 5) % 8]);
+		if (!mem) {
+			buddy_destroy(&st_buddy);
+			return -ENOMEM;
+		}
+
+		buddy_free(&st_buddy, mem);
+	}
+
+	buddy_destroy(&st_buddy);
+
+	return 0;
+}
+
+static int buddy_selftest_alloc_multiple()
+{
+	int ret, j;
+	u32 i, idx;
+	u8 __arena *mem;
+	size_t sz;
+	u8 poison;
+
+	ret = buddy_init(&st_buddy,
+			     (arena_spinlock_t __arena *)&st_buddy_lock);
+	if (ret)
+		return ret;
+
+	/*
+	 * Cycle through each size, allocating an entry in the
+	 * segarr. Continue for SEGARRLEN iterations. For every
+	 * allocation write down the size, use the current index
+	 * as a poison value, and log it with the pointer in the
+	 * segarr entry. Use the poison value to poison the entire
+	 * allocated memory according to the size given.
+	 */
+	idx = 0;
+	bpf_for(i, 0, SEGARRLEN) {
+		sz = alloc_multiple_sizes[idx % 9];
+		poison = (u8)i;
+
+		mem = buddy_alloc(&st_buddy, sz);
+		if (!mem) {
+			buddy_destroy(&st_buddy);
+			bpf_printk("%s:%d", __func__, __LINE__);
+			return -ENOMEM;
+		}
+
+		segarr[i].block = mem;
+		segarr[i].sz = sz;
+		segarr[i].poison = poison;
+
+		bpf_for(j, 0, sz) {
+			mem[j] = poison;
+			if (mem[j] != poison) {
+				buddy_destroy(&st_buddy);
+				return -EINVAL;
+			}
+		}
+	}
+
+	/*
+	 * For SEGARRLEN iterations, go to (i * 17) % SEGARRLEN, and free
+	 * the block pointed to. Before freeing, check all bytes have the
+	 * poisoned value corresponding to the element. If any values
+	 * are unexpected, return an error.
+	 */
+	bpf_for(i, 10, SEGARRLEN) {
+		idx = (i * 17) % SEGARRLEN;
+
+		mem = segarr[idx].block;
+		sz = segarr[idx].sz;
+		poison = segarr[idx].poison;
+
+		bpf_for(j, 0, sz) {
+			if (mem[j] != poison) {
+				buddy_destroy(&st_buddy);
+				bpf_printk("%s:%d %lx %u vs %u", __func__,
+					   __LINE__, &mem[j], mem[j], poison);
+				return -EINVAL;
+			}
+		}
+
+		buddy_free(&st_buddy, mem);
+	}
+
+	buddy_destroy(&st_buddy);
+
+	return 0;
+}
+
+static int buddy_selftest_alignment()
+{
+	int ret, i;
+
+	ret = buddy_init(&st_buddy,
+			     (arena_spinlock_t __arena *)&st_buddy_lock);
+	if (ret)
+		return ret;
+
+	/* Allocate various sizes and check alignment */
+	bpf_for(i, 0, 17) {
+		ptrs[i] = buddy_alloc(&st_buddy, alignment_sizes[i]);
+		if (!ptrs[i]) {
+			bpf_printk("alignment test: alloc failed for size %lu",
+				   alignment_sizes[i]);
+			buddy_destroy(&st_buddy);
+			return -ENOMEM;
+		}
+
+		/* Check 8-byte alignment */
+		if ((u64)ptrs[i] & 0x7) {
+			bpf_printk(
+				"alignment test: ptr %llx not 8-byte aligned (size %lu)",
+				(u64)ptrs[i], alignment_sizes[i]);
+			buddy_destroy(&st_buddy);
+			return -EINVAL;
+		}
+	}
+
+	/* Free all allocations */
+	bpf_for(i, 0, 17) {
+		buddy_free(&st_buddy, ptrs[i]);
+	}
+
+	buddy_destroy(&st_buddy);
+
+	return 0;
+}
+
+#define BUDDY_ALLOC_SELFTEST(suffix) ALLOC_SELFTEST(buddy_selftest_##suffix)
+
+SEC("syscall")
+__weak int buddy_selftest(void)
+{
+	BUDDY_ALLOC_SELFTEST(create);
+	BUDDY_ALLOC_SELFTEST(alloc);
+	BUDDY_ALLOC_SELFTEST(alloc_free);
+	BUDDY_ALLOC_SELFTEST(alloc_multiple);
+	BUDDY_ALLOC_SELFTEST(alignment);
+
+	return 0;
+}
+
+__weak char _license[] SEC("license") = "GPL";
-- 
2.49.0

Re: [PATCH v2 13/13] selftests: bpf: Add selftests for the libarena buddy allocator

[bot+bpf-ci]

[-- Attachment #1: Type: text/plain, Size: 2086 bytes --]

> diff --git a/tools/testing/selftests/bpf/libarena/selftests/st_buddy.bpf.c b/tools/testing/selftests/bpf/libarena/selftests/st_buddy.bpf.c
> new file mode 100644
> index 000000000000..256d9a865647
> --- /dev/null
> +++ b/tools/testing/selftests/bpf/libarena/selftests/st_buddy.bpf.c

[ ... ]

> +static int buddy_selftest_alloc_multiple()
> +{
> +	int ret, j;
> +	u32 i, idx;
> +	u8 __arena *mem;
> +	size_t sz;
> +	u8 poison;
> +
> +	ret = buddy_init(&st_buddy,
> +			     (arena_spinlock_t __arena *)&st_buddy_lock);
> +	if (ret)
> +		return ret;
> +
> +	/*
> +	 * Cycle through each size, allocating an entry in the
> +	 * segarr. Continue for SEGARRLEN iterations. For every
> +	 * allocation write down the size, use the current index
> +	 * as a poison value, and log it with the pointer in the
> +	 * segarr entry. Use the poison value to poison the entire
> +	 * allocated memory according to the size given.
> +	 */
> +	idx = 0;
> +	bpf_for(i, 0, SEGARRLEN) {
> +		sz = alloc_multiple_sizes[idx % 9];
                                       ^^^

The comment says "Cycle through each size" but idx is initialized to 0
and never incremented in this loop. This means sz will always be
alloc_multiple_sizes[0] (which is 3) for all 512 allocations. Should
idx be i here to cycle through the different sizes in the array?

> +		poison = (u8)i;
> +
> +		mem = buddy_alloc(&st_buddy, sz);

[ ... ]


---
AI reviewed your patch. Please fix the bug or email reply why it's not a bug.
See: https://github.com/kernel-patches/vmtest/blob/master/ci/claude/README.md

CI run summary: https://github.com/kernel-patches/bpf/actions/runs/21409286496

AI-authorship-score: low
AI-authorship-explanation: The code follows existing selftest patterns and the idx variable bug is a typical human copy-paste error that AI would be less likely to make.
issues-found: 1
issue-severity-score: low
issue-severity-explanation: The idx variable bug causes all allocations to use the same size (3 bytes) instead of cycling through different sizes, reducing test coverage but not causing system instability.