Commit 2845989f authored by Puranjay Mohan's avatar Puranjay Mohan Committed by Alexei Starovoitov
Browse files

bpf: Validate node_id in arena_alloc_pages() 



arena_alloc_pages() accepts a plain int node_id and forwards it through
the entire allocation chain without any bounds checking.

Validate node_id before passing it down the allocation chain in
arena_alloc_pages().

Fixes: 31746031 ("bpf: Introduce bpf_arena.")
Signed-off-by: default avatarPuranjay Mohan <puranjay@kernel.org>
Reviewed-by: default avatarEmil Tsalapatis <emil@etsalapatis.com>
Link: https://lore.kernel.org/r/20260417152135.1383754-1-puranjay@kernel.org


Signed-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
parent 380044c4

kernel/bpf/arena.c

+4 −0
Original line number Diff line number Diff line
@@ -562,6 +562,10 @@ static long arena_alloc_pages(struct bpf_arena *arena, long uaddr, long page_cnt 
	u32 uaddr32;

	int ret, i;



	if (node_id != NUMA_NO_NODE &&

	    ((unsigned int)node_id >= nr_node_ids || !node_online(node_id)))

		return 0;



	if (page_cnt > page_cnt_max)

		return 0;