bpf_arena_free_pages() accepts scalar arena addresses. The runtime
masks the address to the low 32 bits and reconstructs a full user
address from the arena base before returning the range to the arena
free tree.

When the scalar value is below the low 32 bits of the arena base,
full_uaddr falls below user_vm_start. The existing upper-end clipping
then turns this into an out-of-range free-tree offset. A later
allocation can reuse that offset and return an address below the arena
mapping.

Reject such frees before computing the clipped range.

Fixes: 317460317a02a ("bpf: Introduce bpf_arena.")
Signed-off-by: Yiyang Chen <[email protected]>
---
 kernel/bpf/arena.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/kernel/bpf/arena.c b/kernel/bpf/arena.c
index 49a8f7b1beef5..e28e83bed8c51 100644
--- a/kernel/bpf/arena.c
+++ b/kernel/bpf/arena.c
@@ -693,6 +693,8 @@ static void arena_free_pages(struct bpf_arena *arena, long 
uaddr, long page_cnt,
        uaddr &= PAGE_MASK;
        kaddr = bpf_arena_get_kern_vm_start(arena) + uaddr;
        full_uaddr = clear_lo32(arena->user_vm_start) + uaddr;
+       if (full_uaddr < arena->user_vm_start)
+               return;
        uaddr_end = min(arena->user_vm_end, full_uaddr + (page_cnt << 
PAGE_SHIFT));
        if (full_uaddr >= uaddr_end)
                return;
-- 
2.34.1


Reply via email to