arena_alloc_pages() accepts a plain int node_id and forwards it through the entire allocation chain without any bounds checking. Validate node_id before passing it down the allocation chain in arena_alloc_pages(). Fixes: 317460317a02 ("bpf: Introduce bpf_arena.") Signed-off-by: Puranjay Mohan --- kernel/bpf/arena.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/kernel/bpf/arena.c b/kernel/bpf/arena.c index 9c68c9b0b24a..523c3a61063b 100644 --- a/kernel/bpf/arena.c +++ b/kernel/bpf/arena.c @@ -562,6 +562,10 @@ static long arena_alloc_pages(struct bpf_arena *arena, long uaddr, long page_cnt u32 uaddr32; int ret, i; + if (node_id != NUMA_NO_NODE && + ((unsigned int)node_id >= nr_node_ids || !node_online(node_id))) + return 0; + if (page_cnt > page_cnt_max) return 0; base-commit: 380044c40b1636a72fd8f188b5806be6ae564279 -- 2.52.0