bpf: Validate node_id in arena_alloc_pages()

arena_alloc_pages() accepts a plain int node_id and forwards it through the entire allocation chain without any bounds checking. Validate node_id before passing it down the allocation chain in arena_alloc_pages(). Fixes: 317460317a02 ("bpf: Introduce bpf_arena.") Signed-off-by: Puranjay Mohan <puranjay@kernel.org> Reviewed-by: Emil Tsalapatis <emil@etsalapatis.com> Link: https://lore.kernel.org/r/20260417152135.1383754-1-puranjay@kernel.org Signed-off-by: Alexei Starovoitov <ast@kernel.org>
author: Puranjay Mohan <puranjay@kernel.org> 2026-04-17 08:21:33 -0700
committer: Alexei Starovoitov <ast@kernel.org> 2026-04-17 10:12:55 -0700
commit: 2845989f2ebaf7848e4eccf9a779daf3156ea0a5 (patch)
tree: 15e6cccd687d253fc89ecabfb3f9974357b50e67 /kernel
parent: 380044c40b1636a72fd8f188b5806be6ae564279 (diff)
1 files changed, 4 insertions, 0 deletions
diff --git a/kernel/bpf/arena.c b/kernel/bpf/arena.c
index 9c68c9b0b24ad..523c3a61063bf 100644
--- a/kernel/bpf/arena.c
+++ b/kernel/bpf/arena.c
@@ -562,6 +562,10 @@ static long arena_alloc_pages(struct bpf_arena *arena, long uaddr, long page_cnt
 	u32 uaddr32;
 	int ret, i;
 
+	if (node_id != NUMA_NO_NODE &&
+	    ((unsigned int)node_id >= nr_node_ids || !node_online(node_id)))
+		return 0;
+
 	if (page_cnt > page_cnt_max)
 		return 0;
author	Puranjay Mohan <puranjay@kernel.org>	2026-04-17 08:21:33 -0700
committer	Alexei Starovoitov <ast@kernel.org>	2026-04-17 10:12:55 -0700
commit	2845989f2ebaf7848e4eccf9a779daf3156ea0a5 (patch)
tree	15e6cccd687d253fc89ecabfb3f9974357b50e67 /kernel
parent	380044c40b1636a72fd8f188b5806be6ae564279 (diff)