bpf: Validate node_id in arena_alloc_pages()

arena_alloc_pages() accepts a plain int node_id and forwards it through
the entire allocation chain without any bounds checking.

Validate node_id before passing it down the allocation chain in
arena_alloc_pages().

Fixes: 317460317a02 ("bpf: Introduce bpf_arena.")
Signed-off-by: Puranjay Mohan <puranjay@kernel.org>
Reviewed-by: Emil Tsalapatis <emil@etsalapatis.com>
Link: https://lore.kernel.org/r/20260417152135.1383754-1-puranjay@kernel.org
Signed-off-by: Alexei Starovoitov <ast@kernel.org>

diff --git a/kernel/bpf/arena.c b/kernel/bpf/arena.c
index 9c68c9b0b24adf76090df1953247463f71d0200d..523c3a61063bf3b9f0d8e121211b76c0736288f4 100644 (file)
--- a/kernel/bpf/arena.c
+++ b/kernel/bpf/arena.c
@@ -562,6 +562,10 @@ static long arena_alloc_pages(struct bpf_arena *arena, long uaddr, long page_cnt
        u32 uaddr32;
        int ret, i;
 
+       if (node_id != NUMA_NO_NODE &&
+           ((unsigned int)node_id >= nr_node_ids || !node_online(node_id)))
+               return 0;
+
        if (page_cnt > page_cnt_max)
                return 0;