futex: Handle invalid node numbers supplied by user
authorPeter Zijlstra <peterz@infradead.org>
Wed, 28 May 2025 08:55:21 +0000 (10:55 +0200)
committerPeter Zijlstra <peterz@infradead.org>
Thu, 5 Jun 2025 12:37:58 +0000 (14:37 +0200)
syzbot used a negative node number which was not rejected early and led
to invalid memory access in node_possible().

Reject negative node numbers except for FUTEX_NO_NODE.

[bigeasy: Keep the FUTEX_NO_NODE check]

Closes: https://lore.kernel.org/all/6835bfe3.a70a0220.253bc2.00b5.GAE@google.com/
Fixes: cec199c5e39bd ("futex: Implement FUTEX2_NUMA")
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Reported-by: syzbot+9afaf6749e3a7aa1bdf3@syzkaller.appspotmail.com
Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Link: https://lkml.kernel.org/r/20250528085521.1938355-4-bigeasy@linutronix.de
kernel/futex/core.c

index 565f9717c6caabbf91908b45bd3eb934f5079a1c..b652d2f60c4097c09015a409dadd6a10ce7a4eeb 100644 (file)
@@ -583,8 +583,8 @@ int get_futex_key(u32 __user *uaddr, unsigned int flags, union futex_key *key,
                if (futex_get_value(&node, naddr))
                        return -EFAULT;
 
-               if (node != FUTEX_NO_NODE &&
-                   (node >= MAX_NUMNODES || !node_possible(node)))
+               if ((node != FUTEX_NO_NODE) &&
+                   ((unsigned int)node >= MAX_NUMNODES || !node_possible(node)))
                        return -EINVAL;
        }
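Review bot: The `(unsigned int)node` cast on the second line of the new condition is the entire fix, but nothing at the site explains it, so a later cleanup could drop it and bring back the invalid access in node_possible() that the commit message describes. I would add a comment directly above the check, e.g. `/* node is user-supplied; the unsigned compare rejects negative values before node_possible() is reached */`. The declaration of node and the value of FUTEX_NO_NODE are outside this hunk, so this assumes node is a signed int and FUTEX_NO_NODE is the only negative value meant to pass. get_futex_key's body starts and ends outside the hunk.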