bpf_arena_free_pages() can be called with a scalar arena address. The runtime reconstructs a full user address from the arena base and the low 32 bits before returning the range to the arena free tree. A scalar one page below the arena base can otherwise produce an out-of-domain free-tree offset and make a later allocation return an address below the arena mapping.
Patch 1 rejects frees whose reconstructed full user address is below user_vm_start. Patch 2 adds verifier_arena coverage for the scalar-below-base case.

Yiyang Chen (2):
  bpf: Reject arena frees below the arena base
  selftests/bpf: Cover scalar arena frees below the base

 kernel/bpf/arena.c                        |  2 +
 .../selftests/bpf/progs/verifier_arena.c  | 41 ++++++++++++++++---
 2 files changed, 38 insertions(+), 5 deletions(-)

base-commit: 7feeed42d8b97d0db0eab2c1c30aa86f110fe49c
-- 
2.34.1
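The address reconstruction the cover letter describes, modelled in user space as an added example (this is not the kernel's code and not part of the patch series; the arena layout, PAGE_SHIFT, the free-tree index computation, the assumed shape of a pre-fix range check that only tests the upper bound, and every helper name are illustrative assumptions). It shows why a scalar one page below the base reconstructs to an address below user_vm_start, wraps to a page offset far outside the arena, and is only caught once the lower-bound rule from patch 1 is applied:

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Added example, not kernel code: a user-space model of the address
 * reconstruction that bpf_arena_free_pages() is described as performing.
 * PAGE_SHIFT, the arena layout, the offset computation and the shape of
 * the pre-fix check are assumptions made for illustration.
 */

#define PAGE_SHIFT 12
#define PAGE_SIZE  (1ULL << PAGE_SHIFT)

struct arena_model {
    uint64_t user_vm_start;   /* user-space base of the arena mapping */
    uint64_t user_vm_end;     /* one past the last mapped byte */
};

static struct arena_model make_arena(uint64_t base, uint64_t page_cnt)
{
    struct arena_model a = { base, base + page_cnt * PAGE_SIZE };
    return a;
}

/* Full user address: upper 32 bits of the base, low 32 bits from the scalar. */
static uint64_t reconstruct_uaddr(const struct arena_model *a, uint32_t lo32)
{
    return (a->user_vm_start & ~0xffffffffULL) | (uint64_t)lo32;
}

/* Page offset as a 32-bit subtraction computes it (assumed model of the
 * free-tree index). For a scalar below the base this wraps to a huge value. */
static uint32_t page_offset(const struct arena_model *a, uint32_t lo32)
{
    return (lo32 - (uint32_t)a->user_vm_start) >> PAGE_SHIFT;
}

static uint64_t arena_page_cnt(const struct arena_model *a)
{
    return (a->user_vm_end - a->user_vm_start) >> PAGE_SHIFT;
}

/* Assumed pre-fix shape: the range is only checked against user_vm_end,
 * so an address below the base with a small page count passes. */
static bool free_accepted_before_fix(const struct arena_model *a,
                                     uint32_t lo32, uint32_t page_cnt)
{
    uint64_t full = reconstruct_uaddr(a, lo32);
    uint64_t end = full + (uint64_t)page_cnt * PAGE_SIZE;

    if (page_cnt == 0 || full >= end)
        return false;
    return end <= a->user_vm_end;
}

/* With patch 1's rule: a reconstructed address below user_vm_start is
 * rejected before any offset reaches the free tree. */
static bool free_accepted_after_fix(const struct arena_model *a,
                                    uint32_t lo32, uint32_t page_cnt)
{
    if (reconstruct_uaddr(a, lo32) < a->user_vm_start)
        return false;
    return free_accepted_before_fix(a, lo32, page_cnt);
}

int main(void)
{
    /* Constructed layout: base with non-zero low 32 bits, 1024 pages (4 MiB). */
    struct arena_model a = make_arena(0x7f1200010000ULL, 1024);
    uint32_t below = (uint32_t)a.user_vm_start - PAGE_SIZE;   /* one page below base */
    uint32_t base  = (uint32_t)a.user_vm_start;

    printf("one page below base: full=%#llx offset=%#x (arena has %llu pages) "
           "accepted before=%d after=%d\n",
           (unsigned long long)reconstruct_uaddr(&a, below), page_offset(&a, below),
           (unsigned long long)arena_page_cnt(&a),
           free_accepted_before_fix(&a, below, 1), free_accepted_after_fix(&a, below, 1));
    printf("base itself:         offset=%u accepted before=%d after=%d\n",
           page_offset(&a, base),
           free_accepted_before_fix(&a, base, 1), free_accepted_after_fix(&a, base, 1));
    return 0;
}
```

The interesting input is a base whose low 32 bits are non-zero: the scalar one page below it still sits inside the same upper-32-bit window, so the reconstructed address is a plausible user pointer and the end of the range is not above user_vm_end, yet the 32-bit offset subtraction wraps to 0xfffff pages against an arena of 1024. Only the explicit comparison against user_vm_start catches it.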

