On Wed, Jul 01, 2026 at 09:12:00PM +0000, Emil Tsalapatis wrote:
> AFAICT this bug returns an address that is not actually
> mapped into userspace and is inaccessible from it, correct?

Yes, that is my understanding as well.

The bad free is below user_vm_start in the user VMA. The issue is that
arena_free_pages() still used the low 32 bits to compute the free-tree
offset, so the one-page-below address wrapped to an out-of-domain pgoff.
A later bpf_arena_alloc_pages() could then return an address outside
[user_vm_start, user_vm_end).

So user space should not be able to access that address through the arena
mmap; the fix is to keep that out-of-domain offset from entering the arena
allocator state in the first place.

> If the above is correct, feel free to add:
> Reviewed-by: Emil Tsalapatis <[email protected]>

Thanks, will add it to v2.

Yiyang
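To make the wraparound described in the thread concrete, here is an added, self-contained C model that is not the kernel's arena.c and not part of the patch: `struct toy_arena`, `toy_pgoff_lo32()` and `toy_pgoff_checked()` are simplified stand-ins that only reproduce the low-32-bit offset computation and the range check the fix relies on. With a constructed 4-page arena, an address one page below `user_vm_start` produces a page offset of 0xFFFFF under the truncating computation, far outside the arena's 4 pages, while the checked version refuses to derive any offset for it.

```c
#include <stdint.h>
#include <stdio.h>

#define PAGE_SHIFT 12
#define PAGE_SIZE  (1ULL << PAGE_SHIFT)

/* Simplified stand-in for the arena bookkeeping (assumption, not the kernel struct). */
struct toy_arena {
    uint64_t user_vm_start;
    uint64_t user_vm_end;
};

/* Number of pages the arena covers; any valid pgoff must be below this. */
static long toy_arena_pages(const struct toy_arena *a)
{
    return (long)((a->user_vm_end - a->user_vm_start) >> PAGE_SHIFT);
}

/* Buggy pattern: only the low 32 bits of (uaddr - start) feed the page offset.
 * For uaddr == start - PAGE_SIZE the 64-bit difference is -4096, which
 * truncates to 0xFFFFF000 and yields pgoff 0xFFFFF: out of the arena's domain. */
static long toy_pgoff_lo32(const struct toy_arena *a, uint64_t uaddr)
{
    uint32_t delta = (uint32_t)(uaddr - a->user_vm_start);
    return (long)(delta >> PAGE_SHIFT);
}

/* Fixed pattern: reject anything outside [user_vm_start, user_vm_end) before
 * an offset is derived, so an out-of-domain pgoff never reaches allocator state.
 * Returns 0 and stores the offset on success, -1 if the address is rejected. */
static int toy_pgoff_checked(const struct toy_arena *a, uint64_t uaddr, long *pgoff)
{
    if (uaddr < a->user_vm_start || uaddr >= a->user_vm_end)
        return -1;
    *pgoff = (long)((uaddr - a->user_vm_start) >> PAGE_SHIFT);
    return 0;
}

int main(void)
{
    /* Constructed layout: a 4-page arena at an arbitrary user address. */
    struct toy_arena a = {
        .user_vm_start = 0x7f0000000000ULL,
        .user_vm_end   = 0x7f0000000000ULL + 4 * PAGE_SIZE,
    };
    uint64_t below = a.user_vm_start - PAGE_SIZE;
    long pgoff = -1;

    printf("arena pages          : %ld\n", toy_arena_pages(&a));
    printf("lo32 pgoff (start-4K): 0x%lx\n", toy_pgoff_lo32(&a, below));
    if (toy_pgoff_checked(&a, below, &pgoff) < 0)
        printf("checked pgoff        : rejected, nothing enters the free tree\n");
    return 0;
}
```

The point of the comparison is that the truncating computation never fails: it always hands back some offset, so the caller cannot tell a wrapped address from a legitimate one. The checked variant turns the out-of-domain case into an error before any bookkeeping is updated, which is the property the fix in the thread is after.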

