On Wed, Jul 01, 2026 at 09:12:00PM +0000, Emil Tsalapatis wrote:
> AFAICT this bug returns an address that is not actually
> mapped into userspace and is inaccessible from it, correct?

Yes, that is my understanding as well. The bad free is below user_vm_start in the user VMA. The issue is that arena_free_pages() still used the low 32 bits to compute the free-tree offset, so the one-page-below address wrapped to an out-of-domain pgoff. A later bpf_arena_alloc_pages() could then return an address outside [user_vm_start, user_vm_end). So user space should not be able to access that address through the arena mmap; the fix is to keep that out-of-domain offset from entering the arena allocator state in the first place.

> If the above is correct, feel free to add:
> Reviewed-by: Emil Tsalapatis <[email protected]>

Thanks, will add it to v2.

Yiyang
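As an added illustration (not code from the patch, the kernel, or anyone in this thread), the following C model shows the arithmetic the reply describes: deriving a page offset from only the low 32 bits of an address lets an address one page below user_vm_start wrap to a huge, out-of-domain pgoff, whereas a range check on the full 64-bit address against [user_vm_start, user_vm_end) rejects it before any offset reaches allocator state. The struct, function names, the 1 GiB arena size and the addresses are constructed assumptions for the demo, not the kernel's own definitions.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

#define ARENA_PAGE_SHIFT 12
#define ARENA_PAGE_SIZE  (1ULL << ARENA_PAGE_SHIFT)

/* Constructed model of an arena's user VMA: [user_vm_start, user_vm_end).
 * Illustration only; not the kernel's struct bpf_arena. */
struct arena_model {
    uint64_t user_vm_start;
    uint64_t user_vm_end;
};

/* Number of pages the free tree may legitimately index. */
static uint64_t arena_nr_pages(const struct arena_model *a)
{
    return (a->user_vm_end - a->user_vm_start) >> ARENA_PAGE_SHIFT;
}

/* Offset derived from the low 32 bits only (the behaviour the reply
 * describes). For addr one page below user_vm_start the 32-bit
 * subtraction wraps, yielding a huge offset instead of a negative one. */
uint64_t pgoff_low32(const struct arena_model *a, uint64_t addr)
{
    uint32_t rel = (uint32_t)addr - (uint32_t)a->user_vm_start;
    return (uint64_t)rel >> ARENA_PAGE_SHIFT;
}

/* Whether an offset falls inside the arena's page range. */
bool pgoff_in_domain(const struct arena_model *a, uint64_t pgoff)
{
    return pgoff < arena_nr_pages(a);
}

/* Hardened variant: validate the full 64-bit address against the VMA
 * first, so an out-of-range address never produces an offset at all.
 * Returns -1 for any address outside [user_vm_start, user_vm_end). */
int64_t pgoff_checked(const struct arena_model *a, uint64_t addr)
{
    if (addr < a->user_vm_start || addr >= a->user_vm_end)
        return -1;
    return (int64_t)((addr - a->user_vm_start) >> ARENA_PAGE_SHIFT);
}

/* Constructed 1 GiB arena at an arbitrary user address (assumption). */
struct arena_model demo_arena(void)
{
    struct arena_model a = {
        .user_vm_start = 0x7f0000100000ULL,
        .user_vm_end   = 0x7f0000100000ULL + (1ULL << 30),
    };
    return a;
}

/* The "one page below user_vm_start" case through the low-32-bit path. */
uint64_t demo_wrapped_pgoff(void)
{
    struct arena_model a = demo_arena();
    return pgoff_low32(&a, a.user_vm_start - ARENA_PAGE_SIZE);
}

bool demo_wrapped_in_domain(void)
{
    struct arena_model a = demo_arena();
    return pgoff_in_domain(&a, demo_wrapped_pgoff());
}

/* Same address through the checked path: rejected with -1. */
int64_t demo_checked_below(void)
{
    struct arena_model a = demo_arena();
    return pgoff_checked(&a, a.user_vm_start - ARENA_PAGE_SIZE);
}

/* A legitimate in-range address: both paths agree on page 5. */
int64_t demo_checked_valid(void)
{
    struct arena_model a = demo_arena();
    return pgoff_checked(&a, a.user_vm_start + 5 * ARENA_PAGE_SIZE);
}

int main(void)
{
    struct arena_model a = demo_arena();
    printf("arena pages: %llu\n", (unsigned long long)arena_nr_pages(&a));
    printf("low32 pgoff one page below start: %llu (in domain: %d)\n",
           (unsigned long long)demo_wrapped_pgoff(), demo_wrapped_in_domain());
    printf("checked pgoff for the same address: %lld\n",
           (long long)demo_checked_below());
    return 0;
}
```

With the constructed 1 GiB arena (262144 pages), the wrapped offset is 0xFFFFF, far outside the domain; the point of the checked variant is that the rejection happens on the address, before any tree offset is derived, which is the property the fix aims for.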

