public inbox for bpf@vger.kernel.org
* [PATCH bpf] bpf: Validate node_id in arena_alloc_pages()
@ 2026-04-17 15:21 Puranjay Mohan
From: Puranjay Mohan @ 2026-04-17 15:21 UTC (permalink / raw)
  To: bpf
  Cc: Puranjay Mohan, Puranjay Mohan, Alexei Starovoitov,
	Andrii Nakryiko, Daniel Borkmann, Martin KaFai Lau,
	Eduard Zingerman, Kumar Kartikeya Dwivedi, Mykyta Yatsenko,
	kernel-team

arena_alloc_pages() accepts a plain int node_id and forwards it through
the entire allocation chain without any bounds checking.

Validate node_id before passing it down the allocation chain in
arena_alloc_pages().

Fixes: 317460317a02 ("bpf: Introduce bpf_arena.")
Signed-off-by: Puranjay Mohan <puranjay@kernel.org>
---
 kernel/bpf/arena.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/kernel/bpf/arena.c b/kernel/bpf/arena.c
index 9c68c9b0b24a..523c3a61063b 100644
--- a/kernel/bpf/arena.c
+++ b/kernel/bpf/arena.c
@@ -562,6 +562,10 @@ static long arena_alloc_pages(struct bpf_arena *arena, long uaddr, long page_cnt
 	u32 uaddr32;
 	int ret, i;
 
+	if (node_id != NUMA_NO_NODE &&
+	    ((unsigned int)node_id >= nr_node_ids || !node_online(node_id)))
+		return 0;
+
 	if (page_cnt > page_cnt_max)
 		return 0;
 
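Review bot: the ordering inside the `||` is load-bearing and deserves a one-line comment: `(unsigned int)node_id >= nr_node_ids` is evaluated first, so `node_online(node_id)` only ever sees an id already known to be in range, and the cast also folds every negative id other than NUMA_NO_NODE (-1) into that range check instead of handing it to node_online(). The commit message should also state the observable consequence of the missing check (Emil Tsalapatis's reply mentions out-of-bounds ids hitting VM_BUG_ON() down the allocation path) and where node_id originates, so the Fixes: tag reads as a bug fix rather than a hardening.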

base-commit: 380044c40b1636a72fd8f188b5806be6ae564279
-- 
2.52.0



* Re: [PATCH bpf] bpf: Validate node_id in arena_alloc_pages()
From: Emil Tsalapatis @ 2026-04-17 15:37 UTC (permalink / raw)
  To: Puranjay Mohan, bpf
  Cc: Puranjay Mohan, Alexei Starovoitov, Andrii Nakryiko,
	Daniel Borkmann, Martin KaFai Lau, Eduard Zingerman,
	Kumar Kartikeya Dwivedi, Mykyta Yatsenko, kernel-team

On Fri Apr 17, 2026 at 11:21 AM EDT, Puranjay Mohan wrote:
> arena_alloc_pages() accepts a plain int node_id and forwards it through
> the entire allocation chain without any bounds checking.
>
> Validate node_id before passing it down the allocation chain in
> arena_alloc_pages().

Reviewed-by: Emil Tsalapatis <emil@etsalapatis.com>

Without this, out-of-bounds node ids trigger VM_BUG_ON() down the allocation path.

>
> Fixes: 317460317a02 ("bpf: Introduce bpf_arena.")
> Signed-off-by: Puranjay Mohan <puranjay@kernel.org>
> ---
>  kernel/bpf/arena.c | 4 ++++
>  1 file changed, 4 insertions(+)
>
> diff --git a/kernel/bpf/arena.c b/kernel/bpf/arena.c
> index 9c68c9b0b24a..523c3a61063b 100644
> --- a/kernel/bpf/arena.c
> +++ b/kernel/bpf/arena.c
> @@ -562,6 +562,10 @@ static long arena_alloc_pages(struct bpf_arena *arena, long uaddr, long page_cnt
>  	u32 uaddr32;
>  	int ret, i;
>  
> +	if (node_id != NUMA_NO_NODE &&
> +	    ((unsigned int)node_id >= nr_node_ids || !node_online(node_id)))
> +		return 0;
> +
>  	if (page_cnt > page_cnt_max)
>  		return 0;
>  
>
> base-commit: 380044c40b1636a72fd8f188b5806be6ae564279



* Re: [PATCH bpf] bpf: Validate node_id in arena_alloc_pages()
From: sashiko-bot @ 2026-04-17 16:55 UTC (permalink / raw)
  To: Puranjay Mohan; +Cc: bpf

Sashiko AI review found 2 potential issue(s):
- [High] This problem wasn't introduced by this patch, but apply_to_page_range() is called within an atomic critical section with IRQs disabled.
- [Medium] Validation of user-provided NUMA node ID uses node_online() instead of node_state(..., N_MEMORY).
--

commit 312a17d46d0e6285c5b29bc93a445829df8c62c7
Author: Puranjay Mohan <puranjay@kernel.org>

bpf: Validate node_id in arena_alloc_pages()

This commit validates the node_id parameter before passing it down the
allocation chain in arena_alloc_pages().

> diff --git a/kernel/bpf/arena.c b/kernel/bpf/arena.c
> index 9c68c9b0b24ad..523c3a61063bf 100644
> --- a/kernel/bpf/arena.c
> +++ b/kernel/bpf/arena.c
> @@ -562,6 +562,10 @@ static long arena_alloc_pages(struct bpf_arena *arena, long uaddr, long page_cnt
>  	u32 uaddr32;
>  	int ret, i;
>  
> +	if (node_id != NUMA_NO_NODE &&
> +	    ((unsigned int)node_id >= nr_node_ids || !node_online(node_id)))
> +		return 0;
> +

Should this check use node_state(node_id, N_MEMORY) instead of
node_online(node_id)?

A node can be online but memory-less, such as CPU-only nodes. Passing a
memory-less node down the allocation chain could ignore the user's
placement intent and cause unexpected allocator fallback.

This issue isn't introduced by this patch, but looking at the surrounding
code in arena_alloc_pages(), is it safe to call apply_to_page_range()
while holding a raw spinlock?

arena_alloc_pages()
    if (raw_res_spin_lock_irqsave(&arena->spinlock, flags))
        goto out_free_pages;
    ...
    while (remaining) {
        ...
        ret = apply_to_page_range(...);

Since apply_to_page_range() can sleep when allocating page table entries,
could this cause a sleeping function called from invalid context panic since
the spinlock disables interrupts?

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260417152135.1383754-1-puranjay@kernel.org?part=1


* Re: [PATCH bpf] bpf: Validate node_id in arena_alloc_pages()
From: Puranjay Mohan @ 2026-04-17 17:13 UTC (permalink / raw)
  To: sashiko; +Cc: bpf

On Fri, Apr 17, 2026 at 5:55 PM <sashiko-bot@kernel.org> wrote:
>
> Sashiko AI review found 2 potential issue(s):
> - [High] This problem wasn't introduced by this patch, but apply_to_page_range() is called within an atomic critical section with IRQs disabled.
> - [Medium] Validation of user-provided NUMA node ID uses node_online() instead of node_state(..., N_MEMORY).
> --
>
> commit 312a17d46d0e6285c5b29bc93a445829df8c62c7
> Author: Puranjay Mohan <puranjay@kernel.org>
>
> bpf: Validate node_id in arena_alloc_pages()
>
> This commit validates the node_id parameter before passing it down the
> allocation chain in arena_alloc_pages().
>
> > diff --git a/kernel/bpf/arena.c b/kernel/bpf/arena.c
> > index 9c68c9b0b24ad..523c3a61063bf 100644
> > --- a/kernel/bpf/arena.c
> > +++ b/kernel/bpf/arena.c
> > @@ -562,6 +562,10 @@ static long arena_alloc_pages(struct bpf_arena *arena, long uaddr, long page_cnt
> >       u32 uaddr32;
> >       int ret, i;
> >
> > +     if (node_id != NUMA_NO_NODE &&
> > +         ((unsigned int)node_id >= nr_node_ids || !node_online(node_id)))
> > +             return 0;
> > +
>
> Should this check use node_state(node_id, N_MEMORY) instead of
> node_online(node_id)?
>
> A node can be online but memory-less, such as CPU-only nodes. Passing a
> memory-less node down the allocation chain could ignore the user's
> placement intent and cause unexpected allocator fallback.

That is fine, I think. It is just a hint.

>
> This issue isn't introduced by this patch, but looking at the surrounding
> code in arena_alloc_pages(), is it safe to call apply_to_page_range()
> while holding a raw spinlock?
>
> arena_alloc_pages()
>     if (raw_res_spin_lock_irqsave(&arena->spinlock, flags))
>         goto out_free_pages;
>     ...
>     while (remaining) {
>         ...
>         ret = apply_to_page_range(...);
>
> Since apply_to_page_range() can sleep when allocating page table entries,
> could this cause a sleeping function called from invalid context panic since
> the spinlock disables interrupts?

No, the page tables are already allocated; we just do
set_pte_at(&init_mm, addr, pte, mk_pte(page, PAGE_KERNEL)); in the
callback, so it is fine.
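The node_id predicate from the hunk, with the N_MEMORY variant raised in the Sashiko review, modelled in user space as an added example (not kernel code; node_states[], nr_node_ids and the CPU-only node 3 are constructed stand-ins for the kernel's topology):

```c
/* User-space model of the node_id predicate added to arena_alloc_pages().
 * Added example, not kernel code: node_states[], nr_node_ids and the
 * topology below are constructed stand-ins for the kernel's (assumption). */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define NUMA_NO_NODE (-1)

enum node_states { N_ONLINE, N_MEMORY, NR_NODE_STATES };

/* Constructed topology: ids 0..3 are possible, node 2 is offline and
 * node 3 is online but memory-less (a CPU-only node). */
static unsigned int nr_node_ids = 4;
static uint64_t node_states[NR_NODE_STATES] = {
	[N_ONLINE] = (1u << 0) | (1u << 1) | (1u << 3),
	[N_MEMORY] = (1u << 0) | (1u << 1),
};

/* Like the kernel's node_state(): a bitmap lookup indexed by node id, so it
 * is only safe once node_id has been bounded (hence the || ordering). */
static bool node_state(int node, enum node_states state)
{
	return (node_states[state] >> node) & 1u;
}

/* The patch's predicate with the state made a parameter: N_ONLINE is what the
 * hunk checks, N_MEMORY is the alternative raised in review. The (unsigned int)
 * cast sends every negative id except NUMA_NO_NODE into the range branch. */
static bool node_id_ok(int node_id, enum node_states required)
{
	if (node_id != NUMA_NO_NODE &&
	    ((unsigned int)node_id >= nr_node_ids ||
	     !node_state(node_id, required)))
		return false;
	return true;
}

int main(void)
{
	const int ids[] = { NUMA_NO_NODE, 0, 2, 3, 4, -2, INT32_MIN };

	for (size_t i = 0; i < sizeof(ids) / sizeof(ids[0]); i++)
		printf("node_id %11d: N_ONLINE %s, N_MEMORY %s\n", ids[i],
		       node_id_ok(ids[i], N_ONLINE) ? "accept" : "reject",
		       node_id_ok(ids[i], N_MEMORY) ? "accept" : "reject");
	return 0;
}
```

Node 3 is the case the two checks disagree on: the hunk's N_ONLINE check lets a memory-less node through as a placement hint, the N_MEMORY variant rejects it.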


* Re: [PATCH bpf] bpf: Validate node_id in arena_alloc_pages()
From: patchwork-bot+netdevbpf @ 2026-04-17 17:20 UTC (permalink / raw)
  To: Puranjay Mohan
  Cc: bpf, puranjay12, ast, andrii, daniel, martin.lau, eddyz87, memxor,
	mykyta.yatsenko5, kernel-team

Hello:

This patch was applied to bpf/bpf.git (master)
by Alexei Starovoitov <ast@kernel.org>:

On Fri, 17 Apr 2026 08:21:33 -0700 you wrote:
> arena_alloc_pages() accepts a plain int node_id and forwards it through
> the entire allocation chain without any bounds checking.
> 
> Validate node_id before passing it down the allocation chain in
> arena_alloc_pages().
> 
> Fixes: 317460317a02 ("bpf: Introduce bpf_arena.")
> Signed-off-by: Puranjay Mohan <puranjay@kernel.org>
> 
> [...]

Here is the summary with links:
  - [bpf] bpf: Validate node_id in arena_alloc_pages()
    https://git.kernel.org/bpf/bpf/c/2845989f2eba

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html



