[PATCH bpf-next 0/2] bpf: Reject arena frees below the arena base

From: Yiyang Chen

Date: Tue Jun 30 2026 - 06:19:29 EST


bpf_arena_free_pages() can be called with a scalar arena address. The
runtime reconstructs a full user address from the arena base and the low
32 bits before returning the range to the arena free tree. A scalar one
page below the arena base can otherwise produce an out-of-domain free-tree
offset and make a later allocation return an address below the arena
mapping.

Patch 1 rejects frees whose reconstructed full user address is below
user_vm_start. Patch 2 adds verifier_arena coverage for the
scalar-below-base case.

Yiyang Chen (2):
bpf: Reject arena frees below the arena base
selftests/bpf: Cover scalar arena frees below the base

kernel/bpf/arena.c | 2 +
.../selftests/bpf/progs/verifier_arena.c | 41 ++++++++++++++++---
2 files changed, 38 insertions(+), 5 deletions(-)


base-commit: 7feeed42d8b97d0db0eab2c1c30aa86f110fe49c
--
2.34.1
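The address reconstruction and the failure mode the cover letter describes, modelled as an added C example (not the series' own code or kernel/bpf/arena.c): `arena_model`, `demo_arena` and the sample base address are constructed here, the lower-bound test is the check patch 1 describes, and the clamp against `user_vm_end` is an assumption of this model.

```c
/* Constructed model, not the kernel's arena.c: the runtime keeps only the
 * low 32 bits of the scalar, page-aligns them, and adds the arena base. */
#include <stdint.h>
#include <stdbool.h>

#define PAGE_SHIFT 12
#define PAGE_SIZE  (1ULL << PAGE_SHIFT)
#define PAGE_MASK  (~(PAGE_SIZE - 1))

struct arena_model {
	uint64_t user_vm_start;   /* first byte of the arena mapping */
	uint64_t user_vm_end;     /* one past the last mapped byte */
};

/* Sample arena (constructed): base has non-zero low 32 bits, 64 pages long. */
static const struct arena_model demo_arena = {
	.user_vm_start = 0x7f1234560000ULL,
	.user_vm_end   = 0x7f1234560000ULL + 64 * PAGE_SIZE,
};

/* Full user address rebuilt from the upper 32 bits of the base and the
 * page-aligned low 32 bits of whatever scalar the program passed. */
static uint64_t reconstruct_uaddr(const struct arena_model *a, uint64_t scalar)
{
	uint64_t lo = (uint64_t)(uint32_t)scalar & PAGE_MASK;
	return (a->user_vm_start & ~0xffffffffULL) + lo;
}

/* Page offset into the free tree, signed so an out-of-domain result shows
 * up as a negative index instead of a huge unsigned one. */
static int64_t free_tree_pgoff(const struct arena_model *a, uint64_t full_uaddr)
{
	return (int64_t)(full_uaddr - a->user_vm_start) / (int64_t)PAGE_SIZE;
}

/* True when the free must be refused.  The lower bound is the check patch 1
 * describes; clamping to user_vm_end is an assumption of this model. */
static bool arena_free_rejected(const struct arena_model *a, uint64_t scalar,
				uint64_t page_cnt)
{
	uint64_t full = reconstruct_uaddr(a, scalar);
	uint64_t end = full + page_cnt * PAGE_SIZE;

	if (end > a->user_vm_end)
		end = a->user_vm_end;
	if (full < a->user_vm_start)   /* scalar below the arena base */
		return true;
	return full >= end;            /* nothing left inside the mapping */
}
```

With the sample base, a scalar one page below `user_vm_start` reconstructs to an address below the mapping and a free-tree offset of -1, which the added lower-bound check refuses.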