authorJunyoung Jang <graypanda.inzag@gmail.com>2026-04-26 20:25:05 +0300
committerAlexei Starovoitov <ast@kernel.org>2026-05-10 02:18:39 +0300
commit3ac1a467e37683f602221e243fa3c59b0de81165 (patch)
tree6d94789f54da9f5664370898c5c5e4d56d49b4a0
parentbf6d507f7e3c65751d52fd8caf1ea4e003922624 (diff)
downloadlinux-3ac1a467e37683f602221e243fa3c59b0de81165.tar.xz
bpf: Fix off-by-one boundary validation in arena direct-value access
BPF_MAP_TYPE_ARENA accepts BPF_PSEUDO_MAP_VALUE offsets at exactly the end of the arena mapping (off == arena_size). The boundary check in arena_map_direct_value_addr() uses `>` instead of `>=`, which incorrectly allows a one-past-end pointer to be accepted. Change the condition to `>=` to correctly reject offsets that fall outside the valid arena user_vm range. Fixes: 317460317a02 ("bpf: Introduce bpf_arena.") Signed-off-by: Junyoung Jang <graypanda.inzag@gmail.com> Reviewed-by: Emil Tsalapatis <emil@etsalapatis.com> Link: https://lore.kernel.org/r/20260426172505.1947915-1-graypanda.inzag@gmail.com Signed-off-by: Alexei Starovoitov <ast@kernel.org>
-rw-r--r--kernel/bpf/arena.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/kernel/bpf/arena.c b/kernel/bpf/arena.c
index 802656c6fd3c..49a8f7b1beef 100644
--- a/kernel/bpf/arena.c
+++ b/kernel/bpf/arena.c
@@ -511,7 +511,7 @@ static int arena_map_direct_value_addr(const struct bpf_map *map, u64 *imm, u32
{
struct bpf_arena *arena = container_of(map, struct bpf_arena, map);
- if ((u64)off > arena->user_vm_end - arena->user_vm_start)
+ if ((u64)off >= arena->user_vm_end - arena->user_vm_start)
return -ERANGE;
*imm = (unsigned long)arena->user_vm_start;
return 0;
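Review bot: The `>=` comparison in arena_map_direct_value_addr() carries no comment saying why `off == size` is rejected, and an uncommented boundary like this is easy to flip back by accident; I would add `/* valid offsets are [0, user_vm_end - user_vm_start); one-past-end is not addressable */` above the check. With `>=`, an empty range (user_vm_end == user_vm_start) now also rejects `off == 0`, which the old `>` accepted. Whether the range can still be unset when this callback runs is not visible in the hunk, so it is worth confirming that -ERANGE is the intended result in that case. The check bounds only the starting offset, so the width of the access must be validated elsewhere. The function's closing brace is outside the hunk.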