On 1/12/23 6:04 AM, Ori Glassman wrote:
> I think I am able to write to a non-allocated task-local storage memory within an eBPF program (raw_tracepoint program), could anyone confirm this is really a bug, and that I'm not missing anything? Here's the code (thanks!):

Not a bug. There is no use-after-free issue. bpf_task_storage_delete() deletes
the value from map_a but it does not mean the value is freed immediately. The
value is still protected under the RCU grace period.

> ----------------------------------------------------
> long *ptr;
> struct task_struct *task = bpf_get_current_task_btf();
> ptr = bpf_task_storage_get(&map_a, task, 0, (1ULL << 0)); // BPF_LOCAL_STORAGE_GET_F_CREATE: create if it doesn't exist
> if (ptr)
>         *ptr = 200;
> int ret = bpf_task_storage_delete(&map_a, task);
> if (ret != 0)
>         return 0;
> if (ptr)
>         *ptr = 300; // writing to an un-mapped address
> const char fmt[] = "%ld";
> bpf_trace_printk(fmt, sizeof(fmt), *ptr); // this prints 300
> ----------------------------------------------------
>
> My system is ('uname -a'): 'Linux ip-172-31-3-230 5.15.0-1027-aws #31-Ubuntu SMP Wed Nov 30 20:19:26 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux'
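The lifecycle the reply describes, as an added userspace C model that is not code from this thread or from the kernel: storage_get, storage_delete and grace_period_end are hypothetical stand-ins for bpf_task_storage_get(), bpf_task_storage_delete() and the end of the RCU grace period, and the program's whole run is taken to be one RCU read-side critical section. The model assumes one task, one map and one deferred element; it does not reproduce the kernel's data structures.

```c
#include <stdlib.h>
#define BPF_LOCAL_STORAGE_GET_F_CREATE (1ULL << 0)   /* the (1ULL << 0) in the mail */
struct elem { long value; };
/* One task's storage for one map: the reachable element plus the element that
 * delete has already unlinked but that still waits for its RCU grace period. */
struct task_storage { struct elem *live, *deferred; int released; };

static struct elem *storage_get(struct task_storage *s, unsigned long long flags)
{
    if (!s->live && (flags & BPF_LOCAL_STORAGE_GET_F_CREATE))
        s->live = calloc(1, sizeof(*s->live));  /* a new value starts zero-filled */
    return s->live;
}

static int storage_delete(struct task_storage *s)
{
    if (!s->live) return -1;                    /* -ENOENT in the kernel */
    s->deferred = s->live;                      /* unlink only; the free is deferred */
    s->live = NULL;
    return 0;
}

static void grace_period_end(struct task_storage *s)
{
    free(s->deferred);                          /* no reader can hold the pointer now */
    s->deferred = NULL;
    s->released++;
}

struct result { long printed, fresh; int freed_in_prog, freed_after; };
/* The mail's program; its whole run counts as one RCU read-side critical section. */
struct result run_program(void)
{
    struct task_storage s = { 0 };
    struct result r = { -1, -1, -1, -1 };
    struct elem *e = storage_get(&s, BPF_LOCAL_STORAGE_GET_F_CREATE);
    if (!e) return r;
    long *ptr = &e->value;
    *ptr = 200;
    if (storage_delete(&s) != 0) return r;
    *ptr = 300;                                 /* unlinked, not freed: still writable */
    r.printed = *ptr;                           /* the 300 that bpf_trace_printk shows */
    r.fresh = storage_get(&s, BPF_LOCAL_STORAGE_GET_F_CREATE)->value; /* new element: 0 */
    r.freed_in_prog = s.released;               /* 0: nothing freed while the program runs */
    grace_period_end(&s);                       /* program returned, reader gone */
    r.freed_after = s.released;                 /* 1: only now is the old value reclaimed */
    free(s.live);
    return r;
}
```

The write of 300 lands in the unlinked element, so it is never visible through a later bpf_task_storage_get(), which hands out a fresh zeroed value.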