From: Amery Hung <ameryhung@gmail.com>
To: bpf@vger.kernel.org
Cc: alexei.starovoitov@gmail.com, andrii@kernel.org,
daniel@iogearbox.net, eddyz87@gmail.com, memxor@gmail.com,
yatsenko@meta.com, ameryhung@gmail.com, kernel-team@meta.com
Subject: [PATCH bpf-next v1 1/3] selftests/bpf: Prevent allocating data larger than a page
Date: Mon, 13 Apr 2026 12:02:57 -0700 [thread overview]
Message-ID: <20260413190259.358442-2-ameryhung@gmail.com> (raw)
In-Reply-To: <20260413190259.358442-1-ameryhung@gmail.com>
Fix a bug in the task local data library that may allocate more than a
a page for tld_data_u. This may happen when users set a too large
TLD_DYN_DATA_SIZE, so check it when creating dynamic TLD fields and fix
the corresponding selftest.
Signed-off-by: Amery Hung <ameryhung@gmail.com>
---
.../selftests/bpf/prog_tests/task_local_data.h | 3 ++-
.../bpf/prog_tests/test_task_local_data.c | 18 +++++++++++++-----
2 files changed, 15 insertions(+), 6 deletions(-)
diff --git a/tools/testing/selftests/bpf/prog_tests/task_local_data.h b/tools/testing/selftests/bpf/prog_tests/task_local_data.h
index 1e5c67c78ffb..489f07045c9f 100644
--- a/tools/testing/selftests/bpf/prog_tests/task_local_data.h
+++ b/tools/testing/selftests/bpf/prog_tests/task_local_data.h
@@ -241,7 +241,8 @@ static tld_key_t __tld_create_key(const char *name, size_t size, bool dyn_data)
* TLD_DYN_DATA_SIZE is allocated for tld_create_key()
*/
if (dyn_data) {
- if (off + TLD_ROUND_UP(size, 8) > tld_meta_p->size)
+ if (off + TLD_ROUND_UP(size, 8) > tld_meta_p->size ||
+ tld_meta_p->size > TLD_PAGE_SIZE - sizeof(struct tld_data_u))
return (tld_key_t){-E2BIG};
} else {
if (off + TLD_ROUND_UP(size, 8) > TLD_PAGE_SIZE - sizeof(struct tld_data_u))
diff --git a/tools/testing/selftests/bpf/prog_tests/test_task_local_data.c b/tools/testing/selftests/bpf/prog_tests/test_task_local_data.c
index e219ff506b56..8b99b4880d24 100644
--- a/tools/testing/selftests/bpf/prog_tests/test_task_local_data.c
+++ b/tools/testing/selftests/bpf/prog_tests/test_task_local_data.c
@@ -3,8 +3,14 @@
#include <bpf/btf.h>
#include <test_progs.h>
+/*
+ * Only a page is pinned to kernel, so the maximum amount of dynamic data
+ * allowed is page_size - sizeof(struct tld_data_u) - static TLD fields.
+ */
+#define TLD_DYN_DATA_SIZE_MAX (getpagesize() - sizeof(struct tld_data_u) - 8)
+
#define TLD_FREE_DATA_ON_THREAD_EXIT
-#define TLD_DYN_DATA_SIZE (getpagesize() - 8)
+#define TLD_DYN_DATA_SIZE TLD_DYN_DATA_SIZE_MAX
#include "task_local_data.h"
struct test_tld_struct {
@@ -147,11 +153,13 @@ static void test_task_local_data_basic(void)
/*
* Shouldn't be able to store data exceed a page. Create a TLD just big
- * enough to exceed a page. TLDs already created are int value0, int
- * value1, and struct test_tld_struct value2.
+ * enough to exceed a page. Data already contains struct tld_data_u,
+ * value0 and value1 of int type, and value 2 of struct test_tld_struct.
*/
- key = tld_create_key("value_not_exist",
- TLD_PAGE_SIZE - 2 * sizeof(int) - sizeof(struct test_tld_struct) + 1);
+ key = tld_create_key("value_not_exist", TLD_PAGE_SIZE + 1 -
+ sizeof(struct tld_data_u) -
+ TLD_ROUND_UP(sizeof(int), 8) * 2 -
+ TLD_ROUND_UP(sizeof(struct test_tld_struct), 8));
ASSERT_EQ(tld_key_err_or_zero(key), -E2BIG, "tld_create_key");
key = tld_create_key("value2", sizeof(struct test_tld_struct));
--
2.52.0
next prev parent reply other threads:[~2026-04-13 19:03 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-13 19:02 [PATCH bpf-next v1 0/3] Fix garbage data in task local data Amery Hung
2026-04-13 19:02 ` Amery Hung [this message]
2026-04-13 19:02 ` [PATCH bpf-next v1 2/3] selftests/bpf: Fix tld_get_data() returning garbage data Amery Hung
2026-04-13 19:02 ` [PATCH bpf-next v1 3/3] selftests/bpf: Test small task local data allocation Amery Hung
2026-04-15 19:20 ` [PATCH bpf-next v1 0/3] Fix garbage data in task local data patchwork-bot+netdevbpf
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260413190259.358442-2-ameryhung@gmail.com \
--to=ameryhung@gmail.com \
--cc=alexei.starovoitov@gmail.com \
--cc=andrii@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=eddyz87@gmail.com \
--cc=kernel-team@meta.com \
--cc=memxor@gmail.com \
--cc=yatsenko@meta.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox