Re: [v2 3/5] arm64: mte: implement CONFIG_ARM64_MTE_COMP

From: Yury Norov
Date: Thu Jul 13 2023 - 15:27:25 EST


> > + bitmap_set_value_unaligned((unsigned long *)buf, largest_idx,
> > + bit_pos, 4);
>
> > + bitmap_set_value_unaligned((unsigned long *)buf, largest_idx,
> > + bit_pos, 6);
>
> > + bitmap_set_value_unaligned((unsigned long *)buf, tags[i],
> > + bit_pos, 4);
>
> > + bitmap_set_value_unaligned((unsigned long *)buf, 0, bit_pos, 4);
>
> > + bitmap_set_value_unaligned((unsigned long *)buf, sizes[i],
> > + bit_pos, 7);
>
> > + largest_idx = bitmap_get_value_unaligned((unsigned long *)buf, bit_pos,
> > + l_bits);
>
> > + r_tags[i] = bitmap_get_value_unaligned((unsigned long *)buf,
> > + bit_pos, 4);
>
> > + r_sizes[i] = bitmap_get_value_unaligned((unsigned long *)buf,
> > + bit_pos, 7);
>
> These casts are a red flag. The bitmap API shouldn't be used like this. Something
> is not okay here.

Big-endian arches are not OK. Out-of-bounds access is not OK when
the buf is not exactly a multiple of words.

> > +void ea0_release_handle(u64 handle)
> > +{
> > + void *storage = ea0_storage(handle);
> > + int size = ea0_storage_size(handle);
> > + struct kmem_cache *c;
>
> > + if (!handle || !storage)
> > + return;
>
> You use handle before this check. Haven't you run static analysers?

This approach is called 'defensive programming', as I learned from the
previous iteration. Another interesting thing is that the only caller
of the function in patch #5 explicitly checks the handle for NULL, so
we're surely double-defensed here.

+void _mte_free_saved_tags(void *storage)
+{
+ unsigned long handle = xa_to_value(storage);
+ int size;
+
+ if (!handle)
+ return;
+ size = ea0_storage_size(handle);
+ ea0_release_handle(handle);
+}
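Review bot: `size` in _mte_free_saved_tags() is assigned from ea0_storage_size(handle) but never read, so the local and the call can be dropped (most compilers will also warn about a set-but-unused variable), and ea0_release_handle() computes the same value again anyway. The `if (!handle) return;` duplicates the `!handle || !storage` check already in ea0_release_handle(), so the body can reduce to `ea0_release_handle(xa_to_value(storage));`, unless the early return is specifically meant to skip the ea0_storage() lookup the callee performs before its own check.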

_mte_free_saved_tags() calculates size, but doesn't use it in any form,
just to calculate it again in callee...

Thanks,
Yury
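The two objections above, the `(unsigned long *)` casts breaking on big-endian machines and the word-granular accesses running past a buffer whose length is not a multiple of the word size, can be shown with a small byte-granular bit packer. The example below is added here and is not code from the patch series or from the kernel; `put_bits`/`get_bits` are hypothetical helpers, and the 4-bit tag, 7-bit size and 4-bit largest_idx widths are taken from the quoted hunks (the read side in the patch uses `l_bits` for largest_idx; 4 is assumed here). Because the helpers only ever touch the individual bytes that hold a field, the encoded byte sequence is the same on any endianness and a field that would extend past the buffer is rejected instead of read or written.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Write the low `nbits` (1..32) bits of `val` at bit offset `bit_pos`,
 * MSB first, touching only the bytes that hold those bits. Returns 0 on
 * success, -1 if the field would extend beyond `buf_len` bytes. */
static int put_bits(uint8_t *buf, size_t buf_len, size_t bit_pos,
                    uint32_t val, unsigned nbits)
{
    if (nbits == 0 || nbits > 32 || bit_pos + nbits > buf_len * 8)
        return -1;
    for (unsigned i = 0; i < nbits; i++) {
        size_t p = bit_pos + i;
        uint8_t mask = (uint8_t)(0x80 >> (p % 8));
        if ((val >> (nbits - 1 - i)) & 1)
            buf[p / 8] |= mask;
        else
            buf[p / 8] &= (uint8_t)~mask;
    }
    return 0;
}

/* Read `nbits` bits at `bit_pos` into *out; same bounds rule as put_bits. */
static int get_bits(const uint8_t *buf, size_t buf_len, size_t bit_pos,
                    unsigned nbits, uint32_t *out)
{
    uint32_t v = 0;
    if (nbits == 0 || nbits > 32 || bit_pos + nbits > buf_len * 8)
        return -1;
    for (unsigned i = 0; i < nbits; i++) {
        size_t p = bit_pos + i;
        v = (v << 1) | ((buf[p / 8] >> (7 - p % 8)) & 1);
    }
    *out = v;
    return 0;
}

/* Constructed sample: three 4-bit tags, three 7-bit run lengths, and a
 * 4-bit index of the largest run. Layout: [largest:4][tag:4]x3[size:7]x3
 * = 37 bits, so a 5-byte buffer (not a multiple of 8) is enough. */
#define NTAGS 3
#define BUF_LEN 5
static const uint32_t k_tags[NTAGS]  = { 0x5, 0xA, 0xF };
static const uint32_t k_sizes[NTAGS] = { 1, 64, 127 };
static const uint32_t k_largest = 2;

/* Encode into buf; returns the number of bits used, or -1 on overflow. */
static int encode(uint8_t *buf, size_t buf_len)
{
    size_t pos = 0;
    memset(buf, 0, buf_len);
    if (put_bits(buf, buf_len, pos, k_largest, 4)) return -1;
    pos += 4;
    for (int i = 0; i < NTAGS; i++, pos += 4)
        if (put_bits(buf, buf_len, pos, k_tags[i], 4)) return -1;
    for (int i = 0; i < NTAGS; i++, pos += 7)
        if (put_bits(buf, buf_len, pos, k_sizes[i], 7)) return -1;
    return (int)pos;
}

/* Returns 1 if decoding the encoded buffer yields the original values. */
int roundtrip_ok(void)
{
    uint8_t buf[BUF_LEN];
    uint32_t largest, tags[NTAGS], sizes[NTAGS];
    size_t pos = 0;
    if (encode(buf, BUF_LEN) != 37) return 0;
    if (get_bits(buf, BUF_LEN, pos, 4, &largest)) return 0;
    pos += 4;
    for (int i = 0; i < NTAGS; i++, pos += 4)
        if (get_bits(buf, BUF_LEN, pos, 4, &tags[i])) return 0;
    for (int i = 0; i < NTAGS; i++, pos += 7)
        if (get_bits(buf, BUF_LEN, pos, 7, &sizes[i])) return 0;
    if (largest != k_largest) return 0;
    for (int i = 0; i < NTAGS; i++)
        if (tags[i] != k_tags[i] || sizes[i] != k_sizes[i]) return 0;
    return 1;
}

/* Returns 1 if the encoded bytes match the endianness-independent layout
 * worked out by hand: 0x25 0xAF 0x03 0x03 0xF8. */
int layout_ok(void)
{
    static const uint8_t expect[BUF_LEN] = { 0x25, 0xAF, 0x03, 0x03, 0xF8 };
    uint8_t buf[BUF_LEN];
    return encode(buf, BUF_LEN) == 37 && memcmp(buf, expect, BUF_LEN) == 0;
}

/* Returns 1 if a 7-bit field starting at bit 37 of a 40-bit buffer is
 * refused: a word-based access would instead read or write bytes 5..7
 * that do not belong to the buffer. */
int oob_rejected(void)
{
    uint8_t buf[BUF_LEN] = { 0 };
    uint32_t v;
    return put_bits(buf, BUF_LEN, 37, 0x7F, 7) == -1 &&
           get_bits(buf, BUF_LEN, 37, 7, &v) == -1;
}

int main(void)
{
    printf("roundtrip=%d layout=%d oob_rejected=%d\n",
           roundtrip_ok(), layout_ok(), oob_rejected());
    return 0;
}
```

The bit-at-a-time loops are deliberately simple rather than fast; the point is that every access is to `buf[p / 8]` for a bit index `p` that has already been checked against `buf_len * 8`, so the code neither depends on the host's word layout nor reads past the end of an odd-sized buffer.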