Re: [RFC] <sys/tagged-address.h>: An API for tagged address

public inbox for libc-alpha@sourceware.org
 help / color / mirror / Atom feed

From: "H.J. Lu" <hjl.tools@gmail.com>
To: Szabolcs Nagy <szabolcs.nagy@arm.com>
Cc: Florian Weimer <fweimer@redhat.com>,
	 "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>,
	 "Shanbhogue, Vedvyas" <vedvyas.shanbhogue@intel.com>,
	 "H.J. Lu via Libc-alpha" <libc-alpha@sourceware.org>,
	Joseph Myers <joseph@codesourcery.com>
Subject: Re: [RFC] <sys/tagged-address.h>: An API for tagged address
Date: Thu, 18 Feb 2021 14:32:57 -0800	[thread overview]
Message-ID: <CAMe9rOrUm89Rnp2cPLe1h8Bav3pKnhxGk-OcUnNBR1+9Wac0xQ@mail.gmail.com> (raw)
In-Reply-To: <20210218135035.GE12795@arm.com>

On Thu, Feb 18, 2021 at 5:50 AM Szabolcs Nagy <szabolcs.nagy@arm.com> wrote:
>
> The 02/18/2021 14:28, Florian Weimer wrote:
> > * Szabolcs Nagy:
> > >> was called in a thread.  It won't work when 2 threads have different address
> > >> masks.  I think set_tagged_address_mask should be disallowed in child
> > >> threads and in parent thread when there are any active child threads.
> > >
> > > i think this is the wrong api. currently the libc should set
> > > things up early. api for user code is too late.
> > >
> > > user code does not know if it runs single threaded or not
> > > (although we have __libc_single_threaded now, i'm not sure if
> > > we can use that for this purpose)
> >
> > We could, but it's possible to launch threads from ELF constructors (and
> > I think some libraries do that).  So you could avoid the call or
> > diagnose a failure if single-threaded, but the tagged address feature
> > wouldn't compose well.
> >
> > Some kernel interfaces have this problem (e.g., unshare), but they are
> > less general-purpose than tagged addresses.
>
> it is possible to have a prctl flag that requests the abi
> change for the entire process. (and then the kernel has
> to do the sync across threads.)
>
> the semantics is not entirely obvious wrt memory model
> if we want to do this for e.g. MTE tag checks, but for
> syscall abi it should be possible to define reasonably.
>
> e.g. a use-case for changing mte/tag abi settings for an
> entire process is a custom allocator that wants to use
> heap tagging. by the time it can call the prctl the
> process may be already multi-threaded.
>
> there is also a problem with coordination between
> concurrent callers. this is simple with the tagged
> address abi which is a 1 bit state and we can say that
> it always goes one way: no tag -> tag, but more complex
> state like mte checking mode or mte tag exclusion set,
> requires coordination, which tells me that there should
> be a single owner: the libc.
>
> but i don't know what requirements intel LAM has.

We are working to enable LAM in glibc and GCC (HWASAN).

0. LAM is disabled when the process starts.
1. Define GNU property markers for LAM compatibility.
2. Update ld.so to support LAM.
3. Make libc.so LAM compatible (memmove).
4. Provide an API to enable LAM.

We noticed a few issues:

1. HWASAN should use the glibc API to enable tagged address
since glibc must track the tagged address mask.
2. set_tagged_address_mask shouldn't be allowed after
pthread_create is called.
3. After set_tagged_address_mask is called, can it be called
again to change tagged address mask.

-- 
H.J.

next prev parent reply	other threads:[~2021-02-18 22:33 UTC|newest]

Thread overview: 15+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-02-11 17:37 H.J. Lu
2021-02-11 20:28 ` Joseph Myers
2021-02-11 21:39   ` H.J. Lu
2021-02-12  9:43     ` Florian Weimer
2021-02-12 13:06       ` H.J. Lu
2021-02-17 18:43         ` H.J. Lu
2021-02-17 21:58           ` H.J. Lu
2021-02-18 13:24             ` Szabolcs Nagy
2021-02-18 13:28               ` Florian Weimer
2021-02-18 13:50                 ` Szabolcs Nagy
2021-02-18 22:32                   ` H.J. Lu [this message]
2021-02-22  8:27                     ` Szabolcs Nagy
2021-02-22 13:57                       ` H.J. Lu
2021-02-18 13:17         ` Szabolcs Nagy
2021-02-18 13:21           ` Florian Weimer

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=CAMe9rOrUm89Rnp2cPLe1h8Bav3pKnhxGk-OcUnNBR1+9Wac0xQ@mail.gmail.com \
    --to=hjl.tools@gmail.com \
    --cc=fweimer@redhat.com \
    --cc=joseph@codesourcery.com \
    --cc=kirill.shutemov@linux.intel.com \
    --cc=libc-alpha@sourceware.org \
    --cc=szabolcs.nagy@arm.com \
    --cc=vedvyas.shanbhogue@intel.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).