The 09/22/2020 17:55, Catalin Marinas wrote:
> On Tue, Sep 22, 2020 at 04:52:49PM +0100, Szabolcs Nagy wrote:
> > if we add a kernel level opt-in mechanism for tag checks later (e.g.
> > elf marking) or if the settings are exclusively owned by early libc
> > code then i think the proposed abi is ok (this is our current
> > agreement and works as long as no late runtime change is needed to the
> > settings).
>
> In the Android case, run-time changes to the tag checking mode I think
> are expected (usually via signal handlers), though per-thread.

ok that works, but does not help allocators or runtimes
that don't own the signal handlers.

> > i'm now wondering about the default tag check mode: it may be better
> > to enable sync tag checks in the kernel. it's not clear to me what
> > would break with that. this is probably late to discuss now and libc
> > would need ways to override the default no matter what, but i'd like
> > to know if somebody sees problems or risks with unconditional sync tag
> > checks turned on (sorry i don't remember if we went through this
> > before). i assume it would have no effect on a process that never uses
> > PROT_MTE.
>
> I don't think it helps much. We already have a requirement that to be
> able to pass tagged pointers to kernel syscalls, the user needs a
> prctl(PR_TAGGED_ADDR_ENABLE) call (code already in mainline). Using
> PROT_MTE without tagged pointers won't be of much use. So if we are to
> set different tag check defaults, we should also enable the tagged addr
> ABI automatically.
>
> That said, I still have a preference for MTE and tagged addr ABI to be
> explicitly requested by the (human) user either via environment
> variables or marked in an ELF note as "safe with/using tags". Given the
> recent mremap() issue we caused in glibc, I'm worried that other things
> may break with enabling the tagged addr ABI everywhere.
>
> Another aspect is that sync mode by default in a distro where glibc is
> MTE-aware will lead to performance regressions. That's another case in
> favour of the user explicitly asking for tag checking.

ok this all makes sense to me.

> Anyway, I'm open to having a debate on changing the defaults.
>
> --
> Catalin
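
Added example (not part of the thread, and not glibc or kernel code): one way the explicit opt-in discussed above could look in early startup code, where a user-set environment variable selects the tag check mode and the tagged address ABI is enabled in the same prctl() call. The variable name EXAMPLE_MTE_MODE and the helper names are hypothetical; the prctl constants are the Linux uapi ones, redefined only if the installed headers lack them.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>

/* Linux uapi values, for headers that predate MTE support. */
#ifndef PR_SET_TAGGED_ADDR_CTRL
#define PR_SET_TAGGED_ADDR_CTRL 55
#endif
#ifndef PR_TAGGED_ADDR_ENABLE
#define PR_TAGGED_ADDR_ENABLE (1UL << 0)
#endif
#ifndef PR_MTE_TCF_SYNC
#define PR_MTE_TCF_SYNC  (1UL << 1)
#define PR_MTE_TCF_ASYNC (2UL << 1)
#define PR_MTE_TAG_SHIFT 3
#endif

/* Map the opt-in string to a PR_SET_TAGGED_ADDR_CTRL argument. NULL or an
 * unrecognised value yields 0, so checking is never enabled by accident. */
unsigned long mte_ctrl_from_optin(const char *mode)
{
    unsigned long tcf;
    if (mode == NULL) return 0;
    if (strcmp(mode, "sync") == 0) tcf = PR_MTE_TCF_SYNC;
    else if (strcmp(mode, "async") == 0) tcf = PR_MTE_TCF_ASYNC;
    else return 0;
    /* Tagged addr ABI goes with tag checks; include mask allows tags 1..15. */
    return PR_TAGGED_ADDR_ENABLE | tcf | (0xfffeUL << PR_MTE_TAG_SHIFT);
}

/* Per-thread: 0 = nothing requested, 1 = applied, -1 = refused (see errno). */
int mte_apply_optin(const char *mode)
{
    unsigned long ctrl = mte_ctrl_from_optin(mode);
    if (ctrl == 0) return 0;
    return prctl(PR_SET_TAGGED_ADDR_CTRL, ctrl, 0, 0, 0) != 0 ? -1 : 1;
}

int main(void)
{
    const char *mode = getenv("EXAMPLE_MTE_MODE"); /* hypothetical name */
    int rc = mte_apply_optin(mode);
    if (rc < 0)
        fprintf(stderr, "MTE opt-in '%s' refused: %s\n", mode, strerror(errno));
    else
        printf("MTE opt-in %s\n", rc ? "applied" : "not requested");
    return 0;
}
```

On a kernel or CPU without MTE the prctl() call fails and the process continues with the default (no tag checks), which is the fallback an opt-in scheme needs.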