Commit 090c331a authored by Alexandru Elisei

arm64: mte: Fix page_tag_storage_reserved() by introducing PG_tag_storage_reserved

page_tag_storage_reserved() takes a tagged page as argument and checks if
the corresponding tag storage has been reserved, but this is prone to false
positives.

Consider the scenario:

1. Page P is allocated as tagged, and the corresponding tag storage block B
   is reserved. Block B refcount = 2.

2. Page P + 1, with the same corresponding tag storage block, block B, is
   allocated as tagged, but reserve_tag_storage() is incorrectly not called.
   Block B refcount remains 2.

3. page_tag_storage_reserved() for page P + 1 returns true because block B
   is reserved.

4. Page P is freed, the refcount for block B is decremented by 1, which
   becomes 1, and the block is freed.

5. Block B is allocated for data => tags for page P + 1 (which is still in
   use as tagged) are corrupted.

Fix this by introducing a new PG_tag_storage_reserved page flag which will
be set when reserve_tag_storage() has reserved the corresponding tag
storage block (or increased the block refcount).
parent a39cae70
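The five-step scenario above, as an added C model that is not code from this commit or the kernel: the names (struct tpage, alloc_tagged, free_tagged, run_scenario) and the refcount convention (1 means unreserved, each reserving page adds 1, the block is handed out for data once it drops back to 1) are assumptions made here, and the allocation path is assumed to call reserve_tag_storage() only when page_tag_storage_reserved() reports the page unreserved, so the old block-level check and the per-page flag can be plugged into the same path.

```c
/* Constructed model of the commit's scenario (hypothetical names, not the
 * kernel's structures). A tag storage block is shared by neighbouring tagged
 * pages: refcount 1 means unreserved, each reserving page adds 1, and the block
 * is released for data once the refcount drops back to 1. */
#include <stdbool.h>
#include <stddef.h>

struct tag_block { int refcount; bool reused_for_data; };
struct tpage { struct tag_block *block; bool pg_tag_storage_reserved; };

typedef bool (*reserved_check)(const struct tpage *);

/* Old check: looks only at the block, so any page sharing a reserved block passes. */
static bool old_page_tag_storage_reserved(const struct tpage *p) {
    return p->block->refcount > 1;
}

/* Fixed check: the per-page flag that reserve_tag_storage() set for this page. */
static bool new_page_tag_storage_reserved(const struct tpage *p) {
    return p->pg_tag_storage_reserved;
}

static void reserve_tag_storage(struct tpage *p) {
    p->block->refcount++;
    p->pg_tag_storage_reserved = true;   /* models PG_tag_storage_reserved */
}

/* Allocation path of a tagged page: reserve unless the check says it is already done. */
static void alloc_tagged(struct tpage *p, reserved_check check) {
    if (!check(p))
        reserve_tag_storage(p);
}

/* Free path: drop this page's reservation; the last one releases the block. */
static void free_tagged(struct tpage *p, reserved_check check) {
    if (check(p)) {
        p->block->refcount--;
        p->pg_tag_storage_reserved = false;
    }
    if (p->block->refcount == 1)
        p->block->reused_for_data = true;   /* step 5: block handed out for data */
}

/* Returns true when the tags of page P + 1 get corrupted: block B is reused for
 * data while P + 1 is still in use as a tagged page. */
static bool run_scenario(reserved_check check) {
    struct tag_block B = { .refcount = 1, .reused_for_data = false };
    struct tpage P = { &B, false }, P1 = { &B, false };
    reserve_tag_storage(&P);     /* step 1: B refcount = 2 */
    alloc_tagged(&P1, check);    /* steps 2-3: old check reports B reserved for P + 1 */
    free_tagged(&P, check);      /* step 4: P's reservation dropped */
    return B.reused_for_data;    /* step 5 */
}
```

With the old check run_scenario() reports corruption; with the per-page flag P + 1 gets its own reservation in step 2, so freeing P leaves block B at refcount 2 and it is not released.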