ARM MTE data race: ro.is_memtag_disabled

[rdevshp]

1. h_malloc_disable_memory_tagging writes to ro.is_memtag_disabled in the init_lock mutex region
2. ro.is_memtag_disabled is read through is_memtag_enabled without proper synchronization in invocations like allocate_small -> write_after_free_check

Since it is not atomic, the data race results in undefined behavior.

[thestinger]

This shouldn't matter, it can just only be safely used in contexts where it's not racy. There isn't a commitment to it not racing against other stuff. It's for internal use.

[rdevshp]

There is also a potential deadlock issue with h_malloc_disable_memory_tagging where if h_malloc_disable_memory_tagging is called in one thread, and another thread forks, it can result in a child process with the init_lock locked forever. (I have created issue #317 for this)

[thestinger]

It can't be used in a situation where that could happen.

[rdevshp]

It can't be used in a situation where that could happen.

Just to be sure, you mean that h_malloc_disable_memory_tagging can't be used in situations where either the inter-thread data race or the fork deadlock can happen right? I am currently trying to create a patch for the fork deadlock. If that would never happen, then I would not continue with my patching attempt for the h_malloc_disable_memory_tagging fork deadlock.

[thestinger]

It's only safe to use it in a limited set of situations and it's for internal usage.