Re: [PATCH v8 09/20] kasan: preassign tags to objects with ctors or SLAB_TYPESAFE_BY_RCU

From: Andrey Konovalov
Date: Fri Sep 21 2018 - 08:25:03 EST


On Fri, Sep 21, 2018 at 1:25 PM, Dmitry Vyukov <dvyukov@xxxxxxxxxx> wrote:
> On Wed, Sep 19, 2018 at 8:54 PM, Andrey Konovalov <andreyknvl@xxxxxxxxxx> wrote:

>> if (!shuffle) {
>> for_each_object_idx(p, idx, s, start, page->objects) {
>> - setup_object(s, page, p);
>> - if (likely(idx < page->objects))
>> - set_freepointer(s, p, p + s->size);
>> - else
>> + if (likely(idx < page->objects)) {
>> + next = p + s->size;
>> + next = setup_object(s, page, next);
>> + set_freepointer(s, p, next);
>> + } else
>> set_freepointer(s, p, NULL);
>> }
>> - page->freelist = fixup_red_left(s, start);
>> + start = fixup_red_left(s, start);
>> + start = setup_object(s, page, start);
>> + page->freelist = start;
>> }
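Review bot: the ordering in the `if (!shuffle)` loop is correct but easy to misread, since `setup_object()` is now called on `next` rather than on `p`, and the first object is only set up by the post-loop `start = setup_object(s, page, start);`. A one-line comment above the loop stating the invariant ("an object must be tagged by setup_object() before its pointer is stored in the previous object's freepointer, so the loop sets up `next` and the first object is handled after the loop") would save the next reader the same double-counting question. The shuffle branch of this function is not in the hunk; it needs the same invariant, otherwise `page->freelist` and the stored freepointers carry untagged addresses there.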
>
> Just want to double-check that this is correct.
> We now do an additional setup_object call after the loop, but we do 1
> less in the loop. So total number of calls should be the same, right?
> However, after the loop we call setup_object for the first object (?),
> but inside of the loop we skip the call for the last object (?). Am I
> missing something, or we call ctor twice for the last object and don't
> call it for the first one?

Inside the loop we call setup_object for the "next" object. So we
start iterating on the first one, but call setup_object for the
second. Then the loop moves on to the second one and calls
setup_object for the third. And so on. So the loop calls setup_object
for every object (including the last one) except for the first one.

The idea is that we want the freelist pointer that is stored in the
current object to have a tagged pointer to the next one, so we need to
assign a tag to the next object before storing the pointer in the
current one.
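To make the ordering in the non-shuffle loop concrete, here is a small user-space model of it; this is an added example, not code from the patch or from SLUB. It keeps a KASAN-style tag in the top byte of a 64-bit pointer, runs the same loop as the hunk, then walks the resulting freelist and checks that every object's "ctor" ran exactly once and that each stored link carries the tag assigned to the object it points at. `NOBJ`, `OBJSIZE`, the freepointer living at offset 0 and the deterministic `random_tag()` are assumptions made for the model.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not kernel code: a model of the patched !shuffle
 * freelist setup with tags in the pointer's top byte (arm64 TBI layout).
 * NOBJ, OBJSIZE, offset-0 freepointers and random_tag() are assumptions. */

_Static_assert(sizeof(uintptr_t) == 8, "model assumes 64-bit pointers with a free top byte");

#define KASAN_TAG_SHIFT 56
#define KASAN_TAG_MASK  0xffULL
#define NOBJ    8     /* stands in for page->objects */
#define OBJSIZE 64    /* stands in for s->size */

struct slab {
	unsigned char mem[NOBJ * OBJSIZE];
	uintptr_t freelist;          /* page->freelist, tagged */
	unsigned ctor_calls[NOBJ];   /* how often setup_object() ran per object */
};

static uintptr_t set_tag(uintptr_t p, uint8_t tag)
{
	return (p & ~(KASAN_TAG_MASK << KASAN_TAG_SHIFT)) | ((uintptr_t)tag << KASAN_TAG_SHIFT);
}

static uint8_t get_tag(uintptr_t p)
{
	return (uint8_t)(p >> KASAN_TAG_SHIFT);
}

static unsigned char *reset_tag(uintptr_t p)
{
	return (unsigned char *)(p & ~(KASAN_TAG_MASK << KASAN_TAG_SHIFT));
}

static int obj_index(const struct slab *s, uintptr_t p)
{
	return (int)((reset_tag(p) - s->mem) / OBJSIZE);
}

/* Deterministic stand-in for a random KASAN tag (assumption). */
static uint8_t random_tag(int idx)
{
	return (uint8_t)(0x20 + 37 * idx);
}

/* Model of setup_object(): run the "ctor" and return the tagged pointer. */
static uintptr_t setup_object(struct slab *s, uintptr_t p)
{
	int idx = obj_index(s, p);

	s->ctor_calls[idx]++;
	return set_tag(p, random_tag(idx));
}

static void set_freepointer(uintptr_t obj, uintptr_t fp)
{
	memcpy(reset_tag(obj), &fp, sizeof(fp));
}

static uintptr_t get_freepointer(uintptr_t obj)
{
	uintptr_t fp;

	memcpy(&fp, reset_tag(obj), sizeof(fp));
	return fp;
}

/* Same shape as the patched loop: tag `next` before storing it in `p`;
 * the first object is set up after the loop. */
static void init_freelist(struct slab *s)
{
	uintptr_t start = (uintptr_t)s->mem, p, next;
	int idx;

	memset(s->ctor_calls, 0, sizeof(s->ctor_calls));
	for (idx = 1, p = start; idx <= NOBJ; idx++, p += OBJSIZE) {
		if (idx < NOBJ) {
			next = p + OBJSIZE;
			next = setup_object(s, next);
			set_freepointer(p, next);
		} else {
			set_freepointer(p, 0);
		}
	}
	start = setup_object(s, start);
	s->freelist = start;
}

/* Walk the freelist. Returns the number of objects visited, or -1 if an
 * object's ctor ran a number of times other than once, a link carries a
 * tag other than the one assigned to its target, or the chain is out of order. */
static int check_freelist(const struct slab *s)
{
	uintptr_t p = s->freelist;
	int n = 0;

	while (p) {
		int idx = obj_index(s, p);

		if (idx != n || s->ctor_calls[idx] != 1 || get_tag(p) != random_tag(idx))
			return -1;
		p = get_freepointer(p);
		n++;
	}
	return n;
}

static int run_model(void)
{
	static struct slab s;

	init_freelist(&s);
	return check_freelist(&s);
}

int main(void)
{
	printf("objects with one ctor call and a correctly tagged link: %d of %d\n", run_model(), NOBJ);
	return 0;
}
```

If the post-loop `setup_object()` call on `start` were dropped, `check_freelist()` would fail on the first object (tag missing, ctor count 0); if the loop called `setup_object()` on `p` instead of `next`, the last object would be set up twice and the first not at all, which is exactly the double-counting the question above raises.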