On 17/10/2022 19:09, Tudor Cretu wrote:
On CHERI architectures, the stores/loads of capabilities can be atomic.
Maybe "should be atomic", as otherwise it's a bit unclear what justifies this change.
Add (u)intcap_t types to the native_words check in order to allow the stores/loads of capabilities to pass the checks for atomic operations.
Signed-off-by: Tudor Cretu <tudor.cretu@arm.com>
include/linux/compiler_types.h | 7 +++++++ 1 file changed, 7 insertions(+)
diff --git a/include/linux/compiler_types.h b/include/linux/compiler_types.h index 36d8b41f7ccf..755b0b42f7b9 100644 --- a/include/linux/compiler_types.h +++ b/include/linux/compiler_types.h @@ -323,9 +323,16 @@ struct ftrace_likely_data { default: (x))) /* Is this type a native word size -- useful for atomic operations */ +#ifdef __CHERI__ +#define __native_word(t) \
- (sizeof(t) == sizeof(char) || sizeof(t) == sizeof(short) || \
sizeof(t) == sizeof(int) || sizeof(t) == sizeof(long) || \
__same_type(t, __intcap_t) || __same_type(t, __uintcap_t))
I think you have made the best compromise here, but I just wanted to note that it won't work with capability pointers, notably user pointers. However we already know painfully well that we cannot tell whether a type is a pointer, so the only alternative to what you chose is == sizeof(__intcap_t) or similar, which is clearly less safe. It seems that this macro only needs to deal with capabilities in the form of __kernel_uintptr_t, so I'm in favour of your approach at least for the time being.
Kevin
+#else #define __native_word(t) \ (sizeof(t) == sizeof(char) || sizeof(t) == sizeof(short) || \ sizeof(t) == sizeof(int) || sizeof(t) == sizeof(long)) +#endif #ifdef __OPTIMIZE__ # define __compiletime_assert(condition, msg, prefix, suffix) \
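Review bot: The `#ifdef __CHERI__` branch repeats the four `sizeof(t) == sizeof(...)` comparisons that the `#else` branch keeps, so the two definitions of `__native_word(t)` can drift apart if one is edited later. Consider keeping a single `__native_word(t)` and putting only the capability part behind the `#ifdef`, for example a small helper macro that expands to `__same_type(t, __intcap_t) || __same_type(t, __uintcap_t)` under `__CHERI__` and to `0` otherwise. The comment above the macro still reads "Is this type a native word size", but the new branch matches by type rather than by size. It would help to say there that only `__intcap_t` and `__uintcap_t` are accepted and that capability pointer types do not pass, since a caller hitting the compile-time assertion with a pointer type will otherwise have no hint why.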