Received: by 10.192.165.148 with SMTP id m20csp4117944imm; Mon, 30 Apr 2018 12:03:19 -0700 (PDT) X-Google-Smtp-Source: AB8JxZr4ZDj5PNJaAYz0uSRW3NZ9f+txURAzaEp8S6iFhezbEhzEuIuR35ieYEweeIQld53loP8y X-Received: by 2002:a63:a309:: with SMTP id s9-v6mr10715579pge.187.1525114999119; Mon, 30 Apr 2018 12:03:19 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1525114999; cv=none; d=google.com; s=arc-20160816; b=AYcmMkSWU3W1UUlSwrj11ps5zFu4aklLXsZgN0AR3DeqYxiE6LYnP4w+FWe4NnywGN da0YJov2HEu10ubS71fuKvOihIdihNyRrOZF4msGvnIlklc85KG9mm6IJ6eAuzf0887P theZPaIdDSoZzHxLrcLmQZJPvt7kKs8434amd8HvwDxrXUunYMyac6YANHljF+0K9xMk 6x3YnfEoYLLqvUgB3kjFr69zuljCqaol/YAsZhprGDXxk9yhEMBZLj96VDPtA8H4lj8S /Q2XFcXiI61NzBulqsy7iwdK38D98Nl03TtNmB3WGncmOWdgUxKUEuu/wLK1krN+z2L+ K2+g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :references:in-reply-to:mime-version:dkim-signature:dkim-signature :arc-authentication-results; bh=O0r1tE3E054cVPI0+wQrVS3oFfAoZ+ZNwMQ5qFnDVfU=; b=vp5+oUUzbhmoSaaWxUYMJeEhoTMpi1RFvzJjXCTvCoiwMSKCh2JsB/AZ2lLE5fn906 EmOPnB1Y/b9gpHCiI6fbNrHVyZOJTPEhKRy0Fa8u8Dxf2Obmc/CYirMPO5bw3I9zSU8A zBLzykywppq5UAPmGbSKfa9p1nuIFwjO7REUHfeQIWPrsQqR+dSD75Sml19OMjw5L6EW GL4FhgXo19RF4webgKw4VIsMjzhEglwgvW9z0b34PTnpQuZGb460Besere0RZ4OiI63l xAMYphqey/RmKw8nUJqeozZLVyQ/FEJfT32vDjggaVWD1/pSlGNQDKEHcB+zsVQrd8Bs 87cQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=fail header.i=@google.com header.s=20161025 header.b=O/qgyenl; dkim=fail header.i=@chromium.org header.s=google header.b=ZPTNhEL/; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=chromium.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id f7-v6si6501552pgq.207.2018.04.30.12.03.04; Mon, 30 Apr 2018 12:03:19 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=fail header.i=@google.com header.s=20161025 header.b=O/qgyenl; dkim=fail header.i=@chromium.org header.s=google header.b=ZPTNhEL/; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=chromium.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1754860AbeD3TCR (ORCPT + 99 others); Mon, 30 Apr 2018 15:02:17 -0400 Received: from mail-vk0-f68.google.com ([209.85.213.68]:42389 "EHLO mail-vk0-f68.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753397AbeD3TCQ (ORCPT ); Mon, 30 Apr 2018 15:02:16 -0400 Received: by mail-vk0-f68.google.com with SMTP id j7-v6so5602198vkc.9 for ; Mon, 30 Apr 2018 12:02:16 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=O0r1tE3E054cVPI0+wQrVS3oFfAoZ+ZNwMQ5qFnDVfU=; b=O/qgyenlgppidE0Qooz5zMoCWR7jIKbiD1tXdRejw20AqrK9AhrTWsScbnGxHlan1c B03IZWjDx3DHMkhWPjdAb5G7zsQV2mO3Hp63GCNAEjTeJH8lWtrMk1pSl0Up2iz0hUi2 6j/eO34ik7NOmkh5i743KyyvU6y6i02oZaUhR2vY1jAX0G9LUqsnYgzTFkfrDNg6eQP6 aanTdCF8wj+tDUrV4NzLhNT7lTBAhrtIwrjYbiclKrpAtdvo3Rx4Ke+qH5TU0QOm4pb6 cS+EjY2wYXpoQ083ig5bE+bnfLn8caKMm5qJPjrCAGbSp28jIsfpWV72q5laNCYPnhos Vwdw== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=O0r1tE3E054cVPI0+wQrVS3oFfAoZ+ZNwMQ5qFnDVfU=; b=ZPTNhEL/BHffvu+PI/3W3y4+NmynOJho/JawErdv96sUPwIIHEAoVbnDnnNiD7MS3J yJcd3mFYHsfl6ULYVjaXHoHMbm/d/tIChcV5gzHdpFjdLAaQdklyuSACRLTTyB2vNs+N TdicdOKJi80fcS50X8gfsQQ090vviYbkzU4OY= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc; bh=O0r1tE3E054cVPI0+wQrVS3oFfAoZ+ZNwMQ5qFnDVfU=; b=F+J1e/3uEC8f7j7+SaOjAFUZFk4+/Fd3/mlcUiubxLp+UXrrb9NkLqLifGE0X18HGz lE18WbhECx9rx1raAMJTJWbMk8qdfZclVkEOrINDD81TGaYOVpUmTEhm7avjRZoEM9rP nBp/1Re0uS6YuOdaSqM3e8O+iV3yimeuhx+bg+27JBUJ538OQgq+f5ypw1huO4W8pWWL T8Ox+s6GlQYrhRXPfJDc5RzWeEXKjPHLjqQ2XdQV5pgvOa1rz+5iulQPoNrgMHrlMhL0 zVhIg9G5AGcZc/ddoqIT70OQ6y627Xq5xuRQ+2bgBBIExlI9XYYvpeNWQsDgBAurt+QP UZ2Q== X-Gm-Message-State: ALQs6tAPNPVPe3sfRRooczFXq2v0jJyTzrIIHrTnIvm6h5xDs1Kp3Zzn ING39zOyTzHXPrtWMqz/5xAN9XL0NS+KBRc0lo0FIA== X-Received: by 2002:a1f:b7c6:: with SMTP id h189-v6mr7328705vkf.84.1525114935061; Mon, 30 Apr 2018 12:02:15 -0700 (PDT) MIME-Version: 1.0 Received: by 10.31.11.209 with HTTP; Mon, 30 Apr 2018 12:02:14 -0700 (PDT) In-Reply-To: <20180429203023.GA11891@bombadil.infradead.org> References: <20180214182618.14627-1-willy@infradead.org> <20180214182618.14627-3-willy@infradead.org> <20180308025812.GA9082@bombadil.infradead.org> <20180308230512.GD29073@bombadil.infradead.org> <20180313183220.GA21538@bombadil.infradead.org> <20180429203023.GA11891@bombadil.infradead.org> From: Kees Cook Date: Mon, 30 Apr 2018 12:02:14 -0700 X-Google-Sender-Auth: Drwm3P81uZF8P-Yvu2Kq18crezI Message-ID: Subject: Re: [PATCH 2/2] mm: Add kvmalloc_ab_c and kvzalloc_struct To: Matthew Wilcox Cc: Julia Lawall , Andrew Morton , Matthew Wilcox , Linux-MM , LKML , Kernel Hardening , cocci@systeme.lip6.fr, Himanshu Jha Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Sun, Apr 29, 2018 at 1:30 PM, Matthew Wilcox wrote: > On Sun, Apr 29, 2018 at 09:59:27AM -0700, Kees Cook wrote: >> Did this ever happen? > > Not yet. I brought it up at LSFMM, and I'll repost the patches soon. > >> I'd also like to see kmalloc_array_3d() or >> something that takes three size arguments. We have a lot of this >> pattern too: >> >> kmalloc(sizeof(foo) * A * B, gfp...) >> >> And we could turn that into: >> >> kmalloc_array_3d(sizeof(foo), A, B, gfp...) > > Are either of A or B constant? Because if so, we could just use > kmalloc_array. If not, then kmalloc_array_3d becomes a little more > expensive than kmalloc_array because we have to do a divide at runtime > instead of compile-time. that's still better than allocating too few > bytes, of course. Yeah, getting the order of the division is nice. Some thoughts below... > > I'm wondering how far down the abc + ab + ac + bc + d rabbit-hole we're > going to end up going. As far as we have to, I guess. Well, the common patterns I've seen so far are: a ab abc a + bc ab + cd For any longer multiplications, I've only found[1]: drivers/staging/rtl8188eu/os_dep/osdep_service.c: void **a = kzalloc(h * sizeof(void *) + h * w * size, GFP_KERNEL); At the end of the day, though, I don't really like having all these different names... kmalloc(), kmalloc_array(), kmalloc_ab_c(), kmalloc_array_3d() with their "matching" zeroing function: kzalloc(), kcalloc(), kzalloc_ab_c(), kmalloc_array_3d(..., gfp | __GFP_ZERO) For the multiplication cases, I wonder if we could just have: kmalloc_multN(gfp, a, b, c, ...) kzalloc_multN(gfp, a, b, c, ...) and we can replace all kcalloc() users with kzalloc_mult2(), all kmalloc_array() users with kmalloc_mult2(), the abc uses with kmalloc_mult3(). That said, I *do* like kmalloc_struct() as it's a very common pattern... Or maybe, just leave the pattern in the name? kmalloc_ab(), kmalloc_abc(), kmalloc_ab_c(), kmalloc_ab_cd() ? Getting the constant ordering right could be part of the macro definition, maybe? i.e.: static inline void *kmalloc_ab(size_t a, size_t b, gfp_t flags) { if (__builtin_constant_p(a) && a != 0 && \ b > SIZE_MAX / a) return NULL; else if (__builtin_constant_p(b) && b != 0 && \ a > SIZE_MAX / b) return NULL; return kmalloc(a * b, flags); } (I just wish C had a sensible way to catch overflow...) -Kees [1] git grep -E 'alloc\([^,]+[^(]\*[^)][^,]+[^(]\*[^)][^,]+[^(]\*[^)][^,]+,' -- Kees Cook Pixel Security