Date: Mon, 7 May 2018 13:49:11 -0700
From: Matthew Wilcox
To: Kees Cook
Cc: John Johansen, Matthew Wilcox, Linux-MM, LKML, Rasmus Villemoes
Subject: Re: *alloc API changes
Message-ID: <20180507204911.GC15604@bombadil.infradead.org>

On Mon, May 07, 2018 at 01:27:38PM -0700, Kees Cook wrote:
> On Mon, May 7, 2018 at 1:19 PM, Matthew Wilcox wrote:
> > Yes. And today with kvmalloc. However, I proposed to Linus that
> > kvmalloc() shouldn't allow it -- we should have kvmalloc_large() which
> > would, but kvmalloc wouldn't. He liked that idea, so I'm going with it.
>
> How would we handle size calculations for _large?

I'm not sure we should, at least initially. The very few places which
need a large kvmalloc really are special and can do their own careful
checking. Because, as Linus pointed out, we shouldn't be letting the
user ask us to allocate a terabyte of RAM. We should just fail that.

Let's see how those users pan out, and then see what we can offer in
terms of safety.

> > There are very, very few places which should need kvmalloc_large.
> > That's one million 8-byte pointers. If you need more than that inside
> > the kernel, you're doing something really damn weird and should do
> > something that looks obviously different.
>
> I'm CCing John since I remember long ago running into problems loading
> the AppArmor DFA with kmalloc and switching it to kvmalloc. John, how
> large can the DFAs for AppArmor get? Would an 8MB limit be a problem?

Great! Opinions from people who'll use this interface are exceptionally
useful.

> And do we have any large IO or network buffers >8MB?

Not that get allocated with kvmalloc ... because you can't DMA map
vmalloc (without doing some unusual contortions).

> > but I thought of another problem with array_size. We already have
> > ARRAY_SIZE and it means "the number of elements in the array".
> >
> > so ... struct_bytes(), array_bytes(), array3_bytes()?
>
> Maybe "calc"? struct_calc(), array_calc(), array3_calc()? This has the
> benefit of actually saying more about what it is doing, rather than
> its return value... In the end, I don't care. :)

I don't have a strong feeling on this either.

> > Keeping our focus on allocations ... do we have plain additions (as
> > opposed to multiply-and-add?) And subtraction?
>
> All I've seen are just rare "weird" cases of lots of mult/add. Some
> are way worse than others:
> http://www.ozlabs.org/~akpm/mmotm/broken-out/exofs-avoid-vla-in-structures.patch
>
> Just having the mult/add saturation would be lovely.

Ow. My brain just oozed out of my ears.
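
The mult/add saturation discussed in this thread, combined with an allocator that simply fails oversized requests, as an added userspace C example; it is not code from the thread or from the kernel. The helper names follow the ones floated above, while `ALLOC_LIMIT` and `bounded_alloc()` are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed cap, taken from the 8MB figure in the thread; not a kernel constant. */
#define ALLOC_LIMIT ((size_t)8 << 20)

/* n * size, saturating at SIZE_MAX (GCC/Clang overflow builtin). */
static size_t array_bytes(size_t n, size_t size)
{
	size_t bytes;

	return __builtin_mul_overflow(n, size, &bytes) ? SIZE_MAX : bytes;
}

/* a * b * size; a saturated inner product stays saturated for size >= 1. */
static size_t array3_bytes(size_t a, size_t b, size_t size)
{
	return array_bytes(array_bytes(a, b), size);
}

/* header + n * elem, the "multiply-and-add" case, also saturating. */
static size_t struct_bytes(size_t header, size_t n, size_t elem)
{
	size_t bytes;

	return __builtin_add_overflow(header, array_bytes(n, elem), &bytes)
		? SIZE_MAX : bytes;
}

/* Stand-in for the ordinary allocator: anything over the cap just fails. */
static void *bounded_alloc(size_t bytes)
{
	if (bytes == 0 || bytes > ALLOC_LIMIT)
		return NULL;
	return malloc(bytes);
}

int main(void)
{
	size_t n = SIZE_MAX / 8 + 2;	/* constructed hostile element count */
	void *p = bounded_alloc(array_bytes(n, 8));

	printf("wrapped: %zu, saturated: %zu, alloc: %s\n",
	       n * 8, array_bytes(n, 8), p ? "succeeded" : "refused");
	free(p);
	return 0;
}
```

Because an overflowing calculation yields `SIZE_MAX` rather than a small wrapped value, the caller needs no separate overflow check: the size limit in the allocator rejects it.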