Received: by 10.192.165.148 with SMTP id m20csp3520182imm;
        Mon, 7 May 2018 13:50:03 -0700 (PDT)
X-Google-Smtp-Source: AB8JxZq6G61tVcjV0mN3StsWPFM18OAHRDGMd1cRaNDftCORyfJ5Zcbltdea7Y761csMPWzPurD6
X-Received: by 10.98.72.209 with SMTP id q78mr37671368pfi.70.1525726203927;
        Mon, 07 May 2018 13:50:03 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1525726203; cv=none;
        d=google.com; s=arc-20160816;
        b=XQDtrlkpL/oqXOPcEY94VXV4MCzGcbG1IBPtoDJsyjed7RECvon0WVSRS/ohTczoug
         ZGsg8ebD9r7aPPIALNQsqIcvQ75t9gASRhx3Aqb+X4vQJA/ad7LRXzJDL2/fw4g+ZeWh
         LpJ5fuSCDktR61N7v2SAEzbDO2EQA/Mk3Vzpot1NHvS/ev0dg9yUXvt3sHyOwXpoKYh9
         lelWEmPzbFUr2dhe2TQxcZZQxpshf/ltv0GMtvx4P9uNlUT1JTWu3Dqe/ozvg/vQ9mQ5
         neOZbOhVkVGTNHGnkn39AJvBzN0HZimo2cG2GrZisdkLUo3CdzitF8ZRyqwtK2oVkY6g
         rIrg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:user-agent:in-reply-to
         :content-disposition:mime-version:references:message-id:subject:cc
         :to:from:date:dkim-signature:arc-authentication-results;
        bh=+Th29b3EoEqmRHa157UC2NJ6dO2wHOxsoSA7alUWDtw=;
        b=0VphRTUrA4aonRMZ7XhpBDxDbMyhV13AAMr3ofEcysZKiRFSduBUBBuOb6XqR1YZIi
         me3dVCsYSLt5v7SPTgsIt+FdR0wZAFZhpJQyT9ULv+FysfB/9Ec+J+hB28wVJxs/fcBq
         7SEZKPKYch90ZjFBabWHiYsz43ckGcz6WLIiNuOoGhiLXYmhl7z3cZLbfL449qYjkKR5
         M8IqPBFexjrqXWGq6lZHQpgWccFfv836d2DtMLppwodxagc8cRUGW+oXcMIGvbsniWAw
         YNEM+hBBc8C1nb3F8g0MX4wFjMDxu9V3ATFSdUyZguZc44L7J7/8E63IvS9+E5HOPvC/
         CUhQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=fail header.i=@infradead.org header.s=bombadil.20170209 header.b=robd7v3N;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id n2-v6si18189437plk.433.2018.05.07.13.49.49;
        Mon, 07 May 2018 13:50:03 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=fail header.i=@infradead.org header.s=bombadil.20170209 header.b=robd7v3N;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1753120AbeEGUtQ (ORCPT <rfc822;hououinredflag@gmail.com>
        + 99 others); Mon, 7 May 2018 16:49:16 -0400
Received: from bombadil.infradead.org ([198.137.202.133]:38620 "EHLO
        bombadil.infradead.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1752841AbeEGUtP (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 7 May 2018 16:49:15 -0400
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
        d=infradead.org; s=bombadil.20170209; h=In-Reply-To:Content-Type:MIME-Version
        :References:Message-ID:Subject:Cc:To:From:Date:Sender:Reply-To:
        Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:
        Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id:
        List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive;
         bh=+Th29b3EoEqmRHa157UC2NJ6dO2wHOxsoSA7alUWDtw=; b=robd7v3NJu69kjr+pTvPO/IIC
        N0IKitJG4+/YtR3UyyrN5QpDdTPvge2hLM9RE6onkab+781pTi69XCwIbcFhWhOgiiFWNJ87Wgzwd
        t6GlmW4kE5HtMI3Ma+qS6bTe90GLDC69iIAJGhOs4c7+cDCTXvikFMEgs9VGvBCwG/bTgSolNnTay
        Hq7yyRI6ojzUM4e9NkD2TAPZFtLzVpEGD20pvu5Oqt6vuBlo0Y9VxlmYTEL6bb/B/QMs5PKQLWh27
        V12yw4Oxs7Yymi40s6wCSgeF3K8w/3i1BE7fNup5YFiXCR6woww9UJGKVQLemUELwkK6PuG0wFBmT
        llTQbpYdg==;
Received: from willy by bombadil.infradead.org with local (Exim 4.90_1 #2 (Red Hat Linux))
        id 1fFn4J-0006Cx-9d; Mon, 07 May 2018 20:49:11 +0000
Date:   Mon, 7 May 2018 13:49:11 -0700
From:   Matthew Wilcox <willy@infradead.org>
To:     Kees Cook <keescook@google.com>
Cc:     John Johansen <john.johansen@canonical.com>,
        Matthew Wilcox <mawilcox@microsoft.com>,
        Linux-MM <linux-mm@kvack.org>,
        LKML <linux-kernel@vger.kernel.org>,
        Rasmus Villemoes <linux@rasmusvillemoes.dk>
Subject: Re: *alloc API changes
Message-ID: <20180507204911.GC15604@bombadil.infradead.org>
References: <CAGXu5j++1TLqGGiTLrU7OvECfBAR6irWNke9u7Rr2i8g6_30QQ@mail.gmail.com>
 <20180505034646.GA20495@bombadil.infradead.org>
 <CAGXu5jLbbts6Do5JtX8+fij0m=wEZ30W+k9PQAZ_ddOnpuPHZA@mail.gmail.com>
 <20180507113902.GC18116@bombadil.infradead.org>
 <CAGXu5jKq7uZsDN8qLzKTUC2eVQT2f3ZvVbr8s9oQFeikun9NjA@mail.gmail.com>
 <20180507201945.GB15604@bombadil.infradead.org>
 <CAGXu5jL_vYWs7eKY34ews2pW24fvOqNPybmuugg9ycfR1siOLA@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <CAGXu5jL_vYWs7eKY34ews2pW24fvOqNPybmuugg9ycfR1siOLA@mail.gmail.com>
User-Agent: Mutt/1.9.2 (2017-12-15)
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, May 07, 2018 at 01:27:38PM -0700, Kees Cook wrote:
> On Mon, May 7, 2018 at 1:19 PM, Matthew Wilcox <willy@infradead.org> wrote:
> > Yes.  And today with kvmalloc.  However, I proposed to Linus that
> > kvmalloc() shouldn't allow it -- we should have kvmalloc_large() which
> > would, but kvmalloc wouldn't.  He liked that idea, so I'm going with it.
> 
> How would we handle size calculations for _large?

I'm not sure we should, at least initially.  The very few places which
need a large kvmalloc really are special and can do their own careful
checking.  Because, as Linus pointed out, we shouldn't be letting the
user ask us to allocate a terabyte of RAM.  We should just fail that.

let's see how those users pan out, and then see what we can offer in
terms of safety.

> > There are very, very few places which should need kvmalloc_large.
> > That's one million 8-byte pointers.  If you need more than that inside
> > the kernel, you're doing something really damn weird and should do
> > something that looks obviously different.
> 
> I'm CCing John since I remember long ago running into problems loading
> the AppArmor DFA with kmalloc and switching it to kvmalloc. John, how
> large can the DFAs for AppArmor get? Would an 8MB limit be a problem?

Great!  Opinions from people who'll use this interface are exceptionally
useful.

> And do we have any large IO or network buffers >8MB?

Not that get allocated with kvmalloc ... because you can't DMA map vmalloc
(without doing some unusual contortions).

> > but I thought of another problem with array_size.  We already have
> > ARRAY_SIZE and it means "the number of elements in the array".
> >
> > so ... struct_bytes(), array_bytes(), array3_bytes()?
> 
> Maybe "calc"? struct_calc(), array_calc(), array3_calc()? This has the
> benefit of actually saying more about what it is doing, rather than
> its return value... In the end, I don't care. :)

I don't have a strong feeling on this either.

> > Keeping our focus on allocations ... do we have plain additions (as
> > opposed to multiply-and-add?)  And subtraction?
> 
> All I've seen are just rare "weird" cases of lots of mult/add. Some
> are way worse than others:
> http://www.ozlabs.org/~akpm/mmotm/broken-out/exofs-avoid-vla-in-structures.patch
> 
> Just having the mult/add saturation would be lovely.

Ow.  My brain just oozed out of my ears.