From: Kees Cook
Date: Thu, 31 May 2018 21:18:10 -0700
Subject: Re: [PATCH v3 00/16] Provide saturating helpers for allocation
To: Linus Torvalds
Cc: Matthew Wilcox, Rasmus Villemoes, Matthew Wilcox, Linux Kernel Mailing List, linux-mm, Kernel Hardening
References: <20180601004233.37822-1-keescook@chromium.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, May 31, 2018 at 5:54 PM, Linus Torvalds wrote:
> On Thu, May 31, 2018 at 7:43 PM Kees Cook wrote:
>>
>> So, while nothing does:
>>     kmalloc_array(a, b, ...) -> kmalloc(array_size(a, b), ...)
>> the treewide changes DO perform changes like this:
>>     kmalloc(a * b, ...) -> kmalloc(array_size(a, b), ...)
>
> Ugh. I really really still absolutely despise this.

Heh. Yeah, I called this out specifically because I wasn't sure if
this was going to be okay. :P

> Why can't you just have a separate set of coccinelle scripts that do
> the simple and clean cases?
>
> So *before* doing any array_size() conversions, just do
>
>     kzalloc(a*b, ...) -> kcalloc(a, b, ...)
>     kmalloc(a*b,..) -> kmalloc_array(a,b, ...)
>
> and the obvious variations on that (devm_xyz() has all the same helpers).

Yup. I'll get started on it. I did have a version of a python script
that generated coccinelle scripts, but I started losing my mind. I'll
double-check if I can find a way to do some internal-to-Coccinelle
python to handle some of the variation directly, etc.

For those interested in the details: the complexity for me is in how
Coccinelle handles expressions (or my understanding of its handling).
There's nothing in between "expression" and "identifier", so
"thing->field" is an expression not an identifier ("thing" is an
identifier), but "foo * bar" is _also_ an expression, so I have to
slowly peel away the "easy" stuff (sizeof, constants, etc) before
expressions to avoid collapsing factors into the wrong arguments (e.g.
kzalloc(a * b * c, ...) -> kcalloc(a * b, c, ...) is not desirable),
so there end up being a LOT of rules... I was able to compress
allocation families into a regex, but without that, I'll end up with
the sizeof/const/etc rules times the family times the kalloc and
_array rules.

> Only after doing the ones that don't have the nice obvious helpers, do
> the remaining ones with array_size(), ie
>
>     *alloc(a*b, ..) -> *alloc(array_size(a,b), ...)
>
> because that really makes for much less legible code.
>
> Hmm?

Sounds good. Thanks!

-Kees

-- 
Kees Cook
Pixel Security
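
Added example (not part of the original message and not kernel code): a userspace C model of the size arithmetic this thread is about. It shows a raw `a * b` size wrapping, a saturating helper returning SIZE_MAX instead, and what a two-argument overflow check sees when two of three factors are folded into one argument. All function names and sample factors are constructed here, and `__builtin_mul_overflow` assumes GCC or Clang.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Userspace model; all function names below are made up for this example. */

/* The kmalloc(a * b, ...) form: an unsigned product that wraps silently. */
static size_t raw_size(size_t a, size_t b)
{
    return a * b;
}

/* Saturating two-factor size: SIZE_MAX on overflow, a request no
 * allocator can satisfy, instead of a short wrapped byte count. */
static size_t sat_array_size(size_t a, size_t b)
{
    size_t bytes;

    if (__builtin_mul_overflow(a, b, &bytes))
        return SIZE_MAX;
    return bytes;
}

/* Saturating three-factor size: every multiplication is checked. */
static size_t sat_array3_size(size_t a, size_t b, size_t c)
{
    size_t bytes;

    if (__builtin_mul_overflow(a, b, &bytes) ||
        __builtin_mul_overflow(bytes, c, &bytes))
        return SIZE_MAX;
    return bytes;
}

/* Three factors folded as (a * b, c): only the outer product is checked. */
static size_t collapsed_size(size_t a, size_t b, size_t c)
{
    return sat_array_size(a * b, c);
}

int main(void)
{
    size_t n = SIZE_MAX / 16 + 2;   /* constructed: n * 16 wraps to 16 */
    size_t a = SIZE_MAX / 4 + 2;    /* constructed: a * 4 wraps to 4 */

    printf("raw=%zu sat=%zu\n", raw_size(n, 16), sat_array_size(n, 16));
    printf("collapsed=%zu sat3=%zu\n",
           collapsed_size(a, 4, 16), sat_array3_size(a, 4, 16));
    return 0;
}
```

In the folded case the inner `a * b` has already wrapped before the check runs, so the check passes on a 64-byte request while the three-factor helper saturates.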