Received: by 2002:ac0:a581:0:0:0:0:0 with SMTP id m1-v6csp2624341imm; Sun, 1 Jul 2018 01:48:52 -0700 (PDT) X-Google-Smtp-Source: ADUXVKLWJisR1YhFEHI9Ikd9AdDMjEn8gYNDDZ8YQ8TD60VC/pqJH+5sLbLO7/ZeKKuLDEXH0mrn X-Received: by 2002:a65:538e:: with SMTP id x14-v6mr17664526pgq.388.1530434932535; Sun, 01 Jul 2018 01:48:52 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1530434932; cv=none; d=google.com; s=arc-20160816; b=M9oq/LdOCVNS68xFg+SlhBcgt+1+t1GK68DxyPlNSL1PZeNbrofAncmXBzGoCmAuFF j3G0s973x5pl2pKruK84PEL0HFeAsqgtNYJH8o5jocHS0R9klHBhEgeYeIFoWzO5O3Fy O4IMvZK+7weafaFg3qYmetTVvQq+5YnV84kSrxcb3f4t0cEbJMr/Fm8NOVysBwFZEFjZ zRYzdekTtuTWp3/kIkrgDkGgs0Xwn2PZ41ziFl0K8xAU6+qr54tbKA0E33ULr4F+jjZZ I14+I+0rLPVGIbS33h5X78qNDYbbyLnk6QKGKZJ3DSkyvDzZA2rIeWXuNff4Ry1eDjzu n0vA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding :content-language:in-reply-to:mime-version:user-agent:date :message-id:from:subject:references:cc:to:arc-authentication-results; bh=kGP6dRvb1mOO98C4OTcglfDJZuI/ElnYCsy7EFYaAQQ=; b=HXCInipzVGKX2B8cEld1LVQ+owpMKfPrp02kF/CP6hS1drfEt+WfG3OpXLKZoc1C92 NxkXwRysXg74gKg8ZiFpNZjKvwQdreAX5PhVqTE+KqFjDxm1FcqofWysqDeov5nAz476 sLeBUiNpm9rAvFQCdQUvl7tJczuCmDCr6zYeIPDgVQ0c8xEZpirj+UGA1wp71BlP6XCC gH+XBkdW1qHHP6CBLQvfQbCLY1Bc/JbsyfXWfJlYHmK/ZqbJyqskgpu4ep7GsFCwsGA+ G2idpoHSkADlCryRknqnG+Xjfj6i6g/8BXa+AS5aScCA0TmNGRhr4aivjycTeTMCbX++ zUlg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=QUARANTINE sp=NONE dis=NONE) header.from=sourceforge.net Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id j20-v6si278065pgl.594.2018.07.01.01.48.37; Sun, 01 Jul 2018 01:48:52 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=QUARANTINE sp=NONE dis=NONE) header.from=sourceforge.net Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752181AbeGAIr7 (ORCPT + 99 others); Sun, 1 Jul 2018 04:47:59 -0400 Received: from mout.web.de ([212.227.15.3]:36073 "EHLO mout.web.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752010AbeGAIr4 (ORCPT ); Sun, 1 Jul 2018 04:47:56 -0400 Received: from [192.168.1.3] ([77.181.193.101]) by smtp.web.de (mrweb002 [213.165.67.108]) with ESMTPSA (Nemesis) id 0LlnQO-1g8bmT2P0i-00ZPZ0; Sun, 01 Jul 2018 10:47:13 +0200 To: Kees Cook , Matthew Wilcox , linux-mm@kvack.org, kernel-hardening@lists.openwall.com Cc: kernel-janitors@vger.kernel.org, LKML , Matthew Wilcox , Rasmus Villemoes , Linus Torvalds References: <20180601004233.37822-13-keescook@chromium.org> Subject: Re: [PATCH v3 12/16] treewide: Use array_size() for kmalloc()-family From: SF Markus Elfring Message-ID: Date: Sun, 1 Jul 2018 10:46:56 +0200 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.8.0 MIME-Version: 1.0 In-Reply-To: <20180601004233.37822-13-keescook@chromium.org> Content-Type: text/plain; charset=utf-8 Content-Language: en-GB Content-Transfer-Encoding: 8bit X-Provags-ID: V03:K1:KY50xjN06J2j+XRRb90gZGSHbtq+81xTCsEWHM+H7rnbOV6nE2h iKghSo4YHDUtgwCKTkXGLMv4OmyH2vs60+yucDH1Wr67Pzs0STSJITJ+H994bjAIqsO6sWm S6lKzGNSJoOYeC9pUf7rCxqEMPDuv8yzMpilfhGD7v8/0w5b0mbdsB/A+LPnarAfhldPVtT 2IUR+TKaO8QVag9V6x3rw== X-UI-Out-Filterresults: notjunk:1;V01:K0:vn8fXjOXSEY=:yg/z7w2B2ZeT3AAhRB0c1Y m7IRKhU+7P9IcVcV7T/zueVVo8F7YK8tI+f5T3W5YJ/Hvo18AyNlH9nMOsS5e403eZbTNso7T VHxRY2O0q6QPB42yHN+pZRKrAymDbPoKxMosA4/XyfWcj/BeKhZXd10YfdEdxs5wADSHjbqdq noQpIdiSu0Q1mPswL340NPaJ4s/whgc1fSmbfMYx+eUYh3Kz7K78ERtji4nnsASH472hkze5f WNDbqSGCaXig+tBweR7LWf7Vvri68JZiLiCwaaJOt+PRNL98a9Eume2Etmdt53iQ1VivF6XiR n8Ew7EJ4PocE21WFHrDT5yKX6/mah7sk+4Ta+j9iqAlaWPZWCF8YQSFbIxA4XCnz3SeVUqzqc 1DE8oykqtHcHREEJhOcE+8h77he47HdlQOgNiVh/No0cbDUtHNC9B9K654wbcBIleoPeJuHTz zpCljt4Ik2kl91bbJmGj1KNwWN5r+6YSd84tS0bnWYBL8pcIPGKjBDvW1Z3s4qRsrGwe3a0NK e6bZVAbBeWzJBGL8xf2zUC5H0xw+4Pwm0F/ij+vN+cPNzpWpKTZAJ0isbLYjkUehpZqjxRL1h PGNbgrK8koV0LxvU5gkYNAFXyShX9LYvngtnEJjX5vd2I9Ya6tf9e/9LS3mNokRkt8aSJyvJ1 nmv/mcGQB/sQ3PFP9Af/mtrRbJCu5Kki8knjzn2qrzBe7iMie04PM4qP2XvG1P0l34Tl6OyLr 1ywgGbxw+lMHQROPpl1eAf59vfn+Zslji0jOwWKxf2aI4EvfVIwhsMDVxMW5x2KtBxEW8//i1 SeEgAXk Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org > For kmalloc()-family allocations, instead of A * B, use array_size(). > Similarly, instead of A * B *C, use array3_size(). It took a while until my software development attention was caught also by this update suggestion. > Note that: > kmalloc(array_size(a, b), ...); > could be written as: > kmalloc_array(a, b, ...) > (and similarly, kzalloc(array_size(a, b), ...) as kcalloc(a, b, ...)) This is good to know, isn't it? > but this made the Coccinelle script WAY larger. Such a consequence is usual when the corresponding software development challenges grow. Are there further approaches to consider? > There is no desire to replace kmalloc_array() with kmalloc(array_size(...), ...), > but given the number of changes made treewide, The number of changed source files can be impressive overall. > I opted for Coccinelle simplicity. I suggest to reconsider corresponding consequences. I find that an important aspect can be missing in this commit description then. How would you like to determine if the array size calculation (multiplication) should be performed together with an overflow check (or not)? How do you think about to express such a case distinction also in a bigger script for the semantic patch language? > This also tries to isolate sizeof() and constant factors, in an attempt > to regularize the argument ordering. This desire is reasonable. > Automatically generated using the following Coccinelle script: I have taken another look at implementation details. * My view might not matter for the generated changes from this run of a limited SmPL script. * My suggestions will influence the run time characteristics if such a source code transformation pattern will be executed again. > // 2-factor product with sizeof(variable) > @@ > identifier alloc =~ "kmalloc|kzalloc|kvmalloc|kvzalloc"; * This regular expression could be optimised to the specification “kv?[mz]alloc”. Extensions will be useful for further function names. * The repetition of such a constraint in subsequent SmPL rules could be avoided if inheritance will be used for this metavariable. > expression GFP, THING; > identifier COUNT; > @@ > > - alloc(sizeof(THING) * COUNT, GFP) > + alloc(array_size(COUNT, sizeof(THING)), GFP) More change items are specified here than what would be essentially necessary. * Function name * Second parameter This can be a design option to give the Coccinelle software the opportunity for additional source code formatting (pretty printing). These SmPL rules were designed in the way so far that they are independent from previous rules. This approach contains the risk that a metavariable type like “expression” can match more source code than it was expected. This technical detail matters for the selection of the replacement “array3_size”. The comments in the script indicate a desire for specific case distinctions. I have got the impression that the use of SmPL disjunctions will be more appropriate for the desired condition checks. A priority could be specified then for involved pattern evaluation. Would you like to adjust the transformation pattern any further? Regards, Markus