Date: Fri, 7 Jun 2024 16:45:03 +0200
From: "Jason A. Donenfeld"
To: Eric Biggers
Cc: linux-kernel@vger.kernel.org, patches@lists.linux.dev, tglx@linutronix.de, linux-crypto@vger.kernel.org, linux-api@vger.kernel.org, x86@kernel.org, Greg Kroah-Hartman, Adhemerval Zanella Netto, Carlos O'Donell, Florian Weimer, Arnd Bergmann, Jann Horn, Christian Brauner, David Hildenbrand
Subject: Re: [PATCH v16 2/5] random: add vgetrandom_alloc() syscall
References: <20240528122352.2485958-1-Jason@zx2c4.com> <20240528122352.2485958-3-Jason@zx2c4.com> <20240531035917.GD6505@sol.localdomain> <20240604172249.GA1566@sol.localdomain>

On Fri, Jun 07, 2024 at 04:41:26PM +0200, Jason A. Donenfeld wrote:
> On Tue, Jun 04, 2024 at 10:22:49AM -0700, Eric Biggers wrote:
> > On Sat, Jun 01, 2024 at 12:56:40PM +0200, Jason A. Donenfeld wrote:
> > > On Thu, May 30, 2024 at 08:59:17PM -0700, Eric Biggers wrote:
> > > > On Tue, May 28, 2024 at 02:19:51PM +0200, Jason A. Donenfeld wrote:
> > > > > +/** > > > > > + * sys_vgetrandom_alloc - Allocate opaque states for use with vDSO getrandom(). > > > > > + * > > > > > + * @num: On input, a pointer to a suggested hint of how many states to > > > > > + * allocate, and on return the number of states actually allocated. > > > > > + * > > > > > + * @size_per_each: On input, must be zero. On return, the size of each state allocated, > > > > > + * so that the caller can split up the returned allocation into > > > > > + * individual states. > > > > > + * > > > > > + * @addr: Reserved, must be zero. > > > > > + * > > > > > + * @flags: Reserved, must be zero. > > > > > + * > > > > > + * The getrandom() vDSO function in userspace requires an opaque state, which > > > > > + * this function allocates by mapping a certain number of special pages into > > > > > + * the calling process.
It takes a hint as to the number of opaque states > > > > > + * desired, and provides the caller with the number of opaque states actually > > > > > + * allocated, the size of each one in bytes, and the address of the first > > > > > + * state, which may be split up into @num states of @size_per_each bytes each, > > > > > + * by adding @size_per_each to the returned first state @num times, while > > > > > + * ensuring that no single state straddles a page boundary. > > > > > + * > > > > > + * Returns the address of the first state in the allocation on success, or a > > > > > + * negative error value on failure. > > > > > + * > > > > > + * The returned address of the first state may be passed to munmap(2) with a > > > > > + * length of `(size_t)num * (size_t)size_per_each`, in order to deallocate the > > > > > + * memory, after which it is invalid to pass it to vDSO getrandom().
> > > >
> > > > Wouldn't a munmap with '(size_t)num * (size_t)size_per_each' be potentially too
> > > > short, due to how the allocation is sized such that states don't cross page
> > > > boundaries?
> > >
> > > You're right, I think. The calculation should instead be something like:
> > >
> > >     DIV_ROUND_UP(num, PAGE_SIZE / size_per_each) * PAGE_SIZE
> > >
> > > Does that seem correct to you?
> > >
> >
> > Yes, though I wonder if it would be better to give userspace the number of pages
> > instead of the number of states.
>
> Or maybe just the number of total bytes allocated? That would match
> what's expected to be passed to munmap() and is maybe the easiest to
> deal with. I'll give that a shot for v+1.

Hmm, though, on second thought,

 * @num: On input, a pointer to a suggested hint of how many states to
 *       allocate, and on return the number of states actually allocated.

This is kind of elegant -- it's an in/out param. Changing the semantics
of the out param isn't super obvious. And bytes means it should probably
be a long too. So maybe I'll keep it as is, and fix the documentation to
have the right calculation.

Jason
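
Review bot: the munmap(2) length given in the last paragraph of the kernel-doc comment, `(size_t)num * (size_t)size_per_each`, can fall short of the mapping, because the same comment requires that no state straddles a page boundary, so each page may end in unused bytes that the product does not count and trailing pages can stay mapped. Document the length as DIV_ROUND_UP(num, PAGE_SIZE / size_per_each) * PAGE_SIZE, as proposed in the thread, and say in the splitting sentence that the caller moves to the next page when fewer than @size_per_each bytes remain, since "adding @size_per_each ... @num times" alone does not keep states inside a page. @num is described as a pointer while @size_per_each is not, although both are written on return; describe the two parameters consistently.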
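
The two munmap() length calculations from the thread compared side by side, as an added example that is not part of the original message or the patch. The helper names, the 4096-byte page and the 144-byte state size are constructed for illustration, and the layout (states packed from the start of each page, page tail left unused) is an assumption taken from the DIV_ROUND_UP formula quoted above.

```c
#include <stddef.h>
#include <stdio.h>

/* Bytes really mapped when states never straddle a page:
 * DIV_ROUND_UP(num, PAGE_SIZE / size_per_each) * PAGE_SIZE, as in the thread. */
static size_t vgr_mapping_len(size_t num, size_t size_per_each, size_t page_size)
{
	if (size_per_each == 0 || size_per_each > page_size)
		return 0;
	size_t per_page = page_size / size_per_each;
	return (num + per_page - 1) / per_page * page_size;
}

/* Offset of state i from the first state, skipping the unused tail of each
 * page. size_per_each must be nonzero and no larger than page_size. */
static size_t vgr_state_offset(size_t i, size_t size_per_each, size_t page_size)
{
	size_t per_page = page_size / size_per_each;
	return (i / per_page) * page_size + (i % per_page) * size_per_each;
}

/* Whole pages that stay mapped if munmap() is given num * size_per_each.
 * munmap() unmaps every page containing part of the range, so the short
 * length is first rounded up to a page multiple. */
static size_t vgr_pages_left_mapped(size_t num, size_t size_per_each, size_t page_size)
{
	size_t naive = (num * size_per_each + page_size - 1) / page_size * page_size;
	size_t real = vgr_mapping_len(num, size_per_each, page_size);
	return real > naive ? (real - naive) / page_size : 0;
}

int main(void)
{
	/* Constructed values: 4096-byte pages, 144-byte states (28 fit per page). */
	const size_t page = 4096, sz = 144;
	const size_t counts[] = { 100, 1792 };

	for (size_t k = 0; k < sizeof(counts) / sizeof(counts[0]); k++) {
		size_t n = counts[k];
		printf("num=%zu mapped=%zu documented=%zu pages_left=%zu\n", n,
		       vgr_mapping_len(n, sz, page), n * sz,
		       vgr_pages_left_mapped(n, sz, page));
	}
	printf("state 27 at +%zu, state 28 at +%zu\n",
	       vgr_state_offset(27, sz, page), vgr_state_offset(28, sz, page));
	return 0;
}
```

With small counts the page rounding done by munmap() hides the difference; it only shows once the per-page padding adds up to a full page.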