LKML Archive on
help / color / mirror / Atom feed
From: Matthew Wilcox <>
To: Kees Cook <>
Cc: John Johansen <>,
	Matthew Wilcox <>,
	Linux-MM <>,
	LKML <>,
	Rasmus Villemoes <>
Subject: Re: *alloc API changes
Date: Mon, 7 May 2018 13:49:11 -0700	[thread overview]
Message-ID: <> (raw)
In-Reply-To: <>

On Mon, May 07, 2018 at 01:27:38PM -0700, Kees Cook wrote:
> On Mon, May 7, 2018 at 1:19 PM, Matthew Wilcox <> wrote:
> > Yes.  And today with kvmalloc.  However, I proposed to Linus that
> > kvmalloc() shouldn't allow it -- we should have kvmalloc_large() which
> > would, but kvmalloc wouldn't.  He liked that idea, so I'm going with it.
> How would we handle size calculations for _large?

I'm not sure we should, at least initially.  The very few places which
need a large kvmalloc really are special and can do their own careful
checking.  Because, as Linus pointed out, we shouldn't be letting the
user ask us to allocate a terabyte of RAM.  We should just fail that.

let's see how those users pan out, and then see what we can offer in
terms of safety.

> > There are very, very few places which should need kvmalloc_large.
> > That's one million 8-byte pointers.  If you need more than that inside
> > the kernel, you're doing something really damn weird and should do
> > something that looks obviously different.
> I'm CCing John since I remember long ago running into problems loading
> the AppArmor DFA with kmalloc and switching it to kvmalloc. John, how
> large can the DFAs for AppArmor get? Would an 8MB limit be a problem?

Great!  Opinions from people who'll use this interface are exceptionally

> And do we have any large IO or network buffers >8MB?

Not that get allocated with kvmalloc ... because you can't DMA map vmalloc
(without doing some unusual contortions).

> > but I thought of another problem with array_size.  We already have
> > ARRAY_SIZE and it means "the number of elements in the array".
> >
> > so ... struct_bytes(), array_bytes(), array3_bytes()?
> Maybe "calc"? struct_calc(), array_calc(), array3_calc()? This has the
> benefit of actually saying more about what it is doing, rather than
> its return value... In the end, I don't care. :)

I don't have a strong feeling on this either.

> > Keeping our focus on allocations ... do we have plain additions (as
> > opposed to multiply-and-add?)  And subtraction?
> All I've seen are just rare "weird" cases of lots of mult/add. Some
> are way worse than others:
> Just having the mult/add saturation would be lovely.

Ow.  My brain just oozed out of my ears.

  reply	other threads:[~2018-05-07 20:49 UTC|newest]

Thread overview: 13+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-05-05  1:08 Kees Cook
2018-05-05  3:46 ` Matthew Wilcox
2018-05-05  4:24   ` Kees Cook
2018-05-07 11:39     ` Matthew Wilcox
2018-05-07 16:03       ` Kees Cook
2018-05-07 20:19         ` Matthew Wilcox
2018-05-07 20:27           ` Kees Cook
2018-05-07 20:49             ` Matthew Wilcox [this message]
2018-05-07 21:15               ` Kees Cook
2018-05-07 21:48             ` John Johansen
2018-05-07 21:41     ` Rasmus Villemoes
2018-05-07 22:56       ` Kees Cook
2018-05-05  4:30   ` Matthew Wilcox

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \ \ \ \ \ \ \ \ \
    --subject='Re: *alloc API changes' \

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).