LKML Archive on
help / color / mirror / Atom feed
From: John Johansen <>
To: Kees Cook <>, Matthew Wilcox <>
Cc: Matthew Wilcox <>,
	Linux-MM <>,
	LKML <>,
	Rasmus Villemoes <>
Subject: Re: *alloc API changes
Date: Mon, 7 May 2018 14:48:43 -0700	[thread overview]
Message-ID: <> (raw)
In-Reply-To: <>

On 05/07/2018 01:27 PM, Kees Cook wrote:
> On Mon, May 7, 2018 at 1:19 PM, Matthew Wilcox <> wrote:
>> On Mon, May 07, 2018 at 09:03:54AM -0700, Kees Cook wrote:
>>> On Mon, May 7, 2018 at 4:39 AM, Matthew Wilcox <> wrote:
>>>> On Fri, May 04, 2018 at 09:24:56PM -0700, Kees Cook wrote:
>>>>> On Fri, May 4, 2018 at 8:46 PM, Matthew Wilcox <> wrote:
>>>>> The only fear I have with the saturating helpers is that we'll end up
>>>>> using them in places that don't recognize SIZE_MAX. Like, say:
>>>>> size = mul(a, b) + 1;
>>>>> then *poof* size == 0. Now, I'd hope that code would use add(mul(a,
>>>>> b), 1), but still... it makes me nervous.
>>>> That's reasonable.  So let's add:
>>>> (there's a presumably somewhat obsolete CONFIG_FORCE_MAX_ZONEORDER on some
>>>> architectures which allows people to configure MAX_ORDER all the way up
>>>> to 64.  That config option needs to go away, or at least be limited to
>>>> a much lower value).
>>>> On x86, that's 4k << 11 = 8MB.  On PPC, that might be 64k << 9 == 32MB.
>>>> Those values should be relatively immune to further arithmetic causing
>>>> an additional overflow.
>>> But we can do larger than 8MB allocations with vmalloc, can't we?
>> Yes.  And today with kvmalloc.  However, I proposed to Linus that
>> kvmalloc() shouldn't allow it -- we should have kvmalloc_large() which
>> would, but kvmalloc wouldn't.  He liked that idea, so I'm going with it.
> How would we handle size calculations for _large?
>> There are very, very few places which should need kvmalloc_large.
>> That's one million 8-byte pointers.  If you need more than that inside
>> the kernel, you're doing something really damn weird and should do
>> something that looks obviously different.
> I'm CCing John since I remember long ago running into problems loading
> the AppArmor DFA with kmalloc and switching it to kvmalloc. John, how
> large can the DFAs for AppArmor get? Would an 8MB limit be a problem?

theoretically yes, and I have done tests with policy larger than that,
but in practice I have never seen it. The largest I have seen in
practice is about 1.5MB. The policy container that wraps the dfa,
could be larger if if its wrapping multiple policy sets (think
pre-loading policy for multiple containers in one go), but we don't do
that currently and there is no requirement for that to be handled with
a single allocation.

We have some improvements coming that will reduce our policy size, and
enable it so that we can split some of the larger dfas into multiple
allocations so I really don't expect this will be a problem.

If it becomes an issue we know the size of the allocation needed and
can just have a condition that calls vmalloc_large when needed.

  parent reply	other threads:[~2018-05-07 21:48 UTC|newest]

Thread overview: 13+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-05-05  1:08 Kees Cook
2018-05-05  3:46 ` Matthew Wilcox
2018-05-05  4:24   ` Kees Cook
2018-05-07 11:39     ` Matthew Wilcox
2018-05-07 16:03       ` Kees Cook
2018-05-07 20:19         ` Matthew Wilcox
2018-05-07 20:27           ` Kees Cook
2018-05-07 20:49             ` Matthew Wilcox
2018-05-07 21:15               ` Kees Cook
2018-05-07 21:48             ` John Johansen [this message]
2018-05-07 21:41     ` Rasmus Villemoes
2018-05-07 22:56       ` Kees Cook
2018-05-05  4:30   ` Matthew Wilcox

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \ \ \ \ \ \ \ \ \
    --subject='Re: *alloc API changes' \

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).