Re: [PATCH v3 00/16] Provide saturating helpers for allocation

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On Thu, May 31, 2018 at 5:54 PM, Linus Torvalds
<torvalds@xxxxxxxxxxxxxxxxxxxx> wrote:
> On Thu, May 31, 2018 at 7:43 PM Kees Cook <keescook@xxxxxxxxxxxx> wrote:
>>
>> So, while nothing does:
>>     kmalloc_array(a, b, ...) -> kmalloc(array_size(a, b), ...)
>> the treewide changes DO perform changes like this:
>>     kmalloc(a * b, ...) -> kmalloc(array_size(a, b), ...)
>
> Ugh. I really really still absolutely despise this.

Heh. Yeah, I called this out specifically because I wasn't sure if
this was going to be okay. :P

> Why can't you just have a separate set of coccinelle scripts that do
> the simple and clean cases?
>
> So *before* doing any array_size() conversions, just do
>
>     kzalloc(a*b, ...) -> kcalloc(a, b, ...)
>     kmalloc(a*b,..) -> kmalloc_array(a,b, ...)
>
> and the obvious variations on that (devm_xyz() has all the same helpers).

Yup. I'll get started on it. I did have a version of a python script
that generated coccinelle scripts, but I started losing my mind. I'll
double-check if I can find a way to do some internal-to-Coccinelle
python to handle some of the variation directly, etc.

For those interested in the details: the complexity for me is in how
Coccinelle handles expressions (or my understanding of it's handling).
There's nothing in between "expression" and "identifier", so
"thing->field" is an expression not an identifier ("thing" is an
identifier), but "foo * bar" is _also_ an expression, so I have to
slowly peel away the "easy" stuff (sizeof, constants, etc) before
expressions to avoid collapsing factors into the wrong arguments (e.g.
kzalloc(a * b * c, ...) -> kcalloc(a * b, c, ...) is not desirable),
so there end up being a LOT of rules... I was able to compress
allocation families into a a regex, but without that, I'll end up with
the sizeof/const/etc rules times the family times the kalloc and
_array rules.

> Only after doing the ones that don't have the nice obvious helpers, do
> the remaining ones with array_size(), ie
>
>     *alloc(a*b, ..) -> *alloc(array_size(a,b), ...)
>
> because that really makes for much less legible code.
>
> Hmm?

Sounds good. Thanks!

-Kees

-- 
Kees Cook
Pixel Security
[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Bugtraq]     [Linux OMAP]     [Linux MIPS]     [eCos]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux