Message ID | 20221024082610.74990-1-sakari.ailus@linux.intel.com |
---|---|
State | New |
Headers |
Return-Path: <linux-kernel-owner@vger.kernel.org> Delivered-To: ouuuleilei@gmail.com Received: by 2002:a5d:6687:0:0:0:0:0 with SMTP id l7csp319871wru; Mon, 24 Oct 2022 01:28:16 -0700 (PDT) X-Google-Smtp-Source: AMsMyM6U8BmshlU8zBd38fIS/iL3YIPqmr6XkBK4EBp167XyLWOusfvFJiQlywkPUGTuD9WfR17B X-Received: by 2002:a17:907:7fac:b0:7a1:cace:1352 with SMTP id qk44-20020a1709077fac00b007a1cace1352mr8147666ejc.6.1666600095941; Mon, 24 Oct 2022 01:28:15 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1666600095; cv=none; d=google.com; s=arc-20160816; b=OQeJ2rZXnzM7pOZUpgPfrcUiP6K3MUK8mXVfvvItaNdKONrAkTXfkrM+/3izXu1e7X yj0jVqo3ocW2A7KBV+esFaxtd/riyLMyvYUgL7jjnlyf5dK208k5yM1Zd53EZUGKOJVx BwOsrpET4JzfT/X1NTqMz/C5JepymoAwSpwEgzq5JcG1kgBCE1mOS57/f3dU2FUCJydV 7Ldzb/0BJPRD1/ljTbgiRVKpUmLgRsWId9sMnBn3KGQjyn/P4nGYEoYYM58374z7Vyx8 LsoTfJIkf1RhMDBLD0PQAajmfoN5QT/5YcN4lIhNhH9U0jWMUHYHXcnzTb03JCKnUENN Go9A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :message-id:date:subject:cc:to:from:dkim-signature; bh=eU9w4x9+g5pzprFKAl9bdoNxMinEpFEA1EC7f9NncTA=; b=0LOTfs6zPCFa27sX070to1r5fT7Lv4Zdc0bpEvMo0RPzv46b8ukGvydSkAkTritQt7 GX3Dh4yEASM5j2fzHwB1RPbZKfMHXe5iHMbJoVedh9wSe4YS2oLtjpGxL3yjgq6a3uOH pHmmsBbZyCaLPcinxf8uNqhERZNoGTPWhVrdeXWIvHYUjcCShjp7VP16fIqJMOTKhl8l tIHZvbrjdI8erbEon2Z5wdoKZ1RPts/AzXFgAAaMqiwC06wvUa1s9DQucfknt96k6TAw RCNI+QswEPzEqtG3jNk3MHic7uLZcpBF6EwieSjR1Jhg9AXTU1JFFLpotkmHV0qmveWM UkCA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@intel.com header.s=Intel header.b=TPxEq8mp; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=intel.com Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id qk36-20020a1709077fa400b007919fc02ce8si16286717ejc.971.2022.10.24.01.27.52; Mon, 24 Oct 2022 01:28:15 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@intel.com header.s=Intel header.b=TPxEq8mp; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=intel.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230311AbiJXI1C (ORCPT <rfc822;pwkd43@gmail.com> + 99 others); Mon, 24 Oct 2022 04:27:02 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:53026 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230328AbiJXI0f (ORCPT <rfc822;linux-kernel@vger.kernel.org>); Mon, 24 Oct 2022 04:26:35 -0400 Received: from mga14.intel.com (mga14.intel.com [192.55.52.115]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 926EEFAC0 for <linux-kernel@vger.kernel.org>; Mon, 24 Oct 2022 01:25:49 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1666599949; x=1698135949; h=from:to:cc:subject:date:message-id:mime-version: content-transfer-encoding; bh=YJtA74YQm4A6lPUrh3QtcR1iB0PmZLMp2ejYydWO/IA=; b=TPxEq8mp05Wb68t27HgUmeOCQZNhx6N/jagSq59RlJlCDSeZq2LlhUpS jREuRvgNG8y+B/HojpGvdSfTcMF9+XiXO5JjW4pcp1me4CxPjGkuLOwyC KUYyFUo5bRsrI8p5I5ZSwMEiii2PWlGMmn3vfAe4FrgftULICtv1y7Fcw LwYLiPzjI634Ob2YRjZnfHtOFzuQrois70Oa/oJE+LBuUQVkkI6upMhnx xy749sNt/IWW7VgRWgloRLQA20WwIX/63KyzHtSHxepacFcdfp/mCGrFJ 4a5/cEFke2ssANc88AqwjslPToVie6reB1ZvE2lHSt4xH4BOORVI/0fdr g==; X-IronPort-AV: E=McAfee;i="6500,9779,10509"; a="307356793" X-IronPort-AV: E=Sophos;i="5.95,207,1661842800"; d="scan'208";a="307356793" Received: from orsmga005.jf.intel.com ([10.7.209.41]) by fmsmga103.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 24 Oct 2022 01:25:48 -0700 X-IronPort-AV: E=McAfee;i="6500,9779,10509"; a="806237388" X-IronPort-AV: E=Sophos;i="5.95,207,1661842800"; d="scan'208";a="806237388" Received: from punajuuri.fi.intel.com (HELO paasikivi.fi.intel.com) ([10.237.72.43]) by orsmga005-auth.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 24 Oct 2022 01:25:44 -0700 Received: from punajuuri.localdomain (punajuuri.localdomain [192.168.240.130]) by paasikivi.fi.intel.com (Postfix) with ESMTP id D8F4D2021B; Mon, 24 Oct 2022 11:25:41 +0300 (EEST) Received: from sailus by punajuuri.localdomain with local (Exim 4.94.2) (envelope-from <sakari.ailus@linux.intel.com>) id 1omsmg-000JWJ-PX; Mon, 24 Oct 2022 11:26:10 +0300 From: Sakari Ailus <sakari.ailus@linux.intel.com> To: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Cc: linux-kernel@vger.kernel.org, Andy Shevchenko <andriy.shevchenko@linux.intel.com>, "Rafael J. Wysocki" <rafael@kernel.org>, David Laight <David.Laight@ACULAB.COM> Subject: [PATCH 1/1] linux/container_of.h: Warn about loss of constness Date: Mon, 24 Oct 2022 11:26:10 +0300 Message-Id: <20221024082610.74990-1-sakari.ailus@linux.intel.com> X-Mailer: git-send-email 2.30.2 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=-7.5 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_EF,RCVD_IN_DNSWL_HI,SPF_HELO_NONE, SPF_NONE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: <linux-kernel.vger.kernel.org> X-Mailing-List: linux-kernel@vger.kernel.org X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?= X-GMAIL-THRID: =?utf-8?q?1747556862081691433?= X-GMAIL-MSGID: =?utf-8?q?1747556862081691433?= |
Series |
[1/1] linux/container_of.h: Warn about loss of constness
|
|
Commit Message
Sakari Ailus
Oct. 24, 2022, 8:26 a.m. UTC
container_of() casts the original type to another which leads to the loss
of the const qualifier if it is not specified in the caller-provided type.
This easily leads to container_of() returning a non-const pointer to a
const struct which the C compiler does not warn about.
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
---
include/linux/container_of.h | 9 +++++++++
1 file changed, 9 insertions(+)
Comments
On Mon, Oct 24, 2022 at 11:26:10AM +0300, Sakari Ailus wrote: > container_of() casts the original type to another which leads to the loss > of the const qualifier if it is not specified in the caller-provided type. > This easily leads to container_of() returning a non-const pointer to a > const struct which the C compiler does not warn about. > > Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com> > --- > include/linux/container_of.h | 9 +++++++++ > 1 file changed, 9 insertions(+) > > diff --git a/include/linux/container_of.h b/include/linux/container_of.h > index 2f4944b791b81..c7c21d0f41a87 100644 > --- a/include/linux/container_of.h > +++ b/include/linux/container_of.h > @@ -13,6 +13,10 @@ > * @type: the type of the container struct this is embedded in. > * @member: the name of the member within the struct. > * > + * WARNING: as container_of() casts the given struct to another, also the No need for "also" here (sorry for the grammar nit.) > + * possible const qualifier of @ptr is lost unless it is also specified in > + * @type. This is not a problem if the containing object is not const. Use with > + * care. I do not think these last two sentences you added here are needed either. > */ > #define container_of(ptr, type, member) ({ \ > void *__mptr = (void *)(ptr); \ > @@ -27,6 +31,11 @@ > * @type: the type of the container struct this is embedded in. > * @member: the name of the member within the struct. > * > + * WARNING: as container_of() casts the given struct to another, also the > + * possible const qualifier of @ptr is lost unless it is also specified in > + * @type. This is not a problem if the containing object is not const. Use with > + * care. Same comments here. thanks, greg k-h
On Mon, Oct 24, 2022 at 10:43:52AM +0200, Greg Kroah-Hartman wrote: > On Mon, Oct 24, 2022 at 11:26:10AM +0300, Sakari Ailus wrote: > > container_of() casts the original type to another which leads to the loss > > of the const qualifier if it is not specified in the caller-provided type. > > This easily leads to container_of() returning a non-const pointer to a > > const struct which the C compiler does not warn about. > > > > Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com> > > --- > > include/linux/container_of.h | 9 +++++++++ > > 1 file changed, 9 insertions(+) > > > > diff --git a/include/linux/container_of.h b/include/linux/container_of.h > > index 2f4944b791b81..c7c21d0f41a87 100644 > > --- a/include/linux/container_of.h > > +++ b/include/linux/container_of.h > > @@ -13,6 +13,10 @@ > > * @type: the type of the container struct this is embedded in. > > * @member: the name of the member within the struct. > > * > > + * WARNING: as container_of() casts the given struct to another, also the > > No need for "also" here (sorry for the grammar nit.) > > > + * possible const qualifier of @ptr is lost unless it is also specified in > > + * @type. This is not a problem if the containing object is not const. Use with > > + * care. > > I do not think these last two sentences you added here are needed > either. > > > > */ > > #define container_of(ptr, type, member) ({ \ > > void *__mptr = (void *)(ptr); \ > > @@ -27,6 +31,11 @@ > > * @type: the type of the container struct this is embedded in. > > * @member: the name of the member within the struct. > > * > > + * WARNING: as container_of() casts the given struct to another, also the Wrong function name here. > > + * possible const qualifier of @ptr is lost unless it is also specified in > > + * @type. This is not a problem if the containing object is not const. Use with > > + * care. > > Same comments here. Wait, no one uses this macro, so why not just remove it entirely? thanks, greg k-h
From: Greg Kroah-Hartman > Sent: 24 October 2022 09:44 ... > > + * WARNING: as container_of() casts the given struct to another, also the > > No need for "also" here (sorry for the grammar nit.) > > > + * possible const qualifier of @ptr is lost unless it is also specified in > > + * @type. This is not a problem if the containing object is not const. Use with > > + * care. > > I do not think these last two sentences you added here are needed > either. It is all TL;DR :-) Even just: NOTE: any const qualifier of @ptr is lost. Is probably more than enough. David - Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK Registration No: 1397386 (Wales)
+ Kees On Mon, Oct 24, 2022 at 10:45:25AM +0200, Greg Kroah-Hartman wrote: > On Mon, Oct 24, 2022 at 10:43:52AM +0200, Greg Kroah-Hartman wrote: > > On Mon, Oct 24, 2022 at 11:26:10AM +0300, Sakari Ailus wrote: > > > container_of() casts the original type to another which leads to the loss > > > of the const qualifier if it is not specified in the caller-provided type. > > > This easily leads to container_of() returning a non-const pointer to a > > > const struct which the C compiler does not warn about. ... > > > * @type: the type of the container struct this is embedded in. > > > * @member: the name of the member within the struct. > > > * > > > + * WARNING: as container_of() casts the given struct to another, also the > > Wrong function name here. > > > > + * possible const qualifier of @ptr is lost unless it is also specified in > > > + * @type. This is not a problem if the containing object is not const. Use with > > > + * care. > > > > Same comments here. > > Wait, no one uses this macro, so why not just remove it entirely? Kees, do you know why and what for we have container_of_safe()?
Hi Greg, Thanks for the comments. On Mon, Oct 24, 2022 at 10:45:25AM +0200, Greg Kroah-Hartman wrote: > On Mon, Oct 24, 2022 at 10:43:52AM +0200, Greg Kroah-Hartman wrote: > > On Mon, Oct 24, 2022 at 11:26:10AM +0300, Sakari Ailus wrote: > > > container_of() casts the original type to another which leads to the loss > > > of the const qualifier if it is not specified in the caller-provided type. > > > This easily leads to container_of() returning a non-const pointer to a > > > const struct which the C compiler does not warn about. > > > > > > Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com> > > > --- > > > include/linux/container_of.h | 9 +++++++++ > > > 1 file changed, 9 insertions(+) > > > > > > diff --git a/include/linux/container_of.h b/include/linux/container_of.h > > > index 2f4944b791b81..c7c21d0f41a87 100644 > > > --- a/include/linux/container_of.h > > > +++ b/include/linux/container_of.h > > > @@ -13,6 +13,10 @@ > > > * @type: the type of the container struct this is embedded in. > > > * @member: the name of the member within the struct. > > > * > > > + * WARNING: as container_of() casts the given struct to another, also the > > > > No need for "also" here (sorry for the grammar nit.) > > > > > + * possible const qualifier of @ptr is lost unless it is also specified in > > > + * @type. This is not a problem if the containing object is not const. Use with > > > + * care. > > > > I do not think these last two sentences you added here are needed > > either. > > > > > > > */ > > > #define container_of(ptr, type, member) ({ \ > > > void *__mptr = (void *)(ptr); \ > > > @@ -27,6 +31,11 @@ > > > * @type: the type of the container struct this is embedded in. > > > * @member: the name of the member within the struct. > > > * > > > + * WARNING: as container_of() casts the given struct to another, also the > > Wrong function name here. I'll address this and the other two issues above in v2. > > > > + * possible const qualifier of @ptr is lost unless it is also specified in > > > + * @type. This is not a problem if the containing object is not const. Use with > > > + * care. > > > > Same comments here. > > Wait, no one uses this macro, so why not just remove it entirely? Good question. It appears to be a (relatively) common pattern to look up something and the return its containing object if the lookup was successful. Doing a quick $ git grep 'container_of.*:' drivers include reveals more than 20 instances of the pattern. There are probably more those that use if for testing for NULL. I guess people don't know about this macro, apart from the developers of the staging driver it was added for (commit 05e6557b8ed833546ee2b66ce6b58fecf09f439e).
On Mon, Oct 24, 2022 at 09:11:53AM +0000, Sakari Ailus wrote: > On Mon, Oct 24, 2022 at 10:45:25AM +0200, Greg Kroah-Hartman wrote: > > On Mon, Oct 24, 2022 at 10:43:52AM +0200, Greg Kroah-Hartman wrote: ... > > Wait, no one uses this macro, so why not just remove it entirely? > > Good question. It appears to be a (relatively) common pattern to look up > something and the return its containing object if the lookup was > successful. Doing a quick > > $ git grep 'container_of.*:' drivers include > > reveals more than 20 instances of the pattern. There are probably more > those that use if for testing for NULL. I guess people don't know about > this macro, apart from the developers of the staging driver it was added > for (commit 05e6557b8ed833546ee2b66ce6b58fecf09f439e). Maybe we can provide an example to keep this macro in the kernel, meaning convert one of the drivers / subsystem to actually use it?
From: Andy Shevchenko > Sent: 24 October 2022 10:23 ... > > > Wait, no one uses this macro, so why not just remove it entirely? > > > > Good question. It appears to be a (relatively) common pattern to look up > > something and the return its containing object if the lookup was > > successful. Doing a quick > > > > $ git grep 'container_of.*:' drivers include > > > > reveals more than 20 instances of the pattern. There are probably more > > those that use if for testing for NULL. I guess people don't know about > > this macro, apart from the developers of the staging driver it was added > > for (commit 05e6557b8ed833546ee2b66ce6b58fecf09f439e). > > Maybe we can provide an example to keep this macro in the kernel, meaning > convert one of the drivers / subsystem to actually use it? Adding _safe() to a function name doesn't actually tell you anything. You still need to look up what it is 'safe' against. In this case the full code pattern is actually much clearer. It is also quite likely that it is followed by an: if (!ptr) return xxx; You that can/should really be put before the container_of() call. David - Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK Registration No: 1397386 (Wales)
On Mon, Oct 24, 2022 at 09:34:42AM +0000, David Laight wrote: > From: Andy Shevchenko > > Sent: 24 October 2022 10:23 ... > > > > Wait, no one uses this macro, so why not just remove it entirely? > > > > > > Good question. It appears to be a (relatively) common pattern to look up > > > something and the return its containing object if the lookup was > > > successful. Doing a quick > > > > > > $ git grep 'container_of.*:' drivers include > > > > > > reveals more than 20 instances of the pattern. There are probably more > > > those that use if for testing for NULL. I guess people don't know about > > > this macro, apart from the developers of the staging driver it was added > > > for (commit 05e6557b8ed833546ee2b66ce6b58fecf09f439e). > > > > Maybe we can provide an example to keep this macro in the kernel, meaning > > convert one of the drivers / subsystem to actually use it? > > Adding _safe() to a function name doesn't actually tell you anything. > You still need to look up what it is 'safe' against. > > In this case the full code pattern is actually much clearer. > > It is also quite likely that it is followed by an: > if (!ptr) > return xxx; > You that can/should really be put before the container_of() call. return statements in macros are no go. Or you meant something else?
From: 'Andy Shevchenko' > Sent: 24 October 2022 10:37 > ... > > > > > > Wait, no one uses this macro, so why not just remove it entirely? > > > > > > > > Good question. It appears to be a (relatively) common pattern to look up > > > > something and the return its containing object if the lookup was > > > > successful. Doing a quick > > > > > > > > $ git grep 'container_of.*:' drivers include > > > > > > > > reveals more than 20 instances of the pattern. There are probably more > > > > those that use if for testing for NULL. I guess people don't know about > > > > this macro, apart from the developers of the staging driver it was added > > > > for (commit 05e6557b8ed833546ee2b66ce6b58fecf09f439e). > > > > > > Maybe we can provide an example to keep this macro in the kernel, meaning > > > convert one of the drivers / subsystem to actually use it? > > > > Adding _safe() to a function name doesn't actually tell you anything. > > You still need to look up what it is 'safe' against. > > > > In this case the full code pattern is actually much clearer. > > > > It is also quite likely that it is followed by an: > > if (!ptr) > > return xxx; > > You that can/should really be put before the container_of() call. > > return statements in macros are no go. Or you meant something else? I meant in the function itself. It might be interesting to check how many of the function can actually have a NULL pointer? Especially in staging code might be being 'defensive'. David - Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK Registration No: 1397386 (Wales)
On Mon, Oct 24, 2022 at 09:11:53AM +0000, Sakari Ailus wrote: > Hi Greg, > > Thanks for the comments. > > On Mon, Oct 24, 2022 at 10:45:25AM +0200, Greg Kroah-Hartman wrote: > > On Mon, Oct 24, 2022 at 10:43:52AM +0200, Greg Kroah-Hartman wrote: > > > On Mon, Oct 24, 2022 at 11:26:10AM +0300, Sakari Ailus wrote: > > > > container_of() casts the original type to another which leads to the loss > > > > of the const qualifier if it is not specified in the caller-provided type. > > > > This easily leads to container_of() returning a non-const pointer to a > > > > const struct which the C compiler does not warn about. > > > > > > > > Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com> > > > > --- > > > > include/linux/container_of.h | 9 +++++++++ > > > > 1 file changed, 9 insertions(+) > > > > > > > > diff --git a/include/linux/container_of.h b/include/linux/container_of.h > > > > index 2f4944b791b81..c7c21d0f41a87 100644 > > > > --- a/include/linux/container_of.h > > > > +++ b/include/linux/container_of.h > > > > @@ -13,6 +13,10 @@ > > > > * @type: the type of the container struct this is embedded in. > > > > * @member: the name of the member within the struct. > > > > * > > > > + * WARNING: as container_of() casts the given struct to another, also the > > > > > > No need for "also" here (sorry for the grammar nit.) > > > > > > > + * possible const qualifier of @ptr is lost unless it is also specified in > > > > + * @type. This is not a problem if the containing object is not const. Use with > > > > + * care. > > > > > > I do not think these last two sentences you added here are needed > > > either. > > > > > > > > > > */ > > > > #define container_of(ptr, type, member) ({ \ > > > > void *__mptr = (void *)(ptr); \ > > > > @@ -27,6 +31,11 @@ > > > > * @type: the type of the container struct this is embedded in. > > > > * @member: the name of the member within the struct. > > > > * > > > > + * WARNING: as container_of() casts the given struct to another, also the > > > > Wrong function name here. > > I'll address this and the other two issues above in v2. > > > > > > > + * possible const qualifier of @ptr is lost unless it is also specified in > > > > + * @type. This is not a problem if the containing object is not const. Use with > > > > + * care. > > > > > > Same comments here. > > > > Wait, no one uses this macro, so why not just remove it entirely? > > Good question. It appears to be a (relatively) common pattern to look up > something and the return its containing object if the lookup was > successful. Doing a quick > > $ git grep 'container_of.*:' drivers include And odds are, they all are wrong. Any function that has a pointer sent to it that it wants to then cast out to the outer size of the structure has to implicitly know that this is a valid pointer. There's no way to check so you have to trust the fact that the caller sent you the right thing. Trying to check is almost always someone trying to be "over eager" in testing things that can never happen. Just like all of the checks for the result of a container_of() call, that's always wrong as well. thanks, > reveals more than 20 instances of the pattern. There are probably more > those that use if for testing for NULL. I guess people don't know about > this macro, apart from the developers of the staging driver it was added > for (commit 05e6557b8ed833546ee2b66ce6b58fecf09f439e). Ah, lustre is long-gone, so I'll just add a patch to my tree to remove this macro. thanks, greg k-h
On Mon, Oct 24, 2022 at 09:46:40AM +0000, David Laight wrote: > From: 'Andy Shevchenko' > > Sent: 24 October 2022 10:37 > > ... > > > > > > > > Wait, no one uses this macro, so why not just remove it entirely? > > > > > > > > > > Good question. It appears to be a (relatively) common pattern to look up > > > > > something and the return its containing object if the lookup was > > > > > successful. Doing a quick > > > > > > > > > > $ git grep 'container_of.*:' drivers include > > > > > > > > > > reveals more than 20 instances of the pattern. There are probably more > > > > > those that use if for testing for NULL. I guess people don't know about > > > > > this macro, apart from the developers of the staging driver it was added > > > > > for (commit 05e6557b8ed833546ee2b66ce6b58fecf09f439e). > > > > > > > > Maybe we can provide an example to keep this macro in the kernel, meaning > > > > convert one of the drivers / subsystem to actually use it? > > > > > > Adding _safe() to a function name doesn't actually tell you anything. > > > You still need to look up what it is 'safe' against. > > > > > > In this case the full code pattern is actually much clearer. > > > > > > It is also quite likely that it is followed by an: > > > if (!ptr) > > > return xxx; > > > You that can/should really be put before the container_of() call. > > > > return statements in macros are no go. Or you meant something else? > > I meant in the function itself. > > It might be interesting to check how many of the function > can actually have a NULL pointer? > Especially in staging code might be being 'defensive'. This is a pointless discussion, this macro will now be deleted, sorry. greg k-h
From: Greg Kroah-Hartman > Sent: 24 October 2022 11:02 > > On Mon, Oct 24, 2022 at 09:46:40AM +0000, David Laight wrote: > > From: 'Andy Shevchenko' > > > Sent: 24 October 2022 10:37 > > > ... > > > > > > > > > > Wait, no one uses this macro, so why not just remove it entirely? ... > > It might be interesting to check how many of the function > > can actually have a NULL pointer? > > Especially in staging code might be being 'defensive'. > > This is a pointless discussion, this macro will now be deleted, sorry. I think we actually agree :-) David - Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK Registration No: 1397386 (Wales)
Hi Greg, On Mon, Oct 24, 2022 at 11:48:32AM +0200, Greg Kroah-Hartman wrote: > On Mon, Oct 24, 2022 at 09:11:53AM +0000, Sakari Ailus wrote: > > Hi Greg, > > > > Thanks for the comments. > > > > On Mon, Oct 24, 2022 at 10:45:25AM +0200, Greg Kroah-Hartman wrote: > > > On Mon, Oct 24, 2022 at 10:43:52AM +0200, Greg Kroah-Hartman wrote: > > > > On Mon, Oct 24, 2022 at 11:26:10AM +0300, Sakari Ailus wrote: > > > > > container_of() casts the original type to another which leads to the loss > > > > > of the const qualifier if it is not specified in the caller-provided type. > > > > > This easily leads to container_of() returning a non-const pointer to a > > > > > const struct which the C compiler does not warn about. > > > > > > > > > > Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com> > > > > > --- > > > > > include/linux/container_of.h | 9 +++++++++ > > > > > 1 file changed, 9 insertions(+) > > > > > > > > > > diff --git a/include/linux/container_of.h b/include/linux/container_of.h > > > > > index 2f4944b791b81..c7c21d0f41a87 100644 > > > > > --- a/include/linux/container_of.h > > > > > +++ b/include/linux/container_of.h > > > > > @@ -13,6 +13,10 @@ > > > > > * @type: the type of the container struct this is embedded in. > > > > > * @member: the name of the member within the struct. > > > > > * > > > > > + * WARNING: as container_of() casts the given struct to another, also the > > > > > > > > No need for "also" here (sorry for the grammar nit.) > > > > > > > > > + * possible const qualifier of @ptr is lost unless it is also specified in > > > > > + * @type. This is not a problem if the containing object is not const. Use with > > > > > + * care. > > > > > > > > I do not think these last two sentences you added here are needed > > > > either. > > > > > > > > > > > > > */ > > > > > #define container_of(ptr, type, member) ({ \ > > > > > void *__mptr = (void *)(ptr); \ > > > > > @@ -27,6 +31,11 @@ > > > > > * @type: the type of the container struct this is embedded in. > > > > > * @member: the name of the member within the struct. > > > > > * > > > > > + * WARNING: as container_of() casts the given struct to another, also the > > > > > > Wrong function name here. > > > > I'll address this and the other two issues above in v2. > > > > > > > > > > + * possible const qualifier of @ptr is lost unless it is also specified in > > > > > + * @type. This is not a problem if the containing object is not const. Use with > > > > > + * care. > > > > > > > > Same comments here. > > > > > > Wait, no one uses this macro, so why not just remove it entirely? > > > > Good question. It appears to be a (relatively) common pattern to look up > > something and the return its containing object if the lookup was > > successful. Doing a quick > > > > $ git grep 'container_of.*:' drivers include > > And odds are, they all are wrong. > > Any function that has a pointer sent to it that it wants to then cast > out to the outer size of the structure has to implicitly know that this > is a valid pointer. There's no way to check so you have to trust the > fact that the caller sent you the right thing. > > Trying to check is almost always someone trying to be "over eager" in > testing things that can never happen. Just like all of the checks for > the result of a container_of() call, that's always wrong as well. I don't see how it would be more wrong than checking for NULL (or an error) in other macros. The caller won't have to check for those separately and this tends to avoid accidental NULL pointer dereferences. But given that the macro was unused after four or so years suggests that we can probably do fine without it, too. > > reveals more than 20 instances of the pattern. There are probably more > > those that use if for testing for NULL. I guess people don't know about > > this macro, apart from the developers of the staging driver it was added > > for (commit 05e6557b8ed833546ee2b66ce6b58fecf09f439e). > > Ah, lustre is long-gone, so I'll just add a patch to my tree to remove > this macro. Ok. I'll send v2 with this in mind.
Hi David, On Mon, Oct 24, 2022 at 08:59:29AM +0000, David Laight wrote: > From: Greg Kroah-Hartman > > Sent: 24 October 2022 09:44 > ... > > > + * WARNING: as container_of() casts the given struct to another, also the > > > > No need for "also" here (sorry for the grammar nit.) > > > > > + * possible const qualifier of @ptr is lost unless it is also specified in > > > + * @type. This is not a problem if the containing object is not const. Use with > > > + * care. > > > > I do not think these last two sentences you added here are needed > > either. > > It is all TL;DR :-) > > Even just: > > NOTE: any const qualifier of @ptr is lost. > > Is probably more than enough. Fine for me, but I'd prefer to keep the WARNING, making this: WARNING: any const qualifier of @ptr is lost.
On Mon, Oct 24, 2022 at 12:00:16PM +0300, Andy Shevchenko wrote: > + Kees > > On Mon, Oct 24, 2022 at 10:45:25AM +0200, Greg Kroah-Hartman wrote: > > On Mon, Oct 24, 2022 at 10:43:52AM +0200, Greg Kroah-Hartman wrote: > > > On Mon, Oct 24, 2022 at 11:26:10AM +0300, Sakari Ailus wrote: > > > > container_of() casts the original type to another which leads to the loss > > > > of the const qualifier if it is not specified in the caller-provided type. > > > > This easily leads to container_of() returning a non-const pointer to a > > > > const struct which the C compiler does not warn about. > > ... > > > > > * @type: the type of the container struct this is embedded in. > > > > * @member: the name of the member within the struct. > > > > * > > > > + * WARNING: as container_of() casts the given struct to another, also the > > > > Wrong function name here. > > > > > > + * possible const qualifier of @ptr is lost unless it is also specified in > > > > + * @type. This is not a problem if the containing object is not const. Use with > > > > + * care. > > > > > > Same comments here. > > > > Wait, no one uses this macro, so why not just remove it entirely? > > Kees, do you know why and what for we have container_of_safe()? It looks like it was designed to handle the cases where the pointer was ERR_OR_NULL: IS_ERR_OR_NULL(__mptr) ? ERR_CAST(__mptr) : \ ((type *)(__mptr - offsetof(type, member))); }) i.e. just pass through the NULL/ERR instead of attempting the cast, which would fail spectacularly. :) It seems like this version should actually be used everywhere instead of nowhere... (i.e. just drop container_of() and rename container_of_safe() to container_of())
On Mon, Oct 24, 2022 at 7:39 PM Kees Cook <keescook@chromium.org> wrote: > > On Mon, Oct 24, 2022 at 12:00:16PM +0300, Andy Shevchenko wrote: > > + Kees > > > > On Mon, Oct 24, 2022 at 10:45:25AM +0200, Greg Kroah-Hartman wrote: > > > On Mon, Oct 24, 2022 at 10:43:52AM +0200, Greg Kroah-Hartman wrote: > > > > On Mon, Oct 24, 2022 at 11:26:10AM +0300, Sakari Ailus wrote: > > > > > container_of() casts the original type to another which leads to the loss > > > > > of the const qualifier if it is not specified in the caller-provided type. > > > > > This easily leads to container_of() returning a non-const pointer to a > > > > > const struct which the C compiler does not warn about. > > > > ... > > > > > > > * @type: the type of the container struct this is embedded in. > > > > > * @member: the name of the member within the struct. > > > > > * > > > > > + * WARNING: as container_of() casts the given struct to another, also the > > > > > > Wrong function name here. > > > > > > > > + * possible const qualifier of @ptr is lost unless it is also specified in > > > > > + * @type. This is not a problem if the containing object is not const. Use with > > > > > + * care. > > > > > > > > Same comments here. > > > > > > Wait, no one uses this macro, so why not just remove it entirely? > > > > Kees, do you know why and what for we have container_of_safe()? > > It looks like it was designed to handle the cases where the pointer was > ERR_OR_NULL: > > IS_ERR_OR_NULL(__mptr) ? ERR_CAST(__mptr) : \ > ((type *)(__mptr - offsetof(type, member))); }) > > i.e. just pass through the NULL/ERR instead of attempting the cast, > which would fail spectacularly. :) > > It seems like this version should actually be used everywhere instead of > nowhere... (i.e. just drop container_of() and rename container_of_safe() > to container_of()) As a rule, though, users of container_of() don't check the pointer returned by it against NULL, so I'm not sure how much of an improvement that would be. If NULL is passed to container_of(), there will be a spectacular failure, sooner or later ...
From: Rafael J. Wysocki > Sent: 24 October 2022 18:51 ... > > It looks like it was designed to handle the cases where the pointer was > > ERR_OR_NULL: > > > > IS_ERR_OR_NULL(__mptr) ? ERR_CAST(__mptr) : \ > > ((type *)(__mptr - offsetof(type, member))); }) > > > > i.e. just pass through the NULL/ERR instead of attempting the cast, > > which would fail spectacularly. :) > > > > It seems like this version should actually be used everywhere instead of > > nowhere... (i.e. just drop container_of() and rename container_of_safe() > > to container_of()) > > As a rule, though, users of container_of() don't check the pointer > returned by it against NULL, so I'm not sure how much of an > improvement that would be. > > If NULL is passed to container_of(), there will be a spectacular > failure, sooner or later ... Certainly there isn't much difference between dereferencing a -Exxxx value and -Exxxx - offsetof(). Both are in the same page - hopefully not mapped? Missing ERR/NULL checks are a problem but adding one inside container_of() doesn't really help. You might as well add an explicit test before using container_of() rather than adding one inside it AND requiring a test afterwards. I don't think the compiler can assume the subtraction doesn't generate NULL - so must check twice. I've not even sure how many of the functions that can check can ever actually be passed an invalid pointer. Normally the caller bails out and returns the error before passing it on. The kernel really doesn't check every function parameter for validity - it has to assume the caller is doing something sensible. David - Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK Registration No: 1397386 (Wales)
On Mon, Oct 24, 2022 at 07:51:11PM +0200, Rafael J. Wysocki wrote: > On Mon, Oct 24, 2022 at 7:39 PM Kees Cook <keescook@chromium.org> wrote: > > > > On Mon, Oct 24, 2022 at 12:00:16PM +0300, Andy Shevchenko wrote: > > > + Kees > > > > > > On Mon, Oct 24, 2022 at 10:45:25AM +0200, Greg Kroah-Hartman wrote: > > > > On Mon, Oct 24, 2022 at 10:43:52AM +0200, Greg Kroah-Hartman wrote: > > > > > On Mon, Oct 24, 2022 at 11:26:10AM +0300, Sakari Ailus wrote: > > > > > > container_of() casts the original type to another which leads to the loss > > > > > > of the const qualifier if it is not specified in the caller-provided type. > > > > > > This easily leads to container_of() returning a non-const pointer to a > > > > > > const struct which the C compiler does not warn about. > > > > > > ... > > > > > > > > > * @type: the type of the container struct this is embedded in. > > > > > > * @member: the name of the member within the struct. > > > > > > * > > > > > > + * WARNING: as container_of() casts the given struct to another, also the > > > > > > > > Wrong function name here. > > > > > > > > > > + * possible const qualifier of @ptr is lost unless it is also specified in > > > > > > + * @type. This is not a problem if the containing object is not const. Use with > > > > > > + * care. > > > > > > > > > > Same comments here. > > > > > > > > Wait, no one uses this macro, so why not just remove it entirely? > > > > > > Kees, do you know why and what for we have container_of_safe()? > > > > It looks like it was designed to handle the cases where the pointer was > > ERR_OR_NULL: > > > > IS_ERR_OR_NULL(__mptr) ? ERR_CAST(__mptr) : \ > > ((type *)(__mptr - offsetof(type, member))); }) > > > > i.e. just pass through the NULL/ERR instead of attempting the cast, > > which would fail spectacularly. :) > > > > It seems like this version should actually be used everywhere instead of > > nowhere... (i.e. just drop container_of() and rename container_of_safe() > > to container_of()) > > As a rule, though, users of container_of() don't check the pointer > returned by it against NULL, so I'm not sure how much of an > improvement that would be. Nor should they. This is just tiny pointer math, that always assumes a valid pointer is passed in. It should never be used in any code path where a valid pointer is NOT passed into it. thanks, greg k-h
diff --git a/include/linux/container_of.h b/include/linux/container_of.h index 2f4944b791b81..c7c21d0f41a87 100644 --- a/include/linux/container_of.h +++ b/include/linux/container_of.h @@ -13,6 +13,10 @@ * @type: the type of the container struct this is embedded in. * @member: the name of the member within the struct. * + * WARNING: as container_of() casts the given struct to another, also the + * possible const qualifier of @ptr is lost unless it is also specified in + * @type. This is not a problem if the containing object is not const. Use with + * care. */ #define container_of(ptr, type, member) ({ \ void *__mptr = (void *)(ptr); \ @@ -27,6 +31,11 @@ * @type: the type of the container struct this is embedded in. * @member: the name of the member within the struct. * + * WARNING: as container_of() casts the given struct to another, also the + * possible const qualifier of @ptr is lost unless it is also specified in + * @type. This is not a problem if the containing object is not const. Use with + * care. + * * If IS_ERR_OR_NULL(ptr), ptr is returned unchanged. */ #define container_of_safe(ptr, type, member) ({ \