Open Source and information security mailing list archives
 
Message-ID: <Yzr6JjXVQTpky6GM@kroah.com>
Date:   Mon, 3 Oct 2022 17:05:10 +0200
From:   Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To:     "Rafael J. Wysocki" <rafael@...nel.org>
Cc:     Sakari Ailus <sakari.ailus@...ux.intel.com>,
        Andy Shevchenko <andriy.shevchenko@...ux.intel.com>,
        Heikki Krogerus <heikki.krogerus@...ux.intel.com>,
        Bjorn Andersson <andersson@...nel.org>,
        Prashant Malani <pmalani@...omium.org>,
        linux-acpi@...r.kernel.org, linux-kernel@...r.kernel.org,
        linux-usb@...r.kernel.org, Daniel Scally <djrscally@...il.com>
Subject: Re: [PATCH v2 1/5] device property: Keep dev_fwnode() and
 dev_fwnode_const() separate

On Mon, Oct 03, 2022 at 01:54:37PM +0200, Rafael J. Wysocki wrote:
> On Fri, Sep 30, 2022 at 4:43 PM Greg Kroah-Hartman
> <gregkh@...uxfoundation.org> wrote:
> >
> > On Fri, Sep 30, 2022 at 02:30:53PM +0000, Sakari Ailus wrote:
> > > Hi Greg,
> > >
> > > On Wed, Sep 28, 2022 at 01:05:20PM +0200, Greg Kroah-Hartman wrote:
> > > > On Wed, Sep 28, 2022 at 01:57:42PM +0300, Andy Shevchenko wrote:
> > > > > It's not fully correct to take a const parameter pointer to a struct
> > > > > and return a non-const pointer to a member of that struct.
> > > > >
> > > > > Instead, introduce a const version of the dev_fwnode() API which takes
> > > > > and returns const pointers and use it where it's applicable.
> > > > >
> > > > > Suggested-by: Sakari Ailus <sakari.ailus@...ux.intel.com>
> > > > > Fixes: aade55c86033 ("device property: Add const qualifier to device_get_match_data() parameter")
> > > > > Signed-off-by: Andy Shevchenko <andriy.shevchenko@...ux.intel.com>
> > > > > Acked-by: Heikki Krogerus <heikki.krogerus@...ux.intel.com>
> > > > > Reviewed-by: Sakari Ailus <sakari.ailus@...ux.intel.com>
> > > > > ---
> > > > >  drivers/base/property.c  | 11 +++++++++--
> > > > >  include/linux/property.h |  3 ++-
> > > > >  2 files changed, 11 insertions(+), 3 deletions(-)
> > > > >
> > > > > diff --git a/drivers/base/property.c b/drivers/base/property.c
> > > > > index 4d6278a84868..699f1b115e0a 100644
> > > > > --- a/drivers/base/property.c
> > > > > +++ b/drivers/base/property.c
> > > > > @@ -17,13 +17,20 @@
> > > > >  #include <linux/property.h>
> > > > >  #include <linux/phy.h>
> > > > >
> > > > > -struct fwnode_handle *dev_fwnode(const struct device *dev)
> > > > > +struct fwnode_handle *dev_fwnode(struct device *dev)
> > > > >  {
> > > > >   return IS_ENABLED(CONFIG_OF) && dev->of_node ?
> > > > >           of_fwnode_handle(dev->of_node) : dev->fwnode;
> > > > >  }
> > > > >  EXPORT_SYMBOL_GPL(dev_fwnode);
> > > > >
> > > > > +const struct fwnode_handle *dev_fwnode_const(const struct device *dev)
> > > > > +{
> > > > > + return IS_ENABLED(CONFIG_OF) && dev->of_node ?
> > > > > +         of_fwnode_handle(dev->of_node) : dev->fwnode;
> > > > > +}
> > > > > +EXPORT_SYMBOL_GPL(dev_fwnode_const);
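Review bot: the body of dev_fwnode_const() is a verbatim copy of dev_fwnode(), so the CONFIG_OF/of_node selection logic now exists twice and the two copies can drift apart; implement one in terms of the other, for instance have dev_fwnode() return `(struct fwnode_handle *)dev_fwnode_const(dev)` with a comment that the cast is intentional, so there is one definition and the single place where const is dropped is visible. Also, changing the parameter from `-struct fwnode_handle *dev_fwnode(const struct device *dev)` to `+struct fwnode_handle *dev_fwnode(struct device *dev)` narrows the API: a caller that only holds a `const struct device *` no longer compiles cleanly until it is switched to dev_fwnode_const(), and the commit message should say so rather than only "use it where it's applicable".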
> > > >
> > > > Ick, no, this is a mess.
> > > >
> > > > Either always return a const pointer, or don't.  Ideally always return a
> > > > const pointer, so all we really need is:
> > > >
> > > > const struct fwnode_handle *dev_fwnode(const struct device *dev);
> > > >
> > > > right?
> > > >
> > > > Yes, it will take some unwinding backwards to get there, but please do
> > > > that instead of having 2 different functions where the parameter type is
> > > > part of the function name.  This isn't the 1980's...
> > >
> > > The problem with this approach is that sometimes non-const fwnode_handles
> > > are needed. On OF, for instance, anything that has something to do with
> > > refcounting requires this. Software nodes as well.
> >
> > If they are writable, then yes, let's keep them writable, and not create
> > two function paths where we have to pick and choose.
> >
> > > One option which I suggested earlier was to turn dev_fwnode() into a macro
> > > and use C11 _Generic() to check whether the device is const or not.
> >
> > As much fun as that would be, I don't think it would work well.
> >
> > Although, maybe it would, have an example of how that would look?
> >
> > I ask as I just went through a large refactoring of the kobject layer to
> > mark many things const * and I find it a bit "sad" that functions like
> > this:
> >         static inline struct device *kobj_to_dev(const struct kobject *kobj)
> >         {
> >                 return container_of(kobj, struct device, kobj);
> >         }
> > have the ability to take a read-only pointer and spit out a writable one
> > thanks to the pointer math in container_of() with no one being the
> > wiser.
> 
> Well, is this really a problem?
> 
> After all, if an immutable structure is embedded in another one, that
> doesn't automatically imply that the containing structure has to be
> immutable too.  Hence, a const pointer to the inner structure doesn't
> automatically yield a const pointer to the outer one.

That is true, but it's a _huge_ hint that we are throwing away here,
sometimes without even really realizing it.

Ideally, if you have a const * passed into container_of() you would get
a const * back, and then, if you _really_ know what you are doing with
it, feel free to cast it away.  That cast would be a huge sign that
"hey, something is happening here" and allow people to at least notice
it, while today, we lose all of that.

Let me play around with this a bit.  In talking with the Rust Linux
developers, a lot of "how do we know if this pointer is immutable or
not" discussions happen.  With many of our apis, right now we don't know
that, and perhaps that should change as it would make things not
necessarily more "safe", but more "obvious" as to what both the intent
is, and what is actually happening to pointers at times.

Especially in the mess that is kobjects and struct device where we cast
pointers around with abandon :)

thanks,

greg k-h
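The two ideas raised in this thread, Sakari's suggestion of a `_Generic()`-based dev_fwnode() that Greg asks to see an example of, and Greg's point that container_of() in kobj_to_dev() turns a read-only pointer into a writable one, can be shown together in a few lines of C11. The following is an added example, not code from this thread or from the kernel: the struct definitions are minimal stand-ins for struct device, struct kobject and struct fwnode_handle, and IS_CONST_PTR, container_of_const and dev_fwnode_impl are names chosen for this example. Each check function returns a bool so the behaviour can be asserted rather than eyeballed.

```c
/*
 * Added example (not code from this thread or from the kernel): using C11
 * _Generic to keep const-ness through container_of() and through a single
 * dev_fwnode() entry point.  struct device, struct kobject and
 * struct fwnode_handle below are minimal stand-ins, and IS_CONST_PTR,
 * container_of_const and dev_fwnode_impl are names chosen for this example.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

struct fwnode_handle { const char *name; };
struct kobject       { int refcount; };
struct device {
	struct kobject        kobj;
	struct fwnode_handle *fwnode;
};

/*
 * true when p points to a const-qualified object.  Caveat: a top-level
 * const on the pointer itself (T *const p) is dropped by lvalue conversion
 * before _Generic looks at the type, so only pointee qualification counts.
 */
#define IS_CONST_PTR(p) \
	_Generic((p), const __typeof__(*(p)) *: true, default: false)

/*
 * Textbook container_of(): the (char *) arithmetic discards const, so a
 * read-only inner pointer silently becomes a writable outer pointer.
 */
#define container_of(ptr, type, member) \
	((type *)((char *)(ptr) - offsetof(type, member)))

/*
 * const-preserving variant: _Generic selects the result type from the
 * qualification of ptr's pointee.  A const inner pointer yields a const
 * outer pointer; dropping the const now needs an explicit cast at the
 * call site, which is the visible "something is happening here" sign.
 */
#define container_of_const(ptr, type, member)                             \
	_Generic((ptr),                                                   \
		const __typeof__(*(ptr)) *:                               \
			((const type *)container_of(ptr, type, member)),  \
		default:                                                  \
			((type *)container_of(ptr, type, member)))

#define kobj_to_dev(ptr) container_of_const(ptr, struct device, kobj)

/* One implementation; the real dev_fwnode() also consults CONFIG_OF/of_node. */
static inline const struct fwnode_handle *dev_fwnode_impl(const struct device *dev)
{
	return dev->fwnode;
}

/*
 * Single dev_fwnode() name instead of dev_fwnode()/dev_fwnode_const():
 * the only place const is cast away is the default branch below.
 */
#define dev_fwnode(dev)                                                   \
	_Generic((dev),                                                   \
		const struct device *: dev_fwnode_impl(dev),              \
		default: (struct fwnode_handle *)dev_fwnode_impl(dev))

/* Constructed sample objects for the checks below. */
static struct fwnode_handle sample_node = { "fwnode0" };
static struct device        sample_dev  = { { 1 }, &sample_node };

/* Plain container_of() loses const: a const kobject yields a writable device. */
bool plain_container_of_drops_const(void)
{
	const struct kobject *k = &sample_dev.kobj;

	return !IS_CONST_PTR(container_of(k, struct device, kobj));
}

/* container_of_const() keeps const and still finds the right object. */
bool const_container_of_keeps_const(void)
{
	const struct kobject *k = &sample_dev.kobj;

	return IS_CONST_PTR(kobj_to_dev(k)) && kobj_to_dev(k) == &sample_dev;
}

/* ...and a writable kobject still gives a writable device. */
bool const_container_of_keeps_writable(void)
{
	struct kobject *k = &sample_dev.kobj;

	return !IS_CONST_PTR(kobj_to_dev(k)) && kobj_to_dev(k) == &sample_dev;
}

/* dev_fwnode() returns a pointer qualified like its argument. */
bool dev_fwnode_tracks_qualification(void)
{
	struct device *rw = &sample_dev;
	const struct device *ro = &sample_dev;

	return !IS_CONST_PTR(dev_fwnode(rw)) && IS_CONST_PTR(dev_fwnode(ro)) &&
	       dev_fwnode(rw) == &sample_node && dev_fwnode(ro) == &sample_node;
}

int main(void)
{
	printf("plain container_of drops const:  %d\n", plain_container_of_drops_const());
	printf("container_of_const keeps const:  %d\n", const_container_of_keeps_const());
	printf("container_of_const keeps rw:     %d\n", const_container_of_keeps_writable());
	printf("dev_fwnode tracks qualification: %d\n", dev_fwnode_tracks_qualification());
	return 0;
}
```

Two practical caveats apply if something like this were used in a real tree. A macro is not a symbol: it cannot be taken by address or exported, so the helper behind it (dev_fwnode_impl here) is what EXPORT_SYMBOL_GPL() would have to name. And `_Generic` matches types exactly with no implicit conversion, so a `struct device *const` argument still selects the writable branch, as the IS_CONST_PTR comment notes; only the qualification of the pointed-to object is tracked.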
