Received: by 2002:a05:7412:419a:b0:f3:1519:9f41 with SMTP id i26csp4448648rdh; Wed, 29 Nov 2023 01:39:10 -0800 (PST) X-Google-Smtp-Source: AGHT+IHk9/cKTZ+lt1CF8ySE0mZ5yGREJ40A+DYll5vLvP4Q/a3RQOOg9qCM3z+H8Voah3AizShN X-Received: by 2002:a17:903:124c:b0:1ca:7f91:aa5d with SMTP id u12-20020a170903124c00b001ca7f91aa5dmr21820196plh.16.1701250750470; Wed, 29 Nov 2023 01:39:10 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1701250750; cv=none; d=google.com; s=arc-20160816; b=QDhTtGbI3A2XjAaGmjtd5FuSh0Q92O/+aw7gfdrK2AWt/l8FvaAiKQASdvFDceNKQW ki8O0MmS4Fjv4F/zOPd+lHXHZVXa3ur3kaI4pky8Xb7EgANCM4UbJ6s2vU3op8qZW9ro 3tzY+R+EjQ41P+kj70FkSsw0+MvpOIdZ+0A2W9ld5nTZoOQ7p6kn7xKEIkXb5TqYDfWX xdr+uHYi/LE2SYamb9WIAQnf6ZKIv2k8ENaNi4qZET+r0Z47AgNDwf8XtyxH6//g1n8S qHKaMHRk+H09IFp5QWU2jwJWeq3vhWLSgEJF1Dg0jzlf0z7PmmFi9A1DgrcgOY8vaLhl xCBA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :message-id:date:references:organization:in-reply-to:subject:cc:to :from:dkim-signature; bh=glGPjuv018l90G71aW7W7Tqy58dvzkS0KDmfnwjFQGs=; fh=zzPMnm/2Mb0FHS1SvdtRqjcg2wG5vK79kQ93n1zLbr0=; b=NT6H6wjxrx1lUVDje0ibv04t+xl6Irj2tr9OY8pkcA0vG2AaXjSEg6xW3yGnz8ilBM 8m67PIvUXdgJz/DQkHuHQo+dPkk1K9E1AUc9xG0GHFKp/AsdF0mSL/r2c4QGthPeyT4A BP+9lZFsKi/pReYLjcXN6m6gfV/zYoSIaZ2n7bhYyTE45SWsoUmaVg8rTtQWsyR+AOIT oW5g7JAePQqUmfkBg3u2T1PLS2lkZi+BWYrKXrPBjpfkpjnpMo1wGB2bAxB/4UjTZBGO 8VB/1KRO5cs1jv/m2kPMn0U0+BVUsaXTE42S/+Dv7fucI/2nlNzUkinlhIlvBFsbhr03 kavg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@intel.com header.s=Intel header.b=oEC1EpQo; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:3 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=intel.com Return-Path: Received: from lipwig.vger.email (lipwig.vger.email. [2620:137:e000::3:3]) by mx.google.com with ESMTPS id c11-20020a170902d48b00b001cfc02e79besi8715612plg.105.2023.11.29.01.39.09 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 29 Nov 2023 01:39:10 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:3 as permitted sender) client-ip=2620:137:e000::3:3; Authentication-Results: mx.google.com; dkim=pass header.i=@intel.com header.s=Intel header.b=oEC1EpQo; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:3 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=intel.com Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0]) by lipwig.vger.email (Postfix) with ESMTP id 847F5803C945; Wed, 29 Nov 2023 01:39:06 -0800 (PST) X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.103.11 at lipwig.vger.email Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229885AbjK2Jir (ORCPT + 99 others); Wed, 29 Nov 2023 04:38:47 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:45892 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229453AbjK2Jip (ORCPT ); Wed, 29 Nov 2023 04:38:45 -0500 Received: from mgamail.intel.com (mgamail.intel.com [192.55.52.88]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 829261999; Wed, 29 Nov 2023 01:38:51 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1701250731; x=1732786731; h=from:to:cc:subject:in-reply-to:references:date: message-id:mime-version:content-transfer-encoding; bh=AKuXrJt5cSWlwQTjHEOlVJMaFv/ThpR7gpZ8mCu+jiM=; b=oEC1EpQo5rf8b6v1akur41tQJRUNUQjy6Bv2QHzwhIehBvQo0kICStJm Q9x+di2pNCxRZglfOYp8W61hdpAJxt4KtE9bDcDYbUTBiVkeatdXo1ghS KmmBm99laTrCHU8YSurt7L6dDTzWp4hCRO4hODFm5tETqVJCO+F80IDDn Vd+D4BL+r9eyui3YMKwlPGGAZzSs23K/jp1baNi4bEFCw8cx4RLuxwyOV 25nXF/1PmYuRuPbUWpPSxGEC7dR1g5HMj3G6MLPPe4IKgsSU5VXP323x1 DydywNxTQ7jO7LHKCs4dcaH5cp8RfJPCWYW9i9rVgH2CGkAVD2JKwzIfh g==; X-IronPort-AV: E=McAfee;i="6600,9927,10908"; a="424277739" X-IronPort-AV: E=Sophos;i="6.04,235,1695711600"; d="scan'208";a="424277739" Received: from orsmga006.jf.intel.com ([10.7.209.51]) by fmsmga101.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 29 Nov 2023 01:38:51 -0800 X-ExtLoop1: 1 X-IronPort-AV: E=McAfee;i="6600,9927,10908"; a="745194703" X-IronPort-AV: E=Sophos;i="6.04,235,1695711600"; d="scan'208";a="745194703" Received: from dstavrak-mobl.ger.corp.intel.com (HELO localhost) ([10.252.60.61]) by orsmga006-auth.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 29 Nov 2023 01:38:45 -0800 From: Jani Nikula To: Maxime Ripard , Ville =?utf-8?B?U3lyasOkbMOk?= Cc: Thomas Zimmermann , Emma Anholt , Jonathan Corbet , linux-kernel@vger.kernel.org, Samuel Holland , Sandy Huang , Jernej Skrabec , linux-doc@vger.kernel.org, Hans Verkuil , linux-rockchip@lists.infradead.org, Chen-Yu Tsai , dri-devel@lists.freedesktop.org, linux-media@vger.kernel.org, linux-sunxi@lists.linux.dev, linux-arm-kernel@lists.infradead.org Subject: Re: [PATCH v4 05/45] drm/connector: Check drm_connector_init pointers arguments In-Reply-To: <2mnodqvu2oo674vspiy4gxhglu3it5cq47acx5itnbwevgc4cf@c7h2bvnx3m2n> Organization: Intel Finland Oy - BIC 0357606-4 - Westendinkatu 7, 02160 Espoo References: <20231128-kms-hdmi-connector-state-v4-0-c7602158306e@kernel.org> <20231128-kms-hdmi-connector-state-v4-5-c7602158306e@kernel.org> <87h6l66nth.fsf@intel.com> <2mnodqvu2oo674vspiy4gxhglu3it5cq47acx5itnbwevgc4cf@c7h2bvnx3m2n> Date: Wed, 29 Nov 2023 11:38:42 +0200 Message-ID: <8734wo7vbx.fsf@intel.com> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-Spam-Status: No, score=-0.8 required=5.0 tests=DKIMWL_WL_HIGH,DKIM_SIGNED, DKIM_VALID,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI, SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lipwig.vger.email Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (lipwig.vger.email [0.0.0.0]); Wed, 29 Nov 2023 01:39:06 -0800 (PST) On Wed, 29 Nov 2023, Maxime Ripard wrote: > Hi Ville, > > On Tue, Nov 28, 2023 at 03:49:08PM +0200, Ville Syrj=C3=A4l=C3=A4 wrote: >> On Tue, Nov 28, 2023 at 02:29:40PM +0100, Maxime Ripard wrote: >> > On Tue, Nov 28, 2023 at 02:54:02PM +0200, Jani Nikula wrote: >> > > On Tue, 28 Nov 2023, Maxime Ripard wrote: >> > > > All the drm_connector_init variants take at least a pointer to the >> > > > device, connector and hooks implementation. >> > > > >> > > > However, none of them check their value before dereferencing those >> > > > pointers which can lead to a NULL-pointer dereference if the author >> > > > isn't careful. >> > >=20 >> > > Arguably oopsing on the spot is preferrable when this can't be cause= d by >> > > user input. It's always a mistake that should be caught early during >> > > development. >> > >=20 >> > > Not everyone checks the return value of drm_connector_init and frien= ds, >> > > so those cases will lead to more mysterious bugs later. And probably >> > > oopses as well. >> >=20 >> > So maybe we can do both then, with something like >> >=20 >> > if (WARN_ON(!dev)) >> > return -EINVAL >> >=20 >> > if (drm_WARN_ON(dev, !connector || !funcs)) >> > return -EINVAL; >> >=20 >> > I'd still like to check for this, so we can have proper testing, and we >> > already check for those pointers in some places (like funcs in >> > drm_connector_init), so if we don't cover everything we're inconsisten= t. >>=20 >> People will invariably cargo-cult this kind of stuff absolutely >> everywhere and then all your functions will have tons of dead >> code to check their arguments. > > And that's a bad thing because... ? > > Also, are you really saying that checking that your arguments make sense > is cargo-cult? It's a powerful thing to be able to assume a NULL argument is always a fatal programming error on the caller's side, and should oops and get caught immediately. It's an assertion. We're not talking about user input or anything like that here. If you start checking for things that can't happen, and return errors for them, you start gracefully handling things that don't have anything graceful about them. Having such checks in place trains people to think they *may* happen. While it should fail fast and loud at the developer's first smoke test, and get fixed then and there. BR, Jani. > > We're already doing it in some parts of KMS, so we have to be > consistent, and the answer to "most drivers don't check the error" > cannot be "let's just give on error checking then". > >> I'd prefer not to go there usually. >>=20 >> Should we perhaps start to use the (arguably hideous) >> - void f(struct foo *bar) >> + void f(struct foo bar[static 1]) >> syntax to tell the compiler we don't accept NULL pointers? >>=20 >> Hmm. Apparently that has the same problem as using any >> other kind of array syntax in the prototype. That is, >> the compiler demands to know the definition of 'struct foo' >> even though we're passing in effectively a pointer. Sigh. > > Honestly, I don't care as long as it's something we can unit-test to > make sure we make it consistent. We can't unit test a complete kernel > crash. --=20 Jani Nikula, Intel