Received: by 2002:a05:7412:b10a:b0:f3:1519:9f41 with SMTP id az10csp1107551rdb; Fri, 1 Dec 2023 07:16:43 -0800 (PST) X-Google-Smtp-Source: AGHT+IExKZCv0nvtRPBiripZ8gIELp+inKsgVRxH9FJsUNLq8kqUTxRFtZfT+QJfVP1+vf5HKKds X-Received: by 2002:a05:6a20:13c8:b0:18b:c96b:a433 with SMTP id ho8-20020a056a2013c800b0018bc96ba433mr23337400pzc.56.1701443803292; Fri, 01 Dec 2023 07:16:43 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1701443803; cv=none; d=google.com; s=arc-20160816; b=qEM34In9FkkPBpqTuMrHfWGhJDa6uWY5lmNvPSpWo4MIgK4/vvynhKu4t5Z2i2dy4l TYgqW+Xz+SSfCUbjdx9aUYct5jJy5Bu6e4L0UBwj15qcNM/XRVuYJixjN0V9qx5NznE4 Oa26+DS8ZnFb7eclgZTSqo3QthEMSXUKfJvJm+Yz2AyD77K65voM8nAjnCkIeb0Nq0rA HPM3ElH1S4Jd5FU3YwA9tDs4NKsny60ZpQ//m7LrW9GNq//JeXPEZJMIKK9L0z8Rm0ks UC0due2Gd7W5M228Z8VE4zMdzSCjdJyr+Qrd2GErx9b5jnpjEGfl/0KW/KTz5+BE6zUD cuNw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-transfer-encoding :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:dkim-signature; bh=K5353WZYaHWuqwFnqaJf5CswlT+HYorBDLXsahjnLiU=; fh=xEKiaWSSKsulIgZY/DnMJ20XukDND9DHf1uJSG/Mv8A=; b=yB8jPM/bNcsZncEU38I1II1FD6oharG/STgHKNHjJPx+lZd/27nH5Ev0TcIZD34Ro3 Av7OP3HeK0e78o2uEe46ffxv+5UqAHzCNAWIkeVdFGyf2x7SmVL4aSoZREXo4P5+GkeE oA0MpHloNIk+G9tyL5O+GDX3miOl+RU0V31sOwtucxVV0vXDPFpytiJ61In7yYfJiJ8X nxxqI7rwQ2+g1dLZnbQf45/VmFyS73tetWpdBVswPCX2twTY7NFfrcGW0+fIphrz8ef+ WnI7cDZY4Eef2WXm7B8+BoiReEWl+PzUJfQb+B/oHEoID0ITyp4J11Dk0SYVXX+Fp0m/ kakg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@intel.com header.s=Intel header.b=hTWeYIcf; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:3 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=intel.com Return-Path: Received: from lipwig.vger.email (lipwig.vger.email. [2620:137:e000::3:3]) by mx.google.com with ESMTPS id y11-20020a056a001c8b00b006cd985454f6si3486014pfw.76.2023.12.01.07.16.35 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 01 Dec 2023 07:16:43 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:3 as permitted sender) client-ip=2620:137:e000::3:3; Authentication-Results: mx.google.com; dkim=pass header.i=@intel.com header.s=Intel header.b=hTWeYIcf; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:3 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=intel.com Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0]) by lipwig.vger.email (Postfix) with ESMTP id 6649F8184A9A; Fri, 1 Dec 2023 07:16:33 -0800 (PST) X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.103.11 at lipwig.vger.email Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1379461AbjLAPQT (ORCPT + 99 others); Fri, 1 Dec 2023 10:16:19 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:34842 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1379462AbjLAPPz (ORCPT ); Fri, 1 Dec 2023 10:15:55 -0500 Received: from mgamail.intel.com (mgamail.intel.com [192.198.163.11]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id ABB08210B; Fri, 1 Dec 2023 07:15:33 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1701443734; x=1732979734; h=date:from:to:cc:subject:message-id:references: mime-version:content-transfer-encoding:in-reply-to; bh=tWb4VPgidAHQe+HcKW5PIOVqtBQKyGJANuwYhvqD8Tg=; b=hTWeYIcfgQvg6qtkekJH9JliRMUQnArnl6S3mbz740ret+gNVbFiYSuf iOHzDqLpwI5sHLXclOM4DtFajbE0MbisJ/Mt71KWYvAIiqAbCAlmVo2ns 6FEWghez2meqroook1uqlbv7Nb/IPEGU/capsNtMiNi95Co2Q74X8+b+U XvFHGIoSF9E34FRCmFDjq9Ser/oGtjyRG57ci/HThrmMy3UO2iEgWuEgm PS3AQOx2iVeWfkxJuJO6mAgRRwpe6+/kL6fvm+fejPmU1fo16Kk6mGK15 guzgjKYbwWo9Bf0cNzPXg9F9R19kNUjslzZNgIiHhmYZ3AxrIaCypFx+M A==; X-IronPort-AV: E=McAfee;i="6600,9927,10911"; a="362393" X-IronPort-AV: E=Sophos;i="6.04,241,1695711600"; d="scan'208";a="362393" Received: from orsmga007.jf.intel.com ([10.7.209.58]) by fmvoesa105.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 01 Dec 2023 07:15:32 -0800 X-ExtLoop1: 1 X-IronPort-AV: E=McAfee;i="6600,9927,10911"; a="763176400" X-IronPort-AV: E=Sophos;i="6.04,241,1695711600"; d="scan'208";a="763176400" Received: from stinkpipe.fi.intel.com (HELO stinkbox) ([10.237.72.74]) by orsmga007.jf.intel.com with SMTP; 01 Dec 2023 07:15:26 -0800 Received: by stinkbox (sSMTP sendmail emulation); Fri, 01 Dec 2023 17:15:25 +0200 Date: Fri, 1 Dec 2023 17:15:25 +0200 From: Ville =?iso-8859-1?Q?Syrj=E4l=E4?= To: Maxime Ripard Cc: Jani Nikula , Thomas Zimmermann , Emma Anholt , Jonathan Corbet , linux-kernel@vger.kernel.org, Samuel Holland , Sandy Huang , Jernej Skrabec , linux-doc@vger.kernel.org, Hans Verkuil , linux-rockchip@lists.infradead.org, Chen-Yu Tsai , dri-devel@lists.freedesktop.org, linux-media@vger.kernel.org, linux-sunxi@lists.linux.dev, linux-arm-kernel@lists.infradead.org Subject: Re: [PATCH v4 05/45] drm/connector: Check drm_connector_init pointers arguments Message-ID: References: <20231128-kms-hdmi-connector-state-v4-0-c7602158306e@kernel.org> <20231128-kms-hdmi-connector-state-v4-5-c7602158306e@kernel.org> <87h6l66nth.fsf@intel.com> <2mnodqvu2oo674vspiy4gxhglu3it5cq47acx5itnbwevgc4cf@c7h2bvnx3m2n> <2lbs5dkpusow72koxknoautcfb6e2ygq5wledim4i572ya5xlc@stc4koneykhm> MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: <2lbs5dkpusow72koxknoautcfb6e2ygq5wledim4i572ya5xlc@stc4koneykhm> X-Patchwork-Hint: comment X-Spam-Status: No, score=-0.8 required=5.0 tests=DKIMWL_WL_HIGH,DKIM_SIGNED, DKIM_VALID,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI, SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lipwig.vger.email Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (lipwig.vger.email [0.0.0.0]); Fri, 01 Dec 2023 07:16:33 -0800 (PST) On Fri, Dec 01, 2023 at 10:01:49AM +0100, Maxime Ripard wrote: > On Wed, Nov 29, 2023 at 11:18:24AM +0200, Ville Syrj?l? wrote: > > On Wed, Nov 29, 2023 at 10:11:26AM +0100, Maxime Ripard wrote: > > > Hi Ville, > > > > > > On Tue, Nov 28, 2023 at 03:49:08PM +0200, Ville Syrj?l? wrote: > > > > On Tue, Nov 28, 2023 at 02:29:40PM +0100, Maxime Ripard wrote: > > > > > On Tue, Nov 28, 2023 at 02:54:02PM +0200, Jani Nikula wrote: > > > > > > On Tue, 28 Nov 2023, Maxime Ripard wrote: > > > > > > > All the drm_connector_init variants take at least a pointer to the > > > > > > > device, connector and hooks implementation. > > > > > > > > > > > > > > However, none of them check their value before dereferencing those > > > > > > > pointers which can lead to a NULL-pointer dereference if the author > > > > > > > isn't careful. > > > > > > > > > > > > Arguably oopsing on the spot is preferrable when this can't be caused by > > > > > > user input. It's always a mistake that should be caught early during > > > > > > development. > > > > > > > > > > > > Not everyone checks the return value of drm_connector_init and friends, > > > > > > so those cases will lead to more mysterious bugs later. And probably > > > > > > oopses as well. > > > > > > > > > > So maybe we can do both then, with something like > > > > > > > > > > if (WARN_ON(!dev)) > > > > > return -EINVAL > > > > > > > > > > if (drm_WARN_ON(dev, !connector || !funcs)) > > > > > return -EINVAL; > > > > > > > > > > I'd still like to check for this, so we can have proper testing, and we > > > > > already check for those pointers in some places (like funcs in > > > > > drm_connector_init), so if we don't cover everything we're inconsistent. > > > > > > > > People will invariably cargo-cult this kind of stuff absolutely > > > > everywhere and then all your functions will have tons of dead > > > > code to check their arguments. > > > > > > And that's a bad thing because... ? > > > > > > Also, are you really saying that checking that your arguments make sense > > > is cargo-cult? > > > > > > We're already doing it in some parts of KMS, so we have to be > > > consistent, and the answer to "most drivers don't check the error" > > > cannot be "let's just give on error checking then". > > > > > > > I'd prefer not to go there usually. > > > > > > > > Should we perhaps start to use the (arguably hideous) > > > > - void f(struct foo *bar) > > > > + void f(struct foo bar[static 1]) > > > > syntax to tell the compiler we don't accept NULL pointers? > > > > > > > > Hmm. Apparently that has the same problem as using any > > > > other kind of array syntax in the prototype. That is, > > > > the compiler demands to know the definition of 'struct foo' > > > > even though we're passing in effectively a pointer. Sigh. > > > > > > Honestly, I don't care as long as it's something we can unit-test to > > > make sure we make it consistent. We can't unit test a complete kernel > > > crash. > > > > Why do you want to put utterly broken code into a unit test? > > Utterly broken code happens. It probably shouldn't, but here we are. > > Anyway, you mostly missed the consistent part. > > The current state with it is: > > - planes: > - drm_universal_plane_init warns if funcs->destroy NULL > - drm_universal_plane_alloc errors out if funcs is NULL > - drmm_universal_plane_alloc warns and errors out if funcs or funcs->destroy are NULL > > - CRTC: > - drm_crtc_init_with_planes warns if funcs->destroy NULL > - drmm_crtc_init_with_planes warns if funcs or funcs->destroy are NULL > - drmm_crtc_alloc_with_planes warns and errors out if funcs or funcs->destroy are NULL > > - encoder: > - drm_encoder_init warns if funcs->destroy NULL > - drmm_encoder_init warns and errors out if funcs or funcs->destroy are NULL > - drmm_encoder_alloc warns and errors out if funcs or funcs->destroy are NULL > > - connectors: > - drm_connector_init warns and errors out if funcs or funcs->destroy are NULL > - drm_connector_init_with_ddc warns and errors out if funcs or funcs->destroy are NULL > - drmm_connector_init warns and errors out if funcs or funcs->destroy are NULL Those are perhaps fine, as things may not oops immediately if you get that wrong. But NULL checking things that will anyway oops immediately, (and there's not chance the thing will do anything useful if you prevent the oops with a NULL check) doesn't make any sense to me. It just makes you doubt the entire universe when you see code like that. > > I think that just proves that your opinion is just not as clear cut as > you'd like it to be, and it's far from being the policy you claim it is. > > Plus, we're not even remotely consistent there, and we're not > documenting that anywhere. > > And we have plenty of other examples of static stuff being checked > because it just makes sense. All variants of drm_crtc_init_with_planes > will for example check that the correct plane type is associated to the > primary and cursor planes. > > We should fix that. Ideally the compiler should catch all of this. But given we are implementing this in C (and even C23 constexpr was neutered beyond uselessness) that's not really possible in any nice way :( -- Ville Syrj?l? Intel