Re: [PATCH 1/1] linux/container_of.h: Warn about loss of constness

[Kees Cook <keescook@chromium.org>]

On Mon, Oct 24, 2022 at 12:00:16PM +0300, Andy Shevchenko wrote:
> + Kees
> 
> On Mon, Oct 24, 2022 at 10:45:25AM +0200, Greg Kroah-Hartman wrote:
> > On Mon, Oct 24, 2022 at 10:43:52AM +0200, Greg Kroah-Hartman wrote:
> > > On Mon, Oct 24, 2022 at 11:26:10AM +0300, Sakari Ailus wrote:
> > > > container_of() casts the original type to another which leads to the loss
> > > > of the const qualifier if it is not specified in the caller-provided type.
> > > > This easily leads to container_of() returning a non-const pointer to a
> > > > const struct which the C compiler does not warn about.
> 
> ...
> 
> > > >   * @type:	the type of the container struct this is embedded in.
> > > >   * @member:	the name of the member within the struct.
> > > >   *
> > > > + * WARNING: as container_of() casts the given struct to another, also the
> > 
> > Wrong function name here.
> > 
> > > > + * possible const qualifier of @ptr is lost unless it is also specified in
> > > > + * @type. This is not a problem if the containing object is not const. Use with
> > > > + * care.
> > > 
> > > Same comments here.
> > 
> > Wait, no one uses this macro, so why not just remove it entirely?
> 
> Kees, do you know why and what for we have container_of_safe()?

It looks like it was designed to handle the cases where the pointer was
ERR_OR_NULL:

       IS_ERR_OR_NULL(__mptr) ? ERR_CAST(__mptr) : \
               ((type *)(__mptr - offsetof(type, member))); })

i.e. just pass through the NULL/ERR instead of attempting the cast,
which would fail spectacularly. :)

It seems like this version should actually be used everywhere instead of
nowhere... (i.e. just drop container_of() and rename container_of_safe()
to container_of())

-- 
Kees Cook