Re: [PATCH] fs: Use a cleanup attribute in copy_fdtable()

[Al Viro <viro@zeniv.linux.org.uk>]

On Sun, Oct 05, 2025 at 07:41:47PM +0200, Miquel Sabaté Solà wrote:
> Al Viro @ 2025-10-05 10:01 +01:
> 
> > On Sun, Oct 05, 2025 at 07:37:50AM +0200, Miquel Sabaté Solà wrote:
> >> Al Viro @ 2025-10-04 22:19 +01:
> >>
> >> > On Sat, Oct 04, 2025 at 11:03:40PM +0200, Miquel Sabaté Solà wrote:
> >> >> This is a small cleanup in which by using the __free(kfree) cleanup
> >> >> attribute we can avoid three labels to go to, and the code turns to be
> >> >> more concise and easier to follow.
> >> >
> >> > Have you tried to build and boot that?
> >>
> >> Yes, and it worked on my machine...
> >
> > Unfortunately, it ends up calling that kfree() on success as well as on failure.
> > Idiomatic way to avoid that would be
> > 	return no_free_ptr(fdt);
> > but you've left bare
> > 	return fdt;
> > in there, ending up with returning dangling pointers to the caller.  So as
> > soon as you get more than BITS_PER_LONG descriptors used by a process,
> > you'll get trouble.  In particular, bash(1) running as an interactive shell
> > would hit that - it has descriptor 255 opened...
> 
> Ugh, this is just silly from my end...
> 
> You are absolutely right. I don't know what the hell I was doing while
> testing that prevented me from realizing this before, but as you say
> it's quite obvious and I was just blind or something.
> 
> Sorry for the noise and thanks for your patience...

FWIW, the real low-level destructor (__free_fdtable()) *does* cope with ->fd
or ->open_fds left NULL, so theoretically we could replace kmalloc with
kzalloc in alloc_fdtable(), add use that thing via DEFINE_FREE()/__free(...);
I'm not sure if it's a good idea, though - at the very least, that property
of destructor would have to be spelled out with explanations, both in
__free_fdtable() and in alloc_fdtable().

Matter of taste, but IMO it's not worth bothering with - figuring out why
the damn thing is correct would take at least as much time and attention
from readers as the current variant does.

BTW, there's a chance to kill struct fdtable off - a project that got stalled
about a year ago (see https://lore.kernel.org/all/20240806010217.GL5334@ZenIV/
and subthread from there on for details) that just might end up eliminating
that double indirect.  I'm not saying that it's a reason not to do cleanups in
what exists right now, just a tangentially related thing that might be interesting
to resurrect...