| Message ID | 20250313130321.442025758@linutronix.de (mailing list archive) |
|---|---|
| State | New |
| Headers | show |
| Series | genirq/msi: Spring cleaning | expand |
On Thu, 13 Mar 2025 14:03:38 +0100 (CET) Thomas Gleixner <tglx@linutronix.de> wrote: > In cases where an allocation is consumed by another function, the > allocation needs to be retained on success or freed on failure. The code > pattern is usually: > > struct foo *f = kzalloc(sizeof(*f), GFP_KERNEL); > struct bar *b; > > ,,, > // Initialize f > ... > if (ret) > goto free; > ... > bar = bar_create(f); > if (!bar) { > ret = -ENOMEM; > goto free; > } > ... > return 0; > free: > kfree(f); > return ret; > > This prevents using __free(kfree) on @f because there is no canonical way > to tell the cleanup code that the allocation should not be freed. > > Abusing no_free_ptr() by force ignoring the return value is not really a > sensible option either. > > Provide an explicit macro retain_ptr(), which NULLs the cleanup > pointer. That makes it easy to analyze and reason about. > > Signed-off-by: Thomas Gleixner <tglx@linutronix.de> > Cc: Peter Zijlstra <peterz@infradead.org> Seems sensible to me and the resulting code is reasonably easy to follow / contained in a small region. Reviewed-by: Jonathan Cameron <Jonathan.Cameron@huawei.com> > --- > include/linux/cleanup.h | 17 +++++++++++++++++ > 1 file changed, 17 insertions(+) > > --- a/include/linux/cleanup.h > +++ b/include/linux/cleanup.h > @@ -216,6 +216,23 @@ const volatile void * __must_check_fn(co > > #define return_ptr(p) return no_free_ptr(p) > > +/* > + * Only for situations where an allocation is handed in to another function > + * and consumed by that function on success. > + * > + * struct foo *f __free(kfree) = kzalloc(sizeof(*f), GFP_KERNEL); > + * > + * setup(f); > + * if (some_condition) > + * return -EINVAL; > + * .... > + * ret = bar(f); > + * if (!ret) > + * retain_ptr(f); > + * return ret; > + */ > +#define retain_ptr(p) \ > + __get_and_null(p, NULL) > > /* > * DEFINE_CLASS(name, type, exit, init, init_args...): >
On Thu, Mar 13, 2025 at 02:03:38PM +0100, Thomas Gleixner wrote: > In cases where an allocation is consumed by another function, the > allocation needs to be retained on success or freed on failure. The code > pattern is usually: > > struct foo *f = kzalloc(sizeof(*f), GFP_KERNEL); > struct bar *b; > > ,,, > // Initialize f > ... > if (ret) > goto free; > ... > bar = bar_create(f); > if (!bar) { > ret = -ENOMEM; > goto free; > } > ... > return 0; > free: > kfree(f); > return ret; > > This prevents using __free(kfree) on @f because there is no canonical way > to tell the cleanup code that the allocation should not be freed. > > Abusing no_free_ptr() by force ignoring the return value is not really a > sensible option either. > > Provide an explicit macro retain_ptr(), which NULLs the cleanup > pointer. That makes it easy to analyze and reason about. So no objection per se, but one way to solve this is by handing ownership to bar_create(), such that it is responsible for freeing f on failure. Anyway, I suspect the __must_check came from Linus, OTOH take_fd(), the equivalent for file descriptors also don't have that __must_check. So clearly we have precedent here.
On Thu, Mar 13, 2025 at 02:03:38PM +0100, Thomas Gleixner wrote: > In cases where an allocation is consumed by another function, the > allocation needs to be retained on success or freed on failure. The code > pattern is usually: > > struct foo *f = kzalloc(sizeof(*f), GFP_KERNEL); > struct bar *b; > > ,,, > // Initialize f > ... > if (ret) > goto free; > ... > bar = bar_create(f); > if (!bar) { > ret = -ENOMEM; > goto free; > } > ... > return 0; > free: > kfree(f); > return ret; > > This prevents using __free(kfree) on @f because there is no canonical way > to tell the cleanup code that the allocation should not be freed. > > Abusing no_free_ptr() by force ignoring the return value is not really a > sensible option either. > > Provide an explicit macro retain_ptr(), which NULLs the cleanup > pointer. That makes it easy to analyze and reason about. > > Signed-off-by: Thomas Gleixner <tglx@linutronix.de> > Cc: Peter Zijlstra <peterz@infradead.org> > --- > include/linux/cleanup.h | 17 +++++++++++++++++ > 1 file changed, 17 insertions(+) > > --- a/include/linux/cleanup.h > +++ b/include/linux/cleanup.h > @@ -216,6 +216,23 @@ const volatile void * __must_check_fn(co > > #define return_ptr(p) return no_free_ptr(p) > > +/* > + * Only for situations where an allocation is handed in to another function > + * and consumed by that function on success. > + * > + * struct foo *f __free(kfree) = kzalloc(sizeof(*f), GFP_KERNEL); > + * > + * setup(f); > + * if (some_condition) > + * return -EINVAL; > + * .... > + * ret = bar(f); > + * if (!ret) > + * retain_ptr(f); > + * return ret; Is it better like ret = bar(f); if (ret) return ret; retain_ptr(f); return 0; If there are more than one f, like f1, f2, f3.... ret= bar(f1, f2, ....) if (ret) return ret; retain_ptr(f1); retain_ptr(f2); ... return 0; Or define a macro like #defne no_free_ptr_on_ok(ret, p) ret ? ret : __get_and_null(p, NULL), 0 ret = bar (f); return no_free_ptr_on_ok(ret, f); Frank > + */ > +#define retain_ptr(p) \ > + __get_and_null(p, NULL) > > /* > * DEFINE_CLASS(name, type, exit, init, init_args...): >
--- a/include/linux/cleanup.h +++ b/include/linux/cleanup.h @@ -216,6 +216,23 @@ const volatile void * __must_check_fn(co #define return_ptr(p) return no_free_ptr(p) +/* + * Only for situations where an allocation is handed in to another function + * and consumed by that function on success. + * + * struct foo *f __free(kfree) = kzalloc(sizeof(*f), GFP_KERNEL); + * + * setup(f); + * if (some_condition) + * return -EINVAL; + * .... + * ret = bar(f); + * if (!ret) + * retain_ptr(f); + * return ret; + */ +#define retain_ptr(p) \ + __get_and_null(p, NULL) /* * DEFINE_CLASS(name, type, exit, init, init_args...):
In cases where an allocation is consumed by another function, the allocation needs to be retained on success or freed on failure. The code pattern is usually: struct foo *f = kzalloc(sizeof(*f), GFP_KERNEL); struct bar *b; ,,, // Initialize f ... if (ret) goto free; ... bar = bar_create(f); if (!bar) { ret = -ENOMEM; goto free; } ... return 0; free: kfree(f); return ret; This prevents using __free(kfree) on @f because there is no canonical way to tell the cleanup code that the allocation should not be freed. Abusing no_free_ptr() by force ignoring the return value is not really a sensible option either. Provide an explicit macro retain_ptr(), which NULLs the cleanup pointer. That makes it easy to analyze and reason about. Signed-off-by: Thomas Gleixner <tglx@linutronix.de> Cc: Peter Zijlstra <peterz@infradead.org> --- include/linux/cleanup.h | 17 +++++++++++++++++ 1 file changed, 17 insertions(+)