On Mon, Aug 04, 2025 at 04:52:29PM +0100, Al Viro wrote: > On Mon, Aug 04, 2025 at 02:33:13PM +0200, Christian Brauner wrote: > > > + guard(spinlock)(&files->file_lock); > > err = expand_files(files, fd); > > if (unlikely(err < 0)) > > - goto out_unlock; > > - return do_dup2(files, file, fd, flags); > > + return err; > > + err = do_dup2(files, file, fd, flags); > > + if (err < 0) > > + return err; > > > > -out_unlock: > > - spin_unlock(&files->file_lock); > > - return err; > > + return 0; > > } > > NAK. This is broken - do_dup2() drops ->file_lock. And that's why I > loathe the guard() - it's too easy to get confused *and* assume that > it will DTRT, no need to check carefully. Note, BTW, that in actual replacing case do_dup2() has blocking operations (closing the replaced reference) after dropping ->file_lock, so making it locking-neutral would not be easy; doable (have it return the old reference in the replacing case and adjust the callers accordingly), but it's seriously not pretty (NULL/address of old file/ERR_PTR() for return value, boilerplate in callers, etc.). Having do_dup2() called without ->file_lock and taking it inside is not an option - we could pull expand_files() in there, but lookup of oldfd in actual dup2(2)/dup3(2) has to be done within the same ->file_lock scope where it is inserted into the table. Sure, all things equal it's better to have functions locking-neutral, but it's not always the best approach. And while __free() allows for "we'd passed the object to somebody else, it's not ours to consume anymore", guard() does not.
