Initializing automatic __free variables to NULL without need (e.g. branches with different allocations), followed by actual allocation is in contrary to explicit coding rules guiding cleanup.h:
"Given that the "__free(...) = NULL" pattern for variables defined at the top of the function poses this potential interdependency problem the recommendation is to always define and assign variables in one statement and not group variable definitions at the top of the function when __free() is used."
Code does not have a bug, but is less readable and uses discouraged coding practice, so fix that by moving declaration to the place of assignment.
Signed-off-by: Krzysztof Kozlowski krzysztof.kozlowski@oss.qualcomm.com --- drivers/tee/qcomtee/call.c | 17 ++++++++--------- 1 file changed, 8 insertions(+), 9 deletions(-)
diff --git a/drivers/tee/qcomtee/call.c b/drivers/tee/qcomtee/call.c index 65f9140d4e1f..8f8830f0df26 100644 --- a/drivers/tee/qcomtee/call.c +++ b/drivers/tee/qcomtee/call.c @@ -395,9 +395,7 @@ static int qcomtee_object_invoke(struct tee_context *ctx, struct tee_ioctl_object_invoke_arg *arg, struct tee_param *params) { - struct qcomtee_object_invoke_ctx *oic __free(kfree) = NULL; struct qcomtee_context_data *ctxdata = ctx->data; - struct qcomtee_arg *u __free(kfree) = NULL; struct qcomtee_object *object; int i, ret, result;
@@ -412,12 +410,14 @@ static int qcomtee_object_invoke(struct tee_context *ctx, }
/* Otherwise, invoke a QTEE object: */ - oic = qcomtee_object_invoke_ctx_alloc(ctx); + struct qcomtee_object_invoke_ctx *oic __free(kfree) = + qcomtee_object_invoke_ctx_alloc(ctx); if (!oic) return -ENOMEM;
/* +1 for ending QCOMTEE_ARG_TYPE_INV. */ - u = kcalloc(arg->num_params + 1, sizeof(*u), GFP_KERNEL); + struct qcomtee_arg *u __free(kfree) = kcalloc(arg->num_params + 1, sizeof(*u), + GFP_KERNEL); if (!u) return -ENOMEM;
@@ -562,9 +562,8 @@ static int qcomtee_supp_send(struct tee_context *ctx, u32 errno, u32 num_params,
static int qcomtee_open(struct tee_context *ctx) { - struct qcomtee_context_data *ctxdata __free(kfree) = NULL; - - ctxdata = kzalloc(sizeof(*ctxdata), GFP_KERNEL); + struct qcomtee_context_data *ctxdata __free(kfree) = kzalloc(sizeof(*ctxdata), + GFP_KERNEL); if (!ctxdata) return -ENOMEM;
@@ -645,12 +644,12 @@ static void qcomtee_get_version(struct tee_device *teedev, static void qcomtee_get_qtee_feature_list(struct tee_context *ctx, u32 id, u32 *version) { - struct qcomtee_object_invoke_ctx *oic __free(kfree) = NULL; struct qcomtee_object *client_env, *service; struct qcomtee_arg u[3] = { 0 }; int result;
- oic = qcomtee_object_invoke_ctx_alloc(ctx); + struct qcomtee_object_invoke_ctx *oic __free(kfree) = + qcomtee_object_invoke_ctx_alloc(ctx); if (!oic) return;
Initializing automatic __free variables to NULL without need (e.g. branches with different allocations), followed by actual allocation is in contrary to explicit coding rules guiding cleanup.h:
"Given that the "__free(...) = NULL" pattern for variables defined at the top of the function poses this potential interdependency problem the recommendation is to always define and assign variables in one statement and not group variable definitions at the top of the function when __free() is used."
Code does not have a bug, but is less readable and uses discouraged coding practice, so fix that by moving declaration to the place of assignment.
Signed-off-by: Krzysztof Kozlowski krzysztof.kozlowski@oss.qualcomm.com --- drivers/tee/qcomtee/mem_obj.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/tee/qcomtee/mem_obj.c b/drivers/tee/qcomtee/mem_obj.c index 228a3e30a31b..a16f8fc39b8d 100644 --- a/drivers/tee/qcomtee/mem_obj.c +++ b/drivers/tee/qcomtee/mem_obj.c @@ -88,11 +88,11 @@ int qcomtee_memobj_param_to_object(struct qcomtee_object **object, struct tee_param *param, struct tee_context *ctx) { - struct qcomtee_mem_object *mem_object __free(kfree) = NULL; struct tee_shm *shm; int err;
- mem_object = kzalloc(sizeof(*mem_object), GFP_KERNEL); + struct qcomtee_mem_object *mem_object __free(kfree) = kzalloc(sizeof(*mem_object), + GFP_KERNEL); if (!mem_object) return -ENOMEM;
Initializing automatic __free variables to NULL without need (e.g. branches with different allocations), followed by actual allocation is in contrary to explicit coding rules guiding cleanup.h:
"Given that the "__free(...) = NULL" pattern for variables defined at the top of the function poses this potential interdependency problem the recommendation is to always define and assign variables in one statement and not group variable definitions at the top of the function when __free() is used."
Code does not have a bug, but is less readable and uses discouraged coding practice, so fix that by moving declaration to the place of assignment.
Signed-off-by: Krzysztof Kozlowski krzysztof.kozlowski@oss.qualcomm.com --- drivers/tee/qcomtee/user_obj.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/tee/qcomtee/user_obj.c b/drivers/tee/qcomtee/user_obj.c index 0139905f2684..6aa3aefd67f0 100644 --- a/drivers/tee/qcomtee/user_obj.c +++ b/drivers/tee/qcomtee/user_obj.c @@ -228,10 +228,10 @@ static int qcomtee_user_object_dispatch(struct qcomtee_object_invoke_ctx *oic, { struct qcomtee_user_object *uo = to_qcomtee_user_object(object); struct qcomtee_context_data *ctxdata = uo->ctx->data; - struct qcomtee_ureq *ureq __free(kfree) = NULL; int errno;
- ureq = kzalloc(sizeof(*ureq), GFP_KERNEL); + struct qcomtee_ureq *ureq __free(kfree) = kzalloc(sizeof(*ureq), + GFP_KERNEL); if (!ureq) return -ENOMEM;
@@ -367,10 +367,10 @@ int qcomtee_user_param_to_object(struct qcomtee_object **object, struct tee_param *param, struct tee_context *ctx) { - struct qcomtee_user_object *user_object __free(kfree) = NULL; int err;
- user_object = kzalloc(sizeof(*user_object), GFP_KERNEL); + struct qcomtee_user_object *user_object __free(kfree) = + kzalloc(sizeof(*user_object), GFP_KERNEL); if (!user_object) return -ENOMEM;
On Mon, Dec 08, 2025 at 03:08:45AM +0100, Krzysztof Kozlowski wrote:
Initializing automatic __free variables to NULL without need (e.g. branches with different allocations), followed by actual allocation is in contrary to explicit coding rules guiding cleanup.h:
"Given that the "__free(...) = NULL" pattern for variables defined at the top of the function poses this potential interdependency problem the recommendation is to always define and assign variables in one statement and not group variable definitions at the top of the function when __free() is used."
Code does not have a bug, but is less readable and uses discouraged coding practice, so fix that by moving declaration to the place of assignment.
Okay I see but..
Signed-off-by: Krzysztof Kozlowski krzysztof.kozlowski@oss.qualcomm.com
drivers/tee/qcomtee/call.c | 17 ++++++++--------- 1 file changed, 8 insertions(+), 9 deletions(-)
diff --git a/drivers/tee/qcomtee/call.c b/drivers/tee/qcomtee/call.c index 65f9140d4e1f..8f8830f0df26 100644 --- a/drivers/tee/qcomtee/call.c +++ b/drivers/tee/qcomtee/call.c @@ -395,9 +395,7 @@ static int qcomtee_object_invoke(struct tee_context *ctx, struct tee_ioctl_object_invoke_arg *arg, struct tee_param *params) {
- struct qcomtee_object_invoke_ctx *oic __free(kfree) = NULL; struct qcomtee_context_data *ctxdata = ctx->data;
- struct qcomtee_arg *u __free(kfree) = NULL; struct qcomtee_object *object; int i, ret, result;
@@ -412,12 +410,14 @@ static int qcomtee_object_invoke(struct tee_context *ctx, } /* Otherwise, invoke a QTEE object: */
- oic = qcomtee_object_invoke_ctx_alloc(ctx);
- struct qcomtee_object_invoke_ctx *oic __free(kfree) =
qcomtee_object_invoke_ctx_alloc(ctx);/* +1 for ending QCOMTEE_ARG_TYPE_INV. */
- u = kcalloc(arg->num_params + 1, sizeof(*u), GFP_KERNEL);
- struct qcomtee_arg *u __free(kfree) = kcalloc(arg->num_params + 1, sizeof(*u),
GFP_KERNEL);
..this makes the code less readable with variable declarations floating within the function. I would rather favor to not use the cleanup.h construct but use explicit kfree() invocations instead like it's done in all other allocations in the TEE subsystem.
-Sumit
if (!u) return -ENOMEM; @@ -562,9 +562,8 @@ static int qcomtee_supp_send(struct tee_context *ctx, u32 errno, u32 num_params, static int qcomtee_open(struct tee_context *ctx) {
- struct qcomtee_context_data *ctxdata __free(kfree) = NULL;
- ctxdata = kzalloc(sizeof(*ctxdata), GFP_KERNEL);
- struct qcomtee_context_data *ctxdata __free(kfree) = kzalloc(sizeof(*ctxdata),
GFP_KERNEL);@@ -645,12 +644,12 @@ static void qcomtee_get_version(struct tee_device *teedev, static void qcomtee_get_qtee_feature_list(struct tee_context *ctx, u32 id, u32 *version) {
- struct qcomtee_object_invoke_ctx *oic __free(kfree) = NULL; struct qcomtee_object *client_env, *service; struct qcomtee_arg u[3] = { 0 }; int result;
- oic = qcomtee_object_invoke_ctx_alloc(ctx);
- struct qcomtee_object_invoke_ctx *oic __free(kfree) =
qcomtee_object_invoke_ctx_alloc(ctx);2.51.0
On 12/12/2025 01:55, Sumit Garg wrote:
On Mon, Dec 08, 2025 at 03:08:45AM +0100, Krzysztof Kozlowski wrote:
Initializing automatic __free variables to NULL without need (e.g. branches with different allocations), followed by actual allocation is in contrary to explicit coding rules guiding cleanup.h:
"Given that the "__free(...) = NULL" pattern for variables defined at the top of the function poses this potential interdependency problem the recommendation is to always define and assign variables in one statement and not group variable definitions at the top of the function when __free() is used."
Code does not have a bug, but is less readable and uses discouraged coding practice, so fix that by moving declaration to the place of assignment.
Okay I see but..
Signed-off-by: Krzysztof Kozlowski krzysztof.kozlowski@oss.qualcomm.com
drivers/tee/qcomtee/call.c | 17 ++++++++--------- 1 file changed, 8 insertions(+), 9 deletions(-)
diff --git a/drivers/tee/qcomtee/call.c b/drivers/tee/qcomtee/call.c index 65f9140d4e1f..8f8830f0df26 100644 --- a/drivers/tee/qcomtee/call.c +++ b/drivers/tee/qcomtee/call.c @@ -395,9 +395,7 @@ static int qcomtee_object_invoke(struct tee_context *ctx, struct tee_ioctl_object_invoke_arg *arg, struct tee_param *params) {
- struct qcomtee_object_invoke_ctx *oic __free(kfree) = NULL; struct qcomtee_context_data *ctxdata = ctx->data;
- struct qcomtee_arg *u __free(kfree) = NULL; struct qcomtee_object *object; int i, ret, result;
@@ -412,12 +410,14 @@ static int qcomtee_object_invoke(struct tee_context *ctx, } /* Otherwise, invoke a QTEE object: */
- oic = qcomtee_object_invoke_ctx_alloc(ctx);
- struct qcomtee_object_invoke_ctx *oic __free(kfree) =
qcomtee_object_invoke_ctx_alloc(ctx);/* +1 for ending QCOMTEE_ARG_TYPE_INV. */
- u = kcalloc(arg->num_params + 1, sizeof(*u), GFP_KERNEL);
- struct qcomtee_arg *u __free(kfree) = kcalloc(arg->num_params + 1, sizeof(*u),
GFP_KERNEL);..this makes the code less readable with variable declarations floating
Which is intentional.
within the function. I would rather favor to not use the cleanup.h construct but use explicit kfree() invocations instead like it's done in all other allocations in the TEE subsystem.
Sure, fair. I just don't get why introducing cleanup.h without actually accepting its explicitly documented style...
Best regards, Krzysztof
On Fri, Dec 12, 2025 at 02:07:40AM +0100, Krzysztof Kozlowski wrote:
On 12/12/2025 01:55, Sumit Garg wrote:
On Mon, Dec 08, 2025 at 03:08:45AM +0100, Krzysztof Kozlowski wrote:
Initializing automatic __free variables to NULL without need (e.g. branches with different allocations), followed by actual allocation is in contrary to explicit coding rules guiding cleanup.h:
"Given that the "__free(...) = NULL" pattern for variables defined at the top of the function poses this potential interdependency problem the recommendation is to always define and assign variables in one statement and not group variable definitions at the top of the function when __free() is used."
Code does not have a bug, but is less readable and uses discouraged coding practice, so fix that by moving declaration to the place of assignment.
Okay I see but..
Signed-off-by: Krzysztof Kozlowski krzysztof.kozlowski@oss.qualcomm.com
drivers/tee/qcomtee/call.c | 17 ++++++++--------- 1 file changed, 8 insertions(+), 9 deletions(-)
diff --git a/drivers/tee/qcomtee/call.c b/drivers/tee/qcomtee/call.c index 65f9140d4e1f..8f8830f0df26 100644 --- a/drivers/tee/qcomtee/call.c +++ b/drivers/tee/qcomtee/call.c @@ -395,9 +395,7 @@ static int qcomtee_object_invoke(struct tee_context *ctx, struct tee_ioctl_object_invoke_arg *arg, struct tee_param *params) {
- struct qcomtee_object_invoke_ctx *oic __free(kfree) = NULL; struct qcomtee_context_data *ctxdata = ctx->data;
- struct qcomtee_arg *u __free(kfree) = NULL; struct qcomtee_object *object; int i, ret, result;
@@ -412,12 +410,14 @@ static int qcomtee_object_invoke(struct tee_context *ctx, } /* Otherwise, invoke a QTEE object: */
- oic = qcomtee_object_invoke_ctx_alloc(ctx);
- struct qcomtee_object_invoke_ctx *oic __free(kfree) =
qcomtee_object_invoke_ctx_alloc(ctx);/* +1 for ending QCOMTEE_ARG_TYPE_INV. */
- u = kcalloc(arg->num_params + 1, sizeof(*u), GFP_KERNEL);
- struct qcomtee_arg *u __free(kfree) = kcalloc(arg->num_params + 1, sizeof(*u),
GFP_KERNEL);..this makes the code less readable with variable declarations floating
Which is intentional.
within the function. I would rather favor to not use the cleanup.h construct but use explicit kfree() invocations instead like it's done in all other allocations in the TEE subsystem.
Sure, fair. I just don't get why introducing cleanup.h without actually accepting its explicitly documented style...
TBH, it is likely overlooked during review of the QTEE driver. Having a builtin warning for the undesired syntax would help the reviewers here.
-Sumit
op-tee@lists.trustedfirmware.org
-
Krzysztof Kozlowski -
Sumit Garg