On Tue, Nov 11, 2025 at 09:22:44AM +0000, Al Viro wrote:
> On Tue, Nov 11, 2025 at 07:53:16AM +0000, [email protected] wrote:
> 
> > When ffs_epfiles_create() calls ffs_epfiles_destroy(epfiles, i - 1) after
> > the first ffs_sb_create_file() call fails (when i=1), it passes count=0.
> > The initialization loop starts at i=1, so epfiles[0].ffs is never
> > initialized.
> 
> Incorrect.  The loop in question is

Are you aware that you're replying to a bot-generated email?

> 
>       epfile = epfiles;
>       for (i = 1; i <= count; ++i, ++epfile) {
>               epfile->ffs = ffs;
>               mutex_init(&epfile->mutex);
>               mutex_init(&epfile->dmabufs_mutex);
>               INIT_LIST_HEAD(&epfile->dmabufs);
>               if (ffs->user_flags & FUNCTIONFS_VIRTUAL_ADDR)
>                       sprintf(epfile->name, "ep%02x", ffs->eps_addrmap[i]);
>               else
>                       sprintf(epfile->name, "ep%u", i);
>               err = ffs_sb_create_file(ffs->sb, epfile->name,
>                                        epfile, &ffs_epfile_operations);
>               if (err) {
>                       ffs_epfiles_destroy(epfiles, i - 1);
>                       return err;
>               }
>       }
> 
> and invariant maintained through the loop is epfile == epfiles + (i - 1).
> We start with i == 1 and epfile == epfiles, modify neither variable in
> the loop body and increment both i and epfile by the same amount in
> the step.
> 
> In other words, on the first pass through the loop we access epfiles[0],
> not epfiles[1].  Granted, the loop could've been more idiomatic, but
> it is actually correct.

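To check Al's invariant argument against the bot's reading, here is a small stand-alone C model of the quoted loop (added here; it is not kernel code, and every `model_*` name is made up for the example). It records, for a failure on any given iteration, how many entries the destroy stand-in receives and whether any of them was never initialised.

```c
#include <stdbool.h>

#define MODEL_MAX_EPS 8
struct model_ffs { int id; };
struct model_epfile { struct model_ffs *ffs; }; /* 0 means "never initialised" */

struct model_result {
	int err;            /* 0 on success, -1 when the stand-in create call fails */
	unsigned destroyed; /* count handed to the destroy stand-in on failure */
	unsigned uninit;    /* destroyed entries whose ffs was never set (must be 0) */
	bool invariant_ok;  /* epfile == epfiles + (i - 1) held on every pass */
};

/* Stand-in for ffs_epfiles_destroy(): tears down the first count entries
 * and reports how many of them never had ->ffs assigned. */
static unsigned model_destroy(struct model_epfile *epfiles, unsigned count)
{
	unsigned i, uninit = 0;
	for (i = 0; i < count; ++i) {
		if (!epfiles[i].ffs)
			uninit++;
		epfiles[i].ffs = 0;
	}
	return uninit;
}

/* Same shape as the quoted loop: i runs 1..count while epfile walks the array.
 * fail_at is the 1-based iteration on which the stand-in for
 * ffs_sb_create_file() fails (0 = it never fails). */
struct model_result model_epfiles_create(unsigned count, unsigned fail_at)
{
	static struct model_ffs ffs = { 1 };
	struct model_epfile epfiles[MODEL_MAX_EPS] = { { 0 } };
	struct model_epfile *epfile = epfiles;
	struct model_result r = { 0, 0, 0, true };
	unsigned i;
	for (i = 1; i <= count && i <= MODEL_MAX_EPS; ++i, ++epfile) {
		if (epfile != epfiles + (i - 1))
			r.invariant_ok = false;
		epfile->ffs = &ffs;
		r.err = (i == fail_at) ? -1 : 0;
		if (r.err) {
			/* the i - 1 entries before epfile are exactly the initialised ones */
			r.destroyed = i - 1;
			r.uninit = model_destroy(epfiles, i - 1);
			return r;
		}
	}
	return r;
}
```

A failure on the first pass hands destroy a count of 0, and for every later failure point the entries destroyed are exactly the ones already initialised.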