Re: [PATCH] err_ptr.h: introduce ERR_PTR_SAFE()

[Christian Brauner]

On Thu, May 14, 2026 at 10:01:29PM +0200, Amir Goldstein wrote:
> Code using ERR_PTR() is almost certainly intending to produce a value
> which qualified as IS_ERR_OR_NULL(), but this is not the case when
> code calls ERR_PTR(err) with positive or large negative err.
> 
> Introduce a fortified variant of ERR_PTR() whose return value is
> guaranteed to qualify as IS_ERR_OR_NULL().
> 
> We add this in a new header file err_ptr.h which includes bug.h
> for the build/run time assertions.
> 
> Subsystems may opt-in for fortified ERR_PTR() for specific call sites
> or by #define ERR_PTR(err) ERR_PTR_SAFE(err).
> 
> Link: https://lore.kernel.org/r/CAOQ4uxg=gONUh5QEW5KJcyXLDF15HbLnc9Ea7RKPcgtyfPasTA@xxxxxxxxxxxxxx/
> Signed-off-by: Amir Goldstein <amir73il@xxxxxxxxx>
> ---

I think this is backwards. You can of course do whatever you want in
overlayfs but I think as a first-class concept in err.h it's not that
great. Then we have to separate macros/inlines and almost no one will
use ERR_PTR_SAFE().

I think the correct thing would be to add an assert into ERR_PTR() and a
debug-only one very likely at that and combine this with the static
analyzer thing mentioned in the thread below.

diff --git a/include/linux/err.h b/include/linux/err.h
index 8c37be0620ab..6bf768adf157 100644
--- a/include/linux/err.h
+++ b/include/linux/err.h
@@ -38,6 +38,9 @@
  */
 static inline void * __must_check ERR_PTR(long error)
 {
+#ifdef CONFIG_DEBUG_INFO
+       WARN_ON_ONCE(!IS_ERR_VALUE(error));
+#endif
        return (void *) error;
 }

I'm not convinced yet about ERR_PTR_SAFE().