[PATCH v2 08/11] gpio: cdev: Leverage revocable for accessing struct gpio_chip

Posted by Tzung-Bi Shih 5 days, 6 hours ago
Struct gpio_device now provides a revocable provider to the underlying
struct gpio_chip.  Leverage revocable for accessing the struct
gpio_chip.

Signed-off-by: Tzung-Bi Shih <tzungbi@kernel.org>
---
v2:
- Change usages accordingly after applying
  https://lore.kernel.org/all/20260129143733.45618-4-tzungbi@kernel.org.
  - Preserve a local storage for `struct revocable`.
- Combine multiple patches (see "v1:").

v1:
- https://lore.kernel.org/all/20260116081036.352286-14-tzungbi@kernel.org
- https://lore.kernel.org/all/20260116081036.352286-15-tzungbi@kernel.org
- https://lore.kernel.org/all/20260116081036.352286-16-tzungbi@kernel.org
- https://lore.kernel.org/all/20260116081036.352286-17-tzungbi@kernel.org
- https://lore.kernel.org/all/20260116081036.352286-18-tzungbi@kernel.org

 drivers/gpio/gpiolib-cdev.c | 70 ++++++++++++++++++-------------------
 1 file changed, 34 insertions(+), 36 deletions(-)

diff --git a/drivers/gpio/gpiolib-cdev.c b/drivers/gpio/gpiolib-cdev.c
index aaa5de814468..ca9c04765df4 100644
--- a/drivers/gpio/gpiolib-cdev.c
+++ b/drivers/gpio/gpiolib-cdev.c
@@ -22,6 +22,7 @@
 #include <linux/overflow.h>
 #include <linux/pinctrl/consumer.h>
 #include <linux/poll.h>
+#include <linux/revocable.h>
 #include <linux/seq_file.h>
 #include <linux/spinlock.h>
 #include <linux/string.h>
@@ -210,10 +211,10 @@ static long linehandle_ioctl(struct file *file, unsigned int cmd,
 	DECLARE_BITMAP(vals, GPIOHANDLES_MAX);
 	unsigned int i;
 	int ret;
+	struct gpio_chip *gc;
 
-	guard(srcu)(&lh->gdev->srcu);
-
-	if (!rcu_access_pointer(lh->gdev->chip))
+	REVOCABLE_TRY_ACCESS_WITH(lh->gdev->chip_rp, gc);
+	if (!gc)
 		return -ENODEV;
 
 	switch (cmd) {
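Review bot: How long `gc` stays valid after `REVOCABLE_TRY_ACCESS_WITH(lh->gdev->chip_rp, gc)` can no longer be read off the call site: the removed `guard(srcu)(&lh->gdev->srcu)` made it explicit that the read-side section runs until linehandle_ioctl returns, whereas the macro is defined outside this patch. Presumably it also releases at scope exit; if so, a one-line comment such as `/* chip access is held until return; gc must not be stored or used beyond this scope */` would keep the chip-removal reasoning checkable for the next reader. The same applies to the identical pattern in linereq_ioctl, linereq_poll, linereq_read, lineevent_poll, lineevent_read, lineevent_ioctl, gpio_ioctl, lineinfo_watch_poll and lineinfo_watch_read. The body of linehandle_ioctl continues outside the hunk.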
@@ -1432,10 +1433,10 @@ static long linereq_ioctl(struct file *file, unsigned int cmd,
 {
 	struct linereq *lr = file->private_data;
 	void __user *ip = (void __user *)arg;
+	struct gpio_chip *gc;
 
-	guard(srcu)(&lr->gdev->srcu);
-
-	if (!rcu_access_pointer(lr->gdev->chip))
+	REVOCABLE_TRY_ACCESS_WITH(lr->gdev->chip_rp, gc);
+	if (!gc)
 		return -ENODEV;
 
 	switch (cmd) {
@@ -1463,10 +1464,10 @@ static __poll_t linereq_poll(struct file *file,
 {
 	struct linereq *lr = file->private_data;
 	__poll_t events = 0;
+	struct gpio_chip *gc;
 
-	guard(srcu)(&lr->gdev->srcu);
-
-	if (!rcu_access_pointer(lr->gdev->chip))
+	REVOCABLE_TRY_ACCESS_WITH(lr->gdev->chip_rp, gc);
+	if (!gc)
 		return EPOLLHUP | EPOLLERR;
 
 	poll_wait(file, &lr->wait, wait);
@@ -1485,10 +1486,10 @@ static ssize_t linereq_read(struct file *file, char __user *buf,
 	struct gpio_v2_line_event le;
 	ssize_t bytes_read = 0;
 	int ret;
+	struct gpio_chip *gc;
 
-	guard(srcu)(&lr->gdev->srcu);
-
-	if (!rcu_access_pointer(lr->gdev->chip))
+	REVOCABLE_TRY_ACCESS_WITH(lr->gdev->chip_rp, gc);
+	if (!gc)
 		return -ENODEV;
 
 	if (count < sizeof(le))
@@ -1781,10 +1782,10 @@ static __poll_t lineevent_poll(struct file *file,
 {
 	struct lineevent_state *le = file->private_data;
 	__poll_t events = 0;
+	struct gpio_chip *gc;
 
-	guard(srcu)(&le->gdev->srcu);
-
-	if (!rcu_access_pointer(le->gdev->chip))
+	REVOCABLE_TRY_ACCESS_WITH(le->gdev->chip_rp, gc);
+	if (!gc)
 		return EPOLLHUP | EPOLLERR;
 
 	poll_wait(file, &le->wait, wait);
@@ -1819,10 +1820,10 @@ static ssize_t lineevent_read(struct file *file, char __user *buf,
 	ssize_t bytes_read = 0;
 	ssize_t ge_size;
 	int ret;
+	struct gpio_chip *gc;
 
-	guard(srcu)(&le->gdev->srcu);
-
-	if (!rcu_access_pointer(le->gdev->chip))
+	REVOCABLE_TRY_ACCESS_WITH(le->gdev->chip_rp, gc);
+	if (!gc)
 		return -ENODEV;
 
 	/*
@@ -1901,10 +1902,10 @@ static long lineevent_ioctl(struct file *file, unsigned int cmd,
 	struct lineevent_state *le = file->private_data;
 	void __user *ip = (void __user *)arg;
 	struct gpiohandle_data ghd;
+	struct gpio_chip *gc;
 
-	guard(srcu)(&le->gdev->srcu);
-
-	if (!rcu_access_pointer(le->gdev->chip))
+	REVOCABLE_TRY_ACCESS_WITH(le->gdev->chip_rp, gc);
+	if (!gc)
 		return -ENODEV;
 
 	/*
@@ -2434,11 +2435,11 @@ static long gpio_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
 	struct gpio_chardev_data *cdev = file->private_data;
 	struct gpio_device *gdev = cdev->gdev;
 	void __user *ip = (void __user *)arg;
-
-	guard(srcu)(&gdev->srcu);
+	struct gpio_chip *gc;
 
 	/* We fail any subsequent ioctl():s when the chip is gone */
-	if (!rcu_access_pointer(gdev->chip))
+	REVOCABLE_TRY_ACCESS_WITH(gdev->chip_rp, gc);
+	if (!gc)
 		return -ENODEV;
 
 	/* Fill in the struct and pass to userspace */
@@ -2497,12 +2498,9 @@ static void lineinfo_changed_func(struct work_struct *work)
 		 * Pin functions are in general much more static and while it's
 		 * not 100% bullet-proof, it's good enough for most cases.
 		 */
-		scoped_guard(srcu, &ctx->gdev->srcu) {
-			gc = srcu_dereference(ctx->gdev->chip, &ctx->gdev->srcu);
-			if (gc &&
-			    !pinctrl_gpio_can_use_line(gc, ctx->chg.info.offset))
-				ctx->chg.info.flags |= GPIO_V2_LINE_FLAG_USED;
-		}
+		REVOCABLE_TRY_ACCESS_WITH(ctx->gdev->chip_rp, gc);
+		if (gc && !pinctrl_gpio_can_use_line(gc, ctx->chg.info.offset))
+			ctx->chg.info.flags |= GPIO_V2_LINE_FLAG_USED;
 	}
 
 	ret = kfifo_in_spinlocked(&ctx->cdev->events, &ctx->chg, 1,
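Review bot: The window in which `gc` may be dereferenced is now implicit in this work function: the removed `scoped_guard(srcu, &ctx->gdev->srcu)` bounded it to three lines, while `REVOCABLE_TRY_ACCESS_WITH(ctx->gdev->chip_rp, gc)` presumably holds the access until the enclosing block's closing brace. `gc` is declared outside the hunk, so it can still hold the chip address after that brace, when nothing guards against chip removal any more. I would either say so in a comment, e.g. `/* gc is only valid inside this block */`, or, if `gc` has no other user in the function, move its declaration into the block so that a later use cannot compile. lineinfo_changed_func starts and ends outside the hunk.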
@@ -2583,10 +2581,10 @@ static __poll_t lineinfo_watch_poll(struct file *file,
 {
 	struct gpio_chardev_data *cdev = file->private_data;
 	__poll_t events = 0;
+	struct gpio_chip *gc;
 
-	guard(srcu)(&cdev->gdev->srcu);
-
-	if (!rcu_access_pointer(cdev->gdev->chip))
+	REVOCABLE_TRY_ACCESS_WITH(cdev->gdev->chip_rp, gc);
+	if (!gc)
 		return EPOLLHUP | EPOLLERR;
 
 	poll_wait(file, &cdev->wait, pollt);
@@ -2606,10 +2604,10 @@ static ssize_t lineinfo_watch_read(struct file *file, char __user *buf,
 	ssize_t bytes_read = 0;
 	int ret;
 	size_t event_size;
+	struct gpio_chip *gc;
 
-	guard(srcu)(&cdev->gdev->srcu);
-
-	if (!rcu_access_pointer(cdev->gdev->chip))
+	REVOCABLE_TRY_ACCESS_WITH(cdev->gdev->chip_rp, gc);
+	if (!gc)
 		return -ENODEV;
 
 #ifndef CONFIG_GPIO_CDEV_V1
-- 
2.53.0.rc2.204.g2597b5adb4-goog
Re: [PATCH v2 08/11] gpio: cdev: Leverage revocable for accessing struct gpio_chip
Posted by Bartosz Golaszewski 3 days, 23 hours ago
On Tue, Feb 3, 2026 at 7:12 AM Tzung-Bi Shih <tzungbi@kernel.org> wrote:
>
> Struct gpio_device now provides a revocable provider to the underlying
> struct gpio_chip.  Leverage revocable for accessing the struct
> gpio_chip.
>
> Signed-off-by: Tzung-Bi Shih <tzungbi@kernel.org>
> ---

[snip]

> @@ -1432,10 +1433,10 @@ static long linereq_ioctl(struct file *file, unsigned int cmd,
>  {
>         struct linereq *lr = file->private_data;
>         void __user *ip = (void __user *)arg;
> +       struct gpio_chip *gc;
>
> -       guard(srcu)(&lr->gdev->srcu);
> -
> -       if (!rcu_access_pointer(lr->gdev->chip))
> +       REVOCABLE_TRY_ACCESS_WITH(lr->gdev->chip_rp, gc);
> +       if (!gc)
>                 return -ENODEV;
>

If we're doing this, then I'd love to see something that actually
makes the code smaller like:

REVOCABLE_TRY_ACCESS_WITH_OR_RETURN(lr->gdev->chip_rp, gc, -ENODEV);

which would allow dropping the repeated checks.

Bart
Re: [PATCH v2 08/11] gpio: cdev: Leverage revocable for accessing struct gpio_chip
Posted by Tzung-Bi Shih 5 days, 2 hours ago
On Tue, Feb 03, 2026 at 06:10:55AM +0000, Tzung-Bi Shih wrote:
> ---
> v2:
> - Change usages accordingly after applying
>   https://lore.kernel.org/all/20260129143733.45618-4-tzungbi@kernel.org.
>   - Preserve a local storage for `struct revocable`.
> - Combine multiple patches (see "v1:").

Forgot to mention it in the changelog:
- v2 fixes a race condition reported in
  https://lore.kernel.org/all/CAMRc=McDaipt85OHm0MksLkuf6E79dY1uNSqqbcJnoQTUs81Pw@mail.gmail.com/
  and analyzed in
  https://lore.kernel.org/all/aXEEUWwkxHZzCnaI@tzungbi-laptop/.
  In v1, blocking_notifier_chain_unregister() is skipped if the chip has
  been removed, leading to a use-after-free (UAF) in
  gpiolib_cdev_unregister().
  In v2, blocking_notifier_chain_unregister() is no longer skipped.

> 
> v1:
> - https://lore.kernel.org/all/20260116081036.352286-14-tzungbi@kernel.org
> - https://lore.kernel.org/all/20260116081036.352286-15-tzungbi@kernel.org
> - https://lore.kernel.org/all/20260116081036.352286-16-tzungbi@kernel.org
> - https://lore.kernel.org/all/20260116081036.352286-17-tzungbi@kernel.org
> - https://lore.kernel.org/all/20260116081036.352286-18-tzungbi@kernel.org