From: Tzung-Bi Shih
To: Bartosz Golaszewski, Linus Walleij
Cc: Greg Kroah-Hartman, "Rafael J. Wysocki", Danilo Krummrich, Jonathan Corbet, Shuah Khan, Laurent Pinchart, Wolfram Sang, Jason Gunthorpe, Johan Hovold, "Paul E . McKenney", Dan Williams, chrome-platform@lists.linux.dev, tzungbi@kernel.org, linux-gpio@vger.kernel.org, linux-kselftest@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH v3 08/11] gpio: cdev: Leverage revocable for accessing struct gpio_chip
Date: Fri, 13 Feb 2026 09:29:55 +0000
Message-ID: <20260213092958.864411-9-tzungbi@kernel.org>
In-Reply-To: <20260213092958.864411-1-tzungbi@kernel.org>
References: <20260213092958.864411-1-tzungbi@kernel.org>

Struct gpio_device now provides a revocable provider to the underlying struct gpio_chip. Leverage revocable for accessing the struct gpio_chip.

Signed-off-by: Tzung-Bi Shih
---
v3:
- Change revocable API usages accordingly.

v2: https://lore.kernel.org/all/20260203061059.975605-9-tzungbi@kernel.org
- Change usages accordingly after applying
  https://lore.kernel.org/all/20260129143733.45618-4-tzungbi@kernel.org.
- Preserve a local storage for `struct revocable`.
- Combine multiple patches (see "v1:").
- Fix a race condition reported in
  https://lore.kernel.org/all/CAMRc=McDaipt85OHm0MksLkuf6E79dY1uNSqqbcJnoQTUs81Pw@mail.gmail.com/
  and analyzed in https://lore.kernel.org/all/aXEEUWwkxHZzCnaI@tzungbi-laptop/.
  In v1, the blocking_notifier_chain_unregister() will be skipped if the chip has been removed, leading to a UAF in gpiolib_cdev_unregister(). In v2, it won't skip blocking_notifier_chain_unregister().

v1:
- https://lore.kernel.org/all/20260116081036.352286-14-tzungbi@kernel.org
- https://lore.kernel.org/all/20260116081036.352286-15-tzungbi@kernel.org
- https://lore.kernel.org/all/20260116081036.352286-16-tzungbi@kernel.org
- https://lore.kernel.org/all/20260116081036.352286-17-tzungbi@kernel.org
- https://lore.kernel.org/all/20260116081036.352286-18-tzungbi@kernel.org

 drivers/gpio/gpiolib-cdev.c | 68 ++++++++++++++-----------------------
 1 file changed, 26 insertions(+), 42 deletions(-)

diff --git a/drivers/gpio/gpiolib-cdev.c b/drivers/gpio/gpiolib-cdev.c index 2e3484a89a3b..b491e2737ef2 100644 --- a/drivers/gpio/gpiolib-cdev.c +++ b/drivers/gpio/gpiolib-cdev.c @@ -22,6 +22,7 @@ #include #include #include +#include #include #include #include @@ -210,11 +211,9 @@ static long linehandle_ioctl(struct file *file, unsign= ed int cmd, DECLARE_BITMAP(vals, GPIOHANDLES_MAX); unsigned int i; int ret; + struct gpio_chip *gc; =20 - guard(srcu)(&lh->gdev->srcu); - - if (!rcu_access_pointer(lh->gdev->chip)) - return -ENODEV; + revocable_try_access_or_return(lh->gdev->chip_rp, gc); =20 switch (cmd) { case GPIOHANDLE_GET_LINE_VALUES_IOCTL: 
@@ -1432,11 +1431,9 @@ static long linereq_ioctl(struct file *file, unsigne= d int cmd, { struct linereq *lr =3D file->private_data; void __user *ip =3D (void __user *)arg; + struct gpio_chip *gc; =20 - guard(srcu)(&lr->gdev->srcu); - - if (!rcu_access_pointer(lr->gdev->chip)) - return -ENODEV; + revocable_try_access_or_return(lr->gdev->chip_rp, gc); =20 switch (cmd) { case GPIO_V2_LINE_GET_VALUES_IOCTL: @@ -1463,10 +1460,10 @@ static __poll_t linereq_poll(struct file *file, { struct linereq *lr =3D file->private_data; __poll_t events =3D 0; + struct gpio_chip *gc; =20 - guard(srcu)(&lr->gdev->srcu); - - if (!rcu_access_pointer(lr->gdev->chip)) + revocable_try_access_with(lr->gdev->chip_rp, gc); + if (!gc) return EPOLLHUP | EPOLLERR; =20 poll_wait(file, &lr->wait, wait); @@ -1485,11 +1482,9 @@ static ssize_t linereq_read(struct file *file, char = __user *buf, struct gpio_v2_line_event le; ssize_t bytes_read =3D 0; int ret; + struct gpio_chip *gc; =20 - guard(srcu)(&lr->gdev->srcu); - - if (!rcu_access_pointer(lr->gdev->chip)) - return -ENODEV; + revocable_try_access_or_return(lr->gdev->chip_rp, gc); =20 if (count < sizeof(le)) return -EINVAL; @@ -1781,10 +1776,10 @@ static __poll_t lineevent_poll(struct file *file, { struct lineevent_state *le =3D file->private_data; __poll_t events =3D 0; + struct gpio_chip *gc; =20 - guard(srcu)(&le->gdev->srcu); - - if (!rcu_access_pointer(le->gdev->chip)) + revocable_try_access_with(le->gdev->chip_rp, gc); + if (!gc) return EPOLLHUP | EPOLLERR; =20 poll_wait(file, &le->wait, wait); @@ -1819,11 +1814,9 @@ static ssize_t lineevent_read(struct file *file, cha= r __user *buf, ssize_t bytes_read =3D 0; ssize_t ge_size; int ret; + struct gpio_chip *gc; =20 - guard(srcu)(&le->gdev->srcu); - - if (!rcu_access_pointer(le->gdev->chip)) - return -ENODEV; + revocable_try_access_or_return(le->gdev->chip_rp, gc); =20 /* * When compatible system call is being used the struct gpioevent_data, 
@@ -1901,11 +1894,9 @@ static long lineevent_ioctl(struct file *file, unsig= ned int cmd, struct lineevent_state *le =3D file->private_data; void __user *ip =3D (void __user *)arg; struct gpiohandle_data ghd; + struct gpio_chip *gc; =20 - guard(srcu)(&le->gdev->srcu); - - if (!rcu_access_pointer(le->gdev->chip)) - return -ENODEV; + revocable_try_access_or_return(le->gdev->chip_rp, gc); =20 /* * We can get the value for an event line but not set it, @@ -2434,12 +2425,10 @@ static long gpio_ioctl(struct file *file, unsigned = int cmd, unsigned long arg) struct gpio_chardev_data *cdev =3D file->private_data; struct gpio_device *gdev =3D cdev->gdev; void __user *ip =3D (void __user *)arg; - - guard(srcu)(&gdev->srcu); + struct gpio_chip *gc; =20 /* We fail any subsequent ioctl():s when the chip is gone */ - if (!rcu_access_pointer(gdev->chip)) - return -ENODEV; + revocable_try_access_or_return(gdev->chip_rp, gc); =20 /* Fill in the struct and pass to userspace */ switch (cmd) { @@ -2497,12 +2486,9 @@ static void lineinfo_changed_func(struct work_struct= *work) * Pin functions are in general much more static and while it's * not 100% bullet-proof, it's good enough for most cases. */ - scoped_guard(srcu, &ctx->gdev->srcu) { - gc =3D srcu_dereference(ctx->gdev->chip, &ctx->gdev->srcu); - if (gc && - !pinctrl_gpio_can_use_line(gc, ctx->chg.info.offset)) + revocable_try_access_with_scoped(ctx->gdev->chip_rp, gc) + if (!pinctrl_gpio_can_use_line(gc, ctx->chg.info.offset)) ctx->chg.info.flags |=3D GPIO_V2_LINE_FLAG_USED; - } } =20 ret =3D kfifo_in_spinlocked(&ctx->cdev->events, &ctx->chg, 1, 
@@ -2583,10 +2569,10 @@ static __poll_t lineinfo_watch_poll(struct file *fi= le, { struct gpio_chardev_data *cdev =3D file->private_data; __poll_t events =3D 0; + struct gpio_chip *gc; =20 - guard(srcu)(&cdev->gdev->srcu); - - if (!rcu_access_pointer(cdev->gdev->chip)) + revocable_try_access_with(cdev->gdev->chip_rp, gc); + if (!gc) return EPOLLHUP | EPOLLERR; =20 poll_wait(file, &cdev->wait, pollt); @@ -2606,11 +2592,9 @@ static ssize_t lineinfo_watch_read(struct file *file= , char __user *buf, ssize_t bytes_read =3D 0; int ret; size_t event_size; + struct gpio_chip *gc; =20 - guard(srcu)(&cdev->gdev->srcu); - - if (!rcu_access_pointer(cdev->gdev->chip)) - return -ENODEV; + revocable_try_access_or_return(cdev->gdev->chip_rp, gc); =20 #ifndef CONFIG_GPIO_CDEV_V1 event_size =3D sizeof(struct gpio_v2_line_info_changed); --=20 2.53.0.310.g728cabbaf7-goog
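
Review bot: In linehandle_ioctl(), linereq_ioctl(), linereq_read(), lineevent_read(), lineevent_ioctl(), gpio_ioctl() and lineinfo_watch_read(), the error returned once the chip is gone is no longer visible at the call site: the removed lines returned -ENODEV explicitly, while revocable_try_access_or_return(..., gc) hides both the check and the return value inside the macro. That value is what userspace sees from ioctl() and read(), so the commit message should state that the macro still returns -ENODEV, and a one-line comment at the first call site (like the existing "We fail any subsequent ioctl():s when the chip is gone" in gpio_ioctl()) would keep the behaviour readable. In the lines shown, gc is only written by the macro and never read afterwards; if that holds for the rest of each function, check whether the local draws an unused-but-set warning.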
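
Review bot: In linereq_poll(), lineevent_poll() and lineinfo_watch_poll(), the lifetime of the access is undocumented: the removed guard(srcu) visibly covered poll_wait() and the rest of the function, but the replacement pair "revocable_try_access_with(..., gc); if (!gc) return EPOLLHUP | EPOLLERR;" does not show when the access is dropped. Please state in the commit message, or in a comment at the first of the three sites, that the access is held until function exit and not just for the statement, so a reader can confirm the chip cannot be revoked between the NULL check and the return.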
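
Review bot: In lineinfo_changed_func(), the "gc &&" test was dropped from the pinctrl_gpio_can_use_line() condition and the braces that delimited the old scoped_guard() body were removed, so correctness now depends entirely on revocable_try_access_with_scoped() skipping its body when the chip has been revoked. Keep braces around the two-line body as the old block had, and either retain the NULL check or add a comment saying the macro guarantees gc is non-NULL inside the body.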