1. Patchew
  2. linux
  3. View series

[PATCH v10 0/9] drivers/base: Introduce revocable

Tzung-Bi Shih posted 9 patches 1 month ago
There is a newer version of this series
.../driver-api/driver-model/index.rst         |   1 +
.../driver-api/driver-model/revocable.rst     | 384 +++++++++++++++++
MAINTAINERS                                   |  10 +
drivers/base/Kconfig                          |   5 +
drivers/base/Makefile                         |   5 +-
drivers/base/revocable.c                      | 267 ++++++++++++
drivers/base/revocable_test.c                 | 405 ++++++++++++++++++
drivers/gpio/gpiolib-cdev.c                   |  77 ++--
drivers/gpio/gpiolib-sysfs.c                  |  31 +-
drivers/gpio/gpiolib.c                        | 263 +++++-------
drivers/gpio/gpiolib.h                        |  28 +-
drivers/platform/chrome/cros_ec.c             |  11 +
drivers/platform/chrome/cros_ec_chardev.c     |  80 +++-
include/linux/platform_data/cros_ec_proto.h   |   3 +
include/linux/revocable.h                     | 204 +++++++++
15 files changed, 1505 insertions(+), 269 deletions(-)
create mode 100644 Documentation/driver-api/driver-model/revocable.rst
create mode 100644 drivers/base/revocable.c
create mode 100644 drivers/base/revocable_test.c
create mode 100644 include/linux/revocable.h
[PATCH v10 0/9] drivers/base: Introduce revocable
Posted by Tzung-Bi Shih 1 month ago 
This series introduces the "revocable" mechanism, a synchronization
primitive designed to prevent Use-After-Free errors.

- Patch 1 introduces the revocable which is an implementation of ideas
  from the talk [1].

- Patch 2 adds KUnit test cases.

- Patches 3 to 7 transitions the UAF prevention logic within the GPIO
  core (gpiolib) to use the "revocable" mechanism.

  The existing code aims to prevent UAF issues when the underlying GPIO
  chip is removed.  They replace that custom logic with the generic
  "revocable" API, which is designed to handle such lifecycle
  dependencies.  There should be no changes in behavior.

- Patches 8 to 9 uses "revocable" mechanism to fix an UAF in
  cros_ec_chardev driver.  Alternatively, [2] is a series for fixing the
  same issue without using "revocable".

Since v9, there are two ways to manage the resource provider handle.
- Embedded allocation: patches 3 to 7 might be the potential user.
- Dynamic allocation: patches 8 to 9 might be the potential user.

[1] https://lpc.events/event/17/contributions/1627/
[2] https://lore.kernel.org/all/20260427134659.95181-1-tzungbi@kernel.org

---
v10:
- Unify handling of embedded and dynamic allocation.

v9: https://lore.kernel.org/all/20260427135841.96266-1-tzungbi@kernel.org
- Rebase onto v7.1-rc1.
- Remove the selftests patch as it makes less sense to test revocable
  APIs via kselftests.
- Merge patches 7 to 11 from
  https://lore.kernel.org/all/20260213092958.864411-1-tzungbi@kernel.org
  into the series.
- Merge patch from
  https://lore.kernel.org/all/20250923075302.591026-5-tzungbi@kernel.org
- Merge patch from
  https://lore.kernel.org/all/20250912081718.3827390-6-tzungbi@kernel.org

v8: https://lore.kernel.org/all/20260213092307.858908-1-tzungbi@kernel.org
- Rework on the revocable APIs.  See changelog in [PATCH v8 1/3] for details.

v7: https://lore.kernel.org/all/20260116080235.350305-1-tzungbi@kernel.org
- Rebase onto next-20260115.

v6: https://lore.kernel.org/all/20251106152330.11733-1-tzungbi@kernel.org
- Rebase onto next-20251106.
- Separate revocable core and use cases.

v5: https://lore.kernel.org/all/20251016054204.1523139-1-tzungbi@kernel.org
- Rebase onto next-20251015.
- Add more context about the PoC.
- Support multiple revocable providers in the PoC.

v4: https://lore.kernel.org/all/20250923075302.591026-1-tzungbi@kernel.org
- Rebase onto next-20250922.
- Remove the 5th patch from v3.
- Add fops replacement PoC in 5th - 7th patches.

v3: https://lore.kernel.org/all/20250912081718.3827390-1-tzungbi@kernel.org
- Rebase onto https://lore.kernel.org/all/20250828083601.856083-1-tzungbi@kernel.org
  and next-20250912.
- The 4th patch changed accordingly.

v2: https://lore.kernel.org/all/20250820081645.847919-1-tzungbi@kernel.org
- Rename "ref_proxy" -> "revocable".
- Add test cases in Kunit and selftest.

v1: https://lore.kernel.org/all/20250814091020.1302888-1-tzungbi@kernel.org

Tzung-Bi Shih (9):
  revocable: Revocable resource management
  revocable: Add KUnit test cases
  gpio: Add revocable provider handle for struct gpio_chip
  gpio: cdev: Leverage revocable for accessing struct gpio_chip
  gpio: Remove gpio_chip_guard by using revocable
  gpio: Leverage revocable for accessing struct gpio_chip
  gpio: Remove unused `chip` and `srcu` in struct gpio_device
  platform/chrome: Protect cros_ec_device lifecycle with revocable
  platform/chrome: cros_ec_chardev: Consume cros_ec_device via revocable

 .../driver-api/driver-model/index.rst         |   1 +
 .../driver-api/driver-model/revocable.rst     | 384 +++++++++++++++++
 MAINTAINERS                                   |  10 +
 drivers/base/Kconfig                          |   5 +
 drivers/base/Makefile                         |   5 +-
 drivers/base/revocable.c                      | 267 ++++++++++++
 drivers/base/revocable_test.c                 | 405 ++++++++++++++++++
 drivers/gpio/gpiolib-cdev.c                   |  77 ++--
 drivers/gpio/gpiolib-sysfs.c                  |  31 +-
 drivers/gpio/gpiolib.c                        | 263 +++++-------
 drivers/gpio/gpiolib.h                        |  28 +-
 drivers/platform/chrome/cros_ec.c             |  11 +
 drivers/platform/chrome/cros_ec_chardev.c     |  80 +++-
 include/linux/platform_data/cros_ec_proto.h   |   3 +
 include/linux/revocable.h                     | 204 +++++++++
 15 files changed, 1505 insertions(+), 269 deletions(-)
 create mode 100644 Documentation/driver-api/driver-model/revocable.rst
 create mode 100644 drivers/base/revocable.c
 create mode 100644 drivers/base/revocable_test.c
 create mode 100644 include/linux/revocable.h

-- 
2.51.0
Re: [PATCH v10 0/9] drivers/base: Introduce revocable
Posted by Bartosz Golaszewski 1 month ago 
On Fri, 8 May 2026 12:54:39 +0200, Tzung-Bi Shih <tzungbi@kernel.org> said:
> This series introduces the "revocable" mechanism, a synchronization
> primitive designed to prevent Use-After-Free errors.
>
> - Patch 1 introduces the revocable which is an implementation of ideas
>   from the talk [1].
>
> - Patch 2 adds KUnit test cases.
>
> - Patches 3 to 7 transitions the UAF prevention logic within the GPIO
>   core (gpiolib) to use the "revocable" mechanism.
>
>   The existing code aims to prevent UAF issues when the underlying GPIO
>   chip is removed.  They replace that custom logic with the generic
>   "revocable" API, which is designed to handle such lifecycle
>   dependencies.  There should be no changes in behavior.
>
> - Patches 8 to 9 uses "revocable" mechanism to fix an UAF in
>   cros_ec_chardev driver.  Alternatively, [2] is a series for fixing the
>   same issue without using "revocable".
>
> Since v9, there are two ways to manage the resource provider handle.
> - Embedded allocation: patches 3 to 7 might be the potential user.
> - Dynamic allocation: patches 8 to 9 might be the potential user.
>
> [1] https://lpc.events/event/17/contributions/1627/
> [2] https://lore.kernel.org/all/20260427134659.95181-1-tzungbi@kernel.org
>

All my tests pass with this series on top of v7.1-rc3.

Tested-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>

Patchew 2.1-devel-ea86937

© 2016 - 2026 Red Hat, Inc.