1. Patchew
  2. linux
  3. View series

[PATCH 0/2] gpio: core: fix const-correctness and remove UAF FIXMEs

Marco Scardovi (scardracs) posted 2 patches an hour ago 
drivers/gpio/gpiolib-acpi-core.c |  4 ----
drivers/gpio/gpiolib-swnode.c    |  4 ----
drivers/gpio/gpiolib.c           | 28 ++++++++--------------------
drivers/gpio/gpiolib.h           |  2 +-
4 files changed, 9 insertions(+), 29 deletions(-)
[PATCH 0/2] gpio: core: fix const-correctness and remove UAF FIXMEs
Posted by Marco Scardovi (scardracs) an hour ago 
This series addresses legacy "FIXME Cannot use gpio_chip_guard due to
const desc" comments and open-coded SRCU locks scattered throughout the
gpiolib core and backend lookup paths.

I am aware of the ongoing work to replace the gpio_chip_guard architecture
entirely (see the "revocable objects" patchset discussion at
https://lore.kernel.org/linux-gpio/20260513091043.6766-1-tzungbi@kernel.org/).
While that broader refactoring is being iterated upon, this patch series
provides a simple, completely type-safe fix utilizing the existing SRCU
guard infrastructure. It can be merged today to eliminate the FIXMEs
without conflicting conceptually with future revocable objects.

For clarity during review, the series relies on the following guarantees:

1. Deep Const-Correctness is Preserved:
Updating DEFINE_CLASS(gpio_chip_guard, ...) to accept a `const struct
gpio_desc *desc` does not drop const qualifiers. In C, const-propagation
does not implicitly const-qualify deep pointers. The `desc->gdev` evaluation
yields a mutable `struct gpio_device *`, making the internal guard
assignment perfectly legal and safe for fast-path read operations.

2. Identical SRCU Lifetime Scope:
The DEFINE_CLASS macro's GNU C compound statement `({ ... })` relies
on strict sequence points. Thus, `srcu_read_lock()` is fully acquired
prior to executing `srcu_dereference()`. The guard's lifetime remains
identically bound to the block scope, exactly mirroring the open-coded
`guard(srcu)(&gdev->srcu)` it replaces.

3. Lookup UAF FIXMEs are Architecturally Obsolete:
The FIXME comments removed in the ACPI and swnode backend lookup paths
(warning about dropping the device reference) are functionally obsolete.
By design, `gpiod_find_and_request()` wraps the entire backend lookup
operation inside the global `gpio_devices_srcu` read lock. The lookup
functions are entirely safe to drop their temporary references since the
caller subsequently takes its own permanent references without ever leaving
the SRCU read-side critical section.

Please note that while this patch provides a good solution to clean up the
existing codebase, I fully understand the necessity of deeper and more
radical modifications to robustly secure the subsystem's future.

Assisted-by: Antigravity:gemini-3.5-flash
Signed-off-by: Marco Scardovi <scardracs@disroot.org>

Marco Scardovi (scardracs) (2):
  gpio: core: fix const-correctness of gpio_chip_guard
  gpio: remove obsolete UAF FIXMEs from lookup paths

 drivers/gpio/gpiolib-acpi-core.c |  4 ----
 drivers/gpio/gpiolib-swnode.c    |  4 ----
 drivers/gpio/gpiolib.c           | 28 ++++++++--------------------
 drivers/gpio/gpiolib.h           |  2 +-
 4 files changed, 9 insertions(+), 29 deletions(-)

-- 
2.54.0

Patchew 2.1-devel-ea86937

© 2016 - 2026 Red Hat, Inc.