From: Tzung-Bi Shih <tzungbi@kernel.org>
To: Johan Hovold <johan@kernel.org>
Cc: Benson Leung <bleung@chromium.org>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
"Rafael J . Wysocki" <rafael@kernel.org>,
Danilo Krummrich <dakr@kernel.org>,
Bartosz Golaszewski <brgl@bgdev.pl>,
Linus Walleij <linusw@kernel.org>,
Jonathan Corbet <corbet@lwn.net>, Shuah Khan <shuah@kernel.org>,
linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org,
chrome-platform@lists.linux.dev, linux-kselftest@vger.kernel.org,
Laurent Pinchart <laurent.pinchart@ideasonboard.com>,
Wolfram Sang <wsa+renesas@sang-engineering.com>,
Simona Vetter <simona.vetter@ffwll.ch>,
Dan Williams <dan.j.williams@intel.com>,
Jason Gunthorpe <jgg@nvidia.com>,
linux-gpio@vger.kernel.org
Subject: Re: [PATCH 22/23] gpiolib: Leverage revocable for other independent lifecycle instances
Date: Tue, 27 Jan 2026 15:56:39 +0000 [thread overview]
Message-ID: <aXjgN2jGsaNQgP9o@google.com> (raw)
In-Reply-To: <aXdy-b3GOJkzGqYo@hovoldconsulting.com>
On Mon, Jan 26, 2026 at 02:58:17PM +0100, Johan Hovold wrote:
> On Sat, Jan 24, 2026 at 05:52:53PM +0100, Johan Hovold wrote:
> > On Fri, Jan 16, 2026 at 08:10:35AM +0000, Tzung-Bi Shih wrote:
> > > There are independent lifecycle instances (e.g., other drivers) can save
> > > a raw pointer to the struct gpio_device (e.g., via gpio_device_find())
> > > or struct gpio_desc (e.g., via gpio_to_desc()). In some operations,
> > > they have to access the underlying struct gpio_chip.
> > >
> > > Leverage revocable for them so that they don't need to handle the
> > > synchronization by accessing the SRCU explicitly.
> > >
> > > Signed-off-by: Tzung-Bi Shih <tzungbi@kernel.org>
> >
> > > static int gpiod_get_raw_value_commit(const struct gpio_desc *desc)
> > > {
> > > - struct gpio_device *gdev;
> > > struct gpio_chip *gc;
> > > int value;
> > > + DEFINE_REVOCABLE(rev, desc->gdev->chip_rp);
> >
> > DEFINE_REVOCABLE() is racy and can lead to use-after-free since nothing
> > prevents chip_rp from being revoked and freed while the
> > revocable_alloc() hidden in DEFINE_REVOCABLE() is running.
>
> This was supposed to say "revocable_init()" (i.e. revocable_alloc()
> without the memory allocation).
I see the issue. Thanks for identifying this.
next prev parent reply other threads:[~2026-01-27 15:56 UTC|newest]
Thread overview: 49+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-01-16 8:10 [PATCH 00/23] gpiolib: Adopt revocable mechanism for UAF prevention Tzung-Bi Shih
2026-01-16 8:10 ` [PATCH 01/23] gpiolib: Correct wrong kfree() usage for `kobj->name` Tzung-Bi Shih
2026-01-16 13:15 ` Bartosz Golaszewski
2026-01-16 13:27 ` Greg Kroah-Hartman
2026-01-16 13:30 ` Bartosz Golaszewski
2026-01-20 4:29 ` Tzung-Bi Shih
2026-01-16 14:13 ` Jason Gunthorpe
2026-01-16 14:38 ` Bartosz Golaszewski
2026-01-20 4:30 ` Tzung-Bi Shih
2026-01-20 9:43 ` Bartosz Golaszewski
2026-01-16 8:10 ` [PATCH 02/23] gpiolib: cdev: Fix resource leaks on errors in gpiolib_cdev_register() Tzung-Bi Shih
2026-01-20 8:50 ` Bartosz Golaszewski
2026-01-20 9:34 ` Tzung-Bi Shih
2026-01-20 9:39 ` Bartosz Golaszewski
2026-01-16 8:10 ` [PATCH 03/23] gpiolib: Fix resource leaks on errors in gpiochip_add_data_with_key() Tzung-Bi Shih
2026-01-16 8:10 ` [PATCH 04/23] gpiolib: Fix resource leaks on errors in lineinfo_changed_notify() Tzung-Bi Shih
2026-01-16 13:26 ` Bartosz Golaszewski
2026-01-20 3:11 ` Tzung-Bi Shih
2026-01-20 8:49 ` Bartosz Golaszewski
2026-01-16 8:10 ` [PATCH 05/23] gpiolib: cdev: Correct return code on memory allocation failure Tzung-Bi Shih
2026-01-16 8:10 ` [PATCH 06/23] gpiolib: Access `gpio_bus_type` in gpiochip_setup_dev() Tzung-Bi Shih
2026-01-16 8:10 ` [PATCH 07/23] gpiolib: Remove redundant check for struct gpio_chip Tzung-Bi Shih
2026-01-16 8:10 ` [PATCH 08/23] gpiolib: sysfs: " Tzung-Bi Shih
2026-01-16 8:10 ` [PATCH 09/23] gpiolib: Ensure struct gpio_chip for gpiochip_setup_dev() Tzung-Bi Shih
2026-01-16 8:10 ` [PATCH 10/23] gpiolib: cdev: Don't check struct gpio_chip in gpio_chrdev_open() Tzung-Bi Shih
2026-01-16 8:10 ` [PATCH 11/23] selftests: gpio: Add gpio-cdev-uaf tests Tzung-Bi Shih
2026-01-16 8:10 ` [PATCH 12/23] gpiolib: Add revocable provider handle for struct gpio_chip Tzung-Bi Shih
2026-01-16 8:10 ` [PATCH 13/23] gpiolib: cdev: Leverage revocable for gpio_fileops Tzung-Bi Shih
2026-01-16 8:10 ` [PATCH 14/23] gpiolib: cdev: Leverage revocable for linehandle_fileops Tzung-Bi Shih
2026-01-16 8:10 ` [PATCH 15/23] gpiolib: cdev: Leverage revocable for line_fileops Tzung-Bi Shih
2026-01-16 8:10 ` [PATCH 16/23] gpiolib: cdev: Leverage revocable for lineevent_fileops Tzung-Bi Shih
2026-01-16 8:10 ` [PATCH 17/23] gpiolib: cdev: Leverage revocable for lineinfo_changed_notify Tzung-Bi Shih
2026-01-16 8:10 ` [PATCH 18/23] gpiolib: Leverage revocable for gpiolib_sops Tzung-Bi Shih
2026-01-16 8:10 ` [PATCH 19/23] revocable: Support to define revocable consumer handle on stack Tzung-Bi Shih
2026-01-16 8:10 ` [PATCH 20/23] revocable: Add Kunit test case for DEFINE_REVOCABLE() Tzung-Bi Shih
2026-01-16 8:10 ` [PATCH 21/23] selftests: revocable: Add " Tzung-Bi Shih
2026-01-16 8:10 ` [PATCH 22/23] gpiolib: Leverage revocable for other independent lifecycle instances Tzung-Bi Shih
2026-01-24 16:52 ` Johan Hovold
2026-01-26 13:58 ` Johan Hovold
2026-01-27 15:56 ` Tzung-Bi Shih [this message]
2026-01-16 8:10 ` [PATCH 23/23] gpiolib: Remove unused `chip` and `srcu` in struct gpio_device Tzung-Bi Shih
2026-01-16 10:35 ` [PATCH 00/23] gpiolib: Adopt revocable mechanism for UAF prevention Bartosz Golaszewski
2026-01-16 16:07 ` Laurent Pinchart
2026-01-17 12:48 ` Tzung-Bi Shih
2026-01-19 8:33 ` Bartosz Golaszewski
2026-01-21 4:17 ` Tzung-Bi Shih
2026-01-21 10:42 ` Bartosz Golaszewski
2026-01-19 14:21 ` (subset) " Bartosz Golaszewski
2026-01-20 3:13 ` Tzung-Bi Shih
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aXjgN2jGsaNQgP9o@google.com \
--to=tzungbi@kernel.org \
--cc=bleung@chromium.org \
--cc=brgl@bgdev.pl \
--cc=chrome-platform@lists.linux.dev \
--cc=corbet@lwn.net \
--cc=dakr@kernel.org \
--cc=dan.j.williams@intel.com \
--cc=gregkh@linuxfoundation.org \
--cc=jgg@nvidia.com \
--cc=johan@kernel.org \
--cc=laurent.pinchart@ideasonboard.com \
--cc=linusw@kernel.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-gpio@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-kselftest@vger.kernel.org \
--cc=rafael@kernel.org \
--cc=shuah@kernel.org \
--cc=simona.vetter@ffwll.ch \
--cc=wsa+renesas@sang-engineering.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.