* [PATCH v9 1/9] revocable: Revocable resource management
2026-04-27 13:58 [PATCH v9 0/9] drivers/base: Introduce revocable Tzung-Bi Shih
@ 2026-04-27 13:58 ` Tzung-Bi Shih
2026-04-27 13:58 ` [PATCH v9 2/9] revocable: Add KUnit test cases Tzung-Bi Shih
` (7 subsequent siblings)
8 siblings, 0 replies; 10+ messages in thread
From: Tzung-Bi Shih @ 2026-04-27 13:58 UTC (permalink / raw)
To: Arnd Bergmann, Greg Kroah-Hartman, Bartosz Golaszewski,
Linus Walleij
Cc: Benson Leung, tzungbi, linux-kernel, chrome-platform, driver-core,
linux-doc, linux-gpio, Rafael J. Wysocki, Danilo Krummrich,
Jonathan Corbet, Shuah Khan, Laurent Pinchart, Wolfram Sang,
Jason Gunthorpe, Johan Hovold, Paul E . McKenney, Dan Williams
The "revocable" mechanism is a synchronization primitive designed to
manage safe access to resources that can be asynchronously removed or
invalidated. Its primary purpose is to prevent Use-After-Free (UAF)
errors when interacting with resources whose lifetimes are not
guaranteed to outlast their consumers.
This is particularly useful in systems where resources can disappear
unexpectedly, such as those provided by hot-pluggable devices like
USB. When a consumer holds a reference to such a resource, the
underlying device might be removed, causing the resource's memory to
be freed. Subsequent access attempts by the consumer would then lead
to UAF errors.
Revocable addresses this by providing a form of "weak reference" and
a controlled access method. It allows a resource consumer to safely
attempt to access the resource. The mechanism guarantees that any
access granted is valid for the duration of its use. If the resource
has already been revoked (i.e., freed), the access attempt will fail
safely, typically by returning NULL, instead of causing a crash.
It uses a provider/consumer model built on Sleepable RCU (SRCU) to
guarantee safe memory access:
- A resource provider, such as a driver for a hot-pluggable device,
allocates a struct revocable and initializes it with a pointer
to the resource.
- A resource consumer that wants to access the resource allocates a
struct revocable_consumer containing a reference to the provider.
- To access the resource, the consumer uses revocable_try_access().
This function enters an SRCU read-side critical section and returns
the pointer to the resource. If the provider has already freed the
resource, it returns NULL. After use, the consumer calls
revocable_withdraw_access() to exit the SRCU critical section. There
are some macro level helpers for doing that.
The API provides the following contract:
- revocable_try_access() can be safely called from both process and
atomic contexts.
- It is permitted to sleep within the critical section established
between revocable_try_access() and revocable_withdraw_access().
- revocable_try_access() and the matching revocable_withdraw_access()
must occur in the same context. For example, it is illegal to
invoke revocable_withdraw_access() in an irq handler if the matching
revocable_try_access() was invoked in process context.
- When the provider needs to remove the resource, it calls
revocable_revoke(). This function sets the internal resource
pointer to NULL and then calls synchronize_srcu() to wait for all
current readers to finish before the resource can be completely torn
down.
Signed-off-by: Tzung-Bi Shih <tzungbi@kernel.org>
---
v9:
- Add revocable_embed_init() and revocable_embed_destroy() for embedded
resource provider per
https://lore.kernel.org/all/CAMRc=MehkJc-js=Wk9vBAcXOpazqjtYDLPUEhmbN8U7Wu2YpgA@mail.gmail.com
v8: https://lore.kernel.org/all/20260213092307.858908-2-tzungbi@kernel.org
- Squash:
- fdeb3ca3cca8 revocable: Remove redundant synchronize_srcu() call
- 4d7dc4d1a62d revocable: Fix races in revocable_alloc() using RCU
- 377563ce0653 revocable: fix SRCU index corruption by requiring caller-provided storage
- Rename macro names:
- REVOCABLE_TRY_ACCESS_WITH() -> revocable_try_access_with().
- REVOCABLE_TRY_ACCESS_SCOPED() -> revocable_try_access_with_scoped().
- Rename terminologies as now normal users should only "see" provider
handles, using a shorter name for provider handle to echo the main
concept.
- struct revocable -> struct revocable_consumer.
- struct revocable_provider -> struct revocable.
- revocable_provider_alloc() -> revocable_alloc().
- revocable_provider_revoke() -> revocable_revoke().
- New APIs:
- revocable_get().
- revocable_put().
- revocable_try_access_or_return_err().
- revocable_try_access_or_return().
- revocable_try_access_or_return_void().
- revocable_try_access_or_return_err_scoped().
- revocable_try_access_or_return_scoped().
- revocable_try_access_or_void_scoped().
- revocable_try_access_or_skip_scoped().
- Add API contract that revocable_try_access() works from process and
atomic context while also allowing sleeping inside the critical
sections.
- Add revocable.h to the DRIVER CORE entry in MAINTAINERS.
v7: https://lore.kernel.org/all/20260116080235.350305-2-tzungbi@kernel.org
- "2025" -> "2026" in copyright.
- Documentation/
- Rephrase section "Revocable vs. Devres (devm)".
- Include sections for struct revocable_provider and struct revocable.
- Minor rename: "revocable" -> "access_rev" for DEFINE_FREE().
- Add Acked-by tag.
v6: https://lore.kernel.org/all/20251106152330.11733-2-tzungbi@kernel.org
- Rename REVOCABLE_TRY_ACCESS_WITH() -> REVOCABLE_TRY_ACCESS_SCOPED().
- Add new REVOCABLE_TRY_ACCESS_WITH().
- Remove Acked-by tags as the API names changed a bit.
v5: https://lore.kernel.org/all/20251016054204.1523139-2-tzungbi@kernel.org
- No changes.
v4: https://lore.kernel.org/all/20250923075302.591026-2-tzungbi@kernel.org
- Rename:
- revocable_provider_free() -> revocable_provider_revoke().
- REVOCABLE() -> REVOCABLE_TRY_ACCESS_WITH().
- revocable_release() -> revocable_withdraw_access().
- rcu_dereference() -> srcu_dereference() to fix a warning from lock debugging.
- Move most docs to kernel-doc, include them in Documentation/, and modify the
commit message accordingly.
- Fix some doc errors.
- Add Acked-by tags.
v3: https://lore.kernel.org/all/20250912081718.3827390-2-tzungbi@kernel.org
- No changes.
v2: https://lore.kernel.org/all/20250820081645.847919-2-tzungbi@kernel.org
- Rename "ref_proxy" -> "revocable".
- Add introduction in kernel-doc format in revocable.c.
- Add MAINTAINERS entry.
- Add copyright.
- Move from lib/ to drivers/base/.
- EXPORT_SYMBOL() -> EXPORT_SYMBOL_GPL().
- Add Documentation/.
- Rename _get() -> try_access(); _put() -> release().
- Fix a sparse warning by removing the redundant __rcu annotations.
- Fix a sparse warning by adding __acquires() and __releases() annotations.
v1: https://lore.kernel.org/all/20250814091020.1302888-2-tzungbi@kernel.org
A way to verify Documentation/:
- `make O=build SPHINXDIRS=driver-api/driver-model/ htmldocs`.
---
.../driver-api/driver-model/index.rst | 1 +
.../driver-api/driver-model/revocable.rst | 384 ++++++++++++++++++
MAINTAINERS | 9 +
drivers/base/Makefile | 2 +-
drivers/base/revocable.c | 298 ++++++++++++++
include/linux/revocable.h | 214 ++++++++++
6 files changed, 907 insertions(+), 1 deletion(-)
create mode 100644 Documentation/driver-api/driver-model/revocable.rst
create mode 100644 drivers/base/revocable.c
create mode 100644 include/linux/revocable.h
diff --git a/Documentation/driver-api/driver-model/index.rst b/Documentation/driver-api/driver-model/index.rst
index abeb4b36636b..cc90b20bb192 100644
--- a/Documentation/driver-api/driver-model/index.rst
+++ b/Documentation/driver-api/driver-model/index.rst
@@ -14,3 +14,4 @@ Driver Model
overview
platform
porting
+ revocable
diff --git a/Documentation/driver-api/driver-model/revocable.rst b/Documentation/driver-api/driver-model/revocable.rst
new file mode 100644
index 000000000000..025607904404
--- /dev/null
+++ b/Documentation/driver-api/driver-model/revocable.rst
@@ -0,0 +1,384 @@
+.. SPDX-License-Identifier: GPL-2.0
+
+==============================
+Revocable Resource Management
+==============================
+
+Overview
+========
+
+.. kernel-doc:: drivers/base/revocable.c
+ :doc: Overview
+
+Revocable vs. Devres (devm)
+===========================
+
+Revocable and Devres address different problems in resource management:
+
+* **Devres:** Primarily addresses **resource leaks**. The lifetime of the
+ resources is tied to the lifetime of the device. The resource is
+ automatically freed when the device is unbound. This cleanup happens
+ irrespective of any potential active users.
+
+* **Revocable:** Primarily addresses **invalid memory access**,
+ such as Use-After-Free (UAF). It's an independent synchronization
+ primitive that decouples consumer access from the resource's actual
+ presence. Consumers interact with a "revocable object" (an intermediary),
+ not the underlying resource directly. This revocable object persists as
+ long as there are active references to it from consumer handles.
+
+**Key Distinctions & How They Complement Each Other:**
+
+1. **Reference Target:** Consumers hold a reference to the *revocable object*,
+ not the encapsulated resource itself.
+
+2. **Resource Lifetime vs. Access:** The underlying resource's lifetime is
+ independent of the number of references to the revocable object. The
+ resource can be freed at any point. A common scenario is the resource
+ being freed by `devres` when the providing device is unbound.
+
+3. **Safe Access:** Revocable provides a safe way to attempt access. Before
+ using the resource, a consumer uses the Revocable API (e.g.,
+ revocable_try_access()). This function checks if the resource is still
+ valid. It returns a pointer to the resource only if it hasn't been
+ revoked; otherwise, it returns NULL. This prevents UAF by providing a
+ clear signal that the resource is gone.
+
+4. **Complementary Usage:** `devres` and Revocable work well together.
+ `devres` can handle the automatic allocation and deallocation of a
+ resource tied to a device. The Revocable mechanism can be layered on top
+ to provide safe access for consumers whose lifetimes might extend beyond
+ the provider device's lifetime. For instance, a userspace program might
+ keep a character device file open even after the physical device has been
+ removed. In this case:
+
+ * `devres` frees the device-specific resource upon unbinding.
+ * The Revocable mechanism ensures that any subsequent operations on the
+ open file handle, which attempt to access the now-freed resource,
+ will fail gracefully (e.g., revocable_try_access() returns NULL)
+ instead of causing a UAF.
+
+In summary, `devres` ensures resources are *released* to prevent leaks, while
+the Revocable mechanism ensures that attempts to *access* these resources are
+done safely, even if the resource has been released.
+
+API and Usage
+=============
+
+For Resource Providers
+----------------------
+
+There are two ways to manage the resource provider handle (``struct revocable``):
+
+Dynamic Allocation
+~~~~~~~~~~~~~~~~~~
+
+If the lifetime of the ``struct revocable`` is not tied to another specific
+kernel object, or if multiple independent consumers need to hold references,
+dynamic allocation should be used.
+
+* **Creation:** Use revocable_alloc() to allocate and initialize.
+* **Ownership:** The caller receives a reference, and the provider holds
+ another.
+* **Revocation:** Call revocable_revoke() when the resource is going away.
+ This drops the provider's reference.
+* **Cleanup:** The caller *must* call revocable_put() to release its reference
+ when it no longer needs the handle. The memory is freed automatically when
+ the last reference is dropped.
+
+Embedded Allocation
+~~~~~~~~~~~~~~~~~~~
+
+If the ``struct revocable`` can be embedded within a parent kernel object
+(e.g., a device struct), this method can be simpler as the lifetime is
+inherently tied to the parent.
+
+* **Initialization:** Declare a ``struct revocable`` within your parent
+ structure and initialize it with revocable_embed_init().
+* **Revocation:** Call revocable_revoke() when the resource is going away.
+* **Cleanup:** The owner *must* call revocable_embed_destroy() during the
+ parent object's teardown process and ensuring no more consumers can access
+ it. This cleans up internal resources like the SRCU domain. The memory
+ for the ``struct revocable`` is freed when the parent object is freed.
+
+.. kernel-doc:: include/linux/revocable.h
+ :identifiers: revocable
+
+.. kernel-doc:: drivers/base/revocable.c
+ :identifiers: revocable_get
+
+.. kernel-doc:: drivers/base/revocable.c
+ :identifiers: revocable_put
+
+.. kernel-doc:: drivers/base/revocable.c
+ :identifiers: revocable_alloc
+
+.. kernel-doc:: drivers/base/revocable.c
+ :identifiers: revocable_revoke
+
+.. kernel-doc:: drivers/base/revocable.c
+ :identifiers: revocable_embed_init
+
+.. kernel-doc:: drivers/base/revocable.c
+ :identifiers: revocable_embed_destroy
+
+Example Usage (Dynamic Allocation)
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. code-block:: c
+
+ struct foo_device {
+ struct revocable *rev;
+ ...
+ };
+
+ int foo_device_probe(struct device *dev)
+ {
+ struct foo_device *foo_dev;
+ void *res;
+ int ret;
+
+ foo_dev = devm_kzalloc(dev, sizeof(*foo_dev), GFP_KERNEL);
+ if (!foo_dev)
+ return -ENOMEM;
+
+ // Acquire the actual resource.
+ res = ...(...);
+
+ // Allocate the revocable handle.
+ foo_dev->rev = revocable_alloc(res);
+ if (!foo_dev->rev)
+ return -ENOMEM;
+
+ dev_set_drvdata(dev, foo_dev);
+ // ... further device setup ...
+ return 0;
+ }
+
+ void foo_device_remove(struct device *dev)
+ {
+ struct foo_device *foo_dev = dev_get_drvdata(dev);
+
+ // Drop the reference.
+ revocable_put(foo_dev->rev);
+ }
+
+ // Provider side would use revocable_revoke() on foo_dev->rev.
+ // Consumer side would use revocable_try_access_* macros on foo_dev->rev.
+
+Example Usage (Embedded Allocation)
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. code-block:: c
+
+ struct foo_device {
+ struct revocable rev;
+ ...
+ };
+
+ int foo_device_probe(struct device *dev)
+ {
+ struct foo_device *foo_dev;
+ void *res;
+ int ret;
+
+ foo_dev = devm_kzalloc(dev, sizeof(*foo_dev), GFP_KERNEL);
+ if (!foo_dev)
+ return -ENOMEM;
+
+ // Acquire the actual resource.
+ res = ...(...);
+
+ // Initialize the embedded revocable.
+ ret = revocable_embed_init(&foo_dev->rev, res);
+ if (ret)
+ return ret;
+
+ dev_set_drvdata(dev, foo_dev);
+ // ... further device setup ...
+ return 0;
+ }
+
+ void foo_device_remove(struct device *dev)
+ {
+ struct foo_device *foo_dev = dev_get_drvdata(dev);
+
+ // Cleanup the embedded revocable internal state.
+ revocable_embed_destroy(&foo_dev->rev);
+ }
+
+ // Provider side would use revocable_revoke() on &foo_dev->rev.
+ // Consumer side would use revocable_try_access_* macros on &foo_dev->rev.
+
+For Resource Consumers
+----------------------
+.. kernel-doc:: include/linux/revocable.h
+ :identifiers: revocable_consumer
+
+.. kernel-doc:: drivers/base/revocable.c
+ :identifiers: revocable_init
+
+.. kernel-doc:: drivers/base/revocable.c
+ :identifiers: revocable_deinit
+
+.. kernel-doc:: drivers/base/revocable.c
+ :identifiers: revocable_try_access
+
+.. kernel-doc:: drivers/base/revocable.c
+ :identifiers: revocable_withdraw_access
+
+.. kernel-doc:: include/linux/revocable.h
+ :identifiers: revocable_try_access_with
+
+Example Usage
+~~~~~~~~~~~~~
+
+.. code-block:: c
+
+ int consumer_use_resource(struct revocable *rev)
+ {
+ struct foo_resource *res;
+
+ revocable_try_access_with(rev, res);
+ // Always check if the resource is valid.
+ if (!res) {
+ pr_warn("Resource is not available\n");
+ return -EAGAIN;
+ }
+
+ // 'res' is guaranteed to be valid until this function exits.
+ do_something_with(res);
+ return 0;
+ } // revocable_withdraw_access() is automatically called here.
+
+.. kernel-doc:: include/linux/revocable.h
+ :identifiers: revocable_try_access_or_return_err
+
+Example Usage
+~~~~~~~~~~~~~
+
+.. code-block:: c
+
+ int consumer_use_resource(struct revocable *rev)
+ {
+ struct foo_resource *res;
+
+ // Returns -ENXIO if access fails.
+ revocable_try_access_or_return_err(rev, res, -ENXIO);
+
+ // 'res' is guaranteed to be valid if we reach here.
+ do_something_with(res);
+ return 0;
+ } // revocable_withdraw_access() is automatically called here.
+
+.. kernel-doc:: include/linux/revocable.h
+ :identifiers: revocable_try_access_or_return
+
+Example Usage
+~~~~~~~~~~~~~
+
+.. code-block:: c
+
+ int consumer_use_resource(struct revocable *rev)
+ {
+ struct foo_resource *res;
+
+ // Returns -ENODEV if access fails.
+ revocable_try_access_or_return(rev, res);
+
+ // 'res' is guaranteed to be valid if we reach here.
+ do_something_with(res);
+ return 0;
+ } // revocable_withdraw_access() is automatically called here.
+
+.. kernel-doc:: include/linux/revocable.h
+ :identifiers: revocable_try_access_with_scoped
+
+Example Usage
+~~~~~~~~~~~~~
+
+.. code-block:: c
+
+ int consumer_use_resource(struct revocable *rev)
+ {
+ struct foo_resource *res;
+
+ revocable_try_access_with_scoped(rev, res) {
+ // Always check if the resource is valid.
+ if (!res) {
+ pr_warn("Resource is not available\n");
+ return -EAGAIN;
+ }
+
+ // 'res' is valid for the rest of this block.
+ do_something_with(res);
+ }
+ // revocable_withdraw_access() is automatically called here.
+
+ return 0;
+ }
+
+.. kernel-doc:: include/linux/revocable.h
+ :identifiers: revocable_try_access_or_return_err_scoped
+
+Example Usage
+~~~~~~~~~~~~~
+
+.. code-block:: c
+
+ int consumer_use_resource(struct revocable *rev)
+ {
+ struct foo_resource *res;
+
+ // Returns -ENXIO if access fails.
+ revocable_try_access_or_return_err_scoped(rev, res, -ENXIO) {
+ // 'res' is guaranteed to be valid in this block.
+ do_something_with(res);
+ }
+ // revocable_withdraw_access() is automatically called here.
+
+ return 0; // Only reached if resource was accessed.
+ }
+
+.. kernel-doc:: include/linux/revocable.h
+ :identifiers: revocable_try_access_or_return_scoped
+
+Example Usage
+~~~~~~~~~~~~~
+
+.. code-block:: c
+
+ int consumer_use_resource(struct revocable *rev)
+ {
+ struct foo_resource *res;
+
+ // Returns -ENODEV if access fails.
+ revocable_try_access_or_return_scoped(rev, res) {
+ // 'res' is guaranteed to be valid in this block.
+ do_something_with(res);
+ }
+ // revocable_withdraw_access() is automatically called here.
+
+ return 0; // Only reached if resource was accessed.
+ }
+
+.. kernel-doc:: include/linux/revocable.h
+ :identifiers: revocable_try_access_or_skip_scoped
+
+Example Usage
+~~~~~~~~~~~~~
+
+.. code-block:: c
+
+ int consumer_use_resource(struct revocable *rev)
+ {
+ struct foo_resource *res;
+
+ revocable_try_access_or_skip_scoped(rev, res) {
+ // This block is ONLY entered if 'res' is not NULL.
+ do_something_with(res);
+ }
+ // revocable_withdraw_access() is automatically called here.
+
+ return 0;
+ }
diff --git a/MAINTAINERS b/MAINTAINERS
index 2fb1c75afd16..6ec3a7cb5e6b 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -7808,6 +7808,7 @@ F: include/linux/fwnode.h
F: include/linux/kobj*
F: include/linux/ksysfs.h
F: include/linux/property.h
+F: include/linux/revocable.h
F: include/linux/sysfs.h
F: kernel/ksysfs.c
F: lib/kobj*
@@ -22824,6 +22825,14 @@ F: include/uapi/linux/rseq.h
F: kernel/rseq.c
F: tools/testing/selftests/rseq/
+REVOCABLE RESOURCE MANAGEMENT
+M: Tzung-Bi Shih <tzungbi@kernel.org>
+L: driver-core@lists.linux.dev
+S: Maintained
+T: git git://git.kernel.org/pub/scm/linux/kernel/git/driver-core/driver-core.git
+F: drivers/base/revocable.c
+F: include/linux/revocable.h
+
RFKILL
M: Johannes Berg <johannes@sipsolutions.net>
L: linux-wireless@vger.kernel.org
diff --git a/drivers/base/Makefile b/drivers/base/Makefile
index 8074a10183dc..bdf854694e39 100644
--- a/drivers/base/Makefile
+++ b/drivers/base/Makefile
@@ -6,7 +6,7 @@ obj-y := component.o core.o bus.o dd.o syscore.o \
cpu.o firmware.o init.o map.o devres.o \
attribute_container.o transport_class.o \
topology.o container.o property.o cacheinfo.o \
- swnode.o faux.o
+ swnode.o faux.o revocable.o
obj-$(CONFIG_AUXILIARY_BUS) += auxiliary.o
obj-$(CONFIG_DEVTMPFS) += devtmpfs.o
obj-y += power/
diff --git a/drivers/base/revocable.c b/drivers/base/revocable.c
new file mode 100644
index 000000000000..07f05e2a314b
--- /dev/null
+++ b/drivers/base/revocable.c
@@ -0,0 +1,298 @@
+// SPDX-License-Identifier: GPL-2.0
+/*
+ * Copyright 2026 Google LLC
+ *
+ * Revocable resource management
+ */
+
+#include <linux/kref.h>
+#include <linux/revocable.h>
+#include <linux/slab.h>
+#include <linux/srcu.h>
+
+/**
+ * DOC: Overview
+ *
+ * The "revocable" mechanism is a synchronization primitive designed to
+ * manage safe access to resources that can be asynchronously removed or
+ * invalidated. Its primary purpose is to prevent Use-After-Free (UAF)
+ * errors when interacting with resources whose lifetimes are not
+ * guaranteed to outlast their consumers.
+ *
+ * This is particularly useful in systems where resources can disappear
+ * unexpectedly, such as those provided by hot-pluggable devices like
+ * USB. When a consumer holds a reference to such a resource, the
+ * underlying device might be removed, causing the resource's memory to
+ * be freed. Subsequent access attempts by the consumer would then lead
+ * to UAF errors.
+ *
+ * Revocable addresses this by providing a form of "weak reference" and
+ * a controlled access method. It allows a resource consumer to safely
+ * attempt to access the resource. The mechanism guarantees that any
+ * access granted is valid for the duration of its use. If the resource
+ * has already been revoked (i.e., freed), the access attempt will fail
+ * safely, typically by returning NULL, instead of causing a crash.
+ *
+ * It uses a provider/consumer model built on Sleepable RCU (SRCU) to
+ * guarantee safe memory access:
+ *
+ * - A resource provider, such as a driver for a hot-pluggable device,
+ * allocates a struct revocable and initializes it with a pointer
+ * to the resource.
+ *
+ * - A resource consumer that wants to access the resource allocates a
+ * struct revocable_consumer containing a reference to the provider.
+ *
+ * - To access the resource, the consumer uses revocable_try_access().
+ * This function enters an SRCU read-side critical section and returns
+ * the pointer to the resource. If the provider has already freed the
+ * resource, it returns NULL. After use, the consumer calls
+ * revocable_withdraw_access() to exit the SRCU critical section. There
+ * are some macro level helpers for doing that.
+ *
+ * The API provides the following contract:
+ *
+ * - revocable_try_access() can be safely called from both process and
+ * atomic contexts.
+ * - It is permitted to sleep within the critical section established
+ * between revocable_try_access() and revocable_withdraw_access().
+ * - revocable_try_access() and the matching revocable_withdraw_access()
+ * must occur in the same context. For example, it is illegal to
+ * invoke revocable_withdraw_access() in an irq handler if the matching
+ * revocable_try_access() was invoked in process context.
+ *
+ * - When the provider needs to remove the resource, it calls
+ * revocable_revoke(). This function sets the internal resource
+ * pointer to NULL and then calls synchronize_srcu() to wait for all
+ * current readers to finish before the resource can be completely torn
+ * down.
+ */
+
+static int revocable_core_init(struct revocable *rev, void *res)
+{
+ int ret;
+
+ ret = init_srcu_struct(&rev->srcu);
+ if (ret)
+ return ret;
+
+ RCU_INIT_POINTER(rev->res, res);
+ return 0;
+}
+
+static void revocable_core_destroy(struct revocable *rev)
+{
+ cleanup_srcu_struct(&rev->srcu);
+}
+
+static void revocable_release(struct kref *kref)
+{
+ struct revocable *rev = container_of(kref, typeof(*rev), kref);
+
+ revocable_core_destroy(rev);
+ kfree(rev);
+}
+
+/**
+ * revocable_get() - Increase a reference count to the provider handle.
+ * @rev: The pointer of resource provider.
+ *
+ * This increments the reference count *only* if @rev was dynamically
+ * allocated (i.e., REVOCABLE_DYNAMIC).
+ *
+ * It is a no-op for embedded resource provider handles.
+ */
+void revocable_get(struct revocable *rev)
+{
+ if (rev->alloc_type != REVOCABLE_DYNAMIC)
+ return;
+ kref_get(&rev->kref);
+}
+EXPORT_SYMBOL_GPL(revocable_get);
+
+/**
+ * revocable_put() - Decrease a reference count to the provider handle.
+ * @rev: The pointer of resource provider.
+ *
+ * This decrements the reference count *only* if @rev was dynamically
+ * allocated (i.e., REVOCABLE_DYNAMIC). If it is the final reference,
+ * revocable_release() will be called to free the struct.
+ *
+ * It is a no-op for embedded resource provider handles.
+ */
+void revocable_put(struct revocable *rev)
+{
+ if (rev->alloc_type != REVOCABLE_DYNAMIC)
+ return;
+ kref_put(&rev->kref, revocable_release);
+}
+EXPORT_SYMBOL_GPL(revocable_put);
+
+/**
+ * revocable_alloc() - Allocate struct revocable.
+ * @res: The pointer of resource.
+ *
+ * This allocates a resource provider handle and holds 2 initial reference
+ * counts to the handle. If revocable_alloc() succeed:
+ *
+ * - The provider should call revocable_revoke() for dropping a reference.
+ * - The caller should call revocable_put() for dropping another reference.
+ *
+ * Return: The pointer of struct revocable. NULL on errors.
+ */
+struct revocable *revocable_alloc(void *res)
+{
+ struct revocable *rev;
+ int ret;
+
+ rev = kzalloc(sizeof(*rev), GFP_KERNEL);
+ if (!rev)
+ return NULL;
+
+ ret = revocable_core_init(rev, res);
+ if (ret) {
+ kfree(rev);
+ return NULL;
+ }
+
+ kref_init(&rev->kref);
+ kref_get(&rev->kref);
+ rev->alloc_type = REVOCABLE_DYNAMIC;
+ return rev;
+}
+EXPORT_SYMBOL_GPL(revocable_alloc);
+
+/**
+ * revocable_revoke() - Revoke the managed resource.
+ * @rev: The pointer of resource provider.
+ *
+ * This sets the resource `(struct revocable *)->res` to NULL to indicate
+ * the resource has gone.
+ *
+ * (Only for dynamic allocated resource provider)
+ * This drops a refcount to the resource provider. If it is the final
+ * reference, revocable_release() will be called to free the struct.
+ */
+void revocable_revoke(struct revocable *rev)
+{
+ rcu_assign_pointer(rev->res, NULL);
+ synchronize_srcu(&rev->srcu);
+ revocable_put(rev);
+}
+EXPORT_SYMBOL_GPL(revocable_revoke);
+
+/**
+ * revocable_embed_init() - Initialize an embedded struct revocable.
+ * @rev: The pointer of resource provider.
+ * @res: The pointer of resource.
+ *
+ * This initializes the embedded resource provider. The caller should call
+ * revocable_embed_destroy() after using it for destroying the internal
+ * resources.
+ */
+int revocable_embed_init(struct revocable *rev, void *res)
+{
+ int ret;
+
+ ret = revocable_core_init(rev, res);
+ if (ret)
+ return ret;
+
+ rev->alloc_type = REVOCABLE_EMBEDDED;
+ return 0;
+}
+EXPORT_SYMBOL_GPL(revocable_embed_init);
+
+/**
+ * revocable_embed_destroy() - Destroy an embedded struct revocable.
+ * @rev: The pointer of resource provider.
+ *
+ * This destroys the embedded resource provider.
+ */
+void revocable_embed_destroy(struct revocable *rev)
+{
+ WARN_ON_ONCE(rev->alloc_type != REVOCABLE_EMBEDDED);
+ revocable_core_destroy(rev);
+}
+EXPORT_SYMBOL_GPL(revocable_embed_destroy);
+
+/**
+ * revocable_init() - Initialize struct revocable_consumer.
+ * @rev: The pointer of resource provider.
+ * @rc: The pointer of resource consumer.
+ *
+ * This holds a refcount to the resource provider.
+ */
+void revocable_init(struct revocable *rev, struct revocable_consumer *rc)
+{
+ revocable_get(rev);
+ rc->rev = rev;
+}
+EXPORT_SYMBOL_GPL(revocable_init);
+
+/**
+ * revocable_deinit() - Deinitialize struct revocable_consumer.
+ * @rc: The pointer of resource consumer.
+ *
+ * (Only for dynamic allocated resource provider)
+ * This drops a refcount to the resource provider. If it is the final
+ * reference, revocable_release() will be called to free the struct.
+ */
+void revocable_deinit(struct revocable_consumer *rc)
+{
+ struct revocable *rev = rc->rev;
+
+ revocable_put(rev);
+}
+EXPORT_SYMBOL_GPL(revocable_deinit);
+
+/**
+ * revocable_try_access() - Try to access the resource.
+ * @rc: The pointer of resource consumer.
+ *
+ * This tries to de-reference to the resource and enters a SRCU critical
+ * section.
+ *
+ * The function is safe to be called from both process and atomic contexts.
+ * While holding the access (i.e. before calling revocable_withdraw_access()),
+ * the caller is allowed to sleep.
+ *
+ * Note that revocable_try_access() and the matching
+ * revocable_withdraw_access() must occur in the same context. For example, it
+ * is illegal to invoke revocable_withdraw_access() in an irq handler if the
+ * matching revocable_try_access() was invoked in process context.
+ *
+ * Return: The pointer to the resource. NULL if the resource has gone.
+ */
+void *revocable_try_access(struct revocable_consumer *rc)
+ __acquires(&rc->rev->srcu)
+{
+ struct revocable *rev = rc->rev;
+
+ rc->idx = srcu_read_lock(&rev->srcu);
+ return srcu_dereference(rev->res, &rev->srcu);
+}
+EXPORT_SYMBOL_GPL(revocable_try_access);
+
+/**
+ * revocable_withdraw_access() - Stop accessing to the resource.
+ * @rc: The pointer of resource consumer.
+ *
+ * Call this function to indicate the resource is no longer used. It exits
+ * the SRCU critical section.
+ *
+ * The function is safe to be called from both process and atomic contexts.
+ *
+ * Note that revocable_try_access() and the matching
+ * revocable_withdraw_access() must occur in the same context. For example, it
+ * is illegal to invoke revocable_withdraw_access() in an irq handler if the
+ * matching revocable_try_access() was invoked in process context.
+ */
+void revocable_withdraw_access(struct revocable_consumer *rc)
+ __releases(&rc->rev->srcu)
+{
+ struct revocable *rev = rc->rev;
+
+ srcu_read_unlock(&rev->srcu, rc->idx);
+}
+EXPORT_SYMBOL_GPL(revocable_withdraw_access);
diff --git a/include/linux/revocable.h b/include/linux/revocable.h
new file mode 100644
index 000000000000..2bcf23f01ace
--- /dev/null
+++ b/include/linux/revocable.h
@@ -0,0 +1,214 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+/*
+ * Copyright 2026 Google LLC
+ */
+
+#ifndef __LINUX_REVOCABLE_H
+#define __LINUX_REVOCABLE_H
+
+#include <linux/cleanup.h>
+#include <linux/compiler.h>
+#include <linux/kref.h>
+#include <linux/srcu.h>
+
+/**
+ * enum revocable_alloc_type - The allocation method for a revocable provider.
+ * @REVOCABLE_DYNAMIC: The struct revocable was dynamically allocated using
+ * revocable_alloc() and its lifetime is managed by
+ * reference counting.
+ * @REVOCABLE_EMBEDDED: The struct revocable is embedded within another
+ * structure. Its lifetime is tied to the parent
+ * structure and is not reference counted.
+ */
+enum revocable_alloc_type {
+ REVOCABLE_DYNAMIC,
+ REVOCABLE_EMBEDDED,
+};
+
+/**
+ * struct revocable - A handle for resource provider.
+ * @srcu: The SRCU to protect the resource.
+ * @res: The pointer of resource. It can point to anything.
+ * @kref: The refcount for this handle.
+ * @alloc_type: The memory allocation type.
+ */
+struct revocable {
+ struct srcu_struct srcu;
+ void __rcu *res;
+ struct kref kref;
+ enum revocable_alloc_type alloc_type;
+};
+
+/**
+ * struct revocable_consumer - A handle for resource consumer.
+ * @rev: The pointer of resource provider.
+ * @idx: The index for the SRCU critical section.
+ */
+struct revocable_consumer {
+ struct revocable *rev;
+ int idx;
+};
+
+void revocable_get(struct revocable *rev);
+void revocable_put(struct revocable *rev);
+
+struct revocable *revocable_alloc(void *res);
+void revocable_revoke(struct revocable *rev);
+int revocable_embed_init(struct revocable *rev, void *res);
+void revocable_embed_destroy(struct revocable *rev);
+
+void revocable_init(struct revocable *rev, struct revocable_consumer *rc);
+void revocable_deinit(struct revocable_consumer *rc);
+void *revocable_try_access(struct revocable_consumer *rc)
+ __acquires(&rc->rev->srcu);
+void revocable_withdraw_access(struct revocable_consumer *rc)
+ __releases(&rc->rev->srcu);
+
+DEFINE_FREE(access_rev, struct revocable_consumer *, {
+ revocable_withdraw_access(_T);
+ revocable_deinit(_T);
+})
+
+#define _revocable_try_access_with(_rev, _rc, _res) \
+ struct revocable_consumer _rc; \
+ struct revocable_consumer *__UNIQUE_ID(name) __free(access_rev) = &_rc; \
+ revocable_init(_rev, &_rc); \
+ _res = revocable_try_access(&_rc)
+
+/**
+ * revocable_try_access_with() - A helper for accessing revocable resource
+ * @_rev: The pointer of resource provider.
+ * @_res: A pointer variable that will be assigned the resource.
+ *
+ * The macro simplifies the access-release cycle for consumers, ensuring that
+ * corresponding revocable_withdraw_access() and revocable_deinit() are called,
+ * even in the case of an early exit.
+ *
+ * It creates a local variable in the current scope. @_res is populated with
+ * the result of revocable_try_access(). Callers **must** check if @_res is
+ * ``NULL`` before using it. The revocable_withdraw_access() function is
+ * automatically called when the scope is exited.
+ *
+ * Note: It shares the same issue with guard() in cleanup.h. No goto statements
+ * are allowed before the helper. Otherwise, the compiler fails with
+ * "jump bypasses initialization of variable with __attribute__((cleanup))".
+ */
+#define revocable_try_access_with(_rev, _res) \
+ _revocable_try_access_with(_rev, __UNIQUE_ID(name), _res)
+
+/**
+ * revocable_try_access_or_return_err() - Variant of revocable_try_access_with()
+ * @_rev: The pointer of resource provider.
+ * @_res: A pointer variable that will be assigned the resource.
+ * @_err: The error code to return if resource is revoked.
+ *
+ * Similar to revocable_try_access_with() but returns from the current function
+ * with @_err if the resource is revoked. Callers don't need to check @_res for
+ * ``NULL`` as this handles the revocation case by returning early.
+ */
+#define revocable_try_access_or_return_err(_rev, _res, _err) \
+ _revocable_try_access_with(_rev, __UNIQUE_ID(name), _res); \
+ if (!_res) \
+ return _err
+
+/**
+ * revocable_try_access_or_return() - Variant of revocable_try_access_with()
+ * @_rev: The pointer of resource provider.
+ * @_res: A pointer variable that will be assigned the resource.
+ *
+ * Similar to revocable_try_access_or_return_err() but returns -ENODEV if the
+ * resource is revoked.
+ */
+#define revocable_try_access_or_return(_rev, _res) \
+ revocable_try_access_or_return_err(_rev, _res, -ENODEV)
+
+/**
+ * revocable_try_access_or_return_void() - Variant of revocable_try_access_with()
+ * @_rev: The pointer of resource provider.
+ * @_res: A pointer variable that will be assigned the resource.
+ *
+ * Similar to revocable_try_access_or_return_err() but returns void if the
+ * resource is revoked.
+ */
+#define revocable_try_access_or_return_void(_rev, _res) \
+ revocable_try_access_or_return_err(_rev, _res, )
+
+#define _revocable_try_access_with_scoped(_rev, _rc, _label, _res) \
+ for (struct revocable_consumer _rc, \
+ *__UNIQUE_ID(name) __free(access_rev) = &_rc; \
+ ({ revocable_init(_rev, &_rc); \
+ _res = revocable_try_access(&_rc); \
+ true; }); \
+ ({ goto _label; })) \
+ if (0) { \
+_label: \
+ break; \
+ } else
+
+/**
+ * revocable_try_access_with_scoped() - Variant of revocable_try_access_with()
+ * @_rev: The pointer of resource provider.
+ * @_res: A pointer variable that will be assigned the resource.
+ *
+ * Similar to revocable_try_access_with() but with an explicit scope from a
+ * temporary ``for`` loop.
+ */
+#define revocable_try_access_with_scoped(_rev, _res) \
+ _revocable_try_access_with_scoped(_rev, __UNIQUE_ID(name), \
+ __UNIQUE_ID(label), _res)
+
+/**
+ * revocable_try_access_or_return_err_scoped() - Variant of revocable_try_access_with_scoped()
+ * @_rev: The pointer of resource provider.
+ * @_res: A pointer variable that will be assigned the resource.
+ * @_err: The error code to return if resource is revoked.
+ *
+ * Similar to revocable_try_access_with_scoped() but returns from the current
+ * function with @_err if the resource is revoked. Callers don't need to check
+ * @_res for ``NULL`` as this handles the revocation case by returning early.
+ */
+#define revocable_try_access_or_return_err_scoped(_rev, _res, _err) \
+ _revocable_try_access_with_scoped(_rev, __UNIQUE_ID(name), \
+ __UNIQUE_ID(label), _res) \
+ if (!_res) { \
+ return _err; \
+ } else
+
+/**
+ * revocable_try_access_or_return_scoped() - Variant of revocable_try_access_with_scoped()
+ * @_rev: The pointer of resource provider.
+ * @_res: A pointer variable that will be assigned the resource.
+ *
+ * Similar to revocable_try_access_or_return_err_scoped() but returns -ENODEV
+ * if the resource is revoked.
+ */
+#define revocable_try_access_or_return_scoped(_rev, _res) \
+ revocable_try_access_or_return_err_scoped(_rev, _res, -ENODEV)
+
+/**
+ * revocable_try_access_or_return_void_scoped() - Variant of revocable_try_access_with_scoped()
+ * @_rev: The pointer of resource provider.
+ * @_res: A pointer variable that will be assigned the resource.
+ *
+ * Similar to revocable_try_access_or_return_err_scoped() but returns void
+ * if the resource is revoked.
+ */
+#define revocable_try_access_or_return_void_scoped(_rev, _res) \
+ revocable_try_access_or_return_err_scoped(_rev, _res, )
+
+/**
+ * revocable_try_access_or_skip_scoped() - Variant of revocable_try_access_with_scoped()
+ * @_rev: The pointer of resource provider.
+ * @_res: A pointer variable that will be assigned the resource.
+ *
+ * Similar to revocable_try_access_with_scoped() but skips the following code
+ * block if the resource is revoked.
+ */
+#define revocable_try_access_or_skip_scoped(_rev, _res) \
+ _revocable_try_access_with_scoped(_rev, __UNIQUE_ID(name), \
+ __UNIQUE_ID(label), _res) \
+ if (!_res) { \
+ break; \
+ } else
+
+#endif /* __LINUX_REVOCABLE_H */
--
2.51.0
^ permalink raw reply related [flat|nested] 10+ messages in thread* [PATCH v9 2/9] revocable: Add KUnit test cases
2026-04-27 13:58 [PATCH v9 0/9] drivers/base: Introduce revocable Tzung-Bi Shih
2026-04-27 13:58 ` [PATCH v9 1/9] revocable: Revocable resource management Tzung-Bi Shih
@ 2026-04-27 13:58 ` Tzung-Bi Shih
2026-04-27 13:58 ` [PATCH v9 3/9] gpio: Add revocable provider handle for struct gpio_chip Tzung-Bi Shih
` (6 subsequent siblings)
8 siblings, 0 replies; 10+ messages in thread
From: Tzung-Bi Shih @ 2026-04-27 13:58 UTC (permalink / raw)
To: Arnd Bergmann, Greg Kroah-Hartman, Bartosz Golaszewski,
Linus Walleij
Cc: Benson Leung, tzungbi, linux-kernel, chrome-platform, driver-core,
linux-doc, linux-gpio, Rafael J. Wysocki, Danilo Krummrich,
Jonathan Corbet, Shuah Khan, Laurent Pinchart, Wolfram Sang,
Jason Gunthorpe, Johan Hovold, Paul E . McKenney, Dan Williams
Add KUnit test cases for the revocable API.
The test cases cover the following scenarios:
- Basic: Verifies that a consumer can successfully access the resource.
- Revocation: Verifies that after the provider revokes the resource,
the consumer correctly receives a NULL pointer on a subsequent access.
- Try Access Macro: Same as "Revocation" but uses the macro level
helpers.
- Concurrent Access: Verifies multiple threads can access the resource.
Signed-off-by: Tzung-Bi Shih <tzungbi@kernel.org>
---
v9:
- Add test cases for embedded resource provider.
v8: https://lore.kernel.org/all/20260213092307.858908-3-tzungbi@kernel.org
- Squash:
- c259cd7ea3c9 revocable: fix missing module license and description
- a243f7fb11fe revocable: Add KUnit test for provider lifetime races
- 988357628c2c revocable: Add KUnit test for concurrent access
- Change accordingly due to its dependency "revocable: Revocable resource
management" changes.
v7: https://lore.kernel.org/all/20260116080235.350305-3-tzungbi@kernel.org
- "2025" -> "2026" in copyright.
- Rename the test name "macro" -> "try_access_macro".
v6: https://lore.kernel.org/all/20251106152330.11733-3-tzungbi@kernel.org
- Rename REVOCABLE_TRY_ACCESS_WITH() -> REVOCABLE_TRY_ACCESS_SCOPED().
- Add tests for new REVOCABLE_TRY_ACCESS_WITH().
v5: https://lore.kernel.org/all/20251016054204.1523139-3-tzungbi@kernel.org
- No changes.
v4: https://lore.kernel.org/all/20250923075302.591026-3-tzungbi@kernel.org
- REVOCABLE() -> REVOCABLE_TRY_ACCESS_WITH().
- revocable_release() -> revocable_withdraw_access().
v3: https://lore.kernel.org/all/20250912081718.3827390-3-tzungbi@kernel.org
- No changes.
v2: https://lore.kernel.org/all/20250820081645.847919-3-tzungbi@kernel.org
- New in the series.
A way to run the test:
$ ./tools/testing/kunit/kunit.py run \
--kconfig_add CONFIG_REVOCABLE_KUNIT_TEST=y \
revocable_test
Or
$ ./tools/testing/kunit/kunit.py run \
--kconfig_add CONFIG_REVOCABLE_KUNIT_TEST=y \
--kconfig_add CONFIG_PROVE_LOCKING=y \
--kconfig_add CONFIG_DEBUG_KERNEL=y \
--kconfig_add CONFIG_DEBUG_INFO=y \
--kconfig_add CONFIG_DEBUG_INFO_DWARF5=y \
--kconfig_add CONFIG_KASAN=y \
--kconfig_add CONFIG_DETECT_HUNG_TASK=y \
--kconfig_add CONFIG_DEFAULT_HUNG_TASK_TIMEOUT="10" \
--arch=x86_64 \
--make_options="C=1 W=1" \
revocable_test
---
MAINTAINERS | 1 +
drivers/base/Kconfig | 5 +
drivers/base/Makefile | 3 +
drivers/base/revocable_test.c | 461 ++++++++++++++++++++++++++++++++++
4 files changed, 470 insertions(+)
create mode 100644 drivers/base/revocable_test.c
diff --git a/MAINTAINERS b/MAINTAINERS
index 6ec3a7cb5e6b..14aa035ef431 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -22831,6 +22831,7 @@ L: driver-core@lists.linux.dev
S: Maintained
T: git git://git.kernel.org/pub/scm/linux/kernel/git/driver-core/driver-core.git
F: drivers/base/revocable.c
+F: drivers/base/revocable_test.c
F: include/linux/revocable.h
RFKILL
diff --git a/drivers/base/Kconfig b/drivers/base/Kconfig
index f7d385cbd3ba..921f7e812ba5 100644
--- a/drivers/base/Kconfig
+++ b/drivers/base/Kconfig
@@ -259,3 +259,8 @@ config FW_DEVLINK_SYNC_STATE_TIMEOUT
work on.
endmenu
+
+config REVOCABLE_KUNIT_TEST
+ tristate "KUnit tests for revocable" if !KUNIT_ALL_TESTS
+ depends on KUNIT
+ default KUNIT_ALL_TESTS
diff --git a/drivers/base/Makefile b/drivers/base/Makefile
index bdf854694e39..5fd19abbc83e 100644
--- a/drivers/base/Makefile
+++ b/drivers/base/Makefile
@@ -35,3 +35,6 @@ ccflags-$(CONFIG_DEBUG_DRIVER) := -DDEBUG
# define_trace.h needs to know how to find our header
CFLAGS_trace.o := -I$(src)
obj-$(CONFIG_TRACING) += trace.o
+
+# KUnit test cases
+obj-$(CONFIG_REVOCABLE_KUNIT_TEST) += revocable_test.o
diff --git a/drivers/base/revocable_test.c b/drivers/base/revocable_test.c
new file mode 100644
index 000000000000..bdab05dfafda
--- /dev/null
+++ b/drivers/base/revocable_test.c
@@ -0,0 +1,461 @@
+// SPDX-License-Identifier: GPL-2.0
+/*
+ * Copyright 2026 Google LLC
+ *
+ * KUnit tests for the revocable API.
+ *
+ * The test cases cover the following scenarios:
+ *
+ * - Basic: Verifies that a consumer can successfully access the resource.
+ *
+ * - Revocation: Verifies that after the provider revokes the resource,
+ * the consumer correctly receives a NULL pointer on a subsequent access.
+ *
+ * - Try Access Macro: Same as "Revocation" but uses the macro level
+ * helpers.
+ *
+ * - Concurrent Access: Verifies multiple threads can access the resource.
+ */
+
+#include <kunit/test.h>
+#include <linux/completion.h>
+#include <linux/delay.h>
+#include <linux/kthread.h>
+#include <linux/refcount.h>
+#include <linux/revocable.h>
+
+static int get_refcount(struct revocable *rev)
+{
+ return refcount_read(&rev->kref.refcount);
+}
+
+static void revocable_test_basic(struct kunit *test)
+{
+ struct revocable *rev;
+ struct revocable_consumer rc;
+ void *real_res = (void *)0x12345678, *res;
+
+ rev = revocable_alloc(real_res);
+ KUNIT_ASSERT_NOT_NULL(test, rev);
+ KUNIT_EXPECT_EQ(test, get_refcount(rev), 2);
+ KUNIT_EXPECT_EQ(test, rev->alloc_type, REVOCABLE_DYNAMIC);
+
+ revocable_init(rev, &rc);
+ KUNIT_EXPECT_EQ(test, get_refcount(rev), 3);
+
+ res = revocable_try_access(&rc);
+ KUNIT_EXPECT_PTR_EQ(test, res, real_res);
+ revocable_withdraw_access(&rc);
+
+ KUNIT_EXPECT_EQ(test, get_refcount(rev), 3);
+ revocable_deinit(&rc);
+ KUNIT_EXPECT_EQ(test, get_refcount(rev), 2);
+ revocable_revoke(rev);
+ KUNIT_EXPECT_EQ(test, get_refcount(rev), 1);
+ revocable_put(rev);
+}
+
+static void revocable_embed_test_basic(struct kunit *test)
+{
+ struct revocable rev;
+ struct revocable_consumer rc;
+ void *real_res = (void *)0x12345678, *res;
+
+ revocable_embed_init(&rev, real_res);
+ KUNIT_EXPECT_EQ(test, rev.alloc_type, REVOCABLE_EMBEDDED);
+
+ revocable_init(&rev, &rc);
+
+ res = revocable_try_access(&rc);
+ KUNIT_EXPECT_PTR_EQ(test, res, real_res);
+ revocable_withdraw_access(&rc);
+
+ revocable_embed_destroy(&rev);
+}
+
+static void revocable_test_revocation(struct kunit *test)
+{
+ struct revocable *rev;
+ struct revocable_consumer rc;
+ void *real_res = (void *)0x12345678, *res;
+
+ rev = revocable_alloc(real_res);
+ KUNIT_ASSERT_NOT_NULL(test, rev);
+ KUNIT_EXPECT_EQ(test, get_refcount(rev), 2);
+ KUNIT_EXPECT_EQ(test, rev->alloc_type, REVOCABLE_DYNAMIC);
+
+ revocable_init(rev, &rc);
+ KUNIT_EXPECT_EQ(test, get_refcount(rev), 3);
+
+ res = revocable_try_access(&rc);
+ KUNIT_EXPECT_PTR_EQ(test, res, real_res);
+ revocable_withdraw_access(&rc);
+
+ KUNIT_EXPECT_EQ(test, get_refcount(rev), 3);
+ revocable_revoke(rev);
+ KUNIT_EXPECT_EQ(test, get_refcount(rev), 2);
+
+ res = revocable_try_access(&rc);
+ KUNIT_EXPECT_PTR_EQ(test, res, NULL);
+ revocable_withdraw_access(&rc);
+
+ KUNIT_EXPECT_EQ(test, get_refcount(rev), 2);
+ revocable_deinit(&rc);
+ KUNIT_EXPECT_EQ(test, get_refcount(rev), 1);
+ revocable_put(rev);
+}
+
+static void revocable_embed_test_revocation(struct kunit *test)
+{
+ struct revocable rev;
+ struct revocable_consumer rc;
+ void *real_res = (void *)0x12345678, *res;
+
+ revocable_embed_init(&rev, real_res);
+ KUNIT_EXPECT_EQ(test, rev.alloc_type, REVOCABLE_EMBEDDED);
+
+ revocable_init(&rev, &rc);
+
+ res = revocable_try_access(&rc);
+ KUNIT_EXPECT_PTR_EQ(test, res, real_res);
+ revocable_withdraw_access(&rc);
+
+ revocable_revoke(&rev);
+
+ res = revocable_try_access(&rc);
+ KUNIT_EXPECT_PTR_EQ(test, res, NULL);
+ revocable_withdraw_access(&rc);
+
+ revocable_embed_destroy(&rev);
+}
+
+static void revocable_test_try_access_macro1(struct kunit *test)
+{
+ struct revocable *rev;
+ void *real_res = (void *)0x12345678, *res;
+
+ rev = revocable_alloc(real_res);
+ KUNIT_ASSERT_NOT_NULL(test, rev);
+ KUNIT_EXPECT_EQ(test, get_refcount(rev), 2);
+ KUNIT_EXPECT_EQ(test, rev->alloc_type, REVOCABLE_DYNAMIC);
+
+ {
+ revocable_try_access_with(rev, res);
+ KUNIT_EXPECT_PTR_EQ(test, res, real_res);
+ KUNIT_EXPECT_EQ(test, get_refcount(rev), 3);
+ }
+ KUNIT_EXPECT_EQ(test, get_refcount(rev), 2);
+
+ revocable_revoke(rev);
+ KUNIT_EXPECT_EQ(test, get_refcount(rev), 1);
+
+ {
+ revocable_try_access_with(rev, res);
+ KUNIT_EXPECT_PTR_EQ(test, res, NULL);
+ KUNIT_EXPECT_EQ(test, get_refcount(rev), 2);
+ }
+ KUNIT_EXPECT_EQ(test, get_refcount(rev), 1);
+
+ revocable_put(rev);
+}
+
+static int call_revocable_try_access_or_return_err(struct revocable *rev)
+{
+ void *res;
+
+ revocable_try_access_or_return_err(rev, res, -ENXIO);
+ return 0;
+}
+
+static int call_revocable_try_access_or_return(struct revocable *rev)
+{
+ void *res;
+
+ revocable_try_access_or_return(rev, res);
+ return 0;
+}
+
+static void call_revocable_try_access_or_return_void(struct kunit *test,
+ struct revocable *rev)
+{
+ void *res;
+
+ revocable_try_access_or_return_void(rev, res);
+ KUNIT_FAIL(test, "unreachable");
+}
+
+static void revocable_test_try_access_macro2(struct kunit *test)
+{
+ struct revocable *rev;
+ void *real_res = (void *)0x12345678, *res;
+ int ret;
+
+ rev = revocable_alloc(real_res);
+ KUNIT_ASSERT_NOT_NULL(test, rev);
+ KUNIT_EXPECT_EQ(test, get_refcount(rev), 2);
+ KUNIT_EXPECT_EQ(test, rev->alloc_type, REVOCABLE_DYNAMIC);
+
+ {
+ revocable_try_access_with(rev, res);
+ KUNIT_EXPECT_PTR_EQ(test, res, real_res);
+ KUNIT_EXPECT_EQ(test, get_refcount(rev), 3);
+ }
+ KUNIT_EXPECT_EQ(test, get_refcount(rev), 2);
+
+ revocable_revoke(rev);
+ KUNIT_EXPECT_EQ(test, get_refcount(rev), 1);
+
+ ret = call_revocable_try_access_or_return_err(rev);
+ KUNIT_EXPECT_EQ(test, ret, -ENXIO);
+
+ ret = call_revocable_try_access_or_return(rev);
+ KUNIT_EXPECT_EQ(test, ret, -ENODEV);
+
+ call_revocable_try_access_or_return_void(test, rev);
+
+ KUNIT_EXPECT_EQ(test, get_refcount(rev), 1);
+ revocable_put(rev);
+}
+
+static void revocable_test_try_access_macro3(struct kunit *test)
+{
+ struct revocable *rev;
+ void *real_res = (void *)0x12345678, *res;
+ bool accessed;
+
+ rev = revocable_alloc(real_res);
+ KUNIT_ASSERT_NOT_NULL(test, rev);
+ KUNIT_EXPECT_EQ(test, get_refcount(rev), 2);
+ KUNIT_EXPECT_EQ(test, rev->alloc_type, REVOCABLE_DYNAMIC);
+
+ accessed = false;
+ revocable_try_access_with_scoped(rev, res) {
+ KUNIT_EXPECT_PTR_EQ(test, res, real_res);
+ KUNIT_EXPECT_EQ(test, get_refcount(rev), 3);
+ accessed = true;
+ }
+ KUNIT_EXPECT_TRUE(test, accessed);
+ KUNIT_EXPECT_EQ(test, get_refcount(rev), 2);
+
+ revocable_revoke(rev);
+ KUNIT_EXPECT_EQ(test, get_refcount(rev), 1);
+
+ accessed = false;
+ revocable_try_access_with_scoped(rev, res) {
+ KUNIT_EXPECT_PTR_EQ(test, res, NULL);
+ KUNIT_EXPECT_EQ(test, get_refcount(rev), 2);
+ accessed = true;
+ }
+ KUNIT_EXPECT_TRUE(test, accessed);
+ KUNIT_EXPECT_EQ(test, get_refcount(rev), 1);
+
+ revocable_put(rev);
+}
+
+static int call_revocable_try_access_or_return_err_scoped(struct revocable *rev)
+{
+ void *res;
+
+ revocable_try_access_or_return_err_scoped(rev, res, -ENXIO) {}
+ return 0;
+}
+
+static int call_revocable_try_access_or_return_scoped(struct revocable *rev)
+{
+ void *res;
+
+ revocable_try_access_or_return_scoped(rev, res) {}
+ return 0;
+}
+
+static void call_revocable_try_access_or_return_void_scoped(struct kunit *test,
+ struct revocable *rev)
+{
+ void *res;
+
+ revocable_try_access_or_return_void_scoped(rev, res) {}
+ KUNIT_FAIL(test, "unreachable");
+}
+
+static void revocable_test_try_access_macro4(struct kunit *test)
+{
+ struct revocable *rev;
+ void *real_res = (void *)0x12345678, *res;
+ bool accessed;
+ int ret;
+
+ rev = revocable_alloc(real_res);
+ KUNIT_ASSERT_NOT_NULL(test, rev);
+ KUNIT_EXPECT_EQ(test, get_refcount(rev), 2);
+ KUNIT_EXPECT_EQ(test, rev->alloc_type, REVOCABLE_DYNAMIC);
+
+ accessed = false;
+ revocable_try_access_with_scoped(rev, res) {
+ KUNIT_EXPECT_PTR_EQ(test, res, real_res);
+ KUNIT_EXPECT_EQ(test, get_refcount(rev), 3);
+ accessed = true;
+ }
+ KUNIT_EXPECT_TRUE(test, accessed);
+ KUNIT_EXPECT_EQ(test, get_refcount(rev), 2);
+
+ revocable_revoke(rev);
+ KUNIT_EXPECT_EQ(test, get_refcount(rev), 1);
+
+ ret = call_revocable_try_access_or_return_err_scoped(rev);
+ KUNIT_EXPECT_EQ(test, ret, -ENXIO);
+
+ ret = call_revocable_try_access_or_return_scoped(rev);
+ KUNIT_EXPECT_EQ(test, ret, -ENODEV);
+
+ call_revocable_try_access_or_return_void_scoped(test, rev);
+
+ accessed = false;
+ revocable_try_access_or_skip_scoped(rev, res)
+ accessed = true;
+ KUNIT_EXPECT_FALSE(test, accessed);
+
+ KUNIT_EXPECT_EQ(test, get_refcount(rev), 1);
+ revocable_put(rev);
+}
+
+struct test_concurrent_access_context {
+ struct completion started, enter;
+ struct task_struct *thread;
+
+ union {
+ /* Used by test provider. */
+ struct revocable *rev;
+
+ /* Used by test consumer. */
+ struct {
+ struct completion exit;
+ struct revocable_consumer rc;
+ struct kunit *test;
+ void *expected_res;
+ };
+ };
+};
+
+static int test_concurrent_access_provider(void *data)
+{
+ struct test_concurrent_access_context *ctx = data;
+
+ complete(&ctx->started);
+
+ wait_for_completion(&ctx->enter);
+ revocable_revoke(ctx->rev);
+
+ return 0;
+}
+
+static int test_concurrent_access_consumer(void *data)
+{
+ struct test_concurrent_access_context *ctx = data;
+ void *res;
+
+ complete(&ctx->started);
+
+ wait_for_completion(&ctx->enter);
+ res = revocable_try_access(&ctx->rc);
+ KUNIT_EXPECT_PTR_EQ(ctx->test, res, ctx->expected_res);
+
+ wait_for_completion(&ctx->exit);
+ revocable_withdraw_access(&ctx->rc);
+
+ return 0;
+}
+
+static void revocable_test_concurrent_access(struct kunit *test)
+{
+ struct revocable *rev;
+ void *real_res = (void *)0x12345678;
+ struct test_concurrent_access_context *ctx;
+ int i;
+
+ rev = revocable_alloc(real_res);
+ KUNIT_ASSERT_NOT_NULL(test, rev);
+ KUNIT_EXPECT_EQ(test, get_refcount(rev), 2);
+ KUNIT_EXPECT_EQ(test, rev->alloc_type, REVOCABLE_DYNAMIC);
+
+ ctx = kunit_kmalloc_array(test, 3, sizeof(*ctx), GFP_KERNEL);
+ KUNIT_ASSERT_NOT_NULL(test, ctx);
+
+ for (i = 0; i < 3; ++i) {
+ ctx[i].test = test;
+ init_completion(&ctx[i].started);
+ init_completion(&ctx[i].enter);
+
+ if (i == 0) {
+ /* Transfer the ownership of provider reference too. */
+ ctx[i].rev = rev;
+ ctx[i].thread = kthread_run(
+ test_concurrent_access_provider, ctx + i,
+ "revocable_%d", i);
+ } else {
+ init_completion(&ctx[i].exit);
+ revocable_init(rev, &ctx[i].rc);
+ KUNIT_EXPECT_EQ(test, get_refcount(rev), 2 + i);
+
+ ctx[i].thread = kthread_run(
+ test_concurrent_access_consumer, ctx + i,
+ "revocable_consumer_%d", i);
+ }
+ KUNIT_ASSERT_FALSE(test, IS_ERR(ctx[i].thread));
+
+ wait_for_completion(&ctx[i].started);
+ }
+
+ ctx[1].expected_res = real_res;
+ /* consumer1 enters read-side critical section. */
+ complete(&ctx[1].enter);
+ msleep(100);
+
+ /* provider0 revokes the resource. */
+ complete(&ctx[0].enter);
+ msleep(100);
+ /* provider0 can't exit. It's waiting for the grace period. */
+ KUNIT_EXPECT_EQ(test, get_refcount(rev), 4);
+
+ ctx[2].expected_res = NULL;
+ /* consumer2 enters read-side critical section. */
+ complete(&ctx[2].enter);
+ msleep(100);
+
+ /* consumer{1,2} exit read-side critical section. */
+ for (i = 1; i < 3; ++i) {
+ complete(&ctx[i].exit);
+ kthread_stop(ctx[i].thread);
+ revocable_deinit(&ctx[i].rc);
+ }
+
+ kthread_stop(ctx[0].thread);
+ /* provider0 exits as all readers exit their critical section. */
+ KUNIT_EXPECT_EQ(test, get_refcount(rev), 1);
+
+ /* Drop the caller reference. */
+ revocable_put(rev);
+}
+
+static struct kunit_case revocable_test_cases[] = {
+ KUNIT_CASE(revocable_test_basic),
+ KUNIT_CASE(revocable_embed_test_basic),
+ KUNIT_CASE(revocable_test_revocation),
+ KUNIT_CASE(revocable_embed_test_revocation),
+ KUNIT_CASE(revocable_test_try_access_macro1),
+ KUNIT_CASE(revocable_test_try_access_macro2),
+ KUNIT_CASE(revocable_test_try_access_macro3),
+ KUNIT_CASE(revocable_test_try_access_macro4),
+ KUNIT_CASE(revocable_test_concurrent_access),
+ {}
+};
+
+static struct kunit_suite revocable_test_suite = {
+ .name = "revocable_test",
+ .test_cases = revocable_test_cases,
+};
+
+kunit_test_suite(revocable_test_suite);
+
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("Tzung-Bi Shih <tzungbi@kernel.org>");
+MODULE_DESCRIPTION("KUnit tests for the revocable API");
--
2.51.0
^ permalink raw reply related [flat|nested] 10+ messages in thread* [PATCH v9 3/9] gpio: Add revocable provider handle for struct gpio_chip
2026-04-27 13:58 [PATCH v9 0/9] drivers/base: Introduce revocable Tzung-Bi Shih
2026-04-27 13:58 ` [PATCH v9 1/9] revocable: Revocable resource management Tzung-Bi Shih
2026-04-27 13:58 ` [PATCH v9 2/9] revocable: Add KUnit test cases Tzung-Bi Shih
@ 2026-04-27 13:58 ` Tzung-Bi Shih
2026-04-27 13:58 ` [PATCH v9 4/9] gpio: cdev: Leverage revocable for accessing " Tzung-Bi Shih
` (5 subsequent siblings)
8 siblings, 0 replies; 10+ messages in thread
From: Tzung-Bi Shih @ 2026-04-27 13:58 UTC (permalink / raw)
To: Arnd Bergmann, Greg Kroah-Hartman, Bartosz Golaszewski,
Linus Walleij
Cc: Benson Leung, tzungbi, linux-kernel, chrome-platform, driver-core,
linux-doc, linux-gpio, Rafael J. Wysocki, Danilo Krummrich,
Jonathan Corbet, Shuah Khan, Laurent Pinchart, Wolfram Sang,
Jason Gunthorpe, Johan Hovold, Paul E . McKenney, Dan Williams
The underlying chip can be removed asynchronously. `gdev->srcu` is used
to ensure the synchronization before accessing `gdev->chip`.
Revocable encapsulates the details. Add revocable provider handle for
the corresponding struct gpio_chip in struct gpio_device so that it can
start to hide the synchronization details.
Signed-off-by: Tzung-Bi Shih <tzungbi@kernel.org>
---
v9:
- New to the series.
- Use static allocated resource provider.
- Rename "chip_rp" -> "chip_rev".
v4 - v8:
- Doesn't exist.
v3: https://lore.kernel.org/all/20260213092958.864411-8-tzungbi@kernel.org
- Change revocable API usages accordingly.
v2: https://lore.kernel.org/all/20260203061059.975605-8-tzungbi@kernel.org
- Change usages accordingly after applying
https://lore.kernel.org/all/20260129143733.45618-2-tzungbi@kernel.org.
- Add __rcu for `chip_rp`.
- Pass pointer of pointer to revocable_provider_revoke().
- Rebase accordingly after applying
https://lore.kernel.org/all/20260203060210.972243-1-tzungbi@kernel.org.
v1: https://lore.kernel.org/all/20260116081036.352286-13-tzungbi@kernel.org
---
drivers/gpio/gpiolib.c | 7 +++++++
drivers/gpio/gpiolib.h | 3 +++
2 files changed, 10 insertions(+)
diff --git a/drivers/gpio/gpiolib.c b/drivers/gpio/gpiolib.c
index 1e6dce430dca..20448d5aab93 100644
--- a/drivers/gpio/gpiolib.c
+++ b/drivers/gpio/gpiolib.c
@@ -23,6 +23,7 @@
#include <linux/nospec.h>
#include <linux/of.h>
#include <linux/pinctrl/consumer.h>
+#include <linux/revocable.h>
#include <linux/seq_file.h>
#include <linux/slab.h>
#include <linux/srcu.h>
@@ -874,6 +875,7 @@ static void gpiodev_release(struct device *dev)
synchronize_srcu(&gdev->desc_srcu);
cleanup_srcu_struct(&gdev->desc_srcu);
+ revocable_embed_destroy(&gdev->chip_rev);
ida_free(&gpio_ida, gdev->id);
kfree_const(gdev->label);
kfree(gdev->descs);
@@ -1167,6 +1169,10 @@ int gpiochip_add_data_with_key(struct gpio_chip *gc, void *data,
if (ret)
goto err_cleanup_desc_srcu;
+ ret = revocable_embed_init(&gdev->chip_rev, gc);
+ if (ret)
+ goto err_cleanup_desc_srcu;
+
device_initialize(&gdev->dev);
/*
* After this point any allocated resources to `gdev` will be
@@ -1389,6 +1395,7 @@ void gpiochip_remove(struct gpio_chip *gc)
/* Numb the device, cancelling all outstanding operations */
rcu_assign_pointer(gdev->chip, NULL);
synchronize_srcu(&gdev->srcu);
+ revocable_revoke(&gdev->chip_rev);
gpio_device_teardown_shared(gdev);
gpiochip_irqchip_remove(gc);
acpi_gpiochip_remove(gc);
diff --git a/drivers/gpio/gpiolib.h b/drivers/gpio/gpiolib.h
index dc4cb61a9318..4e2e98f61f5a 100644
--- a/drivers/gpio/gpiolib.h
+++ b/drivers/gpio/gpiolib.h
@@ -16,6 +16,7 @@
#include <linux/gpio/driver.h>
#include <linux/module.h>
#include <linux/notifier.h>
+#include <linux/revocable.h>
#include <linux/spinlock.h>
#include <linux/string.h>
#include <linux/srcu.h>
@@ -55,6 +56,7 @@ struct fwnode_handle;
* @device_notifier: used to notify character device wait queues about the GPIO
* device being unregistered
* @srcu: protects the pointer to the underlying GPIO chip
+ * @chip_rev: revocable provider handle for the corresponding struct gpio_chip.
* @pin_ranges: range of pins served by the GPIO driver
*
* This state container holds most of the runtime variable data
@@ -82,6 +84,7 @@ struct gpio_device {
struct workqueue_struct *line_state_wq;
struct blocking_notifier_head device_notifier;
struct srcu_struct srcu;
+ struct revocable chip_rev;
#ifdef CONFIG_PINCTRL
/*
--
2.51.0
^ permalink raw reply related [flat|nested] 10+ messages in thread* [PATCH v9 4/9] gpio: cdev: Leverage revocable for accessing struct gpio_chip
2026-04-27 13:58 [PATCH v9 0/9] drivers/base: Introduce revocable Tzung-Bi Shih
` (2 preceding siblings ...)
2026-04-27 13:58 ` [PATCH v9 3/9] gpio: Add revocable provider handle for struct gpio_chip Tzung-Bi Shih
@ 2026-04-27 13:58 ` Tzung-Bi Shih
2026-04-27 13:58 ` [PATCH v9 5/9] gpio: Remove gpio_chip_guard by using revocable Tzung-Bi Shih
` (4 subsequent siblings)
8 siblings, 0 replies; 10+ messages in thread
From: Tzung-Bi Shih @ 2026-04-27 13:58 UTC (permalink / raw)
To: Arnd Bergmann, Greg Kroah-Hartman, Bartosz Golaszewski,
Linus Walleij
Cc: Benson Leung, tzungbi, linux-kernel, chrome-platform, driver-core,
linux-doc, linux-gpio, Rafael J. Wysocki, Danilo Krummrich,
Jonathan Corbet, Shuah Khan, Laurent Pinchart, Wolfram Sang,
Jason Gunthorpe, Johan Hovold, Paul E . McKenney, Dan Williams
Struct gpio_device now provides a revocable provider to the underlying
struct gpio_chip. Leverage revocable for accessing the struct
gpio_chip.
Signed-off-by: Tzung-Bi Shih <tzungbi@kernel.org>
---
v9:
- New to the series.
- Rename "chip_rp" -> "chip_rev".
v4 - v8:
- Doesn't exist.
v3: https://lore.kernel.org/all/20260213092958.864411-9-tzungbi@kernel.org
- Change revocable API usages accordingly.
v2: https://lore.kernel.org/all/20260203061059.975605-9-tzungbi@kernel.org
- Change usages accordingly after applying
https://lore.kernel.org/all/20260129143733.45618-4-tzungbi@kernel.org.
- Preserve a local storage for `struct revocable`.
- Combine multiple patches (see "v1:").
- Fix a race condition reported in
https://lore.kernel.org/all/CAMRc=McDaipt85OHm0MksLkuf6E79dY1uNSqqbcJnoQTUs81Pw@mail.gmail.com/
and analyzed in
https://lore.kernel.org/all/aXEEUWwkxHZzCnaI@tzungbi-laptop/.
In v1, the blocking_notifier_chain_unregister() will be skipped if the
chip has been removed, leading an UAF in gpiolib_cdev_unregister().
In v2, it won't skip blocking_notifier_chain_unregister().
v1:
- https://lore.kernel.org/all/20260116081036.352286-14-tzungbi@kernel.org
- https://lore.kernel.org/all/20260116081036.352286-15-tzungbi@kernel.org
- https://lore.kernel.org/all/20260116081036.352286-16-tzungbi@kernel.org
- https://lore.kernel.org/all/20260116081036.352286-17-tzungbi@kernel.org
- https://lore.kernel.org/all/20260116081036.352286-18-tzungbi@kernel.org
---
drivers/gpio/gpiolib-cdev.c | 68 ++++++++++++++-----------------------
1 file changed, 26 insertions(+), 42 deletions(-)
diff --git a/drivers/gpio/gpiolib-cdev.c b/drivers/gpio/gpiolib-cdev.c
index f36b7c06996d..d8a7ccb406a5 100644
--- a/drivers/gpio/gpiolib-cdev.c
+++ b/drivers/gpio/gpiolib-cdev.c
@@ -22,6 +22,7 @@
#include <linux/overflow.h>
#include <linux/pinctrl/consumer.h>
#include <linux/poll.h>
+#include <linux/revocable.h>
#include <linux/seq_file.h>
#include <linux/spinlock.h>
#include <linux/string.h>
@@ -210,11 +211,9 @@ static long linehandle_ioctl(struct file *file, unsigned int cmd,
DECLARE_BITMAP(vals, GPIOHANDLES_MAX);
unsigned int i;
int ret;
+ struct gpio_chip *gc;
- guard(srcu)(&lh->gdev->srcu);
-
- if (!rcu_access_pointer(lh->gdev->chip))
- return -ENODEV;
+ revocable_try_access_or_return(&lh->gdev->chip_rev, gc);
switch (cmd) {
case GPIOHANDLE_GET_LINE_VALUES_IOCTL:
@@ -1432,11 +1431,9 @@ static long linereq_ioctl(struct file *file, unsigned int cmd,
{
struct linereq *lr = file->private_data;
void __user *ip = (void __user *)arg;
+ struct gpio_chip *gc;
- guard(srcu)(&lr->gdev->srcu);
-
- if (!rcu_access_pointer(lr->gdev->chip))
- return -ENODEV;
+ revocable_try_access_or_return(&lr->gdev->chip_rev, gc);
switch (cmd) {
case GPIO_V2_LINE_GET_VALUES_IOCTL:
@@ -1463,10 +1460,10 @@ static __poll_t linereq_poll(struct file *file,
{
struct linereq *lr = file->private_data;
__poll_t events = 0;
+ struct gpio_chip *gc;
- guard(srcu)(&lr->gdev->srcu);
-
- if (!rcu_access_pointer(lr->gdev->chip))
+ revocable_try_access_with(&lr->gdev->chip_rev, gc);
+ if (!gc)
return EPOLLHUP | EPOLLERR;
poll_wait(file, &lr->wait, wait);
@@ -1485,11 +1482,9 @@ static ssize_t linereq_read(struct file *file, char __user *buf,
struct gpio_v2_line_event le;
ssize_t bytes_read = 0;
int ret;
+ struct gpio_chip *gc;
- guard(srcu)(&lr->gdev->srcu);
-
- if (!rcu_access_pointer(lr->gdev->chip))
- return -ENODEV;
+ revocable_try_access_or_return(&lr->gdev->chip_rev, gc);
if (count < sizeof(le))
return -EINVAL;
@@ -1759,10 +1754,10 @@ static __poll_t lineevent_poll(struct file *file,
{
struct lineevent_state *le = file->private_data;
__poll_t events = 0;
+ struct gpio_chip *gc;
- guard(srcu)(&le->gdev->srcu);
-
- if (!rcu_access_pointer(le->gdev->chip))
+ revocable_try_access_with(&le->gdev->chip_rev, gc);
+ if (!gc)
return EPOLLHUP | EPOLLERR;
poll_wait(file, &le->wait, wait);
@@ -1797,11 +1792,9 @@ static ssize_t lineevent_read(struct file *file, char __user *buf,
ssize_t bytes_read = 0;
ssize_t ge_size;
int ret;
+ struct gpio_chip *gc;
- guard(srcu)(&le->gdev->srcu);
-
- if (!rcu_access_pointer(le->gdev->chip))
- return -ENODEV;
+ revocable_try_access_or_return(&le->gdev->chip_rev, gc);
/*
* When compatible system call is being used the struct gpioevent_data,
@@ -1879,11 +1872,9 @@ static long lineevent_ioctl(struct file *file, unsigned int cmd,
struct lineevent_state *le = file->private_data;
void __user *ip = (void __user *)arg;
struct gpiohandle_data ghd;
+ struct gpio_chip *gc;
- guard(srcu)(&le->gdev->srcu);
-
- if (!rcu_access_pointer(le->gdev->chip))
- return -ENODEV;
+ revocable_try_access_or_return(&le->gdev->chip_rev, gc);
/*
* We can get the value for an event line but not set it,
@@ -2385,12 +2376,10 @@ static long gpio_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
struct gpio_chardev_data *cdev = file->private_data;
struct gpio_device *gdev = cdev->gdev;
void __user *ip = (void __user *)arg;
-
- guard(srcu)(&gdev->srcu);
+ struct gpio_chip *gc;
/* We fail any subsequent ioctl():s when the chip is gone */
- if (!rcu_access_pointer(gdev->chip))
- return -ENODEV;
+ revocable_try_access_or_return(&gdev->chip_rev, gc);
/* Fill in the struct and pass to userspace */
switch (cmd) {
@@ -2448,12 +2437,9 @@ static void lineinfo_changed_func(struct work_struct *work)
* Pin functions are in general much more static and while it's
* not 100% bullet-proof, it's good enough for most cases.
*/
- scoped_guard(srcu, &ctx->gdev->srcu) {
- gc = srcu_dereference(ctx->gdev->chip, &ctx->gdev->srcu);
- if (gc &&
- !pinctrl_gpio_can_use_line(gc, ctx->chg.info.offset))
+ revocable_try_access_or_skip_scoped(&ctx->gdev->chip_rev, gc)
+ if (!pinctrl_gpio_can_use_line(gc, ctx->chg.info.offset))
ctx->chg.info.flags |= GPIO_V2_LINE_FLAG_USED;
- }
}
ret = kfifo_in_spinlocked(&ctx->cdev->events, &ctx->chg, 1,
@@ -2534,10 +2520,10 @@ static __poll_t lineinfo_watch_poll(struct file *file,
{
struct gpio_chardev_data *cdev = file->private_data;
__poll_t events = 0;
+ struct gpio_chip *gc;
- guard(srcu)(&cdev->gdev->srcu);
-
- if (!rcu_access_pointer(cdev->gdev->chip))
+ revocable_try_access_with(&cdev->gdev->chip_rev, gc);
+ if (!gc)
return EPOLLHUP | EPOLLERR;
poll_wait(file, &cdev->wait, pollt);
@@ -2557,11 +2543,9 @@ static ssize_t lineinfo_watch_read(struct file *file, char __user *buf,
ssize_t bytes_read = 0;
int ret;
size_t event_size;
+ struct gpio_chip *gc;
- guard(srcu)(&cdev->gdev->srcu);
-
- if (!rcu_access_pointer(cdev->gdev->chip))
- return -ENODEV;
+ revocable_try_access_or_return(&cdev->gdev->chip_rev, gc);
#ifndef CONFIG_GPIO_CDEV_V1
event_size = sizeof(struct gpio_v2_line_info_changed);
--
2.51.0
^ permalink raw reply related [flat|nested] 10+ messages in thread* [PATCH v9 5/9] gpio: Remove gpio_chip_guard by using revocable
2026-04-27 13:58 [PATCH v9 0/9] drivers/base: Introduce revocable Tzung-Bi Shih
` (3 preceding siblings ...)
2026-04-27 13:58 ` [PATCH v9 4/9] gpio: cdev: Leverage revocable for accessing " Tzung-Bi Shih
@ 2026-04-27 13:58 ` Tzung-Bi Shih
2026-04-27 13:58 ` [PATCH v9 6/9] gpio: Leverage revocable for accessing struct gpio_chip Tzung-Bi Shih
` (3 subsequent siblings)
8 siblings, 0 replies; 10+ messages in thread
From: Tzung-Bi Shih @ 2026-04-27 13:58 UTC (permalink / raw)
To: Arnd Bergmann, Greg Kroah-Hartman, Bartosz Golaszewski,
Linus Walleij
Cc: Benson Leung, tzungbi, linux-kernel, chrome-platform, driver-core,
linux-doc, linux-gpio, Rafael J. Wysocki, Danilo Krummrich,
Jonathan Corbet, Shuah Khan, Laurent Pinchart, Wolfram Sang,
Jason Gunthorpe, Johan Hovold, Paul E . McKenney, Dan Williams
Struct gpio_device now provides a revocable provider to the underlying
struct gpio_chip. Leverage revocable for accessing the struct
gpio_chip instead of using gpio_chip_guard.
Signed-off-by: Tzung-Bi Shih <tzungbi@kernel.org>
---
v9:
- New to the series.
- Rename "chip_rp" -> "chip_rev".
v4 - v8:
- Doesn't exist.
v3: https://lore.kernel.org/all/20260213092958.864411-10-tzungbi@kernel.org
- Change revocable API usages accordingly.
v2: https://lore.kernel.org/all/20260203061059.975605-10-tzungbi@kernel.org
- Separate from v1 for including gpio_chip_guard only.
v1: https://lore.kernel.org/all/20260116081036.352286-23-tzungbi@kernel.org
---
drivers/gpio/gpiolib-cdev.c | 9 +-
drivers/gpio/gpiolib-sysfs.c | 31 +++----
drivers/gpio/gpiolib.c | 164 ++++++++++++++++-------------------
drivers/gpio/gpiolib.h | 21 -----
4 files changed, 91 insertions(+), 134 deletions(-)
diff --git a/drivers/gpio/gpiolib-cdev.c b/drivers/gpio/gpiolib-cdev.c
index d8a7ccb406a5..4837497c5e6e 100644
--- a/drivers/gpio/gpiolib-cdev.c
+++ b/drivers/gpio/gpiolib-cdev.c
@@ -2156,10 +2156,9 @@ static void gpio_desc_to_lineinfo(struct gpio_desc *desc,
u32 debounce_period_us;
unsigned long dflags;
const char *label;
+ struct gpio_chip *gc;
- CLASS(gpio_chip_guard, guard)(desc);
- if (!guard.gc)
- return;
+ revocable_try_access_or_return_void(&desc->gdev->chip_rev, gc);
memset(info, 0, sizeof(*info));
info->offset = gpiod_hwgpio(desc);
@@ -2192,10 +2191,10 @@ static void gpio_desc_to_lineinfo(struct gpio_desc *desc,
test_bit(GPIOD_FLAG_IS_HOGGED, &dflags) ||
test_bit(GPIOD_FLAG_EXPORT, &dflags) ||
test_bit(GPIOD_FLAG_SYSFS, &dflags) ||
- !gpiochip_line_is_valid(guard.gc, info->offset)) {
+ !gpiochip_line_is_valid(gc, info->offset)) {
info->flags |= GPIO_V2_LINE_FLAG_USED;
} else if (!atomic) {
- if (!pinctrl_gpio_can_use_line(guard.gc, info->offset))
+ if (!pinctrl_gpio_can_use_line(gc, info->offset))
info->flags |= GPIO_V2_LINE_FLAG_USED;
}
diff --git a/drivers/gpio/gpiolib-sysfs.c b/drivers/gpio/gpiolib-sysfs.c
index fc06b0c2881b..c40320433ff7 100644
--- a/drivers/gpio/gpiolib-sysfs.c
+++ b/drivers/gpio/gpiolib-sysfs.c
@@ -10,6 +10,7 @@
#include <linux/list.h>
#include <linux/mutex.h>
#include <linux/printk.h>
+#include <linux/revocable.h>
#include <linux/slab.h>
#include <linux/string.h>
#include <linux/srcu.h>
@@ -215,10 +216,9 @@ static int gpio_sysfs_request_irq(struct gpiod_data *data, unsigned char flags)
struct gpio_desc *desc = data->desc;
unsigned long irq_flags;
int ret;
+ struct gpio_chip *gc;
- CLASS(gpio_chip_guard, guard)(desc);
- if (!guard.gc)
- return -ENODEV;
+ revocable_try_access_or_return(&desc->gdev->chip_rev, gc);
data->irq = gpiod_to_irq(desc);
if (data->irq < 0)
@@ -244,7 +244,7 @@ static int gpio_sysfs_request_irq(struct gpiod_data *data, unsigned char flags)
* Remove this redundant call (along with the corresponding unlock)
* when those drivers have been fixed.
*/
- ret = gpiochip_lock_as_irq(guard.gc, gpiod_hwgpio(desc));
+ ret = gpiochip_lock_as_irq(gc, gpiod_hwgpio(desc));
if (ret < 0)
goto err_clr_bits;
@@ -258,7 +258,7 @@ static int gpio_sysfs_request_irq(struct gpiod_data *data, unsigned char flags)
return 0;
err_unlock:
- gpiochip_unlock_as_irq(guard.gc, gpiod_hwgpio(desc));
+ gpiochip_unlock_as_irq(gc, gpiod_hwgpio(desc));
err_clr_bits:
clear_bit(GPIOD_FLAG_EDGE_RISING, &desc->flags);
clear_bit(GPIOD_FLAG_EDGE_FALLING, &desc->flags);
@@ -273,14 +273,13 @@ static int gpio_sysfs_request_irq(struct gpiod_data *data, unsigned char flags)
static void gpio_sysfs_free_irq(struct gpiod_data *data)
{
struct gpio_desc *desc = data->desc;
+ struct gpio_chip *gc;
- CLASS(gpio_chip_guard, guard)(desc);
- if (!guard.gc)
- return;
+ revocable_try_access_or_return_void(&desc->gdev->chip_rev, gc);
data->irq_flags = 0;
free_irq(data->irq, data);
- gpiochip_unlock_as_irq(guard.gc, gpiod_hwgpio(desc));
+ gpiochip_unlock_as_irq(gc, gpiod_hwgpio(desc));
clear_bit(GPIOD_FLAG_EDGE_RISING, &desc->flags);
clear_bit(GPIOD_FLAG_EDGE_FALLING, &desc->flags);
}
@@ -473,13 +472,12 @@ static DEVICE_ATTR_RO(ngpio);
static int export_gpio_desc(struct gpio_desc *desc)
{
int offset, ret;
+ struct gpio_chip *gc;
- CLASS(gpio_chip_guard, guard)(desc);
- if (!guard.gc)
- return -ENODEV;
+ revocable_try_access_or_return(&desc->gdev->chip_rev, gc);
offset = gpiod_hwgpio(desc);
- if (!gpiochip_line_is_valid(guard.gc, offset)) {
+ if (!gpiochip_line_is_valid(gc, offset)) {
pr_debug_ratelimited("%s: GPIO %d masked\n", __func__,
gpiod_hwgpio(desc));
return -EINVAL;
@@ -732,6 +730,7 @@ int gpiod_export(struct gpio_desc *desc, bool direction_may_change)
struct gpio_device *gdev;
struct attribute **attrs;
int status;
+ struct gpio_chip *gc;
/* can't export until sysfs is available ... */
if (!class_is_registered(&gpio_class)) {
@@ -744,9 +743,7 @@ int gpiod_export(struct gpio_desc *desc, bool direction_may_change)
return -EINVAL;
}
- CLASS(gpio_chip_guard, guard)(desc);
- if (!guard.gc)
- return -ENODEV;
+ revocable_try_access_or_return(&desc->gdev->chip_rev, gc);
if (test_and_set_bit(GPIOD_FLAG_EXPORT, &desc->flags))
return -EPERM;
@@ -769,7 +766,7 @@ int gpiod_export(struct gpio_desc *desc, bool direction_may_change)
desc_data->desc = desc;
mutex_init(&desc_data->mutex);
- if (guard.gc->direction_input && guard.gc->direction_output)
+ if (gc->direction_input && gc->direction_output)
desc_data->direction_can_change = direction_may_change;
else
desc_data->direction_can_change = false;
diff --git a/drivers/gpio/gpiolib.c b/drivers/gpio/gpiolib.c
index 20448d5aab93..2cac1e15e1e5 100644
--- a/drivers/gpio/gpiolib.c
+++ b/drivers/gpio/gpiolib.c
@@ -454,14 +454,13 @@ int gpiod_get_direction(struct gpio_desc *desc)
unsigned long flags;
unsigned int offset;
int ret;
+ struct gpio_chip *gc;
ret = validate_desc(desc, __func__);
if (ret <= 0)
return -EINVAL;
- CLASS(gpio_chip_guard, guard)(desc);
- if (!guard.gc)
- return -ENODEV;
+ revocable_try_access_or_return(&desc->gdev->chip_rev, gc);
offset = gpiod_hwgpio(desc);
flags = READ_ONCE(desc->flags);
@@ -474,7 +473,7 @@ int gpiod_get_direction(struct gpio_desc *desc)
test_bit(GPIOD_FLAG_IS_OUT, &flags))
return 0;
- ret = gpiochip_get_direction(guard.gc, offset);
+ ret = gpiochip_get_direction(gc, offset);
if (ret < 0)
return ret;
@@ -2561,16 +2560,15 @@ int gpiod_request_commit(struct gpio_desc *desc, const char *label)
{
unsigned int offset;
int ret;
+ struct gpio_chip *gc;
- CLASS(gpio_chip_guard, guard)(desc);
- if (!guard.gc)
- return -ENODEV;
+ revocable_try_access_or_return(&desc->gdev->chip_rev, gc);
if (test_and_set_bit(GPIOD_FLAG_REQUESTED, &desc->flags))
return -EBUSY;
offset = gpiod_hwgpio(desc);
- if (!gpiochip_line_is_valid(guard.gc, offset)) {
+ if (!gpiochip_line_is_valid(gc, offset)) {
ret = -EINVAL;
goto out_clear_bit;
}
@@ -2579,15 +2577,15 @@ int gpiod_request_commit(struct gpio_desc *desc, const char *label)
* before IRQs are enabled, for non-sleeping (SOC) GPIOs.
*/
- if (guard.gc->request) {
- ret = guard.gc->request(guard.gc, offset);
+ if (gc->request) {
+ ret = gc->request(gc, offset);
if (ret > 0)
ret = -EBADE;
if (ret)
goto out_clear_bit;
}
- if (guard.gc->get_direction)
+ if (gc->get_direction)
gpiod_get_direction(desc);
ret = desc_set_label(desc, label ? : "?");
@@ -2624,16 +2622,17 @@ int gpiod_request(struct gpio_desc *desc, const char *label)
void gpiod_free_commit(struct gpio_desc *desc)
{
unsigned long flags;
+ struct gpio_chip *gc;
might_sleep();
- CLASS(gpio_chip_guard, guard)(desc);
+ revocable_try_access_or_return_void(&desc->gdev->chip_rev, gc);
flags = READ_ONCE(desc->flags);
- if (guard.gc && test_bit(GPIOD_FLAG_REQUESTED, &flags)) {
- if (guard.gc->free)
- guard.gc->free(guard.gc, gpiod_hwgpio(desc));
+ if (test_bit(GPIOD_FLAG_REQUESTED, &flags)) {
+ if (gc->free)
+ gc->free(gc, gpiod_hwgpio(desc));
clear_bit(GPIOD_FLAG_ACTIVE_LOW, &flags);
clear_bit(GPIOD_FLAG_REQUESTED, &flags);
@@ -2785,15 +2784,14 @@ EXPORT_SYMBOL_GPL(gpiochip_free_own_desc);
int gpio_do_set_config(struct gpio_desc *desc, unsigned long config)
{
int ret;
+ struct gpio_chip *gc;
- CLASS(gpio_chip_guard, guard)(desc);
- if (!guard.gc)
- return -ENODEV;
+ revocable_try_access_or_return(&desc->gdev->chip_rev, gc);
- if (!guard.gc->set_config)
+ if (!gc->set_config)
return -ENOTSUPP;
- ret = guard.gc->set_config(guard.gc, gpiod_hwgpio(desc), config);
+ ret = gc->set_config(gc, gpiod_hwgpio(desc), config);
if (ret > 0)
ret = -EBADE;
@@ -2962,17 +2960,16 @@ EXPORT_SYMBOL_GPL(gpiod_direction_input);
int gpiod_direction_input_nonotify(struct gpio_desc *desc)
{
int ret = 0, dir;
+ struct gpio_chip *gc;
- CLASS(gpio_chip_guard, guard)(desc);
- if (!guard.gc)
- return -ENODEV;
+ revocable_try_access_or_return(&desc->gdev->chip_rev, gc);
/*
* It is legal to have no .get() and .direction_input() specified if
* the chip is output-only, but you can't specify .direction_input()
* and not support the .get() operation, that doesn't make sense.
*/
- if (!guard.gc->get && guard.gc->direction_input) {
+ if (!gc->get && gc->direction_input) {
gpiod_warn(desc,
"%s: missing get() but have direction_input()\n",
__func__);
@@ -2985,11 +2982,10 @@ int gpiod_direction_input_nonotify(struct gpio_desc *desc)
* direction (if .get_direction() is supported) else we silently
* assume we are in input mode after this.
*/
- if (guard.gc->direction_input) {
- ret = gpiochip_direction_input(guard.gc,
- gpiod_hwgpio(desc));
- } else if (guard.gc->get_direction) {
- dir = gpiochip_get_direction(guard.gc, gpiod_hwgpio(desc));
+ if (gc->direction_input) {
+ ret = gpiochip_direction_input(gc, gpiod_hwgpio(desc));
+ } else if (gc->get_direction) {
+ dir = gpiochip_get_direction(gc, gpiod_hwgpio(desc));
if (dir < 0)
return dir;
@@ -3029,31 +3025,28 @@ static int gpiochip_set(struct gpio_chip *gc, unsigned int offset, int value)
static int gpiod_direction_output_raw_commit(struct gpio_desc *desc, int value)
{
int val = !!value, ret = 0, dir;
+ struct gpio_chip *gc;
- CLASS(gpio_chip_guard, guard)(desc);
- if (!guard.gc)
- return -ENODEV;
+ revocable_try_access_or_return(&desc->gdev->chip_rev, gc);
/*
* It's OK not to specify .direction_output() if the gpiochip is
* output-only, but if there is then not even a .set() operation it
* is pretty tricky to drive the output line.
*/
- if (!guard.gc->set && !guard.gc->direction_output) {
+ if (!gc->set && !gc->direction_output) {
gpiod_warn(desc,
"%s: missing set() and direction_output() operations\n",
__func__);
return -EIO;
}
- if (guard.gc->direction_output) {
- ret = gpiochip_direction_output(guard.gc,
- gpiod_hwgpio(desc), val);
+ if (gc->direction_output) {
+ ret = gpiochip_direction_output(gc, gpiod_hwgpio(desc), val);
} else {
/* Check that we are in output mode if we can */
- if (guard.gc->get_direction) {
- dir = gpiochip_get_direction(guard.gc,
- gpiod_hwgpio(desc));
+ if (gc->get_direction) {
+ dir = gpiochip_get_direction(gc, gpiod_hwgpio(desc));
if (dir < 0)
return dir;
@@ -3068,7 +3061,7 @@ static int gpiod_direction_output_raw_commit(struct gpio_desc *desc, int value)
* If we can't actively set the direction, we are some
* output-only chip, so just drive the output as desired.
*/
- ret = gpiochip_set(guard.gc, gpiod_hwgpio(desc), val);
+ ret = gpiochip_set(gc, gpiod_hwgpio(desc), val);
if (ret)
return ret;
}
@@ -3206,20 +3199,18 @@ int gpiod_direction_output_nonotify(struct gpio_desc *desc, int value)
int gpiod_enable_hw_timestamp_ns(struct gpio_desc *desc, unsigned long flags)
{
int ret;
+ struct gpio_chip *gc;
VALIDATE_DESC(desc);
- CLASS(gpio_chip_guard, guard)(desc);
- if (!guard.gc)
- return -ENODEV;
+ revocable_try_access_or_return(&desc->gdev->chip_rev, gc);
- if (!guard.gc->en_hw_timestamp) {
+ if (!gc->en_hw_timestamp) {
gpiod_warn(desc, "%s: hw ts not supported\n", __func__);
return -ENOTSUPP;
}
- ret = guard.gc->en_hw_timestamp(guard.gc,
- gpiod_hwgpio(desc), flags);
+ ret = gc->en_hw_timestamp(gc, gpiod_hwgpio(desc), flags);
if (ret)
gpiod_warn(desc, "%s: hw ts request failed\n", __func__);
@@ -3239,20 +3230,18 @@ EXPORT_SYMBOL_GPL(gpiod_enable_hw_timestamp_ns);
int gpiod_disable_hw_timestamp_ns(struct gpio_desc *desc, unsigned long flags)
{
int ret;
+ struct gpio_chip *gc;
VALIDATE_DESC(desc);
- CLASS(gpio_chip_guard, guard)(desc);
- if (!guard.gc)
- return -ENODEV;
+ revocable_try_access_or_return(&desc->gdev->chip_rev, gc);
- if (!guard.gc->dis_hw_timestamp) {
+ if (!gc->dis_hw_timestamp) {
gpiod_warn(desc, "%s: hw ts not supported\n", __func__);
return -ENOTSUPP;
}
- ret = guard.gc->dis_hw_timestamp(guard.gc, gpiod_hwgpio(desc),
- flags);
+ ret = gc->dis_hw_timestamp(gc, gpiod_hwgpio(desc), flags);
if (ret)
gpiod_warn(desc, "%s: hw ts release failed\n", __func__);
@@ -3516,31 +3505,29 @@ int gpiod_get_array_value_complex(bool raw, bool can_sleep,
unsigned long *mask, *bits;
int first, j;
- CLASS(gpio_chip_guard, guard)(desc_array[i]);
- if (!guard.gc)
- return -ENODEV;
+ revocable_try_access_or_return(&desc_array[i]->gdev->chip_rev, gc);
- if (likely(guard.gc->ngpio <= FASTPATH_NGPIO)) {
+ if (likely(gc->ngpio <= FASTPATH_NGPIO)) {
mask = fastpath_mask;
bits = fastpath_bits;
} else {
gfp_t flags = can_sleep ? GFP_KERNEL : GFP_ATOMIC;
- mask = bitmap_alloc(guard.gc->ngpio, flags);
+ mask = bitmap_alloc(gc->ngpio, flags);
if (!mask)
return -ENOMEM;
- bits = bitmap_alloc(guard.gc->ngpio, flags);
+ bits = bitmap_alloc(gc->ngpio, flags);
if (!bits) {
bitmap_free(mask);
return -ENOMEM;
}
}
- bitmap_zero(mask, guard.gc->ngpio);
+ bitmap_zero(mask, gc->ngpio);
if (!can_sleep)
- WARN_ON(guard.gc->can_sleep);
+ WARN_ON(gc->can_sleep);
/* collect all inputs belonging to the same chip */
first = i;
@@ -3555,9 +3542,9 @@ int gpiod_get_array_value_complex(bool raw, bool can_sleep,
i = find_next_zero_bit(array_info->get_mask,
array_size, i);
} while ((i < array_size) &&
- gpio_device_chip_cmp(desc_array[i]->gdev, guard.gc));
+ gpio_device_chip_cmp(desc_array[i]->gdev, gc));
- ret = gpio_chip_get_multiple(guard.gc, mask, bits);
+ ret = gpio_chip_get_multiple(gc, mask, bits);
if (ret) {
if (mask != fastpath_mask)
bitmap_free(mask);
@@ -3706,15 +3693,14 @@ EXPORT_SYMBOL_GPL(gpiod_get_array_value);
static int gpio_set_open_drain_value_commit(struct gpio_desc *desc, bool value)
{
int ret = 0, offset = gpiod_hwgpio(desc);
+ struct gpio_chip *gc;
- CLASS(gpio_chip_guard, guard)(desc);
- if (!guard.gc)
- return -ENODEV;
+ revocable_try_access_or_return(&desc->gdev->chip_rev, gc);
if (value) {
- ret = gpiochip_direction_input(guard.gc, offset);
+ ret = gpiochip_direction_input(gc, offset);
} else {
- ret = gpiochip_direction_output(guard.gc, offset, 0);
+ ret = gpiochip_direction_output(gc, offset, 0);
if (!ret)
set_bit(GPIOD_FLAG_IS_OUT, &desc->flags);
}
@@ -3735,17 +3721,16 @@ static int gpio_set_open_drain_value_commit(struct gpio_desc *desc, bool value)
static int gpio_set_open_source_value_commit(struct gpio_desc *desc, bool value)
{
int ret = 0, offset = gpiod_hwgpio(desc);
+ struct gpio_chip *gc;
- CLASS(gpio_chip_guard, guard)(desc);
- if (!guard.gc)
- return -ENODEV;
+ revocable_try_access_or_return(&desc->gdev->chip_rev, gc);
if (value) {
- ret = gpiochip_direction_output(guard.gc, offset, 1);
+ ret = gpiochip_direction_output(gc, offset, 1);
if (!ret)
set_bit(GPIOD_FLAG_IS_OUT, &desc->flags);
} else {
- ret = gpiochip_direction_input(guard.gc, offset);
+ ret = gpiochip_direction_input(gc, offset);
}
trace_gpio_direction(desc_to_gpio(desc), !value, ret);
if (ret < 0)
@@ -3758,15 +3743,15 @@ static int gpio_set_open_source_value_commit(struct gpio_desc *desc, bool value)
static int gpiod_set_raw_value_commit(struct gpio_desc *desc, bool value)
{
+ struct gpio_chip *gc;
+
if (unlikely(!test_bit(GPIOD_FLAG_IS_OUT, &desc->flags)))
return -EPERM;
- CLASS(gpio_chip_guard, guard)(desc);
- if (!guard.gc)
- return -ENODEV;
+ revocable_try_access_or_return(&desc->gdev->chip_rev, gc);
trace_gpio_value(desc_to_gpio(desc), 0, value);
- return gpiochip_set(guard.gc, gpiod_hwgpio(desc), value);
+ return gpiochip_set(gc, gpiod_hwgpio(desc), value);
}
/*
@@ -3861,31 +3846,30 @@ int gpiod_set_array_value_complex(bool raw, bool can_sleep,
unsigned long *mask, *bits;
int count = 0;
- CLASS(gpio_chip_guard, guard)(desc_array[i]);
- if (!guard.gc)
- return -ENODEV;
+ revocable_try_access_or_return(&desc_array[i]->gdev->chip_rev,
+ gc);
- if (likely(guard.gc->ngpio <= FASTPATH_NGPIO)) {
+ if (likely(gc->ngpio <= FASTPATH_NGPIO)) {
mask = fastpath_mask;
bits = fastpath_bits;
} else {
gfp_t flags = can_sleep ? GFP_KERNEL : GFP_ATOMIC;
- mask = bitmap_alloc(guard.gc->ngpio, flags);
+ mask = bitmap_alloc(gc->ngpio, flags);
if (!mask)
return -ENOMEM;
- bits = bitmap_alloc(guard.gc->ngpio, flags);
+ bits = bitmap_alloc(gc->ngpio, flags);
if (!bits) {
bitmap_free(mask);
return -ENOMEM;
}
}
- bitmap_zero(mask, guard.gc->ngpio);
+ bitmap_zero(mask, gc->ngpio);
if (!can_sleep)
- WARN_ON(guard.gc->can_sleep);
+ WARN_ON(gc->can_sleep);
do {
struct gpio_desc *desc = desc_array[i];
@@ -3924,10 +3908,10 @@ int gpiod_set_array_value_complex(bool raw, bool can_sleep,
i = find_next_zero_bit(array_info->set_mask,
array_size, i);
} while ((i < array_size) &&
- gpio_device_chip_cmp(desc_array[i]->gdev, guard.gc));
+ gpio_device_chip_cmp(desc_array[i]->gdev, gc));
/* push collected bits to outputs */
if (count != 0) {
- ret = gpiochip_set_multiple(guard.gc, mask, bits);
+ ret = gpiochip_set_multiple(gc, mask, bits);
if (ret)
return ret;
}
@@ -5107,18 +5091,16 @@ int gpiod_hog(struct gpio_desc *desc, const char *name,
struct gpio_desc *local_desc;
int hwnum;
int ret;
+ struct gpio_chip *gc;
- CLASS(gpio_chip_guard, guard)(desc);
- if (!guard.gc)
- return -ENODEV;
+ revocable_try_access_or_return(&desc->gdev->chip_rev, gc);
if (test_and_set_bit(GPIOD_FLAG_IS_HOGGED, &desc->flags))
return 0;
hwnum = gpiod_hwgpio(desc);
- local_desc = gpiochip_request_own_desc(guard.gc, hwnum, name,
- lflags, dflags);
+ local_desc = gpiochip_request_own_desc(gc, hwnum, name, lflags, dflags);
if (IS_ERR(local_desc)) {
clear_bit(GPIOD_FLAG_IS_HOGGED, &desc->flags);
ret = PTR_ERR(local_desc);
diff --git a/drivers/gpio/gpiolib.h b/drivers/gpio/gpiolib.h
index 4e2e98f61f5a..90ad9b7fdfdd 100644
--- a/drivers/gpio/gpiolib.h
+++ b/drivers/gpio/gpiolib.h
@@ -228,27 +228,6 @@ struct gpio_desc {
#define gpiod_not_found(desc) (IS_ERR(desc) && PTR_ERR(desc) == -ENOENT)
-struct gpio_chip_guard {
- struct gpio_device *gdev;
- struct gpio_chip *gc;
- int idx;
-};
-
-DEFINE_CLASS(gpio_chip_guard,
- struct gpio_chip_guard,
- srcu_read_unlock(&_T.gdev->srcu, _T.idx),
- ({
- struct gpio_chip_guard _guard;
-
- _guard.gdev = desc->gdev;
- _guard.idx = srcu_read_lock(&_guard.gdev->srcu);
- _guard.gc = srcu_dereference(_guard.gdev->chip,
- &_guard.gdev->srcu);
-
- _guard;
- }),
- struct gpio_desc *desc)
-
int gpiod_request(struct gpio_desc *desc, const char *label);
int gpiod_request_commit(struct gpio_desc *desc, const char *label);
void gpiod_free(struct gpio_desc *desc);
--
2.51.0
^ permalink raw reply related [flat|nested] 10+ messages in thread* [PATCH v9 6/9] gpio: Leverage revocable for accessing struct gpio_chip
2026-04-27 13:58 [PATCH v9 0/9] drivers/base: Introduce revocable Tzung-Bi Shih
` (4 preceding siblings ...)
2026-04-27 13:58 ` [PATCH v9 5/9] gpio: Remove gpio_chip_guard by using revocable Tzung-Bi Shih
@ 2026-04-27 13:58 ` Tzung-Bi Shih
2026-04-27 13:58 ` [PATCH v9 7/9] gpio: Remove unused `chip` and `srcu` in struct gpio_device Tzung-Bi Shih
` (2 subsequent siblings)
8 siblings, 0 replies; 10+ messages in thread
From: Tzung-Bi Shih @ 2026-04-27 13:58 UTC (permalink / raw)
To: Arnd Bergmann, Greg Kroah-Hartman, Bartosz Golaszewski,
Linus Walleij
Cc: Benson Leung, tzungbi, linux-kernel, chrome-platform, driver-core,
linux-doc, linux-gpio, Rafael J. Wysocki, Danilo Krummrich,
Jonathan Corbet, Shuah Khan, Laurent Pinchart, Wolfram Sang,
Jason Gunthorpe, Johan Hovold, Paul E . McKenney, Dan Williams
Struct gpio_device now provides a revocable provider to the underlying
struct gpio_chip. Leverage revocable for accessing the struct
gpio_chip.
Signed-off-by: Tzung-Bi Shih <tzungbi@kernel.org>
---
v9:
- New to the series.
- Rename "chip_rp" -> "chip_rev".
v4 - v8:
- Doesn't exist.
v3: https://lore.kernel.org/all/20260213092958.864411-11-tzungbi@kernel.org
- Change revocable API usages accordingly.
v2: https://lore.kernel.org/all/20260203061059.975605-11-tzungbi@kernel.org
- Separate from v1(a) for excluding gpio_chip_guard and combine v1(b).
v1(a):
- https://lore.kernel.org/all/20260116081036.352286-23-tzungbi@kernel.org
v1(b):
- https://lore.kernel.org/all/20260116081036.352286-19-tzungbi@kernel.org
---
drivers/gpio/gpiolib.c | 60 +++++++++++++-----------------------------
1 file changed, 18 insertions(+), 42 deletions(-)
diff --git a/drivers/gpio/gpiolib.c b/drivers/gpio/gpiolib.c
index 2cac1e15e1e5..798fd5f52745 100644
--- a/drivers/gpio/gpiolib.c
+++ b/drivers/gpio/gpiolib.c
@@ -335,7 +335,10 @@ EXPORT_SYMBOL(gpio_device_get_label);
*/
struct gpio_chip *gpio_device_get_chip(struct gpio_device *gdev)
{
- return rcu_dereference_check(gdev->chip, 1);
+ struct gpio_chip *gc;
+
+ revocable_try_access_with(&gdev->chip_rev, gc);
+ return gc;
}
EXPORT_SYMBOL_GPL(gpio_device_get_chip);
@@ -561,9 +564,7 @@ static struct gpio_desc *gpio_name_to_desc(const char * const name)
list_for_each_entry_srcu(gdev, &gpio_devices, list,
srcu_read_lock_held(&gpio_devices_srcu)) {
- guard(srcu)(&gdev->srcu);
-
- gc = srcu_dereference(gdev->chip, &gdev->srcu);
+ revocable_try_access_with(&gdev->chip_rev, gc);
if (!gc)
continue;
@@ -1050,9 +1051,7 @@ static void gpiochip_setup_devs(void)
list_for_each_entry_srcu(gdev, &gpio_devices, list,
srcu_read_lock_held(&gpio_devices_srcu)) {
- guard(srcu)(&gdev->srcu);
-
- gc = srcu_dereference(gdev->chip, &gdev->srcu);
+ revocable_try_access_with(&gdev->chip_rev, gc);
if (!gc) {
dev_err(&gdev->dev, "Underlying GPIO chip is gone\n");
continue;
@@ -1455,11 +1454,11 @@ struct gpio_device *gpio_device_find(const void *data,
if (!device_is_registered(&gdev->dev))
continue;
- guard(srcu)(&gdev->srcu);
-
- gc = srcu_dereference(gdev->chip, &gdev->srcu);
+ revocable_try_access_with(&gdev->chip_rev, gc);
+ if (!gc)
+ continue;
- if (gc && match(gc, data))
+ if (match(gc, data))
return gpio_device_get(gdev);
}
@@ -3402,18 +3401,10 @@ static int gpio_chip_get_value(struct gpio_chip *gc, const struct gpio_desc *des
static int gpiod_get_raw_value_commit(const struct gpio_desc *desc)
{
- struct gpio_device *gdev;
struct gpio_chip *gc;
int value;
- /* FIXME Unable to use gpio_chip_guard due to const desc. */
- gdev = desc->gdev;
-
- guard(srcu)(&gdev->srcu);
-
- gc = srcu_dereference(gdev->chip, &gdev->srcu);
- if (!gc)
- return -ENODEV;
+ revocable_try_access_or_return(&desc->gdev->chip_rev, gc);
value = gpio_chip_get_value(gc, desc);
value = value < 0 ? value : !!value;
@@ -3452,9 +3443,10 @@ static int gpio_chip_get_multiple(struct gpio_chip *gc,
/* The 'other' chip must be protected with its GPIO device's SRCU. */
static bool gpio_device_chip_cmp(struct gpio_device *gdev, struct gpio_chip *gc)
{
- guard(srcu)(&gdev->srcu);
+ struct gpio_chip *chip;
- return gc == srcu_dereference(gdev->chip, &gdev->srcu);
+ revocable_try_access_with(&gdev->chip_rev, chip);
+ return chip ? chip == gc : false;
}
int gpiod_get_array_value_complex(bool raw, bool can_sleep,
@@ -3477,11 +3469,7 @@ int gpiod_get_array_value_complex(bool raw, bool can_sleep,
if (!can_sleep)
WARN_ON(array_info->gdev->can_sleep);
- guard(srcu)(&array_info->gdev->srcu);
- gc = srcu_dereference(array_info->gdev->chip,
- &array_info->gdev->srcu);
- if (!gc)
- return -ENODEV;
+ revocable_try_access_or_return(&array_info->gdev->chip_rev, gc);
ret = gpio_chip_get_multiple(gc, array_info->get_mask,
value_bitmap);
@@ -3818,11 +3806,7 @@ int gpiod_set_array_value_complex(bool raw, bool can_sleep,
return -EPERM;
}
- guard(srcu)(&array_info->gdev->srcu);
- gc = srcu_dereference(array_info->gdev->chip,
- &array_info->gdev->srcu);
- if (!gc)
- return -ENODEV;
+ revocable_try_access_or_return(&array_info->gdev->chip_rev, gc);
if (!raw && !bitmap_empty(array_info->invert_mask, array_size))
bitmap_xor(value_bitmap, value_bitmap,
@@ -4117,7 +4101,6 @@ EXPORT_SYMBOL_GPL(gpiod_is_shared);
*/
int gpiod_to_irq(const struct gpio_desc *desc)
{
- struct gpio_device *gdev;
struct gpio_chip *gc;
int offset;
int ret;
@@ -4126,12 +4109,7 @@ int gpiod_to_irq(const struct gpio_desc *desc)
if (ret <= 0)
return -EINVAL;
- gdev = desc->gdev;
- /* FIXME Cannot use gpio_chip_guard due to const desc. */
- guard(srcu)(&gdev->srcu);
- gc = srcu_dereference(gdev->chip, &gdev->srcu);
- if (!gc)
- return -ENODEV;
+ revocable_try_access_or_return(&desc->gdev->chip_rev, gc);
offset = gpiod_hwgpio(desc);
if (gc->to_irq) {
@@ -5470,9 +5448,7 @@ static int gpiolib_seq_show(struct seq_file *s, void *v)
if (priv->newline)
seq_putc(s, '\n');
- guard(srcu)(&gdev->srcu);
-
- gc = srcu_dereference(gdev->chip, &gdev->srcu);
+ revocable_try_access_with(&gdev->chip_rev, gc);
if (!gc) {
seq_printf(s, "%s: (dangling chip)\n", dev_name(&gdev->dev));
return 0;
--
2.51.0
^ permalink raw reply related [flat|nested] 10+ messages in thread* [PATCH v9 7/9] gpio: Remove unused `chip` and `srcu` in struct gpio_device
2026-04-27 13:58 [PATCH v9 0/9] drivers/base: Introduce revocable Tzung-Bi Shih
` (5 preceding siblings ...)
2026-04-27 13:58 ` [PATCH v9 6/9] gpio: Leverage revocable for accessing struct gpio_chip Tzung-Bi Shih
@ 2026-04-27 13:58 ` Tzung-Bi Shih
2026-04-27 13:58 ` [PATCH v9 8/9] platform/chrome: Protect cros_ec_device lifecycle with revocable Tzung-Bi Shih
2026-04-27 13:58 ` [PATCH v9 9/9] platform/chrome: cros_ec_chardev: Consume cros_ec_device via revocable Tzung-Bi Shih
8 siblings, 0 replies; 10+ messages in thread
From: Tzung-Bi Shih @ 2026-04-27 13:58 UTC (permalink / raw)
To: Arnd Bergmann, Greg Kroah-Hartman, Bartosz Golaszewski,
Linus Walleij
Cc: Benson Leung, tzungbi, linux-kernel, chrome-platform, driver-core,
linux-doc, linux-gpio, Rafael J. Wysocki, Danilo Krummrich,
Jonathan Corbet, Shuah Khan, Laurent Pinchart, Wolfram Sang,
Jason Gunthorpe, Johan Hovold, Paul E . McKenney, Dan Williams
`chip` and `srcu` in struct gpio_device are unused as their usages are
replaced to use revocable. Remove them.
Signed-off-by: Tzung-Bi Shih <tzungbi@kernel.org>
---
v9:
- New to the series.
- No changes.
v4 - v8:
- Doesn't exist.
v3: https://lore.kernel.org/all/20260213092958.864411-12-tzungbi@kernel.org
- No changes.
v2: https://lore.kernel.org/all/20260203061059.975605-12-tzungbi@kernel.org
- No changes.
v1: https://lore.kernel.org/all/20260116081036.352286-24-tzungbi@kernel.org
---
drivers/gpio/gpiolib.c | 26 +-------------------------
drivers/gpio/gpiolib.h | 4 ----
2 files changed, 1 insertion(+), 29 deletions(-)
diff --git a/drivers/gpio/gpiolib.c b/drivers/gpio/gpiolib.c
index 798fd5f52745..5ea9e596282a 100644
--- a/drivers/gpio/gpiolib.c
+++ b/drivers/gpio/gpiolib.c
@@ -428,8 +428,6 @@ static int gpiochip_get_direction(struct gpio_chip *gc, unsigned int offset)
{
int ret;
- lockdep_assert_held(&gc->gpiodev->srcu);
-
if (WARN_ON(!gc->get_direction))
return -EOPNOTSUPP;
@@ -879,7 +877,6 @@ static void gpiodev_release(struct device *dev)
ida_free(&gpio_ida, gdev->id);
kfree_const(gdev->label);
kfree(gdev->descs);
- cleanup_srcu_struct(&gdev->srcu);
kfree(gdev);
}
@@ -1154,14 +1151,9 @@ int gpiochip_add_data_with_key(struct gpio_chip *gc, void *data,
goto err_free_gdev;
gdev->id = ret;
- ret = init_srcu_struct(&gdev->srcu);
- if (ret)
- goto err_free_ida;
- rcu_assign_pointer(gdev->chip, gc);
-
ret = init_srcu_struct(&gdev->desc_srcu);
if (ret)
- goto err_cleanup_gdev_srcu;
+ goto err_free_ida;
ret = dev_set_name(&gdev->dev, GPIOCHIP_NAME "%d", gdev->id);
if (ret)
@@ -1353,8 +1345,6 @@ int gpiochip_add_data_with_key(struct gpio_chip *gc, void *data,
err_cleanup_desc_srcu:
cleanup_srcu_struct(&gdev->desc_srcu);
-err_cleanup_gdev_srcu:
- cleanup_srcu_struct(&gdev->srcu);
err_free_ida:
ida_free(&gpio_ida, gdev->id);
err_free_gdev:
@@ -1391,8 +1381,6 @@ void gpiochip_remove(struct gpio_chip *gc)
synchronize_srcu(&gpio_devices_srcu);
/* Numb the device, cancelling all outstanding operations */
- rcu_assign_pointer(gdev->chip, NULL);
- synchronize_srcu(&gdev->srcu);
revocable_revoke(&gdev->chip_rev);
gpio_device_teardown_shared(gdev);
gpiochip_irqchip_remove(gc);
@@ -2903,8 +2891,6 @@ static int gpiochip_direction_input(struct gpio_chip *gc, unsigned int offset)
{
int ret;
- lockdep_assert_held(&gc->gpiodev->srcu);
-
if (WARN_ON(!gc->direction_input))
return -EOPNOTSUPP;
@@ -2920,8 +2906,6 @@ static int gpiochip_direction_output(struct gpio_chip *gc, unsigned int offset,
{
int ret;
- lockdep_assert_held(&gc->gpiodev->srcu);
-
if (WARN_ON(!gc->direction_output))
return -EOPNOTSUPP;
@@ -3009,8 +2993,6 @@ static int gpiochip_set(struct gpio_chip *gc, unsigned int offset, int value)
{
int ret;
- lockdep_assert_held(&gc->gpiodev->srcu);
-
if (WARN_ON(unlikely(!gc->set)))
return -EOPNOTSUPP;
@@ -3358,8 +3340,6 @@ static int gpiochip_get(struct gpio_chip *gc, unsigned int offset)
{
int ret;
- lockdep_assert_held(&gc->gpiodev->srcu);
-
/* Make sure this is called after checking for gc->get(). */
ret = gc->get(gc, offset);
if (ret > 1) {
@@ -3415,8 +3395,6 @@ static int gpiod_get_raw_value_commit(const struct gpio_desc *desc)
static int gpio_chip_get_multiple(struct gpio_chip *gc,
unsigned long *mask, unsigned long *bits)
{
- lockdep_assert_held(&gc->gpiodev->srcu);
-
if (gc->get_multiple) {
int ret;
@@ -3760,8 +3738,6 @@ static int gpiochip_set_multiple(struct gpio_chip *gc,
unsigned int i;
int ret;
- lockdep_assert_held(&gc->gpiodev->srcu);
-
if (gc->set_multiple) {
ret = gc->set_multiple(gc, mask, bits);
if (ret > 0)
diff --git a/drivers/gpio/gpiolib.h b/drivers/gpio/gpiolib.h
index 90ad9b7fdfdd..efbff4a1cd4e 100644
--- a/drivers/gpio/gpiolib.h
+++ b/drivers/gpio/gpiolib.h
@@ -32,7 +32,6 @@ struct fwnode_handle;
* @chrdev: character device for the GPIO device
* @id: numerical ID number for the GPIO chip
* @owner: helps prevent removal of modules exporting active GPIOs
- * @chip: pointer to the corresponding gpiochip, holding static
* data for this device
* @descs: array of ngpio descriptors.
* @valid_mask: If not %NULL, holds bitmask of GPIOs which are valid to be
@@ -55,7 +54,6 @@ struct fwnode_handle;
* process context
* @device_notifier: used to notify character device wait queues about the GPIO
* device being unregistered
- * @srcu: protects the pointer to the underlying GPIO chip
* @chip_rev: revocable provider handle for the corresponding struct gpio_chip.
* @pin_ranges: range of pins served by the GPIO driver
*
@@ -69,7 +67,6 @@ struct gpio_device {
struct cdev chrdev;
int id;
struct module *owner;
- struct gpio_chip __rcu *chip;
struct gpio_desc *descs;
unsigned long *valid_mask;
struct srcu_struct desc_srcu;
@@ -83,7 +80,6 @@ struct gpio_device {
rwlock_t line_state_lock;
struct workqueue_struct *line_state_wq;
struct blocking_notifier_head device_notifier;
- struct srcu_struct srcu;
struct revocable chip_rev;
#ifdef CONFIG_PINCTRL
--
2.51.0
^ permalink raw reply related [flat|nested] 10+ messages in thread* [PATCH v9 8/9] platform/chrome: Protect cros_ec_device lifecycle with revocable
2026-04-27 13:58 [PATCH v9 0/9] drivers/base: Introduce revocable Tzung-Bi Shih
` (6 preceding siblings ...)
2026-04-27 13:58 ` [PATCH v9 7/9] gpio: Remove unused `chip` and `srcu` in struct gpio_device Tzung-Bi Shih
@ 2026-04-27 13:58 ` Tzung-Bi Shih
2026-04-27 13:58 ` [PATCH v9 9/9] platform/chrome: cros_ec_chardev: Consume cros_ec_device via revocable Tzung-Bi Shih
8 siblings, 0 replies; 10+ messages in thread
From: Tzung-Bi Shih @ 2026-04-27 13:58 UTC (permalink / raw)
To: Arnd Bergmann, Greg Kroah-Hartman, Bartosz Golaszewski,
Linus Walleij
Cc: Benson Leung, tzungbi, linux-kernel, chrome-platform, driver-core,
linux-doc, linux-gpio, Rafael J. Wysocki, Danilo Krummrich,
Jonathan Corbet, Shuah Khan, Laurent Pinchart, Wolfram Sang,
Jason Gunthorpe, Johan Hovold, Paul E . McKenney, Dan Williams
The cros_ec_device can be unregistered when the underlying device is
removed. Other kernel drivers that interact with the EC may hold a
pointer to the cros_ec_device, creating a risk of a use-after-free
error if the EC device is removed while still being referenced.
To prevent this, leverage the revocable and convert the underlying
device drivers to resource providers of cros_ec_device.
Signed-off-by: Tzung-Bi Shih <tzungbi@kernel.org>
---
v9:
- New to the series.
- Change revocable API usages accordingly.
- Rename "revocable_provider" -> "its_rev".
v5 - v8:
- Doesn't exist.
v4: https://lore.kernel.org/all/20250923075302.591026-5-tzungbi@kernel.org
- No changes.
v3: https://lore.kernel.org/all/20250912081718.3827390-5-tzungbi@kernel.org
- Initialize the revocable provider in cros_ec_device_alloc() instead of
spreading in protocol device drivers.
v2: https://lore.kernel.org/all/20250820081645.847919-5-tzungbi@kernel.org
- Rename "ref_proxy" -> "revocable".
v1: https://lore.kernel.org/all/20250814091020.1302888-3-tzungbi@kernel.org
---
drivers/platform/chrome/cros_ec.c | 11 +++++++++++
include/linux/platform_data/cros_ec_proto.h | 3 +++
2 files changed, 14 insertions(+)
diff --git a/drivers/platform/chrome/cros_ec.c b/drivers/platform/chrome/cros_ec.c
index 1da79e3d215b..2702a1bbfeb5 100644
--- a/drivers/platform/chrome/cros_ec.c
+++ b/drivers/platform/chrome/cros_ec.c
@@ -16,6 +16,7 @@
#include <linux/platform_device.h>
#include <linux/platform_data/cros_ec_commands.h>
#include <linux/platform_data/cros_ec_proto.h>
+#include <linux/revocable.h>
#include <linux/slab.h>
#include <linux/suspend.h>
@@ -37,6 +38,7 @@ static void cros_ec_device_free(void *data)
mutex_destroy(&ec_dev->lock);
lockdep_unregister_key(&ec_dev->lockdep_key);
+ revocable_revoke(ec_dev->its_rev);
}
struct cros_ec_device *cros_ec_device_alloc(struct device *dev)
@@ -47,6 +49,15 @@ struct cros_ec_device *cros_ec_device_alloc(struct device *dev)
if (!ec_dev)
return NULL;
+ ec_dev->its_rev = revocable_alloc(ec_dev);
+ if (!ec_dev->its_rev)
+ return NULL;
+ /*
+ * Drop the extra reference for the caller as the caller is the
+ * resource provider.
+ */
+ revocable_put(ec_dev->its_rev);
+
ec_dev->din_size = sizeof(struct ec_host_response) +
sizeof(struct ec_response_get_protocol_info) +
EC_MAX_RESPONSE_OVERHEAD;
diff --git a/include/linux/platform_data/cros_ec_proto.h b/include/linux/platform_data/cros_ec_proto.h
index de14923720a5..e8c3bd03403c 100644
--- a/include/linux/platform_data/cros_ec_proto.h
+++ b/include/linux/platform_data/cros_ec_proto.h
@@ -12,6 +12,7 @@
#include <linux/lockdep_types.h>
#include <linux/mutex.h>
#include <linux/notifier.h>
+#include <linux/revocable.h>
#include <linux/platform_data/cros_ec_commands.h>
@@ -165,6 +166,7 @@ struct cros_ec_command {
* @pd: The platform_device used by the mfd driver to interface with the
* PD behind an EC.
* @panic_notifier: EC panic notifier.
+ * @its_rev: The revocable_provider to this device.
*/
struct cros_ec_device {
/* These are used by other drivers that want to talk to the EC */
@@ -211,6 +213,7 @@ struct cros_ec_device {
struct platform_device *pd;
struct blocking_notifier_head panic_notifier;
+ struct revocable *its_rev;
};
/**
--
2.51.0
^ permalink raw reply related [flat|nested] 10+ messages in thread* [PATCH v9 9/9] platform/chrome: cros_ec_chardev: Consume cros_ec_device via revocable
2026-04-27 13:58 [PATCH v9 0/9] drivers/base: Introduce revocable Tzung-Bi Shih
` (7 preceding siblings ...)
2026-04-27 13:58 ` [PATCH v9 8/9] platform/chrome: Protect cros_ec_device lifecycle with revocable Tzung-Bi Shih
@ 2026-04-27 13:58 ` Tzung-Bi Shih
8 siblings, 0 replies; 10+ messages in thread
From: Tzung-Bi Shih @ 2026-04-27 13:58 UTC (permalink / raw)
To: Arnd Bergmann, Greg Kroah-Hartman, Bartosz Golaszewski,
Linus Walleij
Cc: Benson Leung, tzungbi, linux-kernel, chrome-platform, driver-core,
linux-doc, linux-gpio, Rafael J. Wysocki, Danilo Krummrich,
Jonathan Corbet, Shuah Khan, Laurent Pinchart, Wolfram Sang,
Jason Gunthorpe, Johan Hovold, Paul E . McKenney, Dan Williams
The cros_ec_chardev driver provides a character device interface to the
ChromeOS EC. A file handle to this device can remain open in userspace
even if the underlying EC device is removed.
This creates a classic use-after-free vulnerability. Any file operation
(ioctl, release, etc.) on the open handle after the EC device has gone
would access a stale pointer, leading to a system crash.
To prevent this, leverage the revocable and convert cros_ec_chardev to a
resource consumer of cros_ec_device.
Signed-off-by: Tzung-Bi Shih <tzungbi@kernel.org>
---
v9:
- New to the series.
- Change revocable API usages accordingly.
v4 - v8:
- Doesn't exist.
v3: https://lore.kernel.org/all/20250912081718.3827390-6-tzungbi@kernel.org
- Use specific labels for different cleanup in cros_ec_chardev_open().
v2: https://lore.kernel.org/all/20250820081645.847919-6-tzungbi@kernel.org
- Rename "ref_proxy" -> "revocable".
- Fix a sparse warning by removing the redundant __rcu annotation.
v1: https://lore.kernel.org/all/20250814091020.1302888-4-tzungbi@kernel.org
---
drivers/platform/chrome/cros_ec_chardev.c | 80 +++++++++++++++++------
1 file changed, 61 insertions(+), 19 deletions(-)
diff --git a/drivers/platform/chrome/cros_ec_chardev.c b/drivers/platform/chrome/cros_ec_chardev.c
index 002be3352100..c597dc92d519 100644
--- a/drivers/platform/chrome/cros_ec_chardev.c
+++ b/drivers/platform/chrome/cros_ec_chardev.c
@@ -22,6 +22,7 @@
#include <linux/platform_data/cros_ec_proto.h>
#include <linux/platform_device.h>
#include <linux/poll.h>
+#include <linux/revocable.h>
#include <linux/slab.h>
#include <linux/types.h>
#include <linux/uaccess.h>
@@ -32,7 +33,7 @@
#define CROS_MAX_EVENT_LEN PAGE_SIZE
struct chardev_priv {
- struct cros_ec_device *ec_dev;
+ struct revocable *rev;
struct notifier_block notifier;
wait_queue_head_t wait_event;
unsigned long event_mask;
@@ -55,6 +56,7 @@ static int ec_get_version(struct chardev_priv *priv, char *str, int maxlen)
};
struct ec_response_get_version *resp;
struct cros_ec_command *msg;
+ struct cros_ec_device *ec_dev;
int ret;
msg = kzalloc(sizeof(*msg) + sizeof(*resp), GFP_KERNEL);
@@ -64,12 +66,19 @@ static int ec_get_version(struct chardev_priv *priv, char *str, int maxlen)
msg->command = EC_CMD_GET_VERSION + priv->cmd_offset;
msg->insize = sizeof(*resp);
- ret = cros_ec_cmd_xfer_status(priv->ec_dev, msg);
- if (ret < 0) {
- snprintf(str, maxlen,
- "Unknown EC version, returned error: %d\n",
- msg->result);
- goto exit;
+ revocable_try_access_with_scoped(priv->rev, ec_dev) {
+ if (!ec_dev) {
+ ret = -ENODEV;
+ goto exit;
+ }
+
+ ret = cros_ec_cmd_xfer_status(ec_dev, msg);
+ if (ret < 0) {
+ snprintf(str, maxlen,
+ "Unknown EC version, returned error: %d\n",
+ msg->result);
+ goto exit;
+ }
}
resp = (struct ec_response_get_version *)msg->data;
@@ -92,10 +101,15 @@ static int cros_ec_chardev_mkbp_event(struct notifier_block *nb,
{
struct chardev_priv *priv = container_of(nb, struct chardev_priv,
notifier);
- struct cros_ec_device *ec_dev = priv->ec_dev;
+ struct cros_ec_device *ec_dev;
struct ec_event *event;
- unsigned long event_bit = 1 << ec_dev->event_data.event_type;
- int total_size = sizeof(*event) + ec_dev->event_size;
+ unsigned long event_bit;
+ int total_size;
+
+ revocable_try_access_or_return_err(priv->rev, ec_dev, NOTIFY_DONE);
+
+ event_bit = 1 << ec_dev->event_data.event_type;
+ total_size = sizeof(*event) + ec_dev->event_size;
if (!(event_bit & priv->event_mask) ||
(priv->event_len + total_size) > CROS_MAX_EVENT_LEN)
@@ -166,7 +180,8 @@ static int cros_ec_chardev_open(struct inode *inode, struct file *filp)
if (!priv)
return -ENOMEM;
- priv->ec_dev = ec_dev;
+ priv->rev = ec_dev->its_rev;
+ revocable_get(priv->rev);
priv->cmd_offset = ec->cmd_offset;
filp->private_data = priv;
INIT_LIST_HEAD(&priv->events);
@@ -178,6 +193,7 @@ static int cros_ec_chardev_open(struct inode *inode, struct file *filp)
&priv->notifier);
if (ret) {
dev_err(ec_dev->dev, "failed to register event notifier\n");
+ revocable_put(priv->rev);
kfree(priv);
}
@@ -251,11 +267,13 @@ static ssize_t cros_ec_chardev_read(struct file *filp, char __user *buffer,
static int cros_ec_chardev_release(struct inode *inode, struct file *filp)
{
struct chardev_priv *priv = filp->private_data;
- struct cros_ec_device *ec_dev = priv->ec_dev;
+ struct cros_ec_device *ec_dev;
struct ec_event *event, *e;
- blocking_notifier_chain_unregister(&ec_dev->event_notifier,
- &priv->notifier);
+ revocable_try_access_or_skip_scoped(priv->rev, ec_dev)
+ blocking_notifier_chain_unregister(&ec_dev->event_notifier,
+ &priv->notifier);
+ revocable_put(priv->rev);
list_for_each_entry_safe(event, e, &priv->events, node) {
list_del(&event->node);
@@ -273,6 +291,7 @@ static long cros_ec_chardev_ioctl_xcmd(struct chardev_priv *priv, void __user *a
{
struct cros_ec_command *s_cmd;
struct cros_ec_command u_cmd;
+ struct cros_ec_device *ec_dev;
long ret;
if (copy_from_user(&u_cmd, arg, sizeof(u_cmd)))
@@ -299,10 +318,17 @@ static long cros_ec_chardev_ioctl_xcmd(struct chardev_priv *priv, void __user *a
}
s_cmd->command += priv->cmd_offset;
- ret = cros_ec_cmd_xfer(priv->ec_dev, s_cmd);
- /* Only copy data to userland if data was received. */
- if (ret < 0)
- goto exit;
+ revocable_try_access_with_scoped(priv->rev, ec_dev) {
+ if (!ec_dev) {
+ ret = -ENODEV;
+ goto exit;
+ }
+
+ ret = cros_ec_cmd_xfer(ec_dev, s_cmd);
+ /* Only copy data to userland if data was received. */
+ if (ret < 0)
+ goto exit;
+ }
if (copy_to_user(arg, s_cmd, sizeof(*s_cmd) + s_cmd->insize))
ret = -EFAULT;
@@ -313,10 +339,12 @@ static long cros_ec_chardev_ioctl_xcmd(struct chardev_priv *priv, void __user *a
static long cros_ec_chardev_ioctl_readmem(struct chardev_priv *priv, void __user *arg)
{
- struct cros_ec_device *ec_dev = priv->ec_dev;
+ struct cros_ec_device *ec_dev;
struct cros_ec_readmem s_mem = { };
long num;
+ revocable_try_access_or_return(priv->rev, ec_dev);
+
/* Not every platform supports direct reads */
if (!ec_dev->cmd_readmem)
return -ENOTTY;
@@ -370,11 +398,25 @@ static const struct file_operations chardev_fops = {
#endif
};
+static void cros_ec_chardev_free(void *data)
+{
+ struct revocable *rev = data;
+
+ revocable_put(rev);
+}
+
static int cros_ec_chardev_probe(struct platform_device *pdev)
{
struct cros_ec_dev *ec = dev_get_drvdata(pdev->dev.parent);
struct cros_ec_platform *ec_platform = dev_get_platdata(ec->dev);
+ struct revocable *rev = ec->ec_dev->its_rev;
struct miscdevice *misc;
+ int ret;
+
+ revocable_get(rev);
+ ret = devm_add_action_or_reset(&pdev->dev, cros_ec_chardev_free, rev);
+ if (ret)
+ return ret;
/* Create a char device: we want to create it anew */
misc = devm_kzalloc(&pdev->dev, sizeof(*misc), GFP_KERNEL);
--
2.51.0
^ permalink raw reply related [flat|nested] 10+ messages in thread