Struct gpio_device now provides a revocable provider to the underlying struct gpio_chip. Leverage revocable for accessing the struct gpio_chip.
Signed-off-by: Tzung-Bi Shih <[email protected]> --- v3: - Change revocable API usages accordingly. v2: https://lore.kernel.org/all/[email protected] - Change usages accordingly after applying https://lore.kernel.org/all/[email protected]. - Preserve a local storage for `struct revocable`. - Combine multiple patches (see "v1:"). - Fix a race condition reported in https://lore.kernel.org/all/CAMRc=mcdaipt85ohm0mkslkuf6e79dy1unsqqbcjnoqtus8...@mail.gmail.com/ and analyzed in https://lore.kernel.org/all/aXEEUWwkxHZzCnaI@tzungbi-laptop/. In v1, the blocking_notifier_chain_unregister() will be skipped if the chip has been removed, leading an UAF in gpiolib_cdev_unregister(). In v2, it won't skip blocking_notifier_chain_unregister(). v1: - https://lore.kernel.org/all/[email protected] - https://lore.kernel.org/all/[email protected] - https://lore.kernel.org/all/[email protected] - https://lore.kernel.org/all/[email protected] - https://lore.kernel.org/all/[email protected] drivers/gpio/gpiolib-cdev.c | 68 ++++++++++++++----------------------- 1 file changed, 26 insertions(+), 42 deletions(-)
diff --git a/drivers/gpio/gpiolib-cdev.c b/drivers/gpio/gpiolib-cdev.c
index 2e3484a89a3b..b491e2737ef2 100644
--- a/drivers/gpio/gpiolib-cdev.c
+++ b/drivers/gpio/gpiolib-cdev.c
@@ -22,6 +22,7 @@
 #include <linux/overflow.h>
 #include <linux/pinctrl/consumer.h>
 #include <linux/poll.h>
+#include <linux/revocable.h>
 #include <linux/seq_file.h>
 #include <linux/spinlock.h>
 #include <linux/string.h>
@@ -210,11 +211,9 @@ static long linehandle_ioctl(struct file *file, unsigned int cmd,
 DECLARE_BITMAP(vals, GPIOHANDLES_MAX);
 unsigned int i;
 int ret;
+ struct gpio_chip *gc;
- guard(srcu)(&lh->gdev->srcu);
-
- if (!rcu_access_pointer(lh->gdev->chip))
- return -ENODEV;
+ revocable_try_access_or_return(lh->gdev->chip_rp, gc);
 switch (cmd) {
 case GPIOHANDLE_GET_LINE_VALUES_IOCTL:
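Review bot: In the linehandle_ioctl hunk, `revocable_try_access_or_return(lh->gdev->chip_rp, gc);` hides both the early return and the errno behind a macro, where the removed lines returned `-ENODEV` explicitly. That errno is what userspace sees once the chip is unregistered, so it should be confirmed against the macro definition (not part of this patch) and then stated at the call site, for example `/* Returns -ENODEV from here if the chip is gone; gc only pins the chip. */`. `gc` is not read anywhere in the visible part of the hunk, so the comment would also explain why the local exists. The same applies to the linereq_ioctl, linereq_read, lineevent_read, lineevent_ioctl, gpio_ioctl and lineinfo_watch_read hunks; all of these function bodies continue outside their hunks.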
@@ -1432,11 +1431,9 @@ static long linereq_ioctl(struct file *file, unsigned int cmd,
 {
 struct linereq *lr = file->private_data;
 void __user *ip = (void __user *)arg;
+ struct gpio_chip *gc;
- guard(srcu)(&lr->gdev->srcu);
-
- if (!rcu_access_pointer(lr->gdev->chip))
- return -ENODEV;
+ revocable_try_access_or_return(lr->gdev->chip_rp, gc);
 switch (cmd) {
 case GPIO_V2_LINE_GET_VALUES_IOCTL:
@@ -1463,10 +1460,10 @@ static __poll_t linereq_poll(struct file *file,
 {
 struct linereq *lr = file->private_data;
 __poll_t events = 0;
+ struct gpio_chip *gc;
- guard(srcu)(&lr->gdev->srcu);
-
- if (!rcu_access_pointer(lr->gdev->chip))
+ revocable_try_access_with(lr->gdev->chip_rp, gc);
+ if (!gc)
 return EPOLLHUP | EPOLLERR;
 poll_wait(file, &lr->wait, wait);
@@ -1485,11 +1482,9 @@ static ssize_t linereq_read(struct file *file, char __user *buf,
 struct gpio_v2_line_event le;
 ssize_t bytes_read = 0;
 int ret;
+ struct gpio_chip *gc;
- guard(srcu)(&lr->gdev->srcu);
-
- if (!rcu_access_pointer(lr->gdev->chip))
- return -ENODEV;
+ revocable_try_access_or_return(lr->gdev->chip_rp, gc);
 if (count < sizeof(le))
 return -EINVAL;
@@ -1781,10 +1776,10 @@ static __poll_t lineevent_poll(struct file *file,
 {
 struct lineevent_state *le = file->private_data;
 __poll_t events = 0;
+ struct gpio_chip *gc;
- guard(srcu)(&le->gdev->srcu);
-
- if (!rcu_access_pointer(le->gdev->chip))
+ revocable_try_access_with(le->gdev->chip_rp, gc);
+ if (!gc)
 return EPOLLHUP | EPOLLERR;
 poll_wait(file, &le->wait, wait);
@@ -1819,11 +1814,9 @@ static ssize_t lineevent_read(struct file *file, char __user *buf,
 ssize_t bytes_read = 0;
 ssize_t ge_size;
 int ret;
+ struct gpio_chip *gc;
- guard(srcu)(&le->gdev->srcu);
-
- if (!rcu_access_pointer(le->gdev->chip))
- return -ENODEV;
+ revocable_try_access_or_return(le->gdev->chip_rp, gc);
 /*
 * When compatible system call is being used the struct gpioevent_data,
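Review bot: In the linereq_poll hunk, `gc` is declared without an initializer and tested with `if (!gc)` on the very next statement, so the hangup path depends on `revocable_try_access_with()` storing NULL into `gc` when the provider has been revoked. The macro is not shown in this patch; if that is its contract, a one-line comment such as `/* gc is NULL if the chip has been revoked */` would make the check self-explanatory, and otherwise `struct gpio_chip *gc = NULL;` is the safer declaration. The lineevent_poll and lineinfo_watch_poll hunks use the same pattern. The function bodies continue outside the hunks.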
@@ -1901,11 +1894,9 @@ static long lineevent_ioctl(struct file *file, unsigned int cmd,
 struct lineevent_state *le = file->private_data;
 void __user *ip = (void __user *)arg;
 struct gpiohandle_data ghd;
+ struct gpio_chip *gc;
- guard(srcu)(&le->gdev->srcu);
-
- if (!rcu_access_pointer(le->gdev->chip))
- return -ENODEV;
+ revocable_try_access_or_return(le->gdev->chip_rp, gc);
 /*
 * We can get the value for an event line but not set it,
@@ -2434,12 +2425,10 @@ static long gpio_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
 struct gpio_chardev_data *cdev = file->private_data;
 struct gpio_device *gdev = cdev->gdev;
 void __user *ip = (void __user *)arg;
-
- guard(srcu)(&gdev->srcu);
+ struct gpio_chip *gc;
 /* We fail any subsequent ioctl():s when the chip is gone */
- if (!rcu_access_pointer(gdev->chip))
- return -ENODEV;
+ revocable_try_access_or_return(gdev->chip_rp, gc);
 /* Fill in the struct and pass to userspace */
 switch (cmd) {
@@ -2497,12 +2486,9 @@ static void lineinfo_changed_func(struct work_struct *work)
 * Pin functions are in general much more static and while it's
 * not 100% bullet-proof, it's good enough for most cases.
 */
- scoped_guard(srcu, &ctx->gdev->srcu) {
- gc = srcu_dereference(ctx->gdev->chip, &ctx->gdev->srcu);
- if (gc &&
- !pinctrl_gpio_can_use_line(gc, ctx->chg.info.offset))
+ revocable_try_access_with_scoped(ctx->gdev->chip_rp, gc)
+ if (!pinctrl_gpio_can_use_line(gc, ctx->chg.info.offset))
 ctx->chg.info.flags |= GPIO_V2_LINE_FLAG_USED;
- }
 }
 ret = kfifo_in_spinlocked(&ctx->cdev->events, &ctx->chg, 1,
@@ -2583,10 +2569,10 @@ static __poll_t lineinfo_watch_poll(struct file *file,
 {
 struct gpio_chardev_data *cdev = file->private_data;
 __poll_t events = 0;
+ struct gpio_chip *gc;
- guard(srcu)(&cdev->gdev->srcu);
-
- if (!rcu_access_pointer(cdev->gdev->chip))
+ revocable_try_access_with(cdev->gdev->chip_rp, gc);
+ if (!gc)
 return EPOLLHUP | EPOLLERR;
 poll_wait(file, &cdev->wait, pollt);
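Review bot: In the lineinfo_changed_func hunk the removed `gc &&` guard has no replacement, so `pinctrl_gpio_can_use_line(gc, ...)` is reached whenever the body of `revocable_try_access_with_scoped()` runs. The poll handlers in this patch test `if (!gc)` after `revocable_try_access_with()`, which suggests a failed access leaves `gc` NULL; unless the scoped variant is guaranteed to skip its body in that case (its definition is not part of this patch), this worker can hand a NULL chip to pinctrl after the device has been unregistered. Keeping the check, `if (gc && !pinctrl_gpio_can_use_line(gc, ctx->chg.info.offset))`, is cheap, and braces around the scoped body would make the nesting of the unbraced `if` under the macro obvious. The enclosing function starts and ends outside the hunk.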
@@ -2606,11 +2592,9 @@ static ssize_t lineinfo_watch_read(struct file *file, char __user *buf,
 ssize_t bytes_read = 0;
 int ret;
 size_t event_size;
+ struct gpio_chip *gc;
- guard(srcu)(&cdev->gdev->srcu);
-
- if (!rcu_access_pointer(cdev->gdev->chip))
- return -ENODEV;
+ revocable_try_access_or_return(cdev->gdev->chip_rp, gc);
 #ifndef CONFIG_GPIO_CDEV_V1
 event_size = sizeof(struct gpio_v2_line_info_changed);
-- 2.53.0.310.g728cabbaf7-goog

