| Message ID | 20250210-gpio-sanitize-retvals-v1-4-12ea88506cb2@linaro.org |
|---|---|
| State | New |
| Headers | show |
| Series | gpiolib: sanitize return values of callbacks | expand |
On Mon, Feb 10, 2025 at 11:51:58AM +0100, Bartosz Golaszewski wrote: > From: Bartosz Golaszewski <bartosz.golaszewski@linaro.org> > > As per the API contract, the get() callback is only allowed to return 0, > 1 or a negative error number. Add a wrapper around the callback calls > that filters out anything else. ... > +static int gpiochip_get(struct gpio_chip *gc, unsigned int offset) > +{ > + int ret; > + > + lockdep_assert_held(&gc->gpiodev->srcu); > + > + if (!gc->get) > + return -EIO; > + > + ret = gc->get(gc, offset); > + if (ret > 1) Perhaps use the respective GPIO macro instead? Otherwise it's not clear what the meaning of 1 is. > + ret = -EBADE; > + > + return ret; > +} > + > static int gpio_chip_get_value(struct gpio_chip *gc, const struct gpio_desc *desc) > { > - return gc->get ? gc->get(gc, gpio_chip_hwgpio(desc)) : -EIO; > + return gpiochip_get(gc, gpio_chip_hwgpio(desc)); > } ... > for_each_set_bit(i, mask, gc->ngpio) { > - value = gc->get(gc, i); > + value = gpiochip_get(gc, i); This will delay the function for checking every time if the get() exists. Which must be here. > if (value < 0) > return value; > __assign_bit(i, bits, value); What I would expect here is something like this: static int gpio_chip_get_value_nocheck(struct gpio_chip *gc, unsigned int offset) { int ret; lockdep_assert_held(&gc->gpiodev->srcu); ret = gc->get(gc, offset); if (ret > GPIO_LINE_DIRECTION_IN) ret = -EBADE; return ret; } static int gpio_chip_get_value(struct gpio_chip *gc, const struct gpio_desc *desc) { return gc->get ? gpio_chip_get_value_nocheck(gc, gpio_chip_hwgpio(desc)) : -EIO; } But I see the downside of it as it might lurk without RCU lock if get is not defined. So, up to you.
On Mon, Feb 24, 2025 at 5:30 PM Andy Shevchenko <andriy.shevchenko@intel.com> wrote: > > On Mon, Feb 10, 2025 at 11:51:58AM +0100, Bartosz Golaszewski wrote: > > From: Bartosz Golaszewski <bartosz.golaszewski@linaro.org> > > > > As per the API contract, the get() callback is only allowed to return 0, > > 1 or a negative error number. Add a wrapper around the callback calls > > that filters out anything else. > > ... > > > +static int gpiochip_get(struct gpio_chip *gc, unsigned int offset) > > +{ > > + int ret; > > + > > + lockdep_assert_held(&gc->gpiodev->srcu); > > + > > + if (!gc->get) > > + return -EIO; > > + > > + ret = gc->get(gc, offset); > > + if (ret > 1) > > Perhaps use the respective GPIO macro instead? Otherwise it's not clear what > the meaning of 1 is. > We don't have one for GPIO values. > > + ret = -EBADE; > > + > > + return ret; > > +} > > + > > static int gpio_chip_get_value(struct gpio_chip *gc, const struct gpio_desc *desc) > > { > > - return gc->get ? gc->get(gc, gpio_chip_hwgpio(desc)) : -EIO; > > + return gpiochip_get(gc, gpio_chip_hwgpio(desc)); > > } > > ... > > > for_each_set_bit(i, mask, gc->ngpio) { > > - value = gc->get(gc, i); > > + value = gpiochip_get(gc, i); > > This will delay the function for checking every time if the get() exists. Which > must be here. > > > if (value < 0) > > return value; > > __assign_bit(i, bits, value); > > What I would expect here is something like this: > > static int gpio_chip_get_value_nocheck(struct gpio_chip *gc, unsigned int offset) > { > int ret; > > lockdep_assert_held(&gc->gpiodev->srcu); > > ret = gc->get(gc, offset); > if (ret > GPIO_LINE_DIRECTION_IN) > ret = -EBADE; > > return ret; > } > > static int gpio_chip_get_value(struct gpio_chip *gc, const struct gpio_desc *desc) > { > return gc->get ? gpio_chip_get_value_nocheck(gc, gpio_chip_hwgpio(desc)) : -EIO; > } > > But I see the downside of it as it might lurk without RCU lock if get is not > defined. So, up to you. > Makes sense, gpiochip_get() is only called in gpio_chip_get_value() and gpiochip_get_multiple() where gc->get is already checked. Bart
diff --git a/drivers/gpio/gpiolib.c b/drivers/gpio/gpiolib.c index 95ea300da109..7bc316154fdc 100644 --- a/drivers/gpio/gpiolib.c +++ b/drivers/gpio/gpiolib.c @@ -3097,9 +3097,25 @@ void gpiod_toggle_active_low(struct gpio_desc *desc) } EXPORT_SYMBOL_GPL(gpiod_toggle_active_low); +static int gpiochip_get(struct gpio_chip *gc, unsigned int offset) +{ + int ret; + + lockdep_assert_held(&gc->gpiodev->srcu); + + if (!gc->get) + return -EIO; + + ret = gc->get(gc, offset); + if (ret > 1) + ret = -EBADE; + + return ret; +} + static int gpio_chip_get_value(struct gpio_chip *gc, const struct gpio_desc *desc) { - return gc->get ? gc->get(gc, gpio_chip_hwgpio(desc)) : -EIO; + return gpiochip_get(gc, gpio_chip_hwgpio(desc)); } /* I/O calls are only valid after configuration completed; the relevant @@ -3154,7 +3170,7 @@ static int gpio_chip_get_multiple(struct gpio_chip *gc, int i, value; for_each_set_bit(i, mask, gc->ngpio) { - value = gc->get(gc, i); + value = gpiochip_get(gc, i); if (value < 0) return value; __assign_bit(i, bits, value);