|
|
Log in / Subscribe / Register

drivers/base: Introduce revocable

From:  Tzung-Bi Shih <tzungbi-AT-kernel.org>
To:  Arnd Bergmann <arnd-AT-arndb.de>, Greg Kroah-Hartman <gregkh-AT-linuxfoundation.org>, Bartosz Golaszewski <brgl-AT-kernel.org>, Linus Walleij <linusw-AT-kernel.org>
Subject:  [PATCH v9 0/9] drivers/base: Introduce revocable
Date:  Mon, 27 Apr 2026 21:58:32 +0800
Message-ID:  <20260427135841.96266-1-tzungbi@kernel.org>
Cc:  Benson Leung <bleung-AT-chromium.org>, tzungbi-AT-kernel.org, linux-kernel-AT-vger.kernel.org, chrome-platform-AT-lists.linux.dev, driver-core-AT-lists.linux.dev, linux-doc-AT-vger.kernel.org, linux-gpio-AT-vger.kernel.org, "Rafael J. Wysocki" <rafael-AT-kernel.org>, Danilo Krummrich <dakr-AT-kernel.org>, Jonathan Corbet <corbet-AT-lwn.net>, Shuah Khan <shuah-AT-kernel.org>, Laurent Pinchart <laurent.pinchart-AT-ideasonboard.com>, Wolfram Sang <wsa+renesas-AT-sang-engineering.com>, Jason Gunthorpe <jgg-AT-nvidia.com>, Johan Hovold <johan-AT-kernel.org>, "Paul E . McKenney" <paulmck-AT-kernel.org>, Dan Williams <dan.j.williams-AT-intel.com>
Archive-link:  Article

This series introduces the "revocable" mechanism, a synchronization
primitive designed to prevent Use-After-Free errors.

- Patch 1 introduces the revocable which is an implementation of ideas
  from the talk [1].

- Patch 2 adds KUnit test cases.

- Patches 3 to 7 transitions the UAF prevention logic within the GPIO
  core (gpiolib) to use the "revocable" mechanism.

  The existing code aims to prevent UAF issues when the underlying GPIO
  chip is removed.  They replace that custom logic with the generic
  "revocable" API, which is designed to handle such lifecycle
  dependencies.  There should be no changes in behavior.

- Patches 8 to 9 uses "revocable" mechanism to fix an UAF in
  cros_ec_chardev driver.  Alternatively, [2] is a series for fixing the
  same issue without using "revocable".

Since v9, there are two ways to manage the resource provider handle.
- Embedded allocation: patches 3 to 7 might be the potential user.
- Dynamic allocation: patches 8 to 9 might be the potential user.

[1] https://lpc.events/event/17/contributions/1627/
[2] https://lore.kernel.org/all/20260427134659.95181-1-tzungb...

---
v9:
- Rebase onto v7.1-rc1.
- Remove the selftests patch as it makes less sense to test revocable
  APIs via kselftests.
- Merge patches 7 to 11 from
  https://lore.kernel.org/all/20260213092958.864411-1-tzung...
  into the series.
- Merge patch from
  https://lore.kernel.org/all/20250923075302.591026-5-tzung...
- Merge patch from
  https://lore.kernel.org/all/20250912081718.3827390-6-tzun...

v8: https://lore.kernel.org/all/20260213092307.858908-1-tzung...
- Rework on the revocable APIs.  See changelog in [PATCH v8 1/3] for details.

v7: https://lore.kernel.org/all/20260116080235.350305-1-tzung...
- Rebase onto next-20260115.

v6: https://lore.kernel.org/all/20251106152330.11733-1-tzungb...
- Rebase onto next-20251106.
- Separate revocable core and use cases.

v5: https://lore.kernel.org/all/20251016054204.1523139-1-tzun...
- Rebase onto next-20251015.
- Add more context about the PoC.
- Support multiple revocable providers in the PoC.

v4: https://lore.kernel.org/all/20250923075302.591026-1-tzung...
- Rebase onto next-20250922.
- Remove the 5th patch from v3.
- Add fops replacement PoC in 5th - 7th patches.

v3: https://lore.kernel.org/all/20250912081718.3827390-1-tzun...
- Rebase onto https://lore.kernel.org/all/20250828083601.856083-1-tzung...
  and next-20250912.
- The 4th patch changed accordingly.

v2: https://lore.kernel.org/all/20250820081645.847919-1-tzung...
- Rename "ref_proxy" -> "revocable".
- Add test cases in Kunit and selftest.

v1: https://lore.kernel.org/all/20250814091020.1302888-1-tzun...

Tzung-Bi Shih (9):
  revocable: Revocable resource management
  revocable: Add KUnit test cases
  gpio: Add revocable provider handle for struct gpio_chip
  gpio: cdev: Leverage revocable for accessing struct gpio_chip
  gpio: Remove gpio_chip_guard by using revocable
  gpio: Leverage revocable for accessing struct gpio_chip
  gpio: Remove unused `chip` and `srcu` in struct gpio_device
  platform/chrome: Protect cros_ec_device lifecycle with revocable
  platform/chrome: cros_ec_chardev: Consume cros_ec_device via revocable

 .../driver-api/driver-model/index.rst         |   1 +
 .../driver-api/driver-model/revocable.rst     | 384 +++++++++++++++
 MAINTAINERS                                   |  10 +
 drivers/base/Kconfig                          |   5 +
 drivers/base/Makefile                         |   5 +-
 drivers/base/revocable.c                      | 298 +++++++++++
 drivers/base/revocable_test.c                 | 461 ++++++++++++++++++
 drivers/gpio/gpiolib-cdev.c                   |  77 ++-
 drivers/gpio/gpiolib-sysfs.c                  |  31 +-
 drivers/gpio/gpiolib.c                        | 255 ++++------
 drivers/gpio/gpiolib.h                        |  28 +-
 drivers/platform/chrome/cros_ec.c             |  11 +
 drivers/platform/chrome/cros_ec_chardev.c     |  80 ++-
 include/linux/platform_data/cros_ec_proto.h   |   3 +
 include/linux/revocable.h                     | 214 ++++++++
 15 files changed, 1597 insertions(+), 266 deletions(-)
 create mode 100644 Documentation/driver-api/driver-model/revocable.rst
 create mode 100644 drivers/base/revocable.c
 create mode 100644 drivers/base/revocable_test.c
 create mode 100644 include/linux/revocable.h

-- 
2.51.0

Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds