lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <Z-5uJxij4jmhint3@smile.fi.intel.com>
Date: Thu, 3 Apr 2025 14:16:55 +0300
From: Andy Shevchenko <andriy.shevchenko@...ux.intel.com>
To: Bartosz Golaszewski <brgl@...ev.pl>
Cc: Bartosz Golaszewski <bartosz.golaszewski@...aro.org>,
	linux-gpio@...r.kernel.org, linux-kernel@...r.kernel.org,
	Linus Walleij <linus.walleij@...aro.org>,
	Florian Fainelli <florian.fainelli@...adcom.com>,
	Mark Brown <broonie@...nel.org>
Subject: Re: [PATCH v1 1/1] gpiolib: Make gpiod_put() error pointer aware

On Thu, Apr 03, 2025 at 10:20:08AM +0200, Bartosz Golaszewski wrote:
> On Thu, Apr 3, 2025 at 10:04 AM Andy Shevchenko
> <andriy.shevchenko@...ux.intel.com> wrote:
> > On Thu, Apr 03, 2025 at 08:58:09AM +0200, Bartosz Golaszewski wrote:
> > > On Wed, Apr 2, 2025 at 5:20 PM Andy Shevchenko
> > > <andriy.shevchenko@...ux.intel.com> wrote:

> > > > When non-optional GPIO is requested and failed, the variable that holds
> > > > the (invalid) descriptor can contain an error pointer. However, gpiod_put()
> > > > ignores that fact and tries to cleanup never requested descriptor.
> > > > Make sure gpiod_put() ignores that as well.
> > > >
> > > > While at it, do the same for the gpiod_put_array().
> > > >
> > > > Note, it arguable needs to be present in the stubs as those are usually
> > > > called when CONFIG_GPIOLIB=n and GPIOs are requested using gpiod_get_optional()
> > > > or similar APIs.
> >
> > > I'm not a fan of this. Silently ignoring NULL makes sense in the
> > > context of _optional() calls where we want to do nothing on GPIOs that
> > > aren't there.
> >
> > > But this encourages people to get sloppy and just ignore
> > > error pointers returned from gpiod_get()?
> >
> > From where did you come to this conclusion, please? We have many subsystems
> > that ignore invalid resource on the release stage, starting from platform
> > device driver core.
> 
> The fact that many people do something does not mean it's correct.

And it doesn't tell it is incorrect either. We are going to conclude that there
are pros and cons on each of the approaches, but I don't see much a point in
yours, sorry.

> Many other subsystem scream loudly when that happens, so I would be ok
> with adding a big WARN_ON(IS_ERR(desc)).

I disagree. This is not that case where passing an error pointer should be
an issue.

> > > Also: all other calls error out on IS_ERR(desc) so why would we make it an
> > > exception?
> >
> > Because it's _release_ stage that participates in the cleaning up of
> > the allocated resources in error paths. It's a common approach in
> > the kernel. I would rather ask what makes GPIOLIB so special about it?
> 
> Just because it's the release stage, does not mean you shouldn't care
> about the correctness of the consumer code. Passing an IS_ERR(descr)
> to any of the GPIO APIs can happen if the user ignores an error
> returned by gpiod_get(). That's not alright.

Have you ever seen such a code in the cases when it's okay (like in platform
device driver users)? I do not. So, the above is based on the hypothetical
assumption that somebody will make silly things. If you _really_ care about
checking the error, add __must_check to the respective functions.

-- 
With Best Regards,
Andy Shevchenko



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ