| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <Z-5uJxij4jmhint3@smile.fi.intel.com> Date: Thu, 3 Apr 2025 14:16:55 +0300 From: Andy Shevchenko <andriy.shevchenko@...ux.intel.com> To: Bartosz Golaszewski <brgl@...ev.pl> Cc: Bartosz Golaszewski <bartosz.golaszewski@...aro.org>, linux-gpio@...r.kernel.org, linux-kernel@...r.kernel.org, Linus Walleij <linus.walleij@...aro.org>, Florian Fainelli <florian.fainelli@...adcom.com>, Mark Brown <broonie@...nel.org> Subject: Re: [PATCH v1 1/1] gpiolib: Make gpiod_put() error pointer aware On Thu, Apr 03, 2025 at 10:20:08AM +0200, Bartosz Golaszewski wrote: > On Thu, Apr 3, 2025 at 10:04 AM Andy Shevchenko > <andriy.shevchenko@...ux.intel.com> wrote: > > On Thu, Apr 03, 2025 at 08:58:09AM +0200, Bartosz Golaszewski wrote: > > > On Wed, Apr 2, 2025 at 5:20 PM Andy Shevchenko > > > <andriy.shevchenko@...ux.intel.com> wrote: > > > > When non-optional GPIO is requested and failed, the variable that holds > > > > the (invalid) descriptor can contain an error pointer. However, gpiod_put() > > > > ignores that fact and tries to cleanup never requested descriptor. > > > > Make sure gpiod_put() ignores that as well. > > > > > > > > While at it, do the same for the gpiod_put_array(). > > > > > > > > Note, it arguable needs to be present in the stubs as those are usually > > > > called when CONFIG_GPIOLIB=n and GPIOs are requested using gpiod_get_optional() > > > > or similar APIs. > > > > > I'm not a fan of this. Silently ignoring NULL makes sense in the > > > context of _optional() calls where we want to do nothing on GPIOs that > > > aren't there. > > > > > But this encourages people to get sloppy and just ignore > > > error pointers returned from gpiod_get()? > > > > From where did you come to this conclusion, please? We have many subsystems > > that ignore invalid resource on the release stage, starting from platform > > device driver core. > > The fact that many people do something does not mean it's correct. And it doesn't tell it is incorrect either. We are going to conclude that there are pros and cons on each of the approaches, but I don't see much a point in yours, sorry. > Many other subsystem scream loudly when that happens, so I would be ok > with adding a big WARN_ON(IS_ERR(desc)). I disagree. This is not that case where passing an error pointer should be an issue. > > > Also: all other calls error out on IS_ERR(desc) so why would we make it an > > > exception? > > > > Because it's _release_ stage that participates in the cleaning up of > > the allocated resources in error paths. It's a common approach in > > the kernel. I would rather ask what makes GPIOLIB so special about it? > > Just because it's the release stage, does not mean you shouldn't care > about the correctness of the consumer code. Passing an IS_ERR(descr) > to any of the GPIO APIs can happen if the user ignores an error > returned by gpiod_get(). That's not alright. Have you ever seen such a code in the cases when it's okay (like in platform device driver users)? I do not. So, the above is based on the hypothetical assumption that somebody will make silly things. If you _really_ care about checking the error, add __must_check to the respective functions. -- With Best Regards, Andy Shevchenko
Powered by blists - more mailing lists