gpiobus: gpio_pin_release: convert checks to KASSERTs
ClosedPublic
Actions

Authored by vexeduxr on Jun 16 2025, 7:45 AM.

Details

Reviewers

imp
wulf
mmel

Commits

rG92b352f694e8: gpiobus: gpio_pin_release: convert checks to KASSERTs

Diff Detail

Repository

rG FreeBSD src repository

Lint

Lint Skipped

Unit

Tests Skipped

Build Status

Buildable 64980
Build 61863: arc lint + arc unit

Event Timeline

vexeduxr requested review of this revision.Jun 16 2025, 7:45 AM

vexeduxr created this revision.

Harbormaster completed remote builds in B64895: Diff 157089.Jun 16 2025, 7:45 AM

vexeduxr added a child revision: D50869: gpiobus: add gpio_pin_acquire.Jun 16 2025, 7:46 AM

Motivation? Why do we need gpio_pin_release to return errors?
This creates the problem of freeing the gpio structure in case of an error.
IMHO, I think all errors in gpiobus_release_pin() and gpiobus_acquire_pin() should be converted to panic().
Also passing NULL to gpio_pin_release() should be panic().

Motivation? Why do we need gpio_pin_release to return errors?

It was to have it in line with gpio_pin_acquire. I found it a little weird that only one of them would report errors.

This creates the problem of freeing the gpio structure in case of an error.

At first I was freeing on both failure and success, but I wasn't sure that was the right thing to do..

IMHO, I think all errors in gpiobus_release_pin() and gpiobus_acquire_pin() should be converted to panic().
Also passing NULL to gpio_pin_release() should be panic().

I agree for gpiobus_release_pin, since they're all programming errors. For gpiobus_acquire_pin, I think attempting to acquire a pin twice should just return an error to the caller, it's possible the caller can just recover.

In D50868#1162636, @vexeduxr wrote:

Motivation? Why do we need gpio_pin_release to return errors?

It was to have it in line with gpio_pin_acquire. I found it a little weird that only one of them would report errors.

All *release* functions are usually very difficult to recover, especially if they are called throw multiple layers.

This creates the problem of freeing the gpio structure in case of an error.

At first I was freeing on both failure and success, but I wasn't sure that was the right thing to do..

This leading to a situation where the malloc cannot be released in any way. If gpiobus_release_pin() fails once, then it will always fail. But this is irrelevant if we replace errors with panic...

IMHO, I think all errors in gpiobus_release_pin() and gpiobus_acquire_pin() should be converted to panic().
Also passing NULL to gpio_pin_release() should be panic().

I agree for gpiobus_release_pin, since they're all programming errors. For gpiobus_acquire_pin, I think attempting to acquire a pin twice should just return an error to the caller, it's possible the caller can just recover.

Yep, exactly. I missed the multiple acquisition case originally. Only error value should be better than -1.

vexeduxr retitled this revision from gpiobus: allow gpio_pin_release to return errors to gpiobus: gpio_pin_release: convert checks to KASSERTs.Jun 19 2025, 2:27 PM

Convert checks to KASSERTs

Harbormaster completed remote builds in B64980: Diff 157309.Jun 19 2025, 2:28 PM

I went for a KASSERT instead of a panic since it's what the other gpio_* functions do. On a non-INVARIANTS kernel, if gpio is actually NULL, it will panic when we try to dereference it anyways.

vexeduxr added a parent revision: D50939: gpiobus: gpiobus_release_pin: convert errors to panic.Jun 19 2025, 2:34 PM

Thanks.

This revision is now accepted and ready to land.Jun 19 2025, 2:37 PM

imp accepted this revision.Jul 3 2025, 7:59 PM

Closed by commit rG92b352f694e8: gpiobus: gpio_pin_release: convert checks to KASSERTs (authored by vexeduxr). · Explain WhyFri, Jul 4, 8:26 PM

This revision was automatically updated to reflect the committed changes.

vexeduxr added a commit: rG92b352f694e8: gpiobus: gpio_pin_release: convert checks to KASSERTs.