On 06/09/2014 01:29 PM, Lars-Peter Clausen wrote:

On 06/09/2014 01:18 AM, Ben Dooks wrote:

quoted

On Fri, May 30, 2014 at 08:16:59PM +0200, Lars-Peter Clausen wrote:

quoted

On 05/30/2014 07:33 PM, David Daney wrote:

quoted

On 05/30/2014 04:39 AM, Geert Uytterhoeven wrote:

quoted

On Fri, May 30, 2014 at 1:30 PM, abdoulaye berthe [off-list ref]
wrote:

quoted

--- a/drivers/gpio/gpiolib.c
+++ b/drivers/gpio/gpiolib.c

@@ -1263,10 +1263,9 @@ static void gpiochip_irqchip_remove(struct

gpio_chip *gpiochip);
   *
   * A gpio_chip with any GPIOs still requested may not be removed.
   */
-int gpiochip_remove(struct gpio_chip *chip)
+void gpiochip_remove(struct gpio_chip *chip)
  {
         unsigned long   flags;
-       int             status = 0;
         unsigned        id;

         acpi_gpiochip_remove(chip);

@@ -1278,24 +1277,15 @@ int gpiochip_remove(struct gpio_chip *chip)
         of_gpiochip_remove(chip);

         for (id = 0; id < chip->ngpio; id++) {
-               if (test_bit(FLAG_REQUESTED, &chip->desc[id].flags)) {
-                       status = -EBUSY;
-                       break;
-               }
-       }
-       if (status == 0) {
-               for (id = 0; id < chip->ngpio; id++)
-                       chip->desc[id].chip = NULL;
-
-               list_del(&chip->list);
+               if (test_bit(FLAG_REQUESTED, &chip->desc[id].flags))
+                       panic("gpio: removing gpiochip with gpios still

requested\n");

panic?

NACK to the patch for this reason.  The strongest thing you should do here
is WARN.

That said, I am not sure why we need this whole patch set in the first place.

Well, what currently happens when you remove a device that is a
provider of a gpio_chip which is still in use, is that the kernel
crashes. Probably with a rather cryptic error message. So this patch
doesn't really change the behavior, but makes it more explicit what
is actually wrong. And even if you replace the panic() by a WARN()
it will again just crash slightly later.

This is a design flaw in the GPIO subsystem that needs to be fixed.

Surely then the best way is to error out to the module unload and
stop the driver being unloaded?

You can't error out on module unload, although that's not really relevant 
here. gpiochip_remove() is typically called when the device that registered 
the GPIO chip is unbound. And despite some remove() callbacks having a 
return type of int you can not abort the removal of a device.

It is a design flaw in many subsystems having providers and consumers,
not only GPIO. The same situation is with clock providers, regulators,
phys, drm_panels, ..., at least it was such last time I have tested it.

The problem is that many frameworks assumes that lifetime of provider is
always bigger than lifetime of its consumers, and this is wrong
assumption - usually it is not possible to prevent unbinding driver from
device, so if the device is a provider there is no way to inform
consumers about his removal.

Some solution for such problems is to use some kind of availability
callbacks for requesting resources (gpios, clocks, regulators,...)
instead of simple 'getters' (clk_get, gpiod_get). Callbacks should
guarantee that the resource is always valid between callback reporting
its availability and callback reporting its removal. Such approach seems
to be complicated at the first sight but it should allow to make the
code safe and as a bonus it will allow to avoid deferred probing.
Btw I have send already RFC for such framework [1].

[1]: https://lkml.org/lkml/2014/4/30/345

Regards
Andrzej

- Lars