gpiolib: sanitize the return value of gpio_chip::set_config()

The return value of the set_config() callback may be propagated to
user-space. If a bad driver returns a positive number, it may confuse
user programs. Tighten the API contract and check for positive numbers
returned by GPIO controllers.

Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
Link: https://lore.kernel.org/r/20250210-gpio-sanitize-retvals-v1-3-12ea88506cb2@linaro.org
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>

diff --git a/drivers/gpio/gpiolib.c b/drivers/gpio/gpiolib.c
index a98025b..67a735d 100644 (file)
--- a/drivers/gpio/gpiolib.c
+++ b/drivers/gpio/gpiolib.c
@@ -2593,6 +2593,9 @@ int gpio_do_set_config(struct gpio_desc *desc, unsigned long config)
                return -ENOTSUPP;
 
        ret = guard.gc->set_config(guard.gc, gpio_chip_hwgpio(desc), config);
+       if (ret > 0)
+               ret = -EBADE;
+
 #ifdef CONFIG_GPIO_CDEV
        /*
         * Special case - if we're setting debounce period, we need to store

diff --git a/include/linux/gpio/driver.h b/include/linux/gpio/driver.h
index ce22c07..f2145e9 100644 (file)
--- a/include/linux/gpio/driver.h
+++ b/include/linux/gpio/driver.h
@@ -349,7 +349,8 @@ struct gpio_irq_chip {
  * @set: assigns output value for signal "offset"
  * @set_multiple: assigns output values for multiple signals defined by "mask"
  * @set_config: optional hook for all kinds of settings. Uses the same
- *     packed config format as generic pinconf.
+ *     packed config format as generic pinconf. Must return 0 on success and
+ *     a negative error number on failure.
  * @to_irq: optional hook supporting non-static gpiod_to_irq() mappings;
  *     implementation may not sleep
  * @dbg_show: optional routine to show contents in debugfs; default code