| Message ID | 20220524181150.9240-5-ddrokosov@sberdevices.ru (mailing list archive) |
|---|---|
| State | Accepted |
| Headers | show |
| Series | iio: treewide: rearrange iio trig get/register | expand |
On Tue, May 24, 2022 at 8:14 PM Dmitry Rokosov <DDRokosov@sberdevices.ru> wrote: > > IIO trigger interface function iio_trigger_get() should be called after > iio_trigger_register() (or its devm analogue) strictly, because of > iio_trigger_get() acquires module refcnt based on the trigger->owner > pointer, which is initialized inside iio_trigger_register() to > THIS_MODULE. > If this call order is wrong, the next iio_trigger_put() (from sysfs > callback or "delete module" path) will dereference "default" module > refcnt, which is incorrect behaviour. Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com> > Fixes: f1f065d7ac30 ("iio: chemical: ccs811: Add support for data ready trigger") > Signed-off-by: Dmitry Rokosov <ddrokosov@sberdevices.ru> > --- > drivers/iio/chemical/ccs811.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/drivers/iio/chemical/ccs811.c b/drivers/iio/chemical/ccs811.c > index 847194fa1e46..80ef1aa9aae3 100644 > --- a/drivers/iio/chemical/ccs811.c > +++ b/drivers/iio/chemical/ccs811.c > @@ -499,11 +499,11 @@ static int ccs811_probe(struct i2c_client *client, > > data->drdy_trig->ops = &ccs811_trigger_ops; > iio_trigger_set_drvdata(data->drdy_trig, indio_dev); > - indio_dev->trig = data->drdy_trig; > - iio_trigger_get(indio_dev->trig); > ret = iio_trigger_register(data->drdy_trig); > if (ret) > goto err_poweroff; > + > + indio_dev->trig = iio_trigger_get(data->drdy_trig); > } > > ret = iio_triggered_buffer_setup(indio_dev, NULL, > -- > 2.36.0
diff --git a/drivers/iio/chemical/ccs811.c b/drivers/iio/chemical/ccs811.c index 847194fa1e46..80ef1aa9aae3 100644 --- a/drivers/iio/chemical/ccs811.c +++ b/drivers/iio/chemical/ccs811.c @@ -499,11 +499,11 @@ static int ccs811_probe(struct i2c_client *client, data->drdy_trig->ops = &ccs811_trigger_ops; iio_trigger_set_drvdata(data->drdy_trig, indio_dev); - indio_dev->trig = data->drdy_trig; - iio_trigger_get(indio_dev->trig); ret = iio_trigger_register(data->drdy_trig); if (ret) goto err_poweroff; + + indio_dev->trig = iio_trigger_get(data->drdy_trig); } ret = iio_triggered_buffer_setup(indio_dev, NULL,
IIO trigger interface function iio_trigger_get() should be called after iio_trigger_register() (or its devm analogue) strictly, because of iio_trigger_get() acquires module refcnt based on the trigger->owner pointer, which is initialized inside iio_trigger_register() to THIS_MODULE. If this call order is wrong, the next iio_trigger_put() (from sysfs callback or "delete module" path) will dereference "default" module refcnt, which is incorrect behaviour. Fixes: f1f065d7ac30 ("iio: chemical: ccs811: Add support for data ready trigger") Signed-off-by: Dmitry Rokosov <ddrokosov@sberdevices.ru> --- drivers/iio/chemical/ccs811.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)