| Message ID | 20220524181150.9240-3-ddrokosov@sberdevices.ru (mailing list archive) |
|---|---|
| State | Accepted |
| Headers | show |
| Series | iio: treewide: rearrange iio trig get/register | expand |
On Tue, May 24, 2022 at 8:14 PM Dmitry Rokosov <DDRokosov@sberdevices.ru> wrote: > > IIO trigger interface function iio_trigger_get() should be called after > iio_trigger_register() (or its devm analogue) strictly, because of > iio_trigger_get() acquires module refcnt based on the trigger->owner > pointer, which is initialized inside iio_trigger_register() to > THIS_MODULE. > If this call order is wrong, the next iio_trigger_put() (from sysfs > callback or "delete module" path) will dereference "default" module > refcnt, which is incorrect behaviour. Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com> > Fixes: c1288b833881 ("iio: accel: kxcjk-1013: Increment ref counter for indio_dev->trig") > Signed-off-by: Dmitry Rokosov <ddrokosov@sberdevices.ru> > --- > drivers/iio/accel/kxcjk-1013.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/drivers/iio/accel/kxcjk-1013.c b/drivers/iio/accel/kxcjk-1013.c > index ac74cdcd2bc8..748b35c2f0c3 100644 > --- a/drivers/iio/accel/kxcjk-1013.c > +++ b/drivers/iio/accel/kxcjk-1013.c > @@ -1554,12 +1554,12 @@ static int kxcjk1013_probe(struct i2c_client *client, > > data->dready_trig->ops = &kxcjk1013_trigger_ops; > iio_trigger_set_drvdata(data->dready_trig, indio_dev); > - indio_dev->trig = data->dready_trig; > - iio_trigger_get(indio_dev->trig); > ret = iio_trigger_register(data->dready_trig); > if (ret) > goto err_poweroff; > > + indio_dev->trig = iio_trigger_get(data->dready_trig); > + > data->motion_trig->ops = &kxcjk1013_trigger_ops; > iio_trigger_set_drvdata(data->motion_trig, indio_dev); > ret = iio_trigger_register(data->motion_trig); > -- > 2.36.0
diff --git a/drivers/iio/accel/kxcjk-1013.c b/drivers/iio/accel/kxcjk-1013.c index ac74cdcd2bc8..748b35c2f0c3 100644 --- a/drivers/iio/accel/kxcjk-1013.c +++ b/drivers/iio/accel/kxcjk-1013.c @@ -1554,12 +1554,12 @@ static int kxcjk1013_probe(struct i2c_client *client, data->dready_trig->ops = &kxcjk1013_trigger_ops; iio_trigger_set_drvdata(data->dready_trig, indio_dev); - indio_dev->trig = data->dready_trig; - iio_trigger_get(indio_dev->trig); ret = iio_trigger_register(data->dready_trig); if (ret) goto err_poweroff; + indio_dev->trig = iio_trigger_get(data->dready_trig); + data->motion_trig->ops = &kxcjk1013_trigger_ops; iio_trigger_set_drvdata(data->motion_trig, indio_dev); ret = iio_trigger_register(data->motion_trig);
IIO trigger interface function iio_trigger_get() should be called after iio_trigger_register() (or its devm analogue) strictly, because of iio_trigger_get() acquires module refcnt based on the trigger->owner pointer, which is initialized inside iio_trigger_register() to THIS_MODULE. If this call order is wrong, the next iio_trigger_put() (from sysfs callback or "delete module" path) will dereference "default" module refcnt, which is incorrect behaviour. Fixes: c1288b833881 ("iio: accel: kxcjk-1013: Increment ref counter for indio_dev->trig") Signed-off-by: Dmitry Rokosov <ddrokosov@sberdevices.ru> --- drivers/iio/accel/kxcjk-1013.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)