Re: [PATCH 2/9] iio: orientation: hid-sensor-incl-3d: Fix race between callback registration and device exposure

From: Pandruvada, Srinivas

Date: Mon Jun 08 2026 - 12:21:26 EST

On Sat, 2026-06-06 at 17:07 +0530, Sanjay Chitroda wrote:
> From: Sanjay Chitroda <sanjayembeddedse@xxxxxxxxx>
>
> The driver registers the IIO device before completing sensor hub
> callback registration and unregisters callbacks while the IIO device
> is still exposed during teardown.
>
> This creates race windows in both probe and remove paths, which can
> lead to NULL pointer dereferences or use-after-free.

Reordering is fine, but can you show how this use after free is
possible?

Thanks,
Srinivas

>
> Fix this by correct ordering of callback registration and
> IIO device registration in probe and remove paths.
>
> Fixes: 098d3beccfb6 ("iio: hid-sensors: Added Inclinometer 3D")
> Signed-off-by: Sanjay Chitroda <sanjayembeddedse@xxxxxxxxx>
> ---
>  drivers/iio/orientation/hid-sensor-incl-3d.c | 20 ++++++++++--------
> --
>  1 file changed, 10 insertions(+), 10 deletions(-)
>
> diff --git a/drivers/iio/orientation/hid-sensor-incl-3d.c
> b/drivers/iio/orientation/hid-sensor-incl-3d.c
> index 4e23a598a3fb..5e3d2bb9b5bf 100644
> --- a/drivers/iio/orientation/hid-sensor-incl-3d.c
> +++ b/drivers/iio/orientation/hid-sensor-incl-3d.c
> @@ -356,12 +356,6 @@ static int hid_incl_3d_probe(struct
> platform_device *pdev)
>   return ret;
>   }
>  
> - ret = iio_device_register(indio_dev);
> - if (ret) {
> - dev_err(&pdev->dev, "device register failed\n");
> - goto error_remove_trigger;
> - }
> -
>   incl_state->callbacks.send_event = incl_3d_proc_event;
>   incl_state->callbacks.capture_sample =
> incl_3d_capture_sample;
>   incl_state->callbacks.pdev = pdev;
> @@ -370,13 +364,19 @@ static int hid_incl_3d_probe(struct
> platform_device *pdev)
>   &incl_state->callbacks);
>   if (ret) {
>   dev_err(&pdev->dev, "callback reg failed\n");
> - goto error_iio_unreg;
> + goto error_remove_trigger;
> + }
> +
> + ret = iio_device_register(indio_dev);
> + if (ret) {
> + dev_err(&pdev->dev, "device register failed\n");
> + goto error_remove_callback;
>   }
>  
>   return 0;
>  
> -error_iio_unreg:
> - iio_device_unregister(indio_dev);
> +error_remove_callback:
> + sensor_hub_remove_callback(hsdev,
> HID_USAGE_SENSOR_INCLINOMETER_3D);
>  error_remove_trigger:
>   hid_sensor_remove_trigger(indio_dev, &incl_state-
> >common_attributes);
>   return ret;
> @@ -389,8 +389,8 @@ static void hid_incl_3d_remove(struct
> platform_device *pdev)
>   struct iio_dev *indio_dev = platform_get_drvdata(pdev);
>   struct incl_3d_state *incl_state = iio_priv(indio_dev);
>  
> - sensor_hub_remove_callback(hsdev,
> HID_USAGE_SENSOR_INCLINOMETER_3D);
>   iio_device_unregister(indio_dev);
> + sensor_hub_remove_callback(hsdev,
> HID_USAGE_SENSOR_INCLINOMETER_3D);
>   hid_sensor_remove_trigger(indio_dev, &incl_state-
> >common_attributes);
>  }
>