Re: [PATCH 2/9] iio: orientation: hid-sensor-incl-3d: Fix race between callback registration and device exposure

Next message: Jori Koolstra: "Re: [RFC PATCH v6 7/9] vfs: add O_CREAT|O_DIRECTORY to open*(2)"
Previous message: Hungyu Lin: "[PATCH 4/4] staging: rtl8723bs: convert update_attrib to return errno"
In reply to: Pandruvada, Srinivas: "Re: [PATCH 2/9] iio: orientation: hid-sensor-incl-3d: Fix race between callback registration and device exposure"
Next in thread: Pandruvada, Srinivas: "Re: [PATCH 2/9] iio: orientation: hid-sensor-incl-3d: Fix race between callback registration and device exposure"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Jonathan Cameron

Date: Sun Jun 14 2026 - 14:25:02 EST

On Mon, 8 Jun 2026 15:34:05 +0000
"Pandruvada, Srinivas" <srinivas.pandruvada@xxxxxxxxx> wrote:

> On Sat, 2026-06-06 at 17:07 +0530, Sanjay Chitroda wrote:
> > From: Sanjay Chitroda <sanjayembeddedse@xxxxxxxxx>
> >
> > The driver registers the IIO device before completing sensor hub
> > callback registration and unregisters callbacks while the IIO device
> > is still exposed during teardown.
> >
> > This creates race windows in both probe and remove paths, which can
> > lead to NULL pointer dereferences or use-after-free.
>
> Reordering is fine, but can you show how this use after free is
> possible?
Agreed - I'm not seeing a definite issue so more info needed.
For now I'm going to mark this changes-requested in patchwork.

It might be a touch slow if someone manages to get buffered capture
up before the callbacks are available, but I think that just means
dropping a few samples?

Jonathan

>
> Thanks,
> Srinivas