Re: [PATCH 2/9] iio: orientation: hid-sensor-incl-3d: Fix race between callback registration and device exposure
From: Sanjay Chitroda
Date: Wed Jun 17 2026 - 14:38:14 EST
On 15 June 2026 7:06:43 pm IST, "Pandruvada, Srinivas" <srinivas.pandruvada@xxxxxxxxx> wrote:
>On Sun, 2026-06-14 at 19:24 +0100, Jonathan Cameron wrote:
>> On Mon, 8 Jun 2026 15:34:05 +0000
>> "Pandruvada, Srinivas" <srinivas.pandruvada@xxxxxxxxx> wrote:
>>
>> > On Sat, 2026-06-06 at 17:07 +0530, Sanjay Chitroda wrote:
>> > > From: Sanjay Chitroda <sanjayembeddedse@xxxxxxxxx>
>> > >
>> > > The driver registers the IIO device before completing sensor hub
>> > > callback registration and unregisters callbacks while the IIO
>> > > device
>> > > is still exposed during teardown.
>> > >
>> > > This creates race windows in both probe and remove paths, which
>> > > can
>> > > lead to NULL pointer dereferences or use-after-free.
>> >
>> > Reordering is fine, but can you show how this use after free is
>> > possible?
>> Agreed - I'm not seeing a definite issue so more info needed.
>> For now I'm going to mark this changes-requested in patchwork.
>>
>> It might be a touch slow if someone manages to get buffered capture
>> up before the callbacks are available, but I think that just means
>> dropping a few samples?
>
>
>Correct.
>
>Thanks,
>Srinivas
Hi Jonathan and Srinivas,
Thanks for the review and for pointing this out.
After analyzing and investigating the interaction between callback registration and iio_device_register(), I found that read_raw() (on-demand access) and buffered IIO (streaming) operate via different paths. The primary impact is lost/stale samples rather than data corruption or system instability.
Given this, I believe the change does not strictly qualify as a "fix" for a user-visible regression, but rather as an improvement to tighten ordering and avoid a potential race window.
I am treating this as an improvement patch rather than a bug fix, with the following potential commit message in v2.
.............
iio: orientation: hid-sensor-incl-3d: Avoid race between callback setup and device exposure
The driver currently exposes the IIO device to userspace before completing sensor hub callback registration, and similarly removes callbacks while the device can still be accessed during teardown.
This creates a timing window where userspace may enable the buffer before callbacks are available. In such cases:
- samples can be dropped,
- buffered reads may observe stale or no data.
Reorder probe and remove paths to ensure callbacks are active before device exposure and are removed after the device is no longer accessible.
This avoids a race window leading to data loss.
.............
Welcome your feedback and valuable input for v2.
Thanks, Sanjay
>
>>
>> Jonathan
>>
>> >
>> > Thanks,
>> > Srinivas
>>