Re: [PATCH 2/9] iio: orientation: hid-sensor-incl-3d: Fix race between callback registration and device exposure

From: Pandruvada, Srinivas

Date: Wed Jun 17 2026 - 15:53:36 EST

On Thu, 2026-06-18 at 00:07 +0530, Sanjay Chitroda wrote:
>
>
> On 15 June 2026 7:06:43 pm IST, "Pandruvada, Srinivas"
> <srinivas.pandruvada@xxxxxxxxx> wrote:
> > On Sun, 2026-06-14 at 19:24 +0100, Jonathan Cameron wrote:
> > > On Mon, 8 Jun 2026 15:34:05 +0000
> > > "Pandruvada, Srinivas" <srinivas.pandruvada@xxxxxxxxx> wrote:
> > >
> > > > On Sat, 2026-06-06 at 17:07 +0530, Sanjay Chitroda wrote:
> > > > > From: Sanjay Chitroda <sanjayembeddedse@xxxxxxxxx>
> > > > >
> > > > > The driver registers the IIO device before completing sensor
> > > > > hub
> > > > > callback registration and unregisters callbacks while the IIO
> > > > > device
> > > > > is still exposed during teardown.
> > > > >
> > > > > This creates race windows in both probe and remove paths,
> > > > > which
> > > > > can
> > > > > lead to NULL pointer dereferences or use-after-free. 
> > > >
> > > > Reordering is fine, but can you show how this use after free is
> > > > possible?
> > > Agreed - I'm not seeing a definite issue so more info needed.
> > > For now I'm going to mark this changes-requested in patchwork.
> > >
> > > It might be a touch slow if someone manages to get buffered
> > > capture
> > > up before the callbacks are available, but I think that just
> > > means
> > > dropping a few samples?
> >
> >
> > Correct.
> >
> > Thanks,
> > Srinivas
>
> Hi Jonathan and Srinivas,
>
Hi Sanjay,


> Thanks for the review and for pointing this out.
>
> After analyzing and investigating the interaction between callback
> registration and iio_device_register().
>
> Found that read_raw() (on-demand access) and buffered IIO (streaming)
> operate via different paths. The primary impact is loss/stable
> samples rather than data corruption or system instability.
>
> Given this, I believe the change does not strictly qualify as a "fix"
> for a user-visible regression, but rather as an improvement to
> tighten ordering and avoid a potential race window.
>
> Treating this as a improvement patch rather than a bug fix with
> potential following commit message in v2.
>
> .............
>
> iio: orientation: hid-sensor-incl-3d: Avoid race between callback
> setup and device exposure
>
> The driver currently exposes the IIO device to userspace before
> completing sensor hub callback registration, and similarly removes
> callbacks while the device can still be accessed during teardown.
>
> This creates a timing window where userspace may enable the buffer
> before callbacks are available. In such cases:
> - samples can be dropped,
> - buffered reads may observe stale or no data.
>
> Reorder probe and remove paths to ensure callbacks are active before
> device exposure and are removed after device is no longer accessible.
>
> This avoids a race window leading to data loss.
>

Looks good.

Thanks,
Srinivas


> .............
>
> Welcome your feedback and valuable input for v2.
>
> Thanks, Sanjay
>
> >
> > >
> > > Jonathan
> > >
> > > >
> > > > Thanks,
> > > > Srinivas
> > >