On Tue, May 24, 2022 at 8:14 PM Dmitry Rokosov <DDRokosov@xxxxxxxxxxxxxx> wrote:
>
> IIO trigger interface function iio_trigger_get() should be called after
> iio_trigger_register() (or its devm analogue) strictly, because of
> iio_trigger_get() acquires module refcnt based on the trigger->owner
> pointer, which is initialized inside iio_trigger_register() to
> THIS_MODULE.
> If this call order is wrong, the next iio_trigger_put() (from sysfs
> callback or "delete module" path) will dereference "default" module
> refcnt, which is incorrect behaviour.
Reviewed-by: Andy Shevchenko <andy.shevchenko@xxxxxxxxx>
> Fixes: c1288b833881 ("iio: accel: kxcjk-1013: Increment ref counter for indio_dev->trig")
> Signed-off-by: Dmitry Rokosov <ddrokosov@xxxxxxxxxxxxxx>
> ---
> drivers/iio/accel/kxcjk-1013.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/iio/accel/kxcjk-1013.c b/drivers/iio/accel/kxcjk-1013.c
> index ac74cdcd2bc8..748b35c2f0c3 100644
> --- a/drivers/iio/accel/kxcjk-1013.c
> +++ b/drivers/iio/accel/kxcjk-1013.c
> @@ -1554,12 +1554,12 @@ static int kxcjk1013_probe(struct i2c_client *client,
>
> data->dready_trig->ops = &kxcjk1013_trigger_ops;
> iio_trigger_set_drvdata(data->dready_trig, indio_dev);
> - indio_dev->trig = data->dready_trig;
> - iio_trigger_get(indio_dev->trig);
> ret = iio_trigger_register(data->dready_trig);
> if (ret)
> goto err_poweroff;
>
> + indio_dev->trig = iio_trigger_get(data->dready_trig);
> +
> data->motion_trig->ops = &kxcjk1013_trigger_ops;
> iio_trigger_set_drvdata(data->motion_trig, indio_dev);
> ret = iio_trigger_register(data->motion_trig);
> --
> 2.36.0
--
With Best Regards,
Andy Shevchenko
