On Tue, May 24, 2022 at 8:14 PM Dmitry Rokosov <DDRokosov@xxxxxxxxxxxxxx> wrote:
>
> IIO trigger interface function iio_trigger_get() should be called after
> iio_trigger_register() (or its devm analogue) strictly, because of
> iio_trigger_get() acquires module refcnt based on the trigger->owner
> pointer, which is initialized inside iio_trigger_register() to
> THIS_MODULE.
> If this call order is wrong, the next iio_trigger_put() (from sysfs
> callback or "delete module" path) will dereference "default" module
> refcnt, which is incorrect behaviour.
Reviewed-by: Andy Shevchenko <andy.shevchenko@xxxxxxxxx>
> Fixes: 0668a4e4d297 ("iio: accel: bma180: Fix indio_dev->trig assignment")
> Signed-off-by: Dmitry Rokosov <ddrokosov@xxxxxxxxxxxxxx>
> ---
> drivers/iio/accel/bma180.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/iio/accel/bma180.c b/drivers/iio/accel/bma180.c
> index d8a454c266d5..5d0bd0fc3018 100644
> --- a/drivers/iio/accel/bma180.c
> +++ b/drivers/iio/accel/bma180.c
> @@ -1006,11 +1006,12 @@ static int bma180_probe(struct i2c_client *client,
>
> data->trig->ops = &bma180_trigger_ops;
> iio_trigger_set_drvdata(data->trig, indio_dev);
> - indio_dev->trig = iio_trigger_get(data->trig);
>
> ret = iio_trigger_register(data->trig);
> if (ret)
> goto err_trigger_free;
> +
> + indio_dev->trig = iio_trigger_get(data->trig);
> }
>
> ret = iio_triggered_buffer_setup(indio_dev, NULL,
> --
> 2.36.0
--
With Best Regards,
Andy Shevchenko
