On Tue, 8 Nov 2022 11:28:02 +0800
Chen Zhongjin <chenzhongjin@xxxxxxxxxx> wrote:
> In iio_register_sw_trigger_type(), configfs_register_default_group() is
> possible to fail, but the entry add to iio_trigger_types_list is not
> deleted.
>
> This leaves wild in iio_trigger_types_list, which can cause page fault
> when module is loading again. So fix this by list_del(&t->list) in error
> path.
>
> BUG: unable to handle page fault for address: fffffbfff81d7400
> RIP: 0010:__iio_find_sw_trigger_type.isra.3+0x62/0xb0 [industrialio_sw_trigger]
> Call Trace:
> <TASK>
> iio_register_sw_trigger_type+0x65/0x1f0 [industrialio_sw_trigger]
> do_one_initcall+0xd0/0x4e0
> do_init_module+0x1cf/0x6b0
> load_module+0x65c2/0x7820
I dropped some of the unnecessary noise in the call trace and applied this
to the fixes-togreg branch of iio.git and marked it for stable.
Thanks,
Jonathan
> ...
>
> Fixes: b662f809d410 ("iio: core: Introduce IIO software triggers")
> Signed-off-by: Chen Zhongjin <chenzhongjin@xxxxxxxxxx>
> ---
> drivers/iio/industrialio-sw-trigger.c | 6 +++++-
> 1 file changed, 5 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/iio/industrialio-sw-trigger.c b/drivers/iio/industrialio-sw-trigger.c
> index 994f03a71520..d86a3305d9e8 100644
> --- a/drivers/iio/industrialio-sw-trigger.c
> +++ b/drivers/iio/industrialio-sw-trigger.c
> @@ -58,8 +58,12 @@ int iio_register_sw_trigger_type(struct iio_sw_trigger_type *t)
>
> t->group = configfs_register_default_group(iio_triggers_group, t->name,
> &iio_trigger_type_group_type);
> - if (IS_ERR(t->group))
> + if (IS_ERR(t->group)) {
> + mutex_lock(&iio_trigger_types_lock);
> + list_del(&t->list);
> + mutex_unlock(&iio_trigger_types_lock);
> ret = PTR_ERR(t->group);
> + }
>
> return ret;
> }
