From: Sanjay Chitroda <sanjayembeddedse@gmail.com>
To: "Pandruvada, Srinivas" <srinivas.pandruvada@intel.com>,
"jic23@kernel.org" <jic23@kernel.org>
Cc: "dlechner@baylibre.com" <dlechner@baylibre.com>,
"archana.patni@linux.intel.com" <archana.patni@linux.intel.com>,
"hongyan.song@intel.com" <hongyan.song@intel.com>,
"linux-iio@vger.kernel.org" <linux-iio@vger.kernel.org>,
"nuno.sa@analog.com" <nuno.sa@analog.com>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
"jikos@kernel.org" <jikos@kernel.org>,
"andy@kernel.org" <andy@kernel.org>,
"linux-input@vger.kernel.org" <linux-input@vger.kernel.org>
Subject: Re: [PATCH 2/9] iio: orientation: hid-sensor-incl-3d: Fix race between callback registration and device exposure
Date: Thu, 18 Jun 2026 00:07:40 +0530 [thread overview]
Message-ID: <3FED088A-651B-4E8B-840B-1B92CB4DF6F4@gmail.com> (raw)
In-Reply-To: <50ce20dec63080dde13336c6af41c0bf4de43426.camel@intel.com>
On 15 June 2026 7:06:43 pm IST, "Pandruvada, Srinivas" <srinivas.pandruvada@intel.com> wrote:
>On Sun, 2026-06-14 at 19:24 +0100, Jonathan Cameron wrote:
>> On Mon, 8 Jun 2026 15:34:05 +0000
>> "Pandruvada, Srinivas" <srinivas.pandruvada@intel.com> wrote:
>>
>> > On Sat, 2026-06-06 at 17:07 +0530, Sanjay Chitroda wrote:
>> > > From: Sanjay Chitroda <sanjayembeddedse@gmail.com>
>> > >
>> > > The driver registers the IIO device before completing sensor hub
>> > > callback registration and unregisters callbacks while the IIO
>> > > device
>> > > is still exposed during teardown.
>> > >
>> > > This creates race windows in both probe and remove paths, which
>> > > can
>> > > lead to NULL pointer dereferences or use-after-free.
>> >
>> > Reordering is fine, but can you show how this use after free is
>> > possible?
>> Agreed - I'm not seeing a definite issue so more info needed.
>> For now I'm going to mark this changes-requested in patchwork.
>>
>> It might be a touch slow if someone manages to get buffered capture
>> up before the callbacks are available, but I think that just means
>> dropping a few samples?
>
>
>Correct.
>
>Thanks,
>Srinivas
Hi Jonathan and Srinivas,
Thanks for the review and for pointing this out.
After analyzing and investigating the interaction between callback registration and iio_device_register().
Found that read_raw() (on-demand access) and buffered IIO (streaming) operate via different paths. The primary impact is loss/stable samples rather than data corruption or system instability.
Given this, I believe the change does not strictly qualify as a "fix" for a user-visible regression, but rather as an improvement to tighten ordering and avoid a potential race window.
Treating this as a improvement patch rather than a bug fix with potential following commit message in v2.
.............
iio: orientation: hid-sensor-incl-3d: Avoid race between callback setup and device exposure
The driver currently exposes the IIO device to userspace before completing sensor hub callback registration, and similarly removes callbacks while the device can still be accessed during teardown.
This creates a timing window where userspace may enable the buffer before callbacks are available. In such cases:
- samples can be dropped,
- buffered reads may observe stale or no data.
Reorder probe and remove paths to ensure callbacks are active before device exposure and are removed after device is no longer accessible.
This avoids a race window leading to data loss.
.............
Welcome your feedback and valuable input for v2.
Thanks, Sanjay
>
>>
>> Jonathan
>>
>> >
>> > Thanks,
>> > Srinivas
>>
next prev parent reply other threads:[~2026-06-17 18:37 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-06 11:37 [PATCH 0/9] HID: iio: Fix race condition between callback registration and device exposure Sanjay Chitroda
2026-06-06 11:37 ` [PATCH 1/9] iio: orientation: hid-sensor-rotation: Fix race " Sanjay Chitroda
2026-06-06 12:11 ` sashiko-bot
2026-06-06 11:37 ` [PATCH 2/9] iio: orientation: hid-sensor-incl-3d: " Sanjay Chitroda
2026-06-06 12:10 ` sashiko-bot
2026-06-08 15:34 ` Pandruvada, Srinivas
2026-06-14 18:24 ` Jonathan Cameron
2026-06-15 13:36 ` Pandruvada, Srinivas
2026-06-17 18:37 ` Sanjay Chitroda [this message]
2026-06-17 19:50 ` Pandruvada, Srinivas
2026-06-06 11:37 ` [PATCH 3/9] iio: gyro: hid-sensor-gyro-3d: " Sanjay Chitroda
2026-06-06 12:13 ` sashiko-bot
2026-06-06 11:37 ` [PATCH 4/9] iio: pressure: hid-sensor-press: " Sanjay Chitroda
2026-06-06 11:50 ` sashiko-bot
2026-06-06 11:37 ` [PATCH 5/9] iio: temperature: hid-sensor-temperature: switch to non-devm iio_device_register() Sanjay Chitroda
2026-06-06 12:09 ` sashiko-bot
2026-06-06 11:37 ` [PATCH 6/9] iio: light: hid-sensor-prox: Fix race between callback registration and device exposure Sanjay Chitroda
2026-06-06 12:13 ` sashiko-bot
2026-06-06 11:37 ` [PATCH 7/9] iio: light: hid-sensor-als: " Sanjay Chitroda
2026-06-06 12:11 ` sashiko-bot
2026-06-06 11:37 ` [PATCH 8/9] iio: magnetometer: hid-sensor-magn-3d: " Sanjay Chitroda
2026-06-06 12:10 ` sashiko-bot
2026-06-06 11:37 ` [PATCH 9/9] iio: accel: hid-sensor-accel-3d: " Sanjay Chitroda
2026-06-06 12:13 ` sashiko-bot
2026-06-08 13:56 ` [PATCH 0/9] HID: iio: Fix race condition " Andy Shevchenko
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=3FED088A-651B-4E8B-840B-1B92CB4DF6F4@gmail.com \
--to=sanjayembeddedse@gmail.com \
--cc=andy@kernel.org \
--cc=archana.patni@linux.intel.com \
--cc=dlechner@baylibre.com \
--cc=hongyan.song@intel.com \
--cc=jic23@kernel.org \
--cc=jikos@kernel.org \
--cc=linux-iio@vger.kernel.org \
--cc=linux-input@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=nuno.sa@analog.com \
--cc=srinivas.pandruvada@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox