Re: [PATCH] iio: imu: kmx61: Fix TOCTOU race condition

Next message: Ian Rogers: "Re: [PATCH] perf kvm stat: Update the exit reason mappings"
Previous message: Jiri Kosina: "Re: [PATCH] HID: google: hammer: stop hardware on devres action failure"
In reply to: Jonathan Cameron: "Re: [PATCH] iio: imu: kmx61: Fix TOCTOU race condition"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: David Lechner

Date: Tue May 12 2026 - 12:01:40 EST

On 5/12/26 7:03 AM, Maxwell Doose wrote:
> A Time-of-check to Time-of-use race condition is present in
> kmx61_write_event_config(). Move the mutex_lock() call above it to fix
> it.
>
> Fixes: fd3ae7a9f21c ("iio: imu: kmx61: Add support for any motion trigger")
> Signed-off-by: Maxwell Doose <m32285159@xxxxxxxxx>
> ---
> drivers/iio/imu/kmx61.c | 8 +++++---
> 1 file changed, 5 insertions(+), 3 deletions(-)
>
> diff --git a/drivers/iio/imu/kmx61.c b/drivers/iio/imu/kmx61.c
> index 3cd91d8a89ee..9aa00acc7f14 100644
> --- a/drivers/iio/imu/kmx61.c
> +++ b/drivers/iio/imu/kmx61.c
> @@ -942,11 +942,13 @@ static int kmx61_write_event_config(struct iio_dev *indio_dev,
> struct kmx61_data *data = kmx61_get_data(indio_dev);
> int ret = 0;
>
> - if (state && data->ev_enable_state)
> - return 0;
> -
> mutex_lock(&data->lock);
>
> + if (state && data->ev_enable_state) {
> + ret = 0;
> + goto err_unlock;
> + }
> +
> if (!state && data->motion_trig_on) {
> data->ev_enable_state = false;
> goto err_unlock;

There are actually 3 other drivers that have identical code
which likely need the same fix.

And in all of these, there is an write_event() callback that
reads ev_enable_state without holding the mutex that looks
suspicious too.