Re: [PATCH] iio: imu: kmx61: Fix TOCTOU race condition
From: Maxwell Doose
Date: Tue May 12 2026 - 13:38:16 EST
On Tue, May 12, 2026 at 12:10 PM Jonathan Cameron <jic23@xxxxxxxxxx> wrote:
>
> On Tue, 12 May 2026 10:30:42 -0500
> Maxwell Doose <m32285159@xxxxxxxxx> wrote:
>
> > On Tue, May 12, 2026 at 10:25 AM Andy Shevchenko
> > <andy.shevchenko@xxxxxxxxx> wrote:
> > >
> > > On Tue, May 12, 2026 at 6:17 PM Maxwell Doose <m32285159@xxxxxxxxx> wrote:
> > > >
> > > > On Tue May 12, 2026 at 7:03 AM CDT, Maxwell Doose wrote:
> > > > > A Time-of-check to Time-of-use race condition is present in
> > > > > kmx61_write_event_config(). Move the mutex_lock() call above it to fix
> > > > > it.
> > >
> > > I think you want to elaborate a bit more on this. Id est explain why
> > > ev_enable_state needs to be protected. Not everybody is willing to go
> > > to some site to read some AI reports and interpret them.
> > >
> >
> > Can do that for v2. I believe that it needs to be protected since
> > later we set ev_enable_state to false (basically right after). Could
> > be wrong of course, but Jonathan did confirm the TOCTOU.
>
> I'd talk more about how we'd get a race. If two calls enter the function
> at the same time (which is easy to do) they may both pass this check before
> getting to the lock. Therefore we end up with at best pointless repeated
> work, at worst a reference or similar count issue. You'd need to look closely
> at what is protected to be sure whether it is a benign waste of time or a real
> bug.
>
Well, since we're accessing the shared state via kmx61_get_data (by
the way of iio_priv), we could check that value, pass the check, and
then have the value change before we acquire the lock. TOCTOU race,
no? If data->ev_enable_state is false then becomes true after we check
the value but before we get the lock, then ev_enable_state changes to
whatever the input variable state is. Anyways, just saying that this
is certainly a bug. Would coming across it be common? Probably not,
likely one of the much rarer ones, but still worth fixing.
best regards,
max
> Jonathan
>
> >
> > best regards,
> > max
> >
> >
> >
> > >
> > > > Reported-by: sashiko <sashiko-bot@xxxxxxxxxx>
> > > > Closes: https://sashiko.dev/#/patchset/20260507223337.48437-1-m32285159%40gmail.com
> > >
> > >
> > > --
> > > With Best Regards,
> > > Andy Shevchenko
>
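
The interleaving discussed in this thread, replayed deterministically as an added example; it is a userspace model, not code from the patch or from the kmx61 driver. Only `ev_enable_state` is a name from the thread; `model_dev`, `power_refs` and the function names are hypothetical, and whether the real driver holds a comparable count is an assumption.

```c
#include <pthread.h>
#include <stdbool.h>
/* Userspace model, not driver code. Only ev_enable_state is a name from the
 * thread; power_refs is a hypothetical count taken on each enable. */
struct model_dev {
    pthread_mutex_t lock;
    bool ev_enable_state;
    int power_refs;
};

/* Racy shape, step 1: the early-return check, made before taking the lock. */
static bool check_passes(const struct model_dev *d, bool state) {
    return !(state && d->ev_enable_state);
}

/* Racy shape, step 2: the update, under the lock but after a stale check. */
static void locked_update(struct model_dev *d, bool state) {
    pthread_mutex_lock(&d->lock);
    if (state)
        d->power_refs++;
    d->ev_enable_state = state;
    pthread_mutex_unlock(&d->lock);
}

/* Fixed shape: check and update share one critical section. */
static void fixed_write(struct model_dev *d, bool state) {
    pthread_mutex_lock(&d->lock);
    if (!(state && d->ev_enable_state)) {
        if (state)
            d->power_refs++;
        d->ev_enable_state = state;
    }
    pthread_mutex_unlock(&d->lock);
}

/* Replays "both callers pass the check before either gets the lock". */
int racy_refs_after_two_enables(void) {
    struct model_dev d = { .lock = PTHREAD_MUTEX_INITIALIZER };
    bool a = check_passes(&d, true), b = check_passes(&d, true);
    if (a) locked_update(&d, true);
    if (b) locked_update(&d, true);
    return d.power_refs;
}

int fixed_refs_after_two_enables(void) {
    struct model_dev d = { .lock = PTHREAD_MUTEX_INITIALIZER };
    fixed_write(&d, true);
    fixed_write(&d, true);
    return d.power_refs;
}
```

With the check outside the lock, two enable requests leave the modelled count at 2; with the check inside the critical section, the second request is a no-op and the count stays at 1.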