Re: [PATCH v2] iio: imu: kmx61: Fix potential time-of-check to time-of-use race

From: Maxwell Doose

Date: Tue May 12 2026 - 21:41:11 EST


On Tue, May 12, 2026 at 8:36 PM Maxwell Doose <m32285159@xxxxxxxxx> wrote:
>
> A time-of-check to time-of-use race condition exists in
> kmx61_write_event_config(). If two threads enter the function at the
> same time, both threads may pass the check and get to the lock. Thus,
> when the first thread releases the lock allowing the second thread to
> start execution after the first thread modifies data->ev_enable_state to
> force returning from the function, the second thread continues execution
> regardless. Fix this by moving the data->ev_enable_state check inside of
> the critical section.
>
> Fixes: fd3ae7a9f21c ("iio: imu: kmx61: Add support for any motion trigger")
> Reported-by: sashiko <sashiko-bot@xxxxxxxxxx>
> Closes: https://sashiko.dev/#/patchset/20260507223337.48437-1-m32285159%40gmail.com
> Signed-off-by: Maxwell Doose <m32285159@xxxxxxxxx>
> ---
> drivers/iio/imu/kmx61.c | 6 +++---
> 1 file changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/drivers/iio/imu/kmx61.c b/drivers/iio/imu/kmx61.c
> index 3cd91d8a89ee..3afa369de3cf 100644
> --- a/drivers/iio/imu/kmx61.c
> +++ b/drivers/iio/imu/kmx61.c
> @@ -942,11 +942,11 @@ static int kmx61_write_event_config(struct iio_dev *indio_dev,
> struct kmx61_data *data = kmx61_get_data(indio_dev);
> int ret = 0;
>
> - if (state && data->ev_enable_state)
> - return 0;
> -
> mutex_lock(&data->lock);
>
> + if (state && data->ev_enable_state)
> + goto err_unlock;
> +
> if (!state && data->motion_trig_on) {
> data->ev_enable_state = false;
> goto err_unlock;
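Review bot: The relocated early-out at "if (state && data->ev_enable_state) goto err_unlock;" is a success path that now depends on two things not stated at the jump: that ret still holds its initial value from "int ret = 0;", and that the err_unlock label (outside this hunk) only releases data->lock and returns ret. That matches the existing "!state && data->motion_trig_on" branch just below, so it is consistent with the function's style. Still, a label named err_unlock on a non-error return is easy to misread, and any later change that assigns ret before this check would silently turn the no-op into an error return. Consider saying in the commit message that the already-enabled case still returns 0, or, in a follow-up, renaming the label or using a scoped lock so the check can stay a plain "return 0;". The commit message could also state which register or state updates the second thread repeats when it proceeds, since the hunk alone does not show what the race actually corrupts.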
> --
> 2.54.0
>

Silly me, forgot the changelog.

v2:
- Started from scratch due to messy git tree
- Updated commit message per Andy and Jonathan

best regards,
max