[PATCH v2] iio: imu: kmx61: Fix potential time-of-check to time-of-use race

Next message: Muchun Song: "Re: [PATCH v2] drivers/base/memory: make memory block get/put explicit"
Previous message: Mark Brown: "Re: [PATCH v2] ASoC: codecs: fs210x: fix possible buffer overflow"
Next in thread: Maxwell Doose: "Re: [PATCH v2] iio: imu: kmx61: Fix potential time-of-check to time-of-use race"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Maxwell Doose

Date: Tue May 12 2026 - 21:41:47 EST

A time-of-check to time-of-use race condition exists in
kmx61_write_event_config(). If two threads enter the function at the
same time, both threads may pass the check and get to the lock. Thus,
when the first thread releases the lock allowing the second thread to
start execution after the first thread modifies data->ev_enable_state to
force returning from the function, the second thread continues execution
regardless. Fix this by moving the data->ev_enable_state check inside of
the critical section.

Fixes: fd3ae7a9f21c ("iio: imu: kmx61: Add support for any motion trigger")
Reported-by: sashiko <sashiko-bot@xxxxxxxxxx>
Closes: https://sashiko.dev/#/patchset/20260507223337.48437-1-m32285159%40gmail.com
Signed-off-by: Maxwell Doose <m32285159@xxxxxxxxx>
---
drivers/iio/imu/kmx61.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/drivers/iio/imu/kmx61.c b/drivers/iio/imu/kmx61.c
index 3cd91d8a89ee..3afa369de3cf 100644
--- a/drivers/iio/imu/kmx61.c
+++ b/drivers/iio/imu/kmx61.c
@@ -942,11 +942,11 @@ static int kmx61_write_event_config(struct iio_dev *indio_dev,
struct kmx61_data *data = kmx61_get_data(indio_dev);
int ret = 0;

- if (state && data->ev_enable_state)
- return 0;
-
mutex_lock(&data->lock);

+ if (state && data->ev_enable_state)
+ goto err_unlock;
+
if (!state && data->motion_trig_on) {
data->ev_enable_state = false;
goto err_unlock;
--
2.54.0