[PATCH v2] iio: imu: kmx61: Fix potential time-of-check to time-of-use race

Linux IIO development
 help / color / mirror / Atom feed

* [PATCH v2] iio: imu: kmx61: Fix potential time-of-check to time-of-use race
@ 2026-05-13  1:36 Maxwell Doose
  2026-05-13  1:39 ` Maxwell Doose
                   ` (2 more replies)
  0 siblings, 3 replies; 5+ messages in thread
From: Maxwell Doose @ 2026-05-13  1:36 UTC (permalink / raw)
  To: jic23
  Cc: sashiko, David Lechner, Nuno Sá, Andy Shevchenko,
	Daniel Baluta, open list:IIO SUBSYSTEM AND DRIVERS, open list

A time-of-check to time-of-use race condition exists in
kmx61_write_event_config(). If two threads enter the function at the
same time, both threads may pass the check and get to the lock. Thus,
when the first thread releases the lock allowing the second thread to
start execution after the first thread modifies data->ev_enable_state to
force returning from the function, the second thread continues execution
regardless. Fix this by moving the data->ev_enable_state check inside of
the critical section.

Fixes: fd3ae7a9f21c ("iio: imu: kmx61: Add support for any motion trigger")
Reported-by: sashiko <sashiko-bot@kernel.org>
Closes: https://sashiko.dev/#/patchset/20260507223337.48437-1-m32285159%40gmail.com
Signed-off-by: Maxwell Doose <m32285159@gmail.com>
---
 drivers/iio/imu/kmx61.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/drivers/iio/imu/kmx61.c b/drivers/iio/imu/kmx61.c
index 3cd91d8a89ee..3afa369de3cf 100644
--- a/drivers/iio/imu/kmx61.c
+++ b/drivers/iio/imu/kmx61.c
@@ -942,11 +942,11 @@ static int kmx61_write_event_config(struct iio_dev *indio_dev,
 	struct kmx61_data *data = kmx61_get_data(indio_dev);
 	int ret = 0;
 
-	if (state && data->ev_enable_state)
-		return 0;
-
 	mutex_lock(&data->lock);
 
+	if (state && data->ev_enable_state)
+		goto err_unlock;
+
 	if (!state && data->motion_trig_on) {
 		data->ev_enable_state = false;
 		goto err_unlock;
-- 
2.54.0


^ permalink raw reply related	[flat|nested] 5+ messages in thread

* Re: [PATCH v2] iio: imu: kmx61: Fix potential time-of-check to time-of-use race
  2026-05-13  1:36 [PATCH v2] iio: imu: kmx61: Fix potential time-of-check to time-of-use race Maxwell Doose
@ 2026-05-13  1:39 ` Maxwell Doose
  2026-05-13  7:35 ` Joshua Crofts
  2026-05-13 11:25 ` Andy Shevchenko
  2 siblings, 0 replies; 5+ messages in thread
From: Maxwell Doose @ 2026-05-13  1:39 UTC (permalink / raw)
  To: jic23
  Cc: sashiko, David Lechner, Nuno Sá, Andy Shevchenko,
	Daniel Baluta, open list:IIO SUBSYSTEM AND DRIVERS, open list

On Tue, May 12, 2026 at 8:36 PM Maxwell Doose <m32285159@gmail.com> wrote:
>
> A time-of-check to time-of-use race condition exists in
> kmx61_write_event_config(). If two threads enter the function at the
> same time, both threads may pass the check and get to the lock. Thus,
> when the first thread releases the lock allowing the second thread to
> start execution after the first thread modifies data->ev_enable_state to
> force returning from the function, the second thread continues execution
> regardless. Fix this by moving the data->ev_enable_state check inside of
> the critical section.
>
> Fixes: fd3ae7a9f21c ("iio: imu: kmx61: Add support for any motion trigger")
> Reported-by: sashiko <sashiko-bot@kernel.org>
> Closes: https://sashiko.dev/#/patchset/20260507223337.48437-1-m32285159%40gmail.com
> Signed-off-by: Maxwell Doose <m32285159@gmail.com>
> ---
>  drivers/iio/imu/kmx61.c | 6 +++---
>  1 file changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/drivers/iio/imu/kmx61.c b/drivers/iio/imu/kmx61.c
> index 3cd91d8a89ee..3afa369de3cf 100644
> --- a/drivers/iio/imu/kmx61.c
> +++ b/drivers/iio/imu/kmx61.c
> @@ -942,11 +942,11 @@ static int kmx61_write_event_config(struct iio_dev *indio_dev,
>         struct kmx61_data *data = kmx61_get_data(indio_dev);
>         int ret = 0;
>
> -       if (state && data->ev_enable_state)
> -               return 0;
> -
>         mutex_lock(&data->lock);
>
> +       if (state && data->ev_enable_state)
> +               goto err_unlock;
> +
>         if (!state && data->motion_trig_on) {
>                 data->ev_enable_state = false;
>                 goto err_unlock;
> --
> 2.54.0
>

Silly me, forgot the changelog.

v2:
- Started from scratch due to messy git tree
- Updated commit message per Andy and Jonathan

best regards,
max

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH v2] iio: imu: kmx61: Fix potential time-of-check to time-of-use race
  2026-05-13  1:36 [PATCH v2] iio: imu: kmx61: Fix potential time-of-check to time-of-use race Maxwell Doose
  2026-05-13  1:39 ` Maxwell Doose
@ 2026-05-13  7:35 ` Joshua Crofts
  2026-05-13 11:25 ` Andy Shevchenko
  2 siblings, 0 replies; 5+ messages in thread
From: Joshua Crofts @ 2026-05-13  7:35 UTC (permalink / raw)
  To: Maxwell Doose
  Cc: jic23, sashiko, David Lechner, Nuno Sá, Andy Shevchenko,
	Daniel Baluta, open list:IIO SUBSYSTEM AND DRIVERS, open list

On Wed, 13 May 2026 at 03:41, Maxwell Doose <m32285159@gmail.com> wrote:
>
> A time-of-check to time-of-use race condition exists in
> kmx61_write_event_config(). If two threads enter the function at the
> same time, both threads may pass the check and get to the lock. Thus,
> when the first thread releases the lock allowing the second thread to
> start execution after the first thread modifies data->ev_enable_state to
> force returning from the function, the second thread continues execution
> regardless. Fix this by moving the data->ev_enable_state check inside of
> the critical section.
>
> Fixes: fd3ae7a9f21c ("iio: imu: kmx61: Add support for any motion trigger")
> Reported-by: sashiko <sashiko-bot@kernel.org>
> Closes: https://sashiko.dev/#/patchset/20260507223337.48437-1-m32285159%40gmail.com
> Signed-off-by: Maxwell Doose <m32285159@gmail.com>
> ---
>  drivers/iio/imu/kmx61.c | 6 +++---
>  1 file changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/drivers/iio/imu/kmx61.c b/drivers/iio/imu/kmx61.c
> index 3cd91d8a89ee..3afa369de3cf 100644
> --- a/drivers/iio/imu/kmx61.c
> +++ b/drivers/iio/imu/kmx61.c
> @@ -942,11 +942,11 @@ static int kmx61_write_event_config(struct iio_dev *indio_dev,
>         struct kmx61_data *data = kmx61_get_data(indio_dev);
>         int ret = 0;
>
> -       if (state && data->ev_enable_state)
> -               return 0;
> -
>         mutex_lock(&data->lock);
>
> +       if (state && data->ev_enable_state)
> +               goto err_unlock;
> +
>         if (!state && data->motion_trig_on) {
>                 data->ev_enable_state = false;
>                 goto err_unlock;
> --

This seems simple enough.

Reviewed-by: Joshua Crofts <joshua.crofts1@gmail.com>

-- 
Kind regards

CJD

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH v2] iio: imu: kmx61: Fix potential time-of-check to time-of-use race
  2026-05-13  1:36 [PATCH v2] iio: imu: kmx61: Fix potential time-of-check to time-of-use race Maxwell Doose
  2026-05-13  1:39 ` Maxwell Doose
  2026-05-13  7:35 ` Joshua Crofts
@ 2026-05-13 11:25 ` Andy Shevchenko
  2026-05-13 15:00   ` Maxwell Doose
  2 siblings, 1 reply; 5+ messages in thread
From: Andy Shevchenko @ 2026-05-13 11:25 UTC (permalink / raw)
  To: Maxwell Doose
  Cc: jic23, sashiko, David Lechner, Nuno Sá, Andy Shevchenko,
	Daniel Baluta, open list:IIO SUBSYSTEM AND DRIVERS, open list

On Tue, May 12, 2026 at 08:36:38PM -0500, Maxwell Doose wrote:

The Subject can be made better:

  iio: imu: kmx61: Fix potential TOCTOU race in kmx61_write_event_config()

> A time-of-check to time-of-use race condition exists in
> kmx61_write_event_config(). If two threads enter the function at the
> same time, both threads may pass the check and get to the lock. Thus,
> when the first thread releases the lock allowing the second thread to
> start execution after the first thread modifies data->ev_enable_state to
> force returning from the function, the second thread continues execution
> regardless. Fix this by moving the data->ev_enable_state check inside of
> the critical section.

-- 
With Best Regards,
Andy Shevchenko



^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH v2] iio: imu: kmx61: Fix potential time-of-check to time-of-use race
  2026-05-13 11:25 ` Andy Shevchenko
@ 2026-05-13 15:00   ` Maxwell Doose
  0 siblings, 0 replies; 5+ messages in thread
From: Maxwell Doose @ 2026-05-13 15:00 UTC (permalink / raw)
  To: Andy Shevchenko
  Cc: jic23, sashiko, David Lechner, Nuno Sá, Andy Shevchenko,
	Daniel Baluta, open list:IIO SUBSYSTEM AND DRIVERS, open list

On Wed, May 13, 2026 at 6:25 AM Andy Shevchenko
<andriy.shevchenko@intel.com> wrote:
>
> On Tue, May 12, 2026 at 08:36:38PM -0500, Maxwell Doose wrote:
>
> The Subject can be made better:
>
>   iio: imu: kmx61: Fix potential TOCTOU race in kmx61_write_event_config()
>

That all sounds good. Will wait for Jonathan to see if he just wants
to merge as is, change the subject, or ask for v3.

best regards,
max



> > A time-of-check to time-of-use race condition exists in
> > kmx61_write_event_config(). If two threads enter the function at the
> > same time, both threads may pass the check and get to the lock. Thus,
> > when the first thread releases the lock allowing the second thread to
> > start execution after the first thread modifies data->ev_enable_state to
> > force returning from the function, the second thread continues execution
> > regardless. Fix this by moving the data->ev_enable_state check inside of
> > the critical section.
>
> --
> With Best Regards,
> Andy Shevchenko
>
>

^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2026-05-13 15:08 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-05-13  1:36 [PATCH v2] iio: imu: kmx61: Fix potential time-of-check to time-of-use race Maxwell Doose
2026-05-13  1:39 ` Maxwell Doose
2026-05-13  7:35 ` Joshua Crofts
2026-05-13 11:25 ` Andy Shevchenko
2026-05-13 15:00   ` Maxwell Doose

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox