From: Liem <liem16213@gmail.com>
To: Oleksij Rempel <o.rempel@pengutronix.de>
Cc: Andi Shyti <andi.shyti@kernel.org>,
	Pengutronix Kernel Team <kernel@pengutronix.de>,
	Frank Li <Frank.Li@nxp.com>,
	Sascha Hauer <s.hauer@pengutronix.de>,
	Fabio Estevam <festevam@gmail.com>, Biwen Li <biwen.li@nxp.com>,
	Wolfram Sang <wsa@kernel.org>,
	linux-i2c@vger.kernel.org, imx@lists.linux.dev,
	linux-arm-kernel@lists.infradead.org,
	linux-kernel@vger.kernel.org, stable@vger.kernel.org,
	Liem <liem16213@gmail.com>
Subject: [PATCH] i2c: imx: Fix slave registration error path and missing NULL check
Date: Thu, 25 Jun 2026 15:11:30 +0800
Message-ID: <20260625071130.93544-1-liem16213@gmail.com>

There are two issues that affect the i2c-imx slave handling:

1. In i2c_imx_reg_slave(), i2c_imx->slave is checked at the beginning
   and the function returns -EBUSY if it is non-NULL.  If
   pm_runtime_resume_and_get() fails later, the error path returns
   without clearing i2c_imx->slave, leaving it non-NULL.  Subsequent
   attempts to register a slave will then immediately fail with
   -EBUSY, making it impossible to register the slave again.  Fix
   by setting i2c_imx->slave = NULL on the error path.

2. In i2c_imx_unreg_slave(), the slave pointer is set to NULL after
   disabling interrupts.  However, a pending interrupt might already
   have started a timer (e.g. for slave event processing) before
   the pointer was cleared.  The timer callback
   i2c_imx_slave_event() dereferences i2c_imx->slave without a
   NULL check, which results in a use-after-free / NULL pointer
   dereference.  Prevent this by checking that i2c_imx->slave is
   valid before calling i2c_slave_event() and updating the
   last_slave_event field.

Both issues can trigger a kernel oops or permanent slave
registration failure under certain race conditions.  Add the
missing NULL assignment and the missing NULL check to harden
the slave path.

Fixes: f7414cd6923f ("i2c: imx: support slave mode for imx I2C driver")
Cc: stable@vger.kernel.org
Signed-off-by: Liem <liem16213@gmail.com>
---
 drivers/i2c/busses/i2c-imx.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/drivers/i2c/busses/i2c-imx.c b/drivers/i2c/busses/i2c-imx.c
index 28313d0fad37..4f7bcbeecfd0 100644
--- a/drivers/i2c/busses/i2c-imx.c
+++ b/drivers/i2c/busses/i2c-imx.c
@@ -775,8 +775,10 @@ static void i2c_imx_enable_bus_idle(struct imx_i2c_struct *i2c_imx)
 static void i2c_imx_slave_event(struct imx_i2c_struct *i2c_imx,
 				enum i2c_slave_event event, u8 *val)
 {
-	i2c_slave_event(i2c_imx->slave, event, val);
-	i2c_imx->last_slave_event = event;
+	if (i2c_imx->slave) {
+		i2c_slave_event(i2c_imx->slave, event, val);
+		i2c_imx->last_slave_event = event;
+	}
 }
 
 static void i2c_imx_slave_finish_op(struct imx_i2c_struct *i2c_imx)
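
Review bot: the new `if (i2c_imx->slave)` test in i2c_imx_slave_event() reads the pointer once for the check and again for the i2c_slave_event() call, with no lock or READ_ONCE() visible in this hunk, so an unregister running concurrently can still clear it between the two reads. The check also only covers the NULL case: the commit message mentions a use-after-free, and a stale non-NULL pointer passes this test. Stopping the pending timer in i2c_imx_unreg_slave() before the pointer is cleared would close the window rather than narrow it, which is the direction the v3 2/2 subject in this thread ("Cancel hrtimer before clearing slave pointer") takes. If the check stays as defence in depth, read the pointer into a local once and add a comment naming the race it guards against.
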
@@ -936,6 +938,7 @@ static int i2c_imx_reg_slave(struct i2c_client *client)
 	/* Resume */
 	ret = pm_runtime_resume_and_get(i2c_imx->adapter.dev.parent);
 	if (ret < 0) {
+		i2c_imx->slave = NULL;
 		dev_err(&i2c_imx->adapter.dev, "failed to resume i2c controller");
 		return ret;
 	}
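
Review bot: the added `i2c_imx->slave = NULL;` in the `ret < 0` branch rolls back an assignment that is not visible in this hunk, so it is not possible to confirm from here that the slave pointer is the only state set before pm_runtime_resume_and_get(). Assigning i2c_imx->slave only after the resume succeeds would remove the need for the rollback and would avoid publishing a non-NULL slave pointer while the controller is not yet resumed; if the early assignment is required, a short comment saying why would help. Separately, the dev_err() string in the context line has no trailing newline, and since this patch combines two unrelated fixes under one Fixes: tag, splitting it would make stable backporting easier.
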
-- 
2.34.1


Thread overview: 14+ messages
2026-06-25  7:11 Liem [this message]
2026-06-25  7:26 ` [PATCH] i2c: imx: Fix slave registration error path and missing NULL check sashiko-bot
2026-06-25 11:17 ` Carlos Song (OSS)
2026-06-25 16:02 ` [PATCH v2] i2c: imx: Fix slave registration error path and missing timer cleanup Liem
2026-06-25 16:15   ` sashiko-bot
2026-06-25 16:16   ` Frank Li
2026-06-26  1:55     ` liem
2026-06-26  2:58     ` [PATCH v3 0/2] Fix slave mode corner issues Liem
2026-06-26  2:58       ` [PATCH v3 1/2] i2c: imx: Clear slave pointer on registration error Liem
2026-06-26  6:23         ` Carlos Song (OSS)
2026-06-26  8:30           ` liem
2026-06-26  2:58       ` [PATCH v3 2/2] i2c: imx: Cancel hrtimer before clearing slave pointer Liem
2026-06-26  6:26         ` Carlos Song (OSS)
  -- strict thread matches above, loose matches on Subject: below --
2026-06-25 15:07 [PATCH] i2c: imx: Fix slave registration error path and missing NULL check liem
