Re: [PATCH v2] i2c: imx: Fix slave registration error path and missing timer cleanup

[sashiko-bot@kernel.org]

Thank you for your contribution! Sashiko AI review found 4 potential issue(s) to consider:

New issues:
- [High] Lockless modification of `i2c_imx->slave` in `i2c_imx_reg_slave()` introduces a data race and potential NULL pointer dereference.

Pre-existing issues:
- [High] Incomplete timer cancellation race in `i2c_imx_unreg_slave()` allows the ISR to restart the timer, leading to a kernel panic.
- [High] The shared interrupt handler `i2c_imx_isr()` accesses hardware registers without checking if the device is active, violating PM guidelines and causing bus faults.
- [High] Missing IRQ synchronization in `i2c_imx_runtime_suspend()` allows the hardware to be powered down while the shared interrupt handler is executing.
--

commit 0e234f45db94de278630074d43eb9ffb0e39884e
Author: Liem <liem16213@gmail.com>

i2c: imx: Fix slave registration error path and missing timer cleanup

This commit fixes a potential -EBUSY deadlock when slave registration fails
by properly clearing the slave pointer. It also cancels the slave hrtimer
during unregistration to prevent a system hang caused by the timer firing
after the slave pointer is cleared.

> diff --git a/drivers/i2c/busses/i2c-imx.c b/drivers/i2c/busses/i2c-imx.c
> index cf5bacf3a4884..17b54d1648441 100644
> --- a/drivers/i2c/busses/i2c-imx.c
> +++ b/drivers/i2c/busses/i2c-imx.c
> @@ -871,6 +871,7 @@ static int i2c_imx_reg_slave(struct i2c_client *client)
>  	/* Resume */
>  	ret = pm_runtime_resume_and_get(i2c_imx->adapter.dev.parent);
>  	if (ret < 0) {
> +		i2c_imx->slave = NULL;

[Severity: High]
Can this assignment race with the interrupt handler?

Because the driver uses a shared IRQ, i2c_imx_isr() could execute
concurrently if another device triggers the interrupt line.

If the ISR acquires slave_lock and evaluates i2c_imx->slave as valid, and
this error path locklessly sets it to NULL, wouldn't subsequent accesses
in the ISR dereference a NULL pointer?

>  		dev_err(&i2c_imx->adapter.dev, "failed to resume i2c controller");
>  		return ret;
>  	}

[ ... ]

> @@ -892,7 +893,7 @@ static int i2c_imx_unreg_slave(struct i2c_client *client)
>  	imx_i2c_write_reg(0, i2c_imx, IMX_I2C_IADR);
>  
>  	i2c_imx_reset_regs(i2c_imx);
> -
> +	hrtimer_cancel(&i2c_imx->slave_timer);
>  	i2c_imx->slave = NULL;

[Severity: High]
This is a pre-existing issue, but does canceling the timer here completely
prevent it from running?

Since i2c_imx_unreg_slave() doesn't synchronize with the shared interrupt
handler, i2c_imx_isr() could be actively executing on another CPU. If the
ISR finishes after hrtimer_cancel() is called, it will reach
i2c_imx_slave_handle() and unconditionally call
hrtimer_restart(&i2c_imx->slave_timer).

When the re-armed timer expires, i2c_imx_slave_timeout() will attempt to
read hardware registers that have already been powered down by
pm_runtime_put_sync(), which causes a bus fault.

[Severity: High]
This is also a pre-existing issue, but does the shared interrupt handler
safely access hardware registers?

i2c_imx_isr() unconditionally reads IMX_I2C_I2SR and IMX_I2C_I2CR. Because
it handles a shared interrupt line, it could be triggered by another device
while the I2C controller is runtime-suspended and its clock is disabled.
Should this use pm_runtime_get_if_active() before accessing the registers
to prevent a synchronous external abort?

[Severity: High]
This is another pre-existing issue, but does the runtime suspend callback
safely disable the hardware?

i2c_imx_runtime_suspend() disables the hardware clock via clk_disable()
without calling synchronize_irq(). If i2c_imx_isr() is mid-execution on
another CPU when the clock is turned off, wouldn't subsequent register
accesses within the handler fault?

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260625160219.55116-1-liem16213@gmail.com?part=1