From: Liem <liem16213@gmail.com>
To: frank.li@oss.nxp.com
Cc: Frank.Li@nxp.com, andi.shyti@kernel.org, biwen.li@nxp.com,
festevam@gmail.com, imx@lists.linux.dev, kernel@pengutronix.de,
liem16213@gmail.com, linux-arm-kernel@lists.infradead.org,
linux-i2c@vger.kernel.org, linux-kernel@vger.kernel.org,
o.rempel@pengutronix.de, s.hauer@pengutronix.de,
stable@vger.kernel.org, wsa@kernel.org
Subject: [PATCH v3 2/2] i2c: imx: Cancel hrtimer before clearing slave pointer
Date: Fri, 26 Jun 2026 10:58:46 +0800
Message-ID: <20260626025846.106157-3-liem16213@gmail.com>
In-Reply-To: <20260626025846.106157-1-liem16213@gmail.com>
In i2c_imx_unreg_slave(), the slave pointer is set to NULL after
disabling interrupts. However, a pending interrupt might already
have started the hrtimer (i2c_imx_slave_timeout) before the pointer
was cleared. If the hrtimer fires after i2c_imx->slave is set to
NULL, the timer callback i2c_imx_slave_finish_op() will call
i2c_imx_slave_event() with a NULL slave pointer, which results in a
use-after-free / NULL pointer dereference.

Fix by canceling the hrtimer and waiting for it to complete after
disabling interrupts, before clearing the slave pointer.
Fixes: f7414cd6923f ("i2c: imx: support slave mode for imx I2C driver")
Cc: stable@vger.kernel.org
Signed-off-by: Liem <liem16213@gmail.com>
---
drivers/i2c/busses/i2c-imx.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/i2c/busses/i2c-imx.c b/drivers/i2c/busses/i2c-imx.c
index 17defb470776..f02c216ba299 100644
--- a/drivers/i2c/busses/i2c-imx.c
+++ b/drivers/i2c/busses/i2c-imx.c
@@ -959,6 +959,7 @@ static int i2c_imx_unreg_slave(struct i2c_client *client)
i2c_imx_reset_regs(i2c_imx);
+ hrtimer_cancel(&i2c_imx->slave_timer);
i2c_imx->slave = NULL;
/* Suspend */
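Review bot: the added hrtimer_cancel(&i2c_imx->slave_timer) ahead of i2c_imx->slave = NULL only waits for a timer that is already queued or whose callback is running; it does not stop an interrupt handler that is still executing on another CPU from starting slave_timer again after the cancel has returned. The visible context shows only i2c_imx_reset_regs(i2c_imx) in front of it, so please confirm that nothing can arm the timer past this point, for example by calling synchronize_irq() before the cancel, and record that ordering requirement in a short comment above the new line. The commit message also labels the failure "use-after-free / NULL pointer dereference" while the scenario it describes is a NULL slave pointer reaching i2c_imx_slave_event(); naming the one that actually occurs would make the stable backport rationale clearer.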
--
2.34.1