From: Frank Li <Frank.li@oss.nxp.com>
To: Liem <liem16213@gmail.com>
Cc: Oleksij Rempel <o.rempel@pengutronix.de>,
Andi Shyti <andi.shyti@kernel.org>,
Pengutronix Kernel Team <kernel@pengutronix.de>,
Frank Li <Frank.Li@nxp.com>,
Sascha Hauer <s.hauer@pengutronix.de>,
Fabio Estevam <festevam@gmail.com>, Biwen Li <biwen.li@nxp.com>,
Wolfram Sang <wsa@kernel.org>,
linux-i2c@vger.kernel.org, imx@lists.linux.dev,
linux-arm-kernel@lists.infradead.org,
linux-kernel@vger.kernel.org, stable@vger.kernel.org
Subject: Re: [PATCH v2] i2c: imx: Fix slave registration error path and missing timer cleanup
Date: Thu, 25 Jun 2026 11:16:07 -0500 [thread overview]
Message-ID: <aj1UR5ddawsdMbZC@SMW015318> (raw)
In-Reply-To: <20260625160219.55116-1-liem16213@gmail.com>
On Fri, Jun 26, 2026 at 12:02:19AM +0800, Liem wrote:
>
> There are two issues that affect the i2c-imx slave handling:
>
> 1. In i2c_imx_reg_slave(), i2c_imx->slave is checked at the beginning
> and the function returns -EBUSY if it is non-NULL. If
> pm_runtime_resume_and_get() fails later, the error path returns
> without clearing i2c_imx->slave, leaving it non-NULL. Subsequent
> attempts to register a slave will then immediately fail with
> -EBUSY, making it impossible to register the slave again. Fix
> by setting i2c_imx->slave = NULL on the error path.
>
> 2. In i2c_imx_unreg_slave(), the slave pointer is set to NULL after
> disabling interrupts. However, a pending interrupt might already
> have started the hrtimer (i2c_imx_slave_timeout) before the pointer
> was cleared. If the hrtimer fires after i2c_imx->slave is set to
> NULL, the timer callback i2c_imx_slave_finish_op() will call
> i2c_imx_slave_event() with a NULL slave pointer, and the
> last_slave_event check loop in i2c_imx_slave_finish_op() may cause
> a system hang because last_slave_event is no longer updated. Fix
> by canceling the hrtimer and waiting for it to complete after
> disabling interrupts, before clearing the slave pointer.
Please use two patches to fix these problem. One patch fix one problem.
Frank
>
> Both issues can trigger a kernel oops, system hang, or permanent
> slave registration failure under certain race conditions. Add the
> missing NULL assignment and the missing hrtimer cleanup to harden
> the slave path.
>
> Fixes: f7414cd6923f ("i2c: imx: support slave mode for imx I2C driver")
> Cc: stable@vger.kernel.org
> Signed-off-by: Liem <liem16213@gmail.com>
> ---
> v1 -> v2:
> - Instead of adding a NULL check in i2c_imx_slave_event(), cancel
> the hrtimer and wait for it to finish in i2c_imx_unreg_slave()
> after disabling interrupts, as suggested by <Carlos Song>.
> This avoids a potential hang in the last_slave_event loop in
> i2c_imx_slave_finish_op().
> ---
> drivers/i2c/busses/i2c-imx.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/i2c/busses/i2c-imx.c b/drivers/i2c/busses/i2c-imx.c
> index 28313d0fad37..04ffb927aba9 100644
> --- a/drivers/i2c/busses/i2c-imx.c
> +++ b/drivers/i2c/busses/i2c-imx.c
> @@ -936,6 +936,7 @@ static int i2c_imx_reg_slave(struct i2c_client *client)
> /* Resume */
> ret = pm_runtime_resume_and_get(i2c_imx->adapter.dev.parent);
> if (ret < 0) {
> + i2c_imx->slave = NULL;
> dev_err(&i2c_imx->adapter.dev, "failed to resume i2c controller");
> return ret;
> }
> @@ -957,7 +958,7 @@ static int i2c_imx_unreg_slave(struct i2c_client *client)
> imx_i2c_write_reg(0, i2c_imx, IMX_I2C_IADR);
>
> i2c_imx_reset_regs(i2c_imx);
> -
> + hrtimer_cancel(&i2c_imx->slave_timer);
> i2c_imx->slave = NULL;
>
> /* Suspend */
> --
> 2.53.0
>
>
next prev parent reply other threads:[~2026-06-25 16:16 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-25 7:11 [PATCH] i2c: imx: Fix slave registration error path and missing NULL check Liem
2026-06-25 7:26 ` sashiko-bot
2026-06-25 11:17 ` Carlos Song (OSS)
2026-06-25 16:02 ` [PATCH v2] i2c: imx: Fix slave registration error path and missing timer cleanup Liem
2026-06-25 16:15 ` sashiko-bot
2026-06-25 16:16 ` Frank Li [this message]
2026-06-26 1:55 ` liem
2026-06-26 2:58 ` [PATCH v3 0/2] Fix slave mode corner issues Liem
2026-06-26 2:58 ` [PATCH v3 1/2] i2c: imx: Clear slave pointer on registration error Liem
2026-06-26 6:23 ` Carlos Song (OSS)
2026-06-26 8:30 ` liem
2026-06-26 2:58 ` [PATCH v3 2/2] i2c: imx: Cancel hrtimer before clearing slave pointer Liem
2026-06-26 6:26 ` Carlos Song (OSS)
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aj1UR5ddawsdMbZC@SMW015318 \
--to=frank.li@oss.nxp.com \
--cc=Frank.Li@nxp.com \
--cc=andi.shyti@kernel.org \
--cc=biwen.li@nxp.com \
--cc=festevam@gmail.com \
--cc=imx@lists.linux.dev \
--cc=kernel@pengutronix.de \
--cc=liem16213@gmail.com \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-i2c@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=o.rempel@pengutronix.de \
--cc=s.hauer@pengutronix.de \
--cc=stable@vger.kernel.org \
--cc=wsa@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.