[PATCH v3 2/2] i2c: imx: Cancel hrtimer before clearing slave pointer

Next message: Alvin Sun: "Re: [PATCH v6 10/10] rust: module: update MAINTAINERS to cover module.rs"
Previous message: Liem: "[PATCH v3 1/2] i2c: imx: Clear slave pointer on registration error"
In reply to: Frank Li: "Re: [PATCH v4 2/2] i2c: imx: Cancel hrtimer before clearing slave pointer"
Next in thread: Carlos Song (OSS): "RE: [PATCH v3 2/2] i2c: imx: Cancel hrtimer before clearing slave pointer"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Liem

Date: Thu Jun 25 2026 - 22:59:51 EST

In i2c_imx_unreg_slave(), the slave pointer is set to NULL after
disabling interrupts. However, a pending interrupt might already
have started the hrtimer (i2c_imx_slave_timeout) before the pointer
was cleared. If the hrtimer fires after i2c_imx->slave is set to
NULL, the timer callback i2c_imx_slave_finish_op() will call
i2c_imx_slave_event() with a NULL slave pointer,which results in a
use-after-free / NULL pointer dereference.

Fix by canceling the hrtimer and waiting for it to complete after
disabling interrupts, before clearing the slave pointer.

Fixes: f7414cd6923f ("i2c: imx: support slave mode for imx I2C driver")
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Liem <liem16213@xxxxxxxxx>
---
drivers/i2c/busses/i2c-imx.c | 1 +
1 file changed, 1 insertion(+)

diff --git a/drivers/i2c/busses/i2c-imx.c b/drivers/i2c/busses/i2c-imx.c
index 17defb470776..f02c216ba299 100644
--- a/drivers/i2c/busses/i2c-imx.c
+++ b/drivers/i2c/busses/i2c-imx.c
@@ -959,6 +959,7 @@ static int i2c_imx_unreg_slave(struct i2c_client *client)

i2c_imx_reset_regs(i2c_imx);

+ hrtimer_cancel(&i2c_imx->slave_timer);
i2c_imx->slave = NULL;

/* Suspend */
--
2.34.1