RE: [PATCH v3 2/2] i2c: imx: Cancel hrtimer before clearing slave pointer

From: Carlos Song (OSS)

Date: Fri Jun 26 2026 - 02:26:53 EST

> -----Original Message-----
> From: Liem <liem16213@xxxxxxxxx>
> Sent: Friday, June 26, 2026 10:59 AM
> To: Frank Li (OSS) <frank.li@xxxxxxxxxxx>
> Cc: Frank Li <frank.li@xxxxxxx>; andi.shyti@xxxxxxxxxx; Biwen Li
> <biwen.li@xxxxxxx>; festevam@xxxxxxxxx; imx@xxxxxxxxxxxxxxx;
> kernel@xxxxxxxxxxxxxx; liem16213@xxxxxxxxx;
> linux-arm-kernel@xxxxxxxxxxxxxxxxxxx; linux-i2c@xxxxxxxxxxxxxxx;
> linux-kernel@xxxxxxxxxxxxxxx; o.rempel@xxxxxxxxxxxxxx;
> s.hauer@xxxxxxxxxxxxxx; stable@xxxxxxxxxxxxxxx; wsa@xxxxxxxxxx
> Subject: [PATCH v3 2/2] i2c: imx: Cancel hrtimer before clearing slave pointer
>
> In i2c_imx_unreg_slave(), the slave pointer is set to NULL after disabling
> interrupts. However, a pending interrupt might already have started the
> hrtimer (i2c_imx_slave_timeout) before the pointer was cleared. If the hrtimer
> fires after i2c_imx->slave is set to NULL, the timer callback
> i2c_imx_slave_finish_op() will call
> i2c_imx_slave_event() with a NULL slave pointer, which results in a use-after-free /
> NULL pointer dereference.
>
> Fix by canceling the hrtimer and waiting for it to complete after disabling
> interrupts, before clearing the slave pointer.
>
> Fixes: f7414cd6923f ("i2c: imx: support slave mode for imx I2C driver")
> Cc: stable@xxxxxxxxxxxxxxx
> Signed-off-by: Liem <liem16213@xxxxxxxxx>

Hi,

LGTM, thank you very much!

Acked-by: Carlos Song <carlos.song@xxxxxxx>

> ---
> drivers/i2c/busses/i2c-imx.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/drivers/i2c/busses/i2c-imx.c b/drivers/i2c/busses/i2c-imx.c index
> 17defb470776..f02c216ba299 100644
> --- a/drivers/i2c/busses/i2c-imx.c
> +++ b/drivers/i2c/busses/i2c-imx.c
> @@ -959,6 +959,7 @@ static int i2c_imx_unreg_slave(struct i2c_client *client)
>
> i2c_imx_reset_regs(i2c_imx);
>
> + hrtimer_cancel(&i2c_imx->slave_timer);
> i2c_imx->slave = NULL;
>
> /* Suspend */
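Review bot: the placement is right for the race described, since hrtimer_cancel() waits for a running callback to return before i2c_imx->slave is written, but the hunk only closes the window if nothing can re-arm slave_timer after the cancel, and the context shown here (i2c_imx_reset_regs() immediately before) does not make that visible. A one-line comment above the new call, along the lines of "interrupts are already disabled, so the timer cannot be re-armed after this point", would let a reader verify the ordering without going back to the top of i2c_imx_unreg_slave(). The commit message should also settle on one description of the consequence; a timer callback reading a NULL i2c_imx->slave is a NULL pointer dereference, and "use-after-free / NULL pointer dereference" leaves it ambiguous which one is being fixed.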
> --
> 2.34.1
>