[PATCH v4 2/2] i2c: imx: Cancel hrtimer before clearing slave pointer

Next message: Baoquan He: "Re: [PATCH] riscv: Fix a NULL pointer reference in machine_kexec_prepare"
Previous message: Liem: "[PATCH v4 0/2] i2c: imx: Fix slave mode corner issues"
In reply to: Frank Li: "Re: [PATCH v4 1/2] i2c: imx: Fix slave registration race and error handling"
Next in thread: Frank Li: "Re: [PATCH v4 2/2] i2c: imx: Cancel hrtimer before clearing slave pointer"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Liem

Date: Sun Jun 28 2026 - 22:41:08 EST

In i2c_imx_unreg_slave(), the slave pointer is set to NULL after
disabling interrupts. However, a pending interrupt might already
have started the hrtimer (i2c_imx_slave_timeout) before the pointer
was cleared. If the hrtimer fires after i2c_imx->slave is set to
NULL, the timer callback i2c_imx_slave_finish_op() will call
i2c_imx_slave_event() with a NULL slave pointer, which results in a
use-after-free / NULL pointer dereference.

Fix by canceling the hrtimer and waiting for it to complete after
disabling interrupts, before clearing the slave pointer.

Fixes: f7414cd6923f ("i2c: imx: support slave mode for imx I2C driver")
Cc: stable@xxxxxxxxxxxxxxx
Acked-by: Carlos Song <carlos.song@xxxxxxx>
Signed-off-by: Liem <liem16213@xxxxxxxxx>
---
v3 -> v4: No changes, added Acked-by from Carlos Song.
---
drivers/i2c/busses/i2c-imx.c | 1 +
1 file changed, 1 insertion(+)

diff --git a/drivers/i2c/busses/i2c-imx.c b/drivers/i2c/busses/i2c-imx.c
index 2398c406e913..b1c6581db774 100644
--- a/drivers/i2c/busses/i2c-imx.c
+++ b/drivers/i2c/busses/i2c-imx.c
@@ -960,6 +960,7 @@ static int i2c_imx_unreg_slave(struct i2c_client *client)

i2c_imx_reset_regs(i2c_imx);

+ hrtimer_cancel(&i2c_imx->slave_timer);
i2c_imx->slave = NULL;

/* Suspend */
--
2.34.1