Re: [PATCH v4 2/2] i2c: imx: Cancel hrtimer before clearing slave pointer

From: Frank Li

Date: Mon Jun 29 2026 - 10:24:17 EST


On Mon, Jun 29, 2026 at 10:38:29AM +0800, Liem wrote:
> In i2c_imx_unreg_slave(), the slave pointer is set to NULL after
> disabling interrupts. However, a pending interrupt might already
> have started the hrtimer (i2c_imx_slave_timeout) before the pointer
> was cleared. If the hrtimer fires after i2c_imx->slave is set to
> NULL, the timer callback i2c_imx_slave_finish_op() will call
> i2c_imx_slave_event() with a NULL slave pointer, which results in a
> use-after-free / NULL pointer dereference.
>
> Fix by canceling the hrtimer and waiting for it to complete after
> disabling interrupts, before clearing the slave pointer.
>
> Fixes: f7414cd6923f ("i2c: imx: support slave mode for imx I2C driver")
> Cc: stable@xxxxxxxxxxxxxxx
> Acked-by: Carlos Song <carlos.song@xxxxxxx>
> Signed-off-by: Liem <liem16213@xxxxxxxxx>
> ---

Reviewed-by: Frank Li <Frank.Li@xxxxxxx>

> v3 -> v4: No changes, added Acked-by from Carlos Song.
> ---
> drivers/i2c/busses/i2c-imx.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/drivers/i2c/busses/i2c-imx.c b/drivers/i2c/busses/i2c-imx.c
> index 2398c406e913..b1c6581db774 100644
> --- a/drivers/i2c/busses/i2c-imx.c
> +++ b/drivers/i2c/busses/i2c-imx.c
> @@ -960,6 +960,7 @@ static int i2c_imx_unreg_slave(struct i2c_client *client)
>
> i2c_imx_reset_regs(i2c_imx);
>
> + hrtimer_cancel(&i2c_imx->slave_timer);
> i2c_imx->slave = NULL;
>
> /* Suspend */
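Review bot: the added hrtimer_cancel() just before `i2c_imx->slave = NULL` only closes the race if nothing can re-arm the timer after the cancel returns; hrtimer_cancel() waits for an in-flight callback but gives no protection against a later hrtimer_start() from an interrupt that arrives afterwards. The visible context shows the cancel placed after i2c_imx_reset_regs(), while the commit message relies on interrupts having been disabled earlier, so a one-line comment above the cancel (e.g. "/* interrupts are off, so the timer cannot be re-armed after this */") would document that ordering dependency for readers and for stable backports of this one-line change.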
> --
> 2.34.1
>