Commit b126097b authored by LI Qingwu, committed by Wolfram Sang

i2c: imx: preserve error state in block data length handler



When a block read returns an invalid length, zero or >I2C_SMBUS_BLOCK_MAX,
the length handler sets the state to IMX_I2C_STATE_FAILED. However,
i2c_imx_master_isr() unconditionally overwrites this with
IMX_I2C_STATE_READ_CONTINUE, causing an endless read loop that overruns
buffers and crashes the system.

Guard the state transition to preserve error states set by the length
handler.

Fixes: 5f5c2d45 ("i2c: imx: prevent rescheduling in non dma mode")
Signed-off-by: LI Qingwu <Qing-wu.Li@leica-geosystems.com.cn>
Cc: <stable@vger.kernel.org> # v6.13+
Reviewed-by: Stefan Eichenberger <eichest@gmail.com>
Signed-off-by: Andi Shyti <andi.shyti@kernel.org>
Link: https://lore.kernel.org/r/20260116111906.3413346-2-Qing-wu.Li@leica-geosystems.com.cn


Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
parent 18f7fcd5
+2 −1
@@ -1103,6 +1103,7 @@ static irqreturn_t i2c_imx_master_isr(struct imx_i2c_struct *i2c_imx, unsigned i

	case IMX_I2C_STATE_READ_BLOCK_DATA_LEN:
		i2c_imx_isr_read_block_data_len(i2c_imx);
		if (i2c_imx->state == IMX_I2C_STATE_READ_BLOCK_DATA_LEN)
			i2c_imx->state = IMX_I2C_STATE_READ_CONTINUE;
		break;
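
Review bot: The guard `if (i2c_imx->state == IMX_I2C_STATE_READ_BLOCK_DATA_LEN)` in the IMX_I2C_STATE_READ_BLOCK_DATA_LEN case infers failure from a state comparison, which is correct only as long as i2c_imx_isr_read_block_data_len() leaves the state untouched on a valid length, and nothing at the call site says so. A one-line comment above the `if` noting that the helper may already have moved the state to IMX_I2C_STATE_FAILED would keep a later cleanup from dropping the check as redundant. Alternatively, have the helper return an error code and make the transition to IMX_I2C_STATE_READ_CONTINUE conditional on that return value, so the ISR does not depend on the helper's side effects on `i2c_imx->state`.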