lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID:
 <GV2PR06MB10809C9AF32F95388E8DBF519D785A@GV2PR06MB10809.eurprd06.prod.outlook.com>
Date: Thu, 8 Jan 2026 08:37:51 +0000
From: LI Qingwu <Qing-wu.Li@...ca-geosystems.com.cn>
To: Andi Shyti <andi.shyti@...nel.org>
CC: "o.rempel@...gutronix.de" <o.rempel@...gutronix.de>,
	"kernel@...gutronix.de" <kernel@...gutronix.de>, "shawnguo@...nel.org"
	<shawnguo@...nel.org>, "s.hauer@...gutronix.de" <s.hauer@...gutronix.de>,
	"festevam@...il.com" <festevam@...il.com>, "linux-i2c@...r.kernel.org"
	<linux-i2c@...r.kernel.org>, "imx@...ts.linux.dev" <imx@...ts.linux.dev>,
	"linux-arm-kernel@...ts.infradead.org"
	<linux-arm-kernel@...ts.infradead.org>, "linux-kernel@...r.kernel.org"
	<linux-kernel@...r.kernel.org>, GEO-CHHER-bsp-development
	<bsp-development.geo@...ca-geosystems.com>
Subject: RE: [PATCH V1] i2c: imx: Fix SMBus block read hang on zero length



> -----Original Message-----
> From: Andi Shyti <andi.shyti@...nel.org>
> Sent: Thursday, January 8, 2026 4:13 AM
> To: LI Qingwu <Qing-wu.Li@...ca-geosystems.com.cn>
> Cc: o.rempel@...gutronix.de; kernel@...gutronix.de; shawnguo@...nel.org;
> s.hauer@...gutronix.de; festevam@...il.com; linux-i2c@...r.kernel.org;
> imx@...ts.linux.dev; linux-arm-kernel@...ts.infradead.org;
> linux-kernel@...r.kernel.org; GEO-CHHER-bsp-development
> <bsp-development.geo@...ca-geosystems.com>
> Subject: Re: [PATCH V1] i2c: imx: Fix SMBus block read hang on zero length
> 
> [You don't often get email from andi.shyti@...nel.org. Learn why this is
> important at https://aka.ms/LearnAboutSenderIdentification ]
> 
> This email is not from Hexagon's Office 365 instance. Please be careful while
> clicking links, opening attachments, or replying to this email.
> 
> 
> Hi,
> 
> Can anyone from Pengutronix give this patch a look and possibly a try? Oleksij?
> 
> On Mon, Dec 29, 2025 at 08:16:29AM +0000, LI Qingwu wrote:
> > SMBus block read transfers encode the payload length in the first data
> > byte. When this first byte is zero, there is no payload and the
> > transaction should terminate immediately.
> >
> > On i.MX, if the first byte of an SMBus block read is zero, the driver
> > unconditionally overwrites the state with IMX_I2C_STATE_READ_CONTINUE.
> > This causes the state machine to enter an endless read loop,
> > eventually overrunning internal buffers and leading to a crash.
> >
> > At the same time, the controller remains in master receive mode and
> > never generates a proper STOP condition, leaving the I2C bus
> > permanently busy and preventing any further transfers on the bus.
> >
> > Fix this by handling the zero-length case explicitly: when the first
> > byte is zero, ensure that a clean STOP is generated. In this situation
> > the controller is in master receive mode, so it must be switched to
> > master transmit mode before stopping. This is done by draining the
> > pending received byte from I2DR, setting I2CR_MTX to enter transmit
> > mode, waiting briefly for the mode change, and then proceeding with
> > the normal STOP sequence.
> >
> > This change has been tested on i.MX 8M Plus platform.
> >
> > Signed-off-by: LI Qingwu <Qing-wu.Li@...ca-geosystems.com.cn>
> 
> Is this a fix?

Yes, this is a fix. Without this patch, zero-length SMBus block reads cause a system crash 
and permanent bus lockup on i.MX 8M Plus. The fix ensures proper STOP generation and 
prevents buffer overruns.

> > ---
> >  drivers/i2c/busses/i2c-imx.c | 13 ++++++++++++-
> >  1 file changed, 12 insertions(+), 1 deletion(-)
> >
> > diff --git a/drivers/i2c/busses/i2c-imx.c
> > b/drivers/i2c/busses/i2c-imx.c index dcce882f3eba..f40deecf0f66 100644
> > --- a/drivers/i2c/busses/i2c-imx.c
> > +++ b/drivers/i2c/busses/i2c-imx.c
> > @@ -735,6 +735,16 @@ static void i2c_imx_stop(struct imx_i2c_struct
> *i2c_imx, bool atomic)
> >               temp = imx_i2c_read_reg(i2c_imx, IMX_I2C_I2CR);
> >               if (!(temp & I2CR_MSTA))
> >                       i2c_imx->stopped = 1;
> > +             if ((temp & I2CR_MSTA) && !(temp & I2CR_MTX)) {
> > +                     (void)imx_i2c_read_reg(i2c_imx, IMX_I2C_I2DR);
> 
> why do we need a cast here?

The void cast explicitly marks this as a dummy read. We're reading I2DR solely to drain the
receive buffer (a required side effect before mode switching), not because we need the value.
This makes the intent clear to both the compiler and code reviewers.

> 
> > +                     temp |= I2CR_MTX;
> > +                     imx_i2c_write_reg(temp, i2c_imx, IMX_I2C_I2CR);
> > +                     if (atomic)
> > +                             udelay(25);
> 
> where is this 25 coming from?

It's a conservative value derived from practical testing. at standard mode (100kHz),
this equals ~2.5 I2C clock periods; at fast mode (400kHz), ~10 periods

> 
> > +                     else
> > +                             usleep_range(25, 50);
> > +                     temp = imx_i2c_read_reg(i2c_imx,
> IMX_I2C_I2CR);
> 
> Thanks,
> Andi

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ