--- /dev/null
+From b126097b0327437048bd045a0e4d273dea2910dd Mon Sep 17 00:00:00 2001
+From: LI Qingwu <Qing-wu.Li@leica-geosystems.com.cn>
+Date: Fri, 16 Jan 2026 11:19:05 +0000
+Subject: i2c: imx: preserve error state in block data length handler
+
+From: LI Qingwu <Qing-wu.Li@leica-geosystems.com.cn>
+
+commit b126097b0327437048bd045a0e4d273dea2910dd upstream.
+
+When a block read returns an invalid length, zero or >I2C_SMBUS_BLOCK_MAX,
+the length handler sets the state to IMX_I2C_STATE_FAILED. However,
+i2c_imx_master_isr() unconditionally overwrites this with
+IMX_I2C_STATE_READ_CONTINUE, causing an endless read loop that overruns
+buffers and crashes the system.
+
+Guard the state transition to preserve error states set by the length
+handler.
+
+Fixes: 5f5c2d4579ca ("i2c: imx: prevent rescheduling in non dma mode")
+Signed-off-by: LI Qingwu <Qing-wu.Li@leica-geosystems.com.cn>
+Cc: <stable@vger.kernel.org> # v6.13+
+Reviewed-by: Stefan Eichenberger <eichest@gmail.com>
+Signed-off-by: Andi Shyti <andi.shyti@kernel.org>
+Link: https://lore.kernel.org/r/20260116111906.3413346-2-Qing-wu.Li@leica-geosystems.com.cn
+Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/i2c/busses/i2c-imx.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/i2c/busses/i2c-imx.c
++++ b/drivers/i2c/busses/i2c-imx.c
+@@ -1103,7 +1103,8 @@ static irqreturn_t i2c_imx_master_isr(st
+
+ case IMX_I2C_STATE_READ_BLOCK_DATA_LEN:
+ i2c_imx_isr_read_block_data_len(i2c_imx);
+- i2c_imx->state = IMX_I2C_STATE_READ_CONTINUE;
++ if (i2c_imx->state == IMX_I2C_STATE_READ_BLOCK_DATA_LEN)
++ i2c_imx->state = IMX_I2C_STATE_READ_CONTINUE;
+ break;
+
+ case IMX_I2C_STATE_WRITE:
projects / thirdparty / kernel / stable-queue.git / commitdiff
