When a block read returns an invalid length, zero or >I2C_SMBUS_BLOCK_MAX,
the length handler sets the state to IMX_I2C_STATE_FAILED. However,
i2c_imx_master_isr() unconditionally overwrites this with
IMX_I2C_STATE_READ_CONTINUE, causing an endless read loop that overruns
buffers and crashes the system.

Guard the state transition to preserve error states set by the length
handler.

Fixes: 5f5c2d4579ca ("i2c: imx: prevent rescheduling in non dma mode")
Signed-off-by: LI Qingwu <Qing-wu.Li@leica-geosystems.com.cn>
Cc: <stable@vger.kernel.org> # v6.13+
Reviewed-by: Stefan Eichenberger <eichest@gmail.com>
Signed-off-by: Andi Shyti <andi.shyti@kernel.org>
Link: https://lore.kernel.org/r/20260116111906.3413346-2-Qing-wu.Li@leica-geosystems.com.cn
Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
case IMX_I2C_STATE_READ_BLOCK_DATA_LEN:
i2c_imx_isr_read_block_data_len(i2c_imx);
- i2c_imx->state = IMX_I2C_STATE_READ_CONTINUE;
+ if (i2c_imx->state == IMX_I2C_STATE_READ_BLOCK_DATA_LEN)
+ i2c_imx->state = IMX_I2C_STATE_READ_CONTINUE;
break;
case IMX_I2C_STATE_WRITE:
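Review bot: The new state check in the IMX_I2C_STATE_READ_BLOCK_DATA_LEN case relies on i2c_imx_isr_read_block_data_len() reporting failure only as a side effect on i2c_imx->state, and nothing at the call site documents that contract. Consider a one-line comment above the `if` stating that the handler may already have moved the state to IMX_I2C_STATE_FAILED on an invalid length, or have the handler return a status so the caller branches on it explicitly. Comparing against `IMX_I2C_STATE_READ_BLOCK_DATA_LEN` rather than testing `!= IMX_I2C_STATE_FAILED` is the more robust form, since any state the handler sets is preserved; keep that if the check is reworked.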