From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Mon, 9 Feb 2026 12:37:16 +0000 (+0100)
Subject: 6.18-stable patches
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=710aafc8c95e7410805928b897e4ae45e61284bf;p=thirdparty%2Fkernel%2Fstable-queue.git

6.18-stable patches

added patches:
	i2c-imx-preserve-error-state-in-block-data-length-handler.patch
---

diff --git a/queue-6.18/i2c-imx-preserve-error-state-in-block-data-length-handler.patch b/queue-6.18/i2c-imx-preserve-error-state-in-block-data-length-handler.patch
new file mode 100644
index 0000000000..8e4dc503e4
--- /dev/null
+++ b/queue-6.18/i2c-imx-preserve-error-state-in-block-data-length-handler.patch
@@ -0,0 +1,42 @@
+From b126097b0327437048bd045a0e4d273dea2910dd Mon Sep 17 00:00:00 2001
+From: LI Qingwu <Qing-wu.Li@leica-geosystems.com.cn>
+Date: Fri, 16 Jan 2026 11:19:05 +0000
+Subject: i2c: imx: preserve error state in block data length handler
+
+From: LI Qingwu <Qing-wu.Li@leica-geosystems.com.cn>
+
+commit b126097b0327437048bd045a0e4d273dea2910dd upstream.
+
+When a block read returns an invalid length, zero or >I2C_SMBUS_BLOCK_MAX,
+the length handler sets the state to IMX_I2C_STATE_FAILED. However,
+i2c_imx_master_isr() unconditionally overwrites this with
+IMX_I2C_STATE_READ_CONTINUE, causing an endless read loop that overruns
+buffers and crashes the system.
+
+Guard the state transition to preserve error states set by the length
+handler.
+
+Fixes: 5f5c2d4579ca ("i2c: imx: prevent rescheduling in non dma mode")
+Signed-off-by: LI Qingwu <Qing-wu.Li@leica-geosystems.com.cn>
+Cc: <stable@vger.kernel.org> # v6.13+
+Reviewed-by: Stefan Eichenberger <eichest@gmail.com>
+Signed-off-by: Andi Shyti <andi.shyti@kernel.org>
+Link: https://lore.kernel.org/r/20260116111906.3413346-2-Qing-wu.Li@leica-geosystems.com.cn
+Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/i2c/busses/i2c-imx.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/i2c/busses/i2c-imx.c
++++ b/drivers/i2c/busses/i2c-imx.c
+@@ -1103,7 +1103,8 @@ static irqreturn_t i2c_imx_master_isr(st
+ 
+ 	case IMX_I2C_STATE_READ_BLOCK_DATA_LEN:
+ 		i2c_imx_isr_read_block_data_len(i2c_imx);
+-		i2c_imx->state = IMX_I2C_STATE_READ_CONTINUE;
++		if (i2c_imx->state == IMX_I2C_STATE_READ_BLOCK_DATA_LEN)
++			i2c_imx->state = IMX_I2C_STATE_READ_CONTINUE;
+ 		break;
+ 
+ 	case IMX_I2C_STATE_WRITE:
diff --git a/queue-6.18/series b/queue-6.18/series
index 2f973d848f..9e568a051e 100644
--- a/queue-6.18/series
+++ b/queue-6.18/series
@@ -160,3 +160,4 @@ firmware-cs_dsp-rate-limit-log-messages-in-kunit-bui.patch
 alsa-usb-audio-fix-broken-logic-in-snd_audigy2nx_led.patch
 asoc-amd-fix-memory-leak-in-acp3x-pdm-dma-ops.patch
 gpio-loongson-64bit-fix-incorrect-null-check-after-d.patch
+i2c-imx-preserve-error-state-in-block-data-length-handler.patch