[PATCH 10/12] i2c: rk3x: fix NULL pointer dereference on repeated NACK
Ahmad Fatoum
a.fatoum at pengutronix.de
Mon Feb 16 00:42:26 PST 2026
In the polling loop, if a NAKRCV interrupt triggers rk3x_i2c_stop()
which sets i2c->msg to NULL, a subsequent iteration with NAKRCV
still asserted will dereference the NULL msg pointer when checking
I2C_M_IGNORE_NAK. Add a NULL check so that a NULL msg falls through
to rk3x_i2c_stop(), which handles this case safely.
Reported-by: GCC 14.2 -fanalyzer
Co-Authored-By: Claude Opus 4.6 <noreply at anthropic.com>
Signed-off-by: Ahmad Fatoum <a.fatoum at pengutronix.de>
---
drivers/i2c/busses/i2c-rk3x.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/i2c/busses/i2c-rk3x.c b/drivers/i2c/busses/i2c-rk3x.c
index 1fdce1c8de84..d35f3e1c15c8 100644
--- a/drivers/i2c/busses/i2c-rk3x.c
+++ b/drivers/i2c/busses/i2c-rk3x.c
@@ -462,7 +462,8 @@ static void rk3x_i2c_irq(struct rk3x_i2c *i2c)
ipd &= ~REG_INT_NAKRCV;
- if (!(i2c->msg->flags & I2C_M_IGNORE_NAK))
+ if (!i2c->msg ||
+ !(i2c->msg->flags & I2C_M_IGNORE_NAK))
rk3x_i2c_stop(i2c, -ENXIO);
}
--
2.47.3
More information about the barebox
mailing list