On Fri, Apr 03, 2026 at 05:05:58PM +0800, Jian Zhang wrote:
> The response timer can stay armed across device teardown. If it fires after
> remove, the callback dereferences the SSIF context and the i2c client after
> teardown has started.
> 
> Cancel the timer in remove so the callback cannot run after the device is
> unregistered.

Thanks for the updates on this.  I have the new version in my tree.  I
have one question on the kunit patch, I'll ask it there.

-corey

> 
> Signed-off-by: Jian Zhang <[email protected]>
> ---
> v2: use timer_delete_sync() to cancel the timer
> 
>  drivers/char/ipmi/ssif_bmc.c | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/drivers/char/ipmi/ssif_bmc.c b/drivers/char/ipmi/ssif_bmc.c
> index 7a52e3ea49ed..dc1d5bb4a460 100644
> --- a/drivers/char/ipmi/ssif_bmc.c
> +++ b/drivers/char/ipmi/ssif_bmc.c
> @@ -843,6 +843,7 @@ static void ssif_bmc_remove(struct i2c_client *client)
>  {
>       struct ssif_bmc_ctx *ssif_bmc = i2c_get_clientdata(client);
>  
> +     timer_delete_sync(&ssif_bmc->response_timer);
>       i2c_slave_unregister(client);
>       misc_deregister(&ssif_bmc->miscdev);
>  }
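
Review bot: In ssif_bmc_remove(), timer_delete_sync() runs while the I2C slave and the misc device are both still registered, so if any path reachable through either of them can arm response_timer, the timer could be re-armed after this call returns and fire after teardown. Consider moving the cancel after i2c_slave_unregister(client) and misc_deregister(), or using timer_shutdown_sync(), which also blocks later re-arming. A one-line comment on why the ordering is safe would help either way.
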
> -- 
> 2.20.1

