On Thu, Feb 16, 2017 at 09:20:45PM +0000, Stefan Wahren wrote:
> Since commit e2474541032d ("bcm2835: Fix hang for writing messages
> larger than 16 bytes") the interrupt handler is prone to a possible
> NULL pointer dereference. This could happen if an interrupt fires
> before curr_msg is set by bcm2835_i2c_xfer_msg() and randomly occurs
> on the RPi 3. Even this is an unexpected behavior the driver must
> handle that with an error instead of a crash.
>
> CC: Noralf Trønnes
> CC: Martin Sperl
> Reported-by: Peter Robinson
> Fixes: e2474541032d ("bcm2835: Fix hang for writing messages larger than 16 bytes")
> Signed-off-by: Stefan Wahren

Applied to for-next, thanks (will be in 4.11)!

Note for patches 2+3: I usually don't take DTS changes via I2C, so this
likely needs to go via arm-soc or some other bcm tree.