Received: by 2002:ac0:e350:0:0:0:0:0 with SMTP id g16csp184330imn; Thu, 4 Aug 2022 01:42:48 -0700 (PDT) X-Google-Smtp-Source: AA6agR6foBpHXlvumupNkhAzfK4VoAo/nDtAXnqnTEG00IvvTjJ3Na4TURRyr2h4d/rUkeSzAEth X-Received: by 2002:a05:6402:2b98:b0:43e:107:183d with SMTP id fj24-20020a0564022b9800b0043e0107183dmr955084edb.366.1659602568645; Thu, 04 Aug 2022 01:42:48 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1659602568; cv=none; d=google.com; s=arc-20160816; b=JFV9hPfg7txB2Wn3w97h9b9mVNvvaYKWTlMw7HOKAe07zHSoJP5i9RzHl4aQ8dS1ul Hi7GYJRx8cU4ZQZkz5fGKGovgcLEjYU/NvTMOgOqrqZ+t5nKGv0893qYex8ALf5FmFpX JWT7Eii0I+TmsCkCtjwJFqSsu6hgvGi0IS4rh8FDp1k7RvkZ13Iw9I0rxiIApb9GkJby +4s29Tu3A1Jasgq3P9mBrSdFdHG/tjxMWg714ZvmtbgJPovmgg+rOW7ppXqod1LjDSeP 2Ssii6KvMIlrlNg0eNGivLXeRusHcrd97M4Zw5XqRSG3Thty92VpdAZRJLT/N0YyWGNj 5Q0A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from :dkim-signature; bh=ZmSGwqc22zHtNCEdp7Vy7QwaMLxmz8BdxpDnQjqdtXg=; b=H9pW50FYNaTT1aJFpdBfv/ItQlABkHwNzPD4Fun6t2K5/EcmmoriT8aBqWcxC0zrOZ dQDjMzHifj5lAFNkU+rqAE/mQWNTngVzdNO5H7apZwrB23+zACOefGo4sQRheZrBAQ28 spjGq6AqWiFcXah6ABw87WvvJaV/d8t652R51v1Tr+2ltpGJUxNyt5lCX0aX804iOPNt 7p0dYFdpDgGcP3zOmkyrANZKCjYQj9ZPwmryC2WBJr6S/E0c4KOaORPOIhKwlCsJWcTz 6uOZ4qHNfoYAqVG4byjBaejMTxPbr3vSP59PjjuS8N42v2JI/hI0Eh526oOXoVW9e9IE +FCA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@ororatech.com header.s=google header.b=KIkxKI6l; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id d7-20020a1709061f4700b00730a2c0256csi157911ejk.856.2022.08.04.01.42.20; Thu, 04 Aug 2022 01:42:48 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@ororatech.com header.s=google header.b=KIkxKI6l; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229571AbiHDIBG (ORCPT + 99 others); Thu, 4 Aug 2022 04:01:06 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:49172 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S239363AbiHDIAp (ORCPT ); Thu, 4 Aug 2022 04:00:45 -0400 Received: from mail-wm1-x330.google.com (mail-wm1-x330.google.com [IPv6:2a00:1450:4864:20::330]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 5798214012 for ; Thu, 4 Aug 2022 01:00:43 -0700 (PDT) Received: by mail-wm1-x330.google.com with SMTP id c22so9890894wmr.2 for ; Thu, 04 Aug 2022 01:00:43 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ororatech.com; s=google; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc; bh=ZmSGwqc22zHtNCEdp7Vy7QwaMLxmz8BdxpDnQjqdtXg=; b=KIkxKI6luZq5tLkph4q7fQi4668NPC6UFYLq0iwb+oG0K7RPx8awcoUYNCkNvbmfN+ XYp4xqDMW8NWA0U1fD/R57XN8pMjg671P/jSqu2+aab+0CE60Zu6tzbi1C1yfl0peZ/a o1AmiIahXnT3P49w4n+R/8iSJN//zocvmMt/nkYWRP4m+82w8udfImtdwzL+QEhVgp+3 mqSPeZCjaSmhIvMtdgF3SywUSSBia+tUk/Ir4U5jmNs0j9Teriy5T82GWYdkwFpXrWjR X7Vb+ZjAeZdjjxFxYq3dSkIjPcPEtogHnVrn0CgnVcPHMTzSjMpk4IFYiwwV68XGQVOh MXBw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc; bh=ZmSGwqc22zHtNCEdp7Vy7QwaMLxmz8BdxpDnQjqdtXg=; b=XN0lDNKma3qRlZkodzoBm8ekeIbgELQg+B7KJ1yCtFc7bi6yYQ8KTG4QvvNb9Pq1Sk 1tOr1tLUScCL4I2MO7KI4WgGeJNpcpnUE33TOkJwgGZOvfwypqJWMrg2+KoObEFGnFtv +KEyIGC7GIumnoiu6v0LS+oKV8A3Y9zj/JP6mMQ4iOaqVkkUAIia5e9D1C4sZeLDRT2u YempnkERWXPr9u52R1hOm6WcCn9ZsvOidZAwBHX3dk/JNF4V0Z3FHvsJjg66wUZGHmxS vvqEKu98wyCKyWW8hQYLwi2lpjDp8gdC5CBThBTfnFiyJOEQcu87XYq964gvKMrAbkcW 1mJw== X-Gm-Message-State: ACgBeo1UwveS3/2snkoFFuMIvcNuwcyVvvcj+3PeQbIbGP8xTlTPO7BE vXtlDvat2Rb76RDmi8mNQO2uiA== X-Received: by 2002:a7b:ca47:0:b0:3a3:1874:648 with SMTP id m7-20020a7bca47000000b003a318740648mr489939wml.139.1659600041325; Thu, 04 Aug 2022 01:00:41 -0700 (PDT) Received: from toolbox.dsn.orora.tech (host-88-217-137-115.customer.m-online.net. [88.217.137.115]) by smtp.googlemail.com with ESMTPSA id bv20-20020a0560001f1400b0021d6d18a9f8sm335653wrb.76.2022.08.04.01.00.40 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 04 Aug 2022 01:00:40 -0700 (PDT) From: =?UTF-8?q?Sebastian=20W=C3=BCrl?= To: sebastian.wuerl@ororatech.com Cc: Wolfgang Grandegger , Marc Kleine-Budde , "David S. Miller" , Eric Dumazet , Jakub Kicinski , Paolo Abeni , Vincent Mailhol , Andy Shevchenko , Oliver Hartkopp , =?UTF-8?q?Stefan=20M=C3=A4tje?= , =?UTF-8?q?Uwe=20Kleine-K=C3=B6nig?= , Sebastian Andrzej Siewior , Christian Pellegrin , linux-can@vger.kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH v3] can: mcp251x: Fix race condition on receive interrupt Date: Thu, 4 Aug 2022 09:59:14 +0200 Message-Id: <20220804075914.67569-1-sebastian.wuerl@ororatech.com> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220804075152.kqlp5weoz4grzbpp@pengutronix.de> References: <20220804075152.kqlp5weoz4grzbpp@pengutronix.de> MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_NONE, SPF_HELO_NONE,SPF_PASS autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org The mcp251x driver uses both receiving mailboxes of the CAN controller chips. For retrieving the CAN frames from the controller via SPI, it checks once per interrupt which mailboxes have been filled and will retrieve the messages accordingly. This introduces a race condition, as another CAN frame can enter mailbox 1 while mailbox 0 is emptied. If now another CAN frame enters mailbox 0 until the interrupt handler is called next, mailbox 0 is emptied before mailbox 1, leading to out-of-order CAN frames in the network device. This is fixed by checking the interrupt flags once again after freeing mailbox 0, to correctly also empty mailbox 1 before leaving the handler. For reproducing the bug I created the following setup: - Two CAN devices, one Raspberry Pi with MCP2515, the other can be any. - Setup CAN to 1 MHz - Spam bursts of 5 CAN-messages with increasing CAN-ids - Continue sending the bursts while sleeping a second between the bursts - Check on the RPi whether the received messages have increasing CAN-ids - Without this patch, every burst of messages will contain a flipped pair Fixes: bf66f3736a94 ("can: mcp251x: Move to threaded interrupts instead of workqueues.") Signed-off-by: Sebastian Würl --- drivers/net/can/spi/mcp251x.c | 18 ++++++++++++++---- 1 file changed, 14 insertions(+), 4 deletions(-) diff --git a/drivers/net/can/spi/mcp251x.c b/drivers/net/can/spi/mcp251x.c index 89897a2d41fa..df748b2e7421 100644 --- a/drivers/net/can/spi/mcp251x.c +++ b/drivers/net/can/spi/mcp251x.c @@ -1068,15 +1068,12 @@ static irqreturn_t mcp251x_can_ist(int irq, void *dev_id) mutex_lock(&priv->mcp_lock); while (!priv->force_quit) { enum can_state new_state; - u8 intf, eflag; + u8 intf, intf1, eflag, eflag1; u8 clear_intf = 0; int can_id = 0, data1 = 0; mcp251x_read_2regs(spi, CANINTF, &intf, &eflag); - /* mask out flags we don't care about */ - intf &= CANINTF_RX | CANINTF_TX | CANINTF_ERR; - /* receive buffer 0 */ if (intf & CANINTF_RX0IF) { mcp251x_hw_rx(spi, 0); @@ -1086,6 +1083,16 @@ static irqreturn_t mcp251x_can_ist(int irq, void *dev_id) if (mcp251x_is_2510(spi)) mcp251x_write_bits(spi, CANINTF, CANINTF_RX0IF, 0x00); + + /* check ifbuffer 1 is already known to be full, no need to re-read */ + if (!(intf & CANINTF_RX1IF)) { + /* intf needs to be read again to avoid a race condition */ + mcp251x_read_2regs(spi, CANINTF, &intf1, &eflag1); + + /* combine flags from both operations for error handling */ + intf |= intf1; + eflag |= eflag1; + } } /* receive buffer 1 */ @@ -1096,6 +1103,9 @@ static irqreturn_t mcp251x_can_ist(int irq, void *dev_id) clear_intf |= CANINTF_RX1IF; } + /* mask out flags we don't care about */ + intf &= CANINTF_RX | CANINTF_TX | CANINTF_ERR; + /* any error or tx interrupt we need to clear? */ if (intf & (CANINTF_ERR | CANINTF_TX)) clear_intf |= intf & (CANINTF_ERR | CANINTF_TX); -- 2.30.2