Received: by 2002:ac0:e350:0:0:0:0:0 with SMTP id g16csp184402imn; Thu, 4 Aug 2022 01:43:01 -0700 (PDT) X-Google-Smtp-Source: AA6agR6cx4u1VlyCnokbpW5x73UICJuDqSy9hFkty9P4yewIyF/rvKqky2Vy6qfeBv7xGaV1XLwT X-Received: by 2002:a05:6402:12cb:b0:43d:6e77:19a7 with SMTP id k11-20020a05640212cb00b0043d6e7719a7mr968786edx.342.1659602581417; Thu, 04 Aug 2022 01:43:01 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1659602581; cv=none; d=google.com; s=arc-20160816; b=FX7yqimWcorNfhFqsBhiKUjpIeYswxxWHFOp9VZcRIpQxUE9tmrqoddfrSDxyTGQx/ juFSsezsE8DF0lS6+qBc2SfwGm6m7kj6rDtmiOrGapNFUD3CDZETqHt6UL9b+BoodRBk O3Jpo8RJASgblIBy66sqG7fAhOSauPi55WwF9P1nikmmVCbyJFC5h2hKkqO7e0OTzI5U IPYmyL2L2Giv3miB3t6xxfrPkeQeVC44iqYepytZUgoo+K1MC0Uv5xL2m4ZZJO5zbZv1 PQiLHvz1nhDJIssRwcJwbfcs5No7nNzu3M0hH+AmXHwSg1kwUE0WM5mrXz5GxxU3fpnu gd8Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from :dkim-signature; bh=u0fPxWrfHBCAK7CNXAq0lMMiBJFpcqgKyrM33HYWfD0=; b=PeK2cv6y1IqVeQJbeP74VeIy//84olhTFF5YzPrICEIWNB7Nr/SJBWrzdU/rrU6A2G ED9/AuQgCggO7fmaOclKm+skDQEyD0BtTp7EYbrfOntr4mDomLe826oCqTAYzLcY8oSh bJmyhXRZoxAoiHOHz7+i1gNpBGWoDoFpKAKqG6PFC+8hBZqmVCWVpSoupGwjMIrK8/76 0OXmLOeYqaSfq06tmXrrFSDqvoBvHUd0r1gFaYRVtHqlH4TB2nFGRXe1g0N4UhmZ4QJZ FY5i20b5oJMeBKwUQX3VCjwupvQe+VwL0AG3WhxKyoLFOE7R7YdE3OxoBb4y2fZYHoVz 5sVg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@ororatech.com header.s=google header.b=H5zNallH; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id hq34-20020a1709073f2200b0073075179ad5si328372ejc.460.2022.08.04.01.42.32; Thu, 04 Aug 2022 01:43:01 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@ororatech.com header.s=google header.b=H5zNallH; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S238986AbiHDIPU (ORCPT + 99 others); Thu, 4 Aug 2022 04:15:20 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:58346 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233114AbiHDIPT (ORCPT ); Thu, 4 Aug 2022 04:15:19 -0400 Received: from mail-wr1-x434.google.com (mail-wr1-x434.google.com [IPv6:2a00:1450:4864:20::434]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id BCB27266B for ; Thu, 4 Aug 2022 01:15:17 -0700 (PDT) Received: by mail-wr1-x434.google.com with SMTP id q30so19885091wra.11 for ; Thu, 04 Aug 2022 01:15:17 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ororatech.com; s=google; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc; bh=u0fPxWrfHBCAK7CNXAq0lMMiBJFpcqgKyrM33HYWfD0=; b=H5zNallHCpcL7sb5swZAjzXZw+V6YuNIbp89IVNGRlgT4nRgYWMFgVahqaE0rqvM// 0N929iUQFhKUM0RMw5l/+FAo40iWhAnEtIOTS4QredVKptpHM7CTgqhG41CNoQfDdjE/ BoentPZMZNJxIS5H2nmrZN8YmHKwJzqtHOMc/V9lC/mgqdYek8O8Exd182pD7oF36iXB 3MXhc6VzCh0XQq6uSs7BpfO/uzI8T+frMWRtWZgr7oU4eiVBCUxT0s6cLlRmsZiC0zKy AKrosg1hUuAoAn/jvYhE1OuENnPDGqYRluuPKiaODAdT2aGZqC3HBl0y/YAr0+hiyIhH lALQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc; bh=u0fPxWrfHBCAK7CNXAq0lMMiBJFpcqgKyrM33HYWfD0=; b=fVva8ehOBXU1ppCh4YoQ7twMIkwa8RpllhgrNeqHoaq58V+gJyin93nSrzPZsX5xdB EzeosdxkXDe/MLrm431eeGu7FPCmt/2yHpfJKOGWpgLw9tXzjg7qzQqwSEh4Z7vheU1h /VzyKmQRRb7hM/KJ4Zqy3emdswXH/n7wyM0IY3Vtn5oCRo8nXHJDkki20vJth6dtfjMt xk8acVIh5yabHS2qjrPpvxwzuT2XneTvdsTsIE4kNOy4CSjG+DjJm0SGCgjH9iOIwi/e RcOhFq+32aDtWT21/y0c/ZiuNWifC0t72j3naKPfWN/MmjXxguAnoakXkzTfibeKWzsM hiDQ== X-Gm-Message-State: ACgBeo33anQQtni0YIVIaXjSc9jWY/0OmnFERRuUwmOLLSwiRbYBUk5p UlT8ZRjJioFylMtsDbcLqN7Msg== X-Received: by 2002:a5d:63cb:0:b0:21e:b81d:8b0d with SMTP id c11-20020a5d63cb000000b0021eb81d8b0dmr568865wrw.526.1659600916294; Thu, 04 Aug 2022 01:15:16 -0700 (PDT) Received: from toolbox.dsn.orora.tech (host-88-217-137-115.customer.m-online.net. [88.217.137.115]) by smtp.googlemail.com with ESMTPSA id e39-20020a5d5967000000b002205cbc1c74sm332505wri.101.2022.08.04.01.15.15 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 04 Aug 2022 01:15:15 -0700 (PDT) From: =?UTF-8?q?Sebastian=20W=C3=BCrl?= To: sebastian.wuerl@ororatech.com Cc: Wolfgang Grandegger , Marc Kleine-Budde , "David S. Miller" , Eric Dumazet , Jakub Kicinski , Paolo Abeni , Vincent Mailhol , Andy Shevchenko , Oliver Hartkopp , =?UTF-8?q?Stefan=20M=C3=A4tje?= , =?UTF-8?q?Uwe=20Kleine-K=C3=B6nig?= , Sebastian Andrzej Siewior , Christian Pellegrin , linux-can@vger.kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH v4] can: mcp251x: Fix race condition on receive interrupt Date: Thu, 4 Aug 2022 10:14:11 +0200 Message-Id: <20220804081411.68567-1-sebastian.wuerl@ororatech.com> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220804075914.67569-1-sebastian.wuerl@ororatech.com> References: <20220804075914.67569-1-sebastian.wuerl@ororatech.com> MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_NONE, SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org The mcp251x driver uses both receiving mailboxes of the CAN controller chips. For retrieving the CAN frames from the controller via SPI, it checks once per interrupt which mailboxes have been filled and will retrieve the messages accordingly. This introduces a race condition, as another CAN frame can enter mailbox 1 while mailbox 0 is emptied. If now another CAN frame enters mailbox 0 until the interrupt handler is called next, mailbox 0 is emptied before mailbox 1, leading to out-of-order CAN frames in the network device. This is fixed by checking the interrupt flags once again after freeing mailbox 0, to correctly also empty mailbox 1 before leaving the handler. For reproducing the bug I created the following setup: - Two CAN devices, one Raspberry Pi with MCP2515, the other can be any. - Setup CAN to 1 MHz - Spam bursts of 5 CAN-messages with increasing CAN-ids - Continue sending the bursts while sleeping a second between the bursts - Check on the RPi whether the received messages have increasing CAN-ids - Without this patch, every burst of messages will contain a flipped pair Fixes: bf66f3736a94 ("can: mcp251x: Move to threaded interrupts instead of workqueues.") Signed-off-by: Sebastian Würl --- drivers/net/can/spi/mcp251x.c | 18 ++++++++++++++---- 1 file changed, 14 insertions(+), 4 deletions(-) diff --git a/drivers/net/can/spi/mcp251x.c b/drivers/net/can/spi/mcp251x.c index 89897a2d41fa..df748b2e7421 100644 --- a/drivers/net/can/spi/mcp251x.c +++ b/drivers/net/can/spi/mcp251x.c @@ -1068,15 +1068,12 @@ static irqreturn_t mcp251x_can_ist(int irq, void *dev_id) mutex_lock(&priv->mcp_lock); while (!priv->force_quit) { enum can_state new_state; - u8 intf, eflag; + u8 intf, intf1, eflag, eflag1; u8 clear_intf = 0; int can_id = 0, data1 = 0; mcp251x_read_2regs(spi, CANINTF, &intf, &eflag); - /* mask out flags we don't care about */ - intf &= CANINTF_RX | CANINTF_TX | CANINTF_ERR; - /* receive buffer 0 */ if (intf & CANINTF_RX0IF) { mcp251x_hw_rx(spi, 0); @@ -1086,6 +1083,16 @@ static irqreturn_t mcp251x_can_ist(int irq, void *dev_id) if (mcp251x_is_2510(spi)) mcp251x_write_bits(spi, CANINTF, CANINTF_RX0IF, 0x00); + + /* check if buffer 1 is already known to be full, no need to re-read */ + if (!(intf & CANINTF_RX1IF)) { + /* intf needs to be read again to avoid a race condition */ + mcp251x_read_2regs(spi, CANINTF, &intf1, &eflag1); + + /* combine flags from both operations for error handling */ + intf |= intf1; + eflag |= eflag1; + } } /* receive buffer 1 */ @@ -1096,6 +1103,9 @@ static irqreturn_t mcp251x_can_ist(int irq, void *dev_id) clear_intf |= CANINTF_RX1IF; } + /* mask out flags we don't care about */ + intf &= CANINTF_RX | CANINTF_TX | CANINTF_ERR; + /* any error or tx interrupt we need to clear? */ if (intf & (CANINTF_ERR | CANINTF_TX)) clear_intf |= intf & (CANINTF_ERR | CANINTF_TX); -- 2.30.2