From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Sebastian Würl, Marc Kleine-Budde
Subject: [PATCH 5.15 049/244] can: mcp251x: Fix race condition on receive interrupt
Date: Tue, 23 Aug 2022 10:23:28 +0200
Message-Id: <20220823080100.702485928@linuxfoundation.org>
In-Reply-To: <20220823080059.091088642@linuxfoundation.org>
References: <20220823080059.091088642@linuxfoundation.org>

From: Sebastian Würl

commit d80d60b0db6ff3dd2e29247cc2a5166d7e9ae37e upstream.

The mcp251x driver uses both receiving mailboxes of the CAN controller chips. For retrieving the CAN frames from the controller via SPI, it checks once per interrupt which mailboxes have been filled and will retrieve the messages accordingly.

This introduces a race condition, as another CAN frame can enter mailbox 1 while mailbox 0 is emptied. If now another CAN frame enters mailbox 0 until the interrupt handler is called next, mailbox 0 is emptied before mailbox 1, leading to out-of-order CAN frames in the network device.

This is fixed by checking the interrupt flags once again after freeing mailbox 0, to correctly also empty mailbox 1 before leaving the handler.

For reproducing the bug I created the following setup:
 - Two CAN devices, one Raspberry Pi with MCP2515, the other can be any.
 - Setup CAN to 1 MHz
 - Spam bursts of 5 CAN-messages with increasing CAN-ids
 - Continue sending the bursts while sleeping a second between the bursts
 - Check on the RPi whether the received messages have increasing CAN-ids
 - Without this patch, every burst of messages will contain a flipped pair

v3: https://lore.kernel.org/all/20220804075914.67569-1-sebastian.wuerl@ororatech.com
v2: https://lore.kernel.org/all/20220804064803.63157-1-sebastian.wuerl@ororatech.com
v1: https://lore.kernel.org/all/20220803153300.58732-1-sebastian.wuerl@ororatech.com

Fixes: bf66f3736a94 ("can: mcp251x: Move to threaded interrupts instead of workqueues.")
Signed-off-by: Sebastian Würl
Link: https://lore.kernel.org/all/20220804081411.68567-1-sebastian.wuerl@ororatech.com
[mkl: reduce scope of intf1, eflag1]
Signed-off-by: Marc Kleine-Budde
Signed-off-by: Greg Kroah-Hartman
---
 drivers/net/can/spi/mcp251x.c | 18 +++++++++++++++---
 1 file changed, 15 insertions(+), 3 deletions(-)

--- a/drivers/net/can/spi/mcp251x.c +++ b/drivers/net/can/spi/mcp251x.c
@@ -1074,9 +1074,6 @@ static irqreturn_t mcp251x_can_ist(int i mcp251x_read_2regs(spi, CANINTF, &intf, &eflag); - /* mask out flags we don't care about */ - intf &= CANINTF_RX | CANINTF_TX | CANINTF_ERR; - /* receive buffer 0 */ if (intf & CANINTF_RX0IF) { mcp251x_hw_rx(spi, 0); @@ -1086,6 +1083,18 @@ static irqreturn_t mcp251x_can_ist(int i if (mcp251x_is_2510(spi)) mcp251x_write_bits(spi, CANINTF, CANINTF_RX0IF, 0x00); + + /* check if buffer 1 is already known to be full, no need to re-read */ + if (!(intf & CANINTF_RX1IF)) { + u8 intf1, eflag1; + + /* intf needs to be read again to avoid a race condition */ + mcp251x_read_2regs(spi, CANINTF, &intf1, &eflag1); + + /* combine flags from both operations for error handling */ + intf |= intf1; + eflag |= eflag1; + } } /* receive buffer 1 */ @@ -1096,6 +1105,9 @@ static irqreturn_t mcp251x_can_ist(int i clear_intf |= CANINTF_RX1IF; } + /* mask out flags we don't care about */ + intf &= CANINTF_RX | CANINTF_TX | CANINTF_ERR; + /* any error or tx interrupt we need to clear? */ if (intf & (CANINTF_ERR | CANINTF_TX)) clear_intf |= intf & (CANINTF_ERR | CANINTF_TX);
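
Review bot: In the second hunk (the block added after the RX0IF clear), "u8 intf1, eflag1;" are declared without initialisers and ORed into intf and eflag straight after mcp251x_read_2regs(), whose outcome is not checked in the visible lines. If that helper can return without writing both outputs, for example when the SPI transfer fails, stale stack bytes would be merged into the flags used for RX1 and error handling. Declaring them as "u8 intf1 = 0, eflag1 = 0;" costs nothing and makes a failed read a no-op.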
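
Review bot: In the third hunk, the relocated "intf &= CANINTF_RX | CANINTF_TX | CANINTF_ERR;" keeps its old comment, which does not say why the mask now sits below both receive blocks. It has to run after the "intf |= intf1;" merge added in the second hunk, otherwise the re-read flags would go into the error and TX handling unmasked. A short addition to the comment, such as "must follow the intf1 merge above", would stop a later cleanup from moving it back to the top of the handler.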
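
The reordering described in the commit message, replayed as a small user-space model with and without the second flag read. This is an added example, not code from the patch or the driver; struct chip, arrive(), pass(), run() and the arrival timing are constructed for illustration, and the mailbox fill rule (mailbox 0 first, mailbox 1 when 0 is occupied) is a simplifying assumption.

```c
#include <stdio.h>

#define RX0IF 0x01u
#define RX1IF 0x02u

struct chip { int mbox[2]; unsigned flags; };   /* constructed model */

/* Controller side: a frame fills mailbox 0 if free, else mailbox 1. */
static void arrive(struct chip *c, int id)
{
    if (!id) return;                             /* 0 = no frame */
    if (!(c->flags & RX0IF))      { c->mbox[0] = id; c->flags |= RX0IF; }
    else if (!(c->flags & RX1IF)) { c->mbox[1] = id; c->flags |= RX1IF; }
}

/* One handler pass; frame `during` arrives while mailbox 0 is read out. */
static int pass(struct chip *c, int recheck, int during, int *out, int n)
{
    unsigned intf = c->flags;                    /* flags read once at entry */
    if (intf & RX0IF) {
        out[n++] = c->mbox[0];
        arrive(c, during);                       /* mailbox 0 busy: lands in 1 */
        c->flags &= ~RX0IF;                      /* mailbox 0 freed */
        if (recheck && !(intf & RX1IF))
            intf |= c->flags;                    /* patched: read flags again */
    }
    if (intf & RX1IF) {
        out[n++] = c->mbox[1];
        c->flags &= ~RX1IF;
    }
    return n;
}

/* Replay: frame 1 raises the IRQ, 2 arrives mid-read, 3 between passes. */
static int run(int recheck, int *out)
{
    struct chip c = { {0, 0}, 0 };
    int n = 0;
    arrive(&c, 1);
    n = pass(&c, recheck, 2, out, n);
    arrive(&c, 3);
    n = pass(&c, recheck, 0, out, n);
    return pass(&c, recheck, 0, out, n);         /* drain anything left */
}

int main(void)
{
    int o[4], p[4];
    run(0, o); run(1, p);
    printf("single read: %d %d %d\nre-read:     %d %d %d\n",
           o[0], o[1], o[2], p[0], p[1], p[2]);
    return 0;
}
```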