The patch below does not apply to the 4.9-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to stable@vger.kernel.org.
Possible dependencies:
2871edb32f46 ("can: kvaser_usb: Fix possible completions during init_completion") aec5fb2268b7 ("can: kvaser_usb: Add support for Kvaser USB hydra family") 7259124eac7d ("can: kvaser_usb: Split driver into kvaser_usb_core.c and kvaser_usb_leaf.c") e0543f2479f8 ("can: kvaser_usb: Add SPDX GPL-2.0 license identifier") 2b049c150080 ("can: kvaser_usb: Fix typos") 6ba0b9294bca ("can: kvaser_usb: Improve logging messages") 7c4780146177 ("can: kvaser_usb: Refactor kvaser_usb_init_one()") 99ce1bc17462 ("can: kvaser_usb: Refactor kvaser_usb_get_endpoints()") 0e30619fd6fa ("can: kvaser_usb: Add pointer to struct usb_interface into struct kvaser_usb") 75d2b4c3e399 ("can: kvaser_usb: Replace USB timeout constants with one define") f741f938556d ("can: kvaser_usb: Rename message/msg to command/cmd") 237572220121 ("can: kvaser_usb: Remove unused commands and defines") deaa1c984be7 ("can: kvaser_usb: Remove unnecessary return") ffbdd9172ee2 ("can: usb: Kconfig/Makefile: sort alphabetically") 6ee00865ffe4 ("can: kvaser_usb: Increase correct stats counter in kvaser_usb_rx_can_msg()") 6aa8d5945502 ("can: kvaser_usb: cancel urb on -EPIPE and -EPROTO") 8bd13bd522ff ("can: kvaser_usb: ratelimit errors if incomplete messages are received") e84f44eb5523 ("can: kvaser_usb: Fix comparison bug in kvaser_usb_read_bulk_callback()") 435019b48033 ("can: kvaser_usb: free buf in error paths") e1d2d1329a57 ("can: kvaser_usb: Ignore CMD_FLUSH_QUEUE_REPLY messages")
thanks,
greg k-h
------------------ original commit in Linus's tree ------------------
From 2871edb32f4622c3a25ce4b3977bad9050b91974 Mon Sep 17 00:00:00 2001 From: Anssi Hannula anssi.hannula@bitwise.fi Date: Mon, 10 Oct 2022 20:52:27 +0200 Subject: [PATCH] can: kvaser_usb: Fix possible completions during init_completion
kvaser_usb uses completions to signal when a response event is received for outgoing commands.
However, it uses init_completion() to reinitialize the start_comp and stop_comp completions before sending the start/stop commands.
In case the device sends the corresponding response just before the actual command is sent, complete() may be called concurrently with init_completion() which is not safe.
This might be triggerable even with a properly functioning device by stopping the interface (CMD_STOP_CHIP) just after it goes bus-off (which also causes the driver to send CMD_STOP_CHIP when restart-ms is off), but that was not tested.
Fix the issue by using reinit_completion() instead.
Fixes: 080f40a6fa28 ("can: kvaser_usb: Add support for Kvaser CAN/USB devices") Tested-by: Jimmy Assarsson extja@kvaser.com Signed-off-by: Anssi Hannula anssi.hannula@bitwise.fi Signed-off-by: Jimmy Assarsson extja@kvaser.com Link: https://lore.kernel.org/all/20221010185237.319219-2-extja@kvaser.com Cc: stable@vger.kernel.org Signed-off-by: Marc Kleine-Budde mkl@pengutronix.de
diff --git a/drivers/net/can/usb/kvaser_usb/kvaser_usb_hydra.c b/drivers/net/can/usb/kvaser_usb/kvaser_usb_hydra.c index 7b52fda73d82..66f672ea631b 100644 --- a/drivers/net/can/usb/kvaser_usb/kvaser_usb_hydra.c +++ b/drivers/net/can/usb/kvaser_usb/kvaser_usb_hydra.c @@ -1875,7 +1875,7 @@ static int kvaser_usb_hydra_start_chip(struct kvaser_usb_net_priv *priv) { int err;
- init_completion(&priv->start_comp); + reinit_completion(&priv->start_comp);
err = kvaser_usb_hydra_send_simple_cmd(priv->dev, CMD_START_CHIP_REQ, priv->channel); @@ -1893,7 +1893,7 @@ static int kvaser_usb_hydra_stop_chip(struct kvaser_usb_net_priv *priv) { int err;
- init_completion(&priv->stop_comp); + reinit_completion(&priv->stop_comp);
/* Make sure we do not report invalid BUS_OFF from CMD_CHIP_STATE_EVENT * see comment in kvaser_usb_hydra_update_state() diff --git a/drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c b/drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c index 50f2ac8319ff..19958037720f 100644 --- a/drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c +++ b/drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c @@ -1320,7 +1320,7 @@ static int kvaser_usb_leaf_start_chip(struct kvaser_usb_net_priv *priv) { int err;
- init_completion(&priv->start_comp); + reinit_completion(&priv->start_comp);
err = kvaser_usb_leaf_send_simple_cmd(priv->dev, CMD_START_CHIP, priv->channel); @@ -1338,7 +1338,7 @@ static int kvaser_usb_leaf_stop_chip(struct kvaser_usb_net_priv *priv) { int err;
- init_completion(&priv->stop_comp); + reinit_completion(&priv->stop_comp);
err = kvaser_usb_leaf_send_simple_cmd(priv->dev, CMD_STOP_CHIP, priv->channel);