From: Anssi Hannula anssi.hannula@bitwise.fi
kvaser_usb uses completions to signal when a response event is received for outgoing commands.
However, it uses init_completion() to reinitialize the start_comp and stop_comp completions before sending the start/stop commands.
In case the device sends the corresponding response just before the actual command is sent, complete() may be called concurrently with init_completion() which is not safe.
This might be triggerable even with a properly functioning device by stopping the interface (CMD_STOP_CHIP) just after it goes bus-off (which also causes the driver to send CMD_STOP_CHIP when restart-ms is off), but that was not tested.
Fix the issue by using reinit_completion() instead.
Fixes: 080f40a6fa28 ("can: kvaser_usb: Add support for Kvaser CAN/USB devices") Tested-by: Jimmy Assarsson extja@kvaser.com Signed-off-by: Anssi Hannula anssi.hannula@bitwise.fi Signed-off-by: Jimmy Assarsson extja@kvaser.com Link: https://lore.kernel.org/all/20221010185237.319219-2-extja@kvaser.com Cc: stable@vger.kernel.org Signed-off-by: Marc Kleine-Budde mkl@pengutronix.de --- drivers/net/can/usb/kvaser_usb/kvaser_usb_hydra.c | 4 ++-- drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/net/can/usb/kvaser_usb/kvaser_usb_hydra.c b/drivers/net/can/usb/kvaser_usb/kvaser_usb_hydra.c index 7b52fda73d82..66f672ea631b 100644 --- a/drivers/net/can/usb/kvaser_usb/kvaser_usb_hydra.c +++ b/drivers/net/can/usb/kvaser_usb/kvaser_usb_hydra.c @@ -1875,7 +1875,7 @@ static int kvaser_usb_hydra_start_chip(struct kvaser_usb_net_priv *priv) { int err;
- init_completion(&priv->start_comp); + reinit_completion(&priv->start_comp);
err = kvaser_usb_hydra_send_simple_cmd(priv->dev, CMD_START_CHIP_REQ, priv->channel); @@ -1893,7 +1893,7 @@ static int kvaser_usb_hydra_stop_chip(struct kvaser_usb_net_priv *priv) { int err;
- init_completion(&priv->stop_comp); + reinit_completion(&priv->stop_comp);
/* Make sure we do not report invalid BUS_OFF from CMD_CHIP_STATE_EVENT * see comment in kvaser_usb_hydra_update_state() diff --git a/drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c b/drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c index 50f2ac8319ff..19958037720f 100644 --- a/drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c +++ b/drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c @@ -1320,7 +1320,7 @@ static int kvaser_usb_leaf_start_chip(struct kvaser_usb_net_priv *priv) { int err;
- init_completion(&priv->start_comp); + reinit_completion(&priv->start_comp);
err = kvaser_usb_leaf_send_simple_cmd(priv->dev, CMD_START_CHIP, priv->channel); @@ -1338,7 +1338,7 @@ static int kvaser_usb_leaf_stop_chip(struct kvaser_usb_net_priv *priv) { int err;
- init_completion(&priv->stop_comp); + reinit_completion(&priv->stop_comp);
err = kvaser_usb_leaf_send_simple_cmd(priv->dev, CMD_STOP_CHIP, priv->channel);
base-commit: e2badb4bd33abe13ddc35975bd7f7f8693955a4b
Hello:
This series was applied to netdev/net.git (master) by Marc Kleine-Budde mkl@pengutronix.de:
On Thu, 27 Oct 2022 13:43:53 +0200 you wrote:
From: Anssi Hannula anssi.hannula@bitwise.fi
kvaser_usb uses completions to signal when a response event is received for outgoing commands.
However, it uses init_completion() to reinitialize the start_comp and stop_comp completions before sending the start/stop commands.
[...]
Here is the summary with links: - [net,1/4] can: kvaser_usb: Fix possible completions during init_completion https://git.kernel.org/netdev/net/c/2871edb32f46 - [net,2/4] can: rcar_canfd: rcar_canfd_handle_global_receive(): fix IRQ storm on global FIFO receive https://git.kernel.org/netdev/net/c/702de2c21eed - [net,3/4] can: rcar_canfd: fix channel specific IRQ handling for RZ/G2L https://git.kernel.org/netdev/net/c/d887087c8968 - [net,4/4] can: j1939: transport: j1939_session_skb_drop_old(): spin_unlock_irqrestore() before kfree_skb() https://git.kernel.org/netdev/net/c/c3c06c61890d
You are awesome, thank you!
linux-stable-mirror@lists.linaro.org