linux/drivers/net/can
Lukas Wunner 5cec9425b4 can: hi311x: Acquire SPI lock on ->do_get_berr_counter
hi3110_get_berr_counter() may run concurrently to the rest of the driver
but neglects to acquire the lock protecting access to the SPI device.
As a result, it and the rest of the driver may clobber each other's tx
and rx buffers.

We became aware of this issue because transmission of packets with
"cangen -g 0 -i -x" frequently hung.  It turns out that agetty executes
->do_get_berr_counter every few seconds via the following call stack:

    CPU: 2 PID: 1605 Comm: agetty
    [<7f3f7500>] (hi3110_get_berr_counter [hi311x])
    [<7f130204>] (can_fill_info [can_dev])
    [<80693bc0>] (rtnl_fill_ifinfo)
    [<806949ec>] (rtnl_dump_ifinfo)
    [<806b4834>] (netlink_dump)
    [<806b4bc8>] (netlink_recvmsg)
    [<8065f180>] (sock_recvmsg)
    [<80660f90>] (___sys_recvmsg)
    [<80661e7c>] (__sys_recvmsg)
    [<80661ec0>] (SyS_recvmsg)
    [<80108b20>] (ret_fast_syscall+0x0/0x1c)

agetty listens to netlink messages in order to update the login prompt
when IP addresses change (if /etc/issue contains \4 or \6 escape codes):
https://git.kernel.org/pub/scm/utils/util-linux/util-linux.git/commit/?id=e36deb6424e8

It's a useful feature, though it seems questionable that it causes CAN
bit error statistics to be queried.

Be that as it may, if hi3110_get_berr_counter() is invoked while a frame
is sent by hi3110_hw_tx(), bogus SPI transfers like the following may
occur:

    => 12 00             (hi3110_get_berr_counter() wanted to transmit
                          EC 00 to query the transmit error counter,
                          but the first byte was overwritten by
                          hi3110_hw_tx_frame())

    => EA 00 3E 80 01 FB (hi3110_hw_tx_frame() wanted to transmit a
                          frame, but the first byte was overwritten by
                          hi3110_get_berr_counter() because it wanted
                          to query the receive error counter)

This sequence hangs the transmission because the driver believes it has
sent a frame and waits for the interrupt signaling completion, but in
reality the chip has never sent away the frame since the commands it
received were malformed.

Fix by acquiring the SPI lock in hi3110_get_berr_counter().

I've scrutinized the entire driver for further unlocked SPI accesses but
found no others.

Cc: Mathias Duckeck <m.duckeck@kunbus.de>
Cc: Akshay Bhat <akshay.bhat@timesys.com>
Cc: Casey Fitzpatrick <casey.fitzpatrick@timesys.com>
Cc: Stef Walter <stefw@redhat.com>
Cc: Karel Zak <kzak@redhat.com>
Cc: stable@vger.kernel.org # v4.12+
Signed-off-by: Lukas Wunner <lukas@wunner.de>
Reviewed-by: Akshay Bhat <akshay.bhat@timesys.com>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
2018-05-10 18:20:51 +02:00
..
c_can can: c_can_pci: make c_can_pci_data const 2017-12-01 09:14:22 +01:00
cc770 drivers/net: Use octal not symbolic permissions 2018-03-26 12:07:49 -04:00
ifi_canfd can: ifi: Repair the error handling 2018-03-12 09:55:12 +01:00
m_can can: m_can: select pinctrl state in each suspend/resume function 2018-03-12 10:38:20 +01:00
mscan treewide: replace dev->trans_start update with helper 2016-05-04 14:16:49 -04:00
peak_canfd can: peak/pcie_fd: remove useless code when interface starts 2018-03-12 09:55:12 +01:00
rcar scripts/spelling.txt: add regsiter -> register spelling mistake 2017-05-08 17:15:13 -07:00
sja1000 drivers/net: Use octal not symbolic permissions 2018-03-26 12:07:49 -04:00
softing drivers/net: Use octal not symbolic permissions 2018-03-26 12:07:49 -04:00
spi can: hi311x: Acquire SPI lock on ->do_get_berr_counter 2018-05-10 18:20:51 +02:00
usb can: kvaser_usb: Increase correct stats counter in kvaser_usb_rx_can_msg() 2018-05-08 10:41:38 +02:00
at91_can.c drivers/net: Use octal not symbolic permissions 2018-03-26 12:07:49 -04:00
dev.c can: dev: increase bus-off message severity 2018-05-08 10:41:38 +02:00
flexcan.c can: flexcan: fix endianess detection 2018-05-08 10:41:38 +02:00
grcan.c drivers/net: Use octal not symbolic permissions 2018-03-26 12:07:49 -04:00
janz-ican3.c drivers/net: Use octal not symbolic permissions 2018-03-26 12:07:49 -04:00
Kconfig can: remove bfin_can driver 2018-03-26 15:57:02 +02:00
led.c
Makefile can: remove bfin_can driver 2018-03-26 15:57:02 +02:00
pch_can.c can: fix assignment of error location in CAN error messages 2015-11-23 09:37:34 +01:00
rx-offload.c can: rx-offload: can_rx_offload_add_timestamp: remove duplicate semicolon at return statement 2018-01-05 11:12:08 +01:00
slcan.c can: slcan: slc_alloc(): remove unused parameter "dev_t line" 2018-01-05 11:12:08 +01:00
sun4i_can.c can: sun4i: handle overrun in RX FIFO 2017-11-10 09:15:28 +01:00
ti_hecc.c can: ti_hecc: Fix napi poll return value for repoll 2017-12-01 11:20:52 +01:00
vcan.c drivers/net: Use octal not symbolic permissions 2018-03-26 12:07:49 -04:00
vxcan.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2018-01-09 10:37:00 -05:00
xilinx_can.c drivers: net: generalize napi_complete_done() 2017-01-30 15:10:42 -05:00