From nobody Fri Dec 19 21:47:56 2025 Received: from metis.whiteo.stw.pengutronix.de (metis.whiteo.stw.pengutronix.de [185.203.201.7]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 836642FFF9B for ; Fri, 14 Nov 2025 08:37:06 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=185.203.201.7 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1763109430; cv=none; b=fQ16MqcqwTJmmF0cI59AncCKBO7/VokqqaFvfAFGo4rdCoYKM0SCNyJGSipZG+aRIjywGWnuiEEUkaYDW2oubosGIcISdUP1m27NO0oPG0usgmI3w9KZqWVw9tXq4xov+Htls3sSj+/aQcS97vAmqmqFxXR4YfpWCjEatRjgxqo= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1763109430; c=relaxed/simple; bh=WDo4TwHFuj3APKAWzS/6lAjFmaMs6k2odG1LKzll5U8=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=D+3E9+KyVXEk/H95yEjelyeUgcFbIaXx+VblARfFm/jLzm7shxe/LPmU8Sx/978rs29f+Yr5JZvzP3V/blZC37QyvuBrgQq38V5vkAP9py43HuC5myIOdoiHnQudIWoA79ec4E/l0dYD7bojPs8sWyZ94tbw6KsEtbRPfDmTmcw= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=pengutronix.de; spf=pass smtp.mailfrom=pengutronix.de; arc=none smtp.client-ip=185.203.201.7 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=pengutronix.de Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=pengutronix.de Received: from drehscheibe.grey.stw.pengutronix.de ([2a0a:edc0:0:c01:1d::a2]) by metis.whiteo.stw.pengutronix.de with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1vJpIe-0007Pm-NX; Fri, 14 Nov 2025 09:36:56 +0100 Received: from moin.white.stw.pengutronix.de ([2a0a:edc0:0:b01:1d::7b] helo=bjornoya.blackshift.org) by drehscheibe.grey.stw.pengutronix.de with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1vJpIe-000OMX-07; Fri, 14 Nov 2025 09:36:56 +0100 Received: from hardanger.blackshift.org (p54b152ce.dip0.t-ipconnect.de [84.177.82.206]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange x25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) (Authenticated sender: mkl-all@blackshift.org) by smtp.blackshift.org (Postfix) with ESMTPSA id AB99349F2FD; Fri, 14 Nov 2025 08:36:55 +0000 (UTC) From: Marc Kleine-Budde Date: Fri, 14 Nov 2025 09:36:43 +0100 Subject: [PATCH can 1/3] can: gs_usb: gs_usb_xmit_callback(): fix handling of failed transmitted URBs Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20251114-gs_usb-fix-usb-callbacks-v1-1-a29b42eacada@pengutronix.de> References: <20251114-gs_usb-fix-usb-callbacks-v1-0-a29b42eacada@pengutronix.de> In-Reply-To: <20251114-gs_usb-fix-usb-callbacks-v1-0-a29b42eacada@pengutronix.de> To: Vincent Mailhol , Wolfgang Grandegger , Maximilian Schneider Cc: Henrik Brix Andersen , kernel@pengutronix.de, linux-can@vger.kernel.org, linux-kernel@vger.kernel.org, Marc Kleine-Budde X-Mailer: b4 0.15-dev-509f5 X-Developer-Signature: v=1; a=openpgp-sha256; l=1610; i=mkl@pengutronix.de; h=from:subject:message-id; bh=WDo4TwHFuj3APKAWzS/6lAjFmaMs6k2odG1LKzll5U8=; b=owEBbQGS/pANAwAKAQx0Zd/5kJGcAcsmYgBpFuohpoD1RvMAPy6vIV7vxmCGvJDFnjNBNXiqr xq3qQ/NPJmJATMEAAEKAB0WIQSf+wzYr2eoX/wVbPMMdGXf+ZCRnAUCaRbqIQAKCRAMdGXf+ZCR nN0CB/wLnzyW0/lZNRH27FBYODZYZiY5cIaVU3f1UfQhnSOAhUdnHDBod59aN930V7QF3YSukMv SAg2lebJrQzHa6OVCj/YAeT8XpZv8rGbDpnk7eaEbNlUwp2EKMP887s1Kv2vI4sUMWm3WDYuCpF tItYWjf3Rce9RciJ7bmpeIbtdtVAMFQak5wpxvyyGaFvSvGyjkElSxK51Dp0ad2A9dWYNH91HiA CJmhuJBv7XlXT7r1lZAUgeF4CypiQ3X0CdRmWNk7XxWErX2OoGcUX6YrWF2cECfxGCcaBXsjAt4 5kUtF4KI9f/BKMUBGUYh4a0xAFBj9qMzjsL3n+nJBJjitNBh X-Developer-Key: i=mkl@pengutronix.de; a=openpgp; fpr=C1400BA0B3989E6FBC7D5B5C2B5EE211C58AEA54 X-SA-Exim-Connect-IP: 2a0a:edc0:0:c01:1d::a2 X-SA-Exim-Mail-From: mkl@pengutronix.de X-SA-Exim-Scanned: No (on metis.whiteo.stw.pengutronix.de); SAEximRunCond expanded to false X-PTX-Original-Recipient: linux-kernel@vger.kernel.org The driver lacks the cleanup of failed transfers of URBs. This reduces the number of available URBs per error by 1. This leads to reduced performance and ultimately to a complete stop of the transmission. If the sending of a bulk URB fails do proper cleanup: - increase netdev stats - mark the echo_sbk as free - free the driver's context and do accounting - wake the send queue Closes: https://github.com/candle-usb/candleLight_fw/issues/187 Fixes: d08e973a77d1 ("can: gs_usb: Added support for the GS_USB CAN devices= ") Signed-off-by: Marc Kleine-Budde --- drivers/net/can/usb/gs_usb.c | 17 +++++++++++++++-- 1 file changed, 15 insertions(+), 2 deletions(-) diff --git a/drivers/net/can/usb/gs_usb.c b/drivers/net/can/usb/gs_usb.c index 69b8d6da651b..fa9bab8c89ae 100644 --- a/drivers/net/can/usb/gs_usb.c +++ b/drivers/net/can/usb/gs_usb.c @@ -750,8 +750,21 @@ static void gs_usb_xmit_callback(struct urb *urb) struct gs_can *dev =3D txc->dev; struct net_device *netdev =3D dev->netdev; =20 - if (urb->status) - netdev_info(netdev, "usb xmit fail %u\n", txc->echo_id); + if (!urb->status) + return; + + if (urb->status !=3D -ESHUTDOWN && net_ratelimit()) + netdev_info(netdev, "failed to xmit URB %u: %pe\n", + txc->echo_id, ERR_PTR(urb->status)); + + netdev->stats.tx_dropped++; + netdev->stats.tx_errors++; + + can_free_echo_skb(netdev, txc->echo_id, NULL); + gs_free_tx_context(txc); + atomic_dec(&dev->active_tx_urbs); + + netif_wake_queue(netdev); } =20 static netdev_tx_t gs_can_start_xmit(struct sk_buff *skb, --=20 2.51.0 From nobody Fri Dec 19 21:47:56 2025 Received: from metis.whiteo.stw.pengutronix.de (metis.whiteo.stw.pengutronix.de [185.203.201.7]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 836FF2FFF9C for ; Fri, 14 Nov 2025 08:37:06 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=185.203.201.7 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1763109429; cv=none; b=gBzchE2eqMQnXYbIPX2kvkSLnJj3NpvFB3uDA+aYG3iHEOm5jLe4UwEoPe/CNuOLI1dJAmqQOWSjcx1SNn9p/lLsk1JM57JPt9uVmLlGY/XSWKNA8H2lYlHPEq/l7moscw/FOAc8NMrWbvI0hSQ0l/GItvPeixZe1+WPkY/Xd4A= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1763109429; c=relaxed/simple; bh=7fNx/AX63/lcrl0SzWFf1gLEWkW0J5hkOQiArbLfdHc=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=ctXxQlfs6BsyZn6ZlDOf3WW/3JuwrZrnTw2PaNEp4a7bL7YkfE6ZTh94zd1ledcyTMCHkO0NqaZXYrOdXcuMgQsTf3D5jButT+KF12kBsQu4d0IswgUj3WGAbY+PcFG9QhCiuKjRQT/PUf4tTg5NxydKIKOpIrvGmAzkL1iN0fk= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=pengutronix.de; spf=pass smtp.mailfrom=pengutronix.de; arc=none smtp.client-ip=185.203.201.7 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=pengutronix.de Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=pengutronix.de Received: from drehscheibe.grey.stw.pengutronix.de ([2a0a:edc0:0:c01:1d::a2]) by metis.whiteo.stw.pengutronix.de with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1vJpIe-0007Pn-NX; Fri, 14 Nov 2025 09:36:56 +0100 Received: from moin.white.stw.pengutronix.de ([2a0a:edc0:0:b01:1d::7b] helo=bjornoya.blackshift.org) by drehscheibe.grey.stw.pengutronix.de with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1vJpIe-000OMY-0O; Fri, 14 Nov 2025 09:36:56 +0100 Received: from hardanger.blackshift.org (p54b152ce.dip0.t-ipconnect.de [84.177.82.206]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange x25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) (Authenticated sender: mkl-all@blackshift.org) by smtp.blackshift.org (Postfix) with ESMTPSA id B9C9B49F2FE; Fri, 14 Nov 2025 08:36:55 +0000 (UTC) From: Marc Kleine-Budde Date: Fri, 14 Nov 2025 09:36:44 +0100 Subject: [PATCH can 2/3] can: gs_usb: gs_usb_receive_bulk_callback(): check actual_length before accessing header Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20251114-gs_usb-fix-usb-callbacks-v1-2-a29b42eacada@pengutronix.de> References: <20251114-gs_usb-fix-usb-callbacks-v1-0-a29b42eacada@pengutronix.de> In-Reply-To: <20251114-gs_usb-fix-usb-callbacks-v1-0-a29b42eacada@pengutronix.de> To: Vincent Mailhol , Wolfgang Grandegger , Maximilian Schneider Cc: Henrik Brix Andersen , kernel@pengutronix.de, linux-can@vger.kernel.org, linux-kernel@vger.kernel.org, Marc Kleine-Budde X-Mailer: b4 0.15-dev-509f5 X-Developer-Signature: v=1; a=openpgp-sha256; l=2432; i=mkl@pengutronix.de; h=from:subject:message-id; bh=7fNx/AX63/lcrl0SzWFf1gLEWkW0J5hkOQiArbLfdHc=; b=owEBbQGS/pANAwAKAQx0Zd/5kJGcAcsmYgBpFuojJKCiAgMioiQ/b6FnAZW/5pbIzUl5FEsYz cx0eegR7ISJATMEAAEKAB0WIQSf+wzYr2eoX/wVbPMMdGXf+ZCRnAUCaRbqIwAKCRAMdGXf+ZCR nJ9sB/wJ/sULlZPF0h009+0lssX5XbC652e3i12657gwYZB13+FKOQA7WH6rJU149f7yFPHlxPA 4rSiTeYj3b2nyqRWc1YJw6CXTtbVl7HungGeK4MyYSna8hAR44aiF1GPm+ylC0ajqQUx7JVpxhI xnak7b01E+GicyV2ud/g7bHFjwtCBKGbLFP2ahQ2M7TMMeMuRksaL2EOFZtIvu+CJPbR3sXLYN4 JHv8EqCZPYAw11x6bxS36FzaJsbAUZOmxmsWrEhqDeKzk/4f38WfSPTP9eQRL+wwtNTy9eR5ING 0trIAjsmwDS6QY/gV7WGxQj42AsuozV8QZ8Tlp0kI8cM+YX1 X-Developer-Key: i=mkl@pengutronix.de; a=openpgp; fpr=C1400BA0B3989E6FBC7D5B5C2B5EE211C58AEA54 X-SA-Exim-Connect-IP: 2a0a:edc0:0:c01:1d::a2 X-SA-Exim-Mail-From: mkl@pengutronix.de X-SA-Exim-Scanned: No (on metis.whiteo.stw.pengutronix.de); SAEximRunCond expanded to false X-PTX-Original-Recipient: linux-kernel@vger.kernel.org The driver expects to receive a struct gs_host_frame in gs_usb_receive_bulk_callback(). Use struct_group to describe the header of the struct gs_host_frame and check that we have at least received the header before accessing any members of it. To resubmit the URB, do not dereference the pointer chain "dev->parent->hf_size_rx" but use "parent->hf_size_rx" instead. Since "urb->context" contains "parent", it is always defined, while "dev" is not defined if the URB it too short. Fixes: d08e973a77d1 ("can: gs_usb: Added support for the GS_USB CAN devices= ") Signed-off-by: Marc Kleine-Budde --- drivers/net/can/usb/gs_usb.c | 26 +++++++++++++++++++------- 1 file changed, 19 insertions(+), 7 deletions(-) diff --git a/drivers/net/can/usb/gs_usb.c b/drivers/net/can/usb/gs_usb.c index fa9bab8c89ae..51f8d694104d 100644 --- a/drivers/net/can/usb/gs_usb.c +++ b/drivers/net/can/usb/gs_usb.c @@ -262,13 +262,15 @@ struct canfd_quirk { } __packed; =20 struct gs_host_frame { - u32 echo_id; - __le32 can_id; + struct_group(header, + u32 echo_id; + __le32 can_id; =20 - u8 can_dlc; - u8 channel; - u8 flags; - u8 reserved; + u8 can_dlc; + u8 channel; + u8 flags; + u8 reserved; + ); =20 union { DECLARE_FLEX_ARRAY(struct classic_can, classic_can); @@ -576,6 +578,7 @@ static void gs_usb_receive_bulk_callback(struct urb *ur= b) int rc; struct net_device_stats *stats; struct gs_host_frame *hf =3D urb->transfer_buffer; + unsigned int minimum_length; struct gs_tx_context *txc; struct can_frame *cf; struct canfd_frame *cfd; @@ -594,6 +597,15 @@ static void gs_usb_receive_bulk_callback(struct urb *u= rb) return; } =20 + minimum_length =3D sizeof(hf->header); + if (urb->actual_length < minimum_length) { + dev_err_ratelimited(&parent->udev->dev, + "short read (actual_length=3D%u, minimum_length=3D%u)\n", + urb->actual_length, minimum_length); + + goto resubmit_urb; + } + /* device reports out of range channel id */ if (hf->channel >=3D parent->channel_cnt) goto device_detach; @@ -687,7 +699,7 @@ static void gs_usb_receive_bulk_callback(struct urb *ur= b) resubmit_urb: usb_fill_bulk_urb(urb, parent->udev, parent->pipe_in, - hf, dev->parent->hf_size_rx, + hf, parent->hf_size_rx, gs_usb_receive_bulk_callback, parent); =20 rc =3D usb_submit_urb(urb, GFP_ATOMIC); --=20 2.51.0 From nobody Fri Dec 19 21:47:56 2025 Received: from metis.whiteo.stw.pengutronix.de (metis.whiteo.stw.pengutronix.de [185.203.201.7]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 837732FFFA6 for ; Fri, 14 Nov 2025 08:37:06 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=185.203.201.7 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1763109429; cv=none; b=XCWz6qghE8tFrLe+anHb9MD/nzButiUyPXvs9ww0K9Vq65fu8oy5DCmtGYdHAapxQHKilJ6c16Vl9H8W8RV7NsXEaqrB1RFGfepizc8yjDHG0VXA70At1/aJdT9u1mcCloAXrA7OiN9Fizl/cSxmr/AWjSsl7bo253JJ0ZQ18rY= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1763109429; c=relaxed/simple; bh=NYE6AEyRqGQz4uSbT5PFqkL5x4h1YeOY7nv4uHYtXxc=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=t7CL9+qRYiG59VYSFY4XJdjE7/UM3Zja0ixvyHpq/mlBqvF3ubZCzG1jdF7JslGfVbqynu/yaiziHsegJNdFA+vW4S+0zxFiEUDb+eDB+OqfuAHFtMGyox+djfsLUemsQ10ArRXU1VigUDNS/SDg6Zz3N9CElcCTFARKDlRIfCE= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=pengutronix.de; spf=pass smtp.mailfrom=pengutronix.de; arc=none smtp.client-ip=185.203.201.7 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=pengutronix.de Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=pengutronix.de Received: from drehscheibe.grey.stw.pengutronix.de ([2a0a:edc0:0:c01:1d::a2]) by metis.whiteo.stw.pengutronix.de with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1vJpIe-0007Po-NX; Fri, 14 Nov 2025 09:36:56 +0100 Received: from moin.white.stw.pengutronix.de ([2a0a:edc0:0:b01:1d::7b] helo=bjornoya.blackshift.org) by drehscheibe.grey.stw.pengutronix.de with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1vJpIe-000OMb-0h; Fri, 14 Nov 2025 09:36:56 +0100 Received: from hardanger.blackshift.org (p54b152ce.dip0.t-ipconnect.de [84.177.82.206]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange x25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) (Authenticated sender: mkl-all@blackshift.org) by smtp.blackshift.org (Postfix) with ESMTPSA id C696249F2FF; Fri, 14 Nov 2025 08:36:55 +0000 (UTC) From: Marc Kleine-Budde Date: Fri, 14 Nov 2025 09:36:45 +0100 Subject: [PATCH can 3/3] can: gs_usb: gs_usb_receive_bulk_callback(): check actual_length before accessing data Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20251114-gs_usb-fix-usb-callbacks-v1-3-a29b42eacada@pengutronix.de> References: <20251114-gs_usb-fix-usb-callbacks-v1-0-a29b42eacada@pengutronix.de> In-Reply-To: <20251114-gs_usb-fix-usb-callbacks-v1-0-a29b42eacada@pengutronix.de> To: Vincent Mailhol , Wolfgang Grandegger , Maximilian Schneider Cc: Henrik Brix Andersen , kernel@pengutronix.de, linux-can@vger.kernel.org, linux-kernel@vger.kernel.org, Marc Kleine-Budde X-Mailer: b4 0.15-dev-509f5 X-Developer-Signature: v=1; a=openpgp-sha256; l=4348; i=mkl@pengutronix.de; h=from:subject:message-id; bh=NYE6AEyRqGQz4uSbT5PFqkL5x4h1YeOY7nv4uHYtXxc=; b=owEBbQGS/pANAwAKAQx0Zd/5kJGcAcsmYgBpFuolc/eTrFze5YpBHnh+1XFSWUfLdKC2dK3nn EXbPvR2VsyJATMEAAEKAB0WIQSf+wzYr2eoX/wVbPMMdGXf+ZCRnAUCaRbqJQAKCRAMdGXf+ZCR nAaWCACAJMKDmvN3PazKIpMs5vmNGCY5n73o8CbZBaUmfBQ7pBCImpxi6dCnghge8oJTj0qkEvY abs/lU6aHmo2aYOly1kdo07OOPXd8g9BQJVb1yRx9An/qpT5ckb1JzN5/X3tEmqBu6ATQAl8VVG 5qGI9GCqzTRaSNgdkLdN0Cn5k8+PxSVEUPU4KFV47TCyBP/gZOYnWMbRfk5vV+HtMB6M9/jWIOt SQEGvzFJPxuNnU8wXIJO+0yKJZ2Ev+E8+T7+Wp15xET85xmQ35S1o6eHoeRV2wV+2kx0V+/212y diiyZeyn9ezJD+ZxF8TnCOKgq7uXuLCtwrsc30rG7D39VF9C X-Developer-Key: i=mkl@pengutronix.de; a=openpgp; fpr=C1400BA0B3989E6FBC7D5B5C2B5EE211C58AEA54 X-SA-Exim-Connect-IP: 2a0a:edc0:0:c01:1d::a2 X-SA-Exim-Mail-From: mkl@pengutronix.de X-SA-Exim-Scanned: No (on metis.whiteo.stw.pengutronix.de); SAEximRunCond expanded to false X-PTX-Original-Recipient: linux-kernel@vger.kernel.org The URB received in gs_usb_receive_bulk_callback() contains a struct gs_host_frame. The length of the data after the header depends on the gs_host_frame hf::flags and the active device features (e.g. time stamping). Introduce a new function gs_usb_get_minimum_length() and check that we have at least received the required amount of data before accessing it. Only copy the data to that skb that has actually been received. Fixes: d08e973a77d1 ("can: gs_usb: Added support for the GS_USB CAN devices= ") Signed-off-by: Marc Kleine-Budde --- drivers/net/can/usb/gs_usb.c | 59 ++++++++++++++++++++++++++++++++++++++++= ---- 1 file changed, 54 insertions(+), 5 deletions(-) diff --git a/drivers/net/can/usb/gs_usb.c b/drivers/net/can/usb/gs_usb.c index 51f8d694104d..ac84857b89e6 100644 --- a/drivers/net/can/usb/gs_usb.c +++ b/drivers/net/can/usb/gs_usb.c @@ -261,6 +261,11 @@ struct canfd_quirk { u8 quirk; } __packed; =20 +/* struct gs_host_frame::echo_id =3D=3D GS_HOST_FRAME_ECHO_ID_RX indicates + * a regular RX'ed CAN frame + */ +#define GS_HOST_FRAME_ECHO_ID_RX 0xffffffff + struct gs_host_frame { struct_group(header, u32 echo_id; @@ -570,6 +575,37 @@ gs_usb_get_echo_skb(struct gs_can *dev, struct sk_buff= *skb, return len; } =20 +static unsigned int +gs_usb_get_minimum_length(const struct gs_can *dev, const struct gs_host_f= rame *hf, + unsigned int *data_length_p) +{ + unsigned int minimum_length, data_length =3D 0; + + if (hf->flags & GS_CAN_FLAG_FD) { + if (hf->echo_id =3D=3D GS_HOST_FRAME_ECHO_ID_RX) + data_length =3D can_fd_dlc2len(hf->can_dlc); + + if (dev->feature & GS_CAN_FEATURE_HW_TIMESTAMP) + /* timestamp follows data field of max size */ + minimum_length =3D struct_size(hf, canfd_ts, 1); + else + minimum_length =3D sizeof(hf->header) + data_length; + } else { + if (hf->echo_id =3D=3D GS_HOST_FRAME_ECHO_ID_RX && + !(hf->can_id & cpu_to_le32(CAN_RTR_FLAG))) + data_length =3D can_cc_dlc2len(hf->can_dlc); + + if (dev->feature & GS_CAN_FEATURE_HW_TIMESTAMP) + /* timestamp follows data field of max size */ + minimum_length =3D struct_size(hf, classic_can_ts, 1); + else + minimum_length =3D sizeof(hf->header) + data_length; + } + + *data_length_p =3D data_length; + return minimum_length; +} + static void gs_usb_receive_bulk_callback(struct urb *urb) { struct gs_usb *parent =3D urb->context; @@ -578,7 +614,7 @@ static void gs_usb_receive_bulk_callback(struct urb *ur= b) int rc; struct net_device_stats *stats; struct gs_host_frame *hf =3D urb->transfer_buffer; - unsigned int minimum_length; + unsigned int minimum_length, data_length; struct gs_tx_context *txc; struct can_frame *cf; struct canfd_frame *cfd; @@ -621,20 +657,33 @@ static void gs_usb_receive_bulk_callback(struct urb *= urb) if (!netif_running(netdev)) goto resubmit_urb; =20 - if (hf->echo_id =3D=3D -1) { /* normal rx */ + minimum_length =3D gs_usb_get_minimum_length(dev, hf, &data_length); + if (urb->actual_length < minimum_length) { + stats->rx_errors++; + stats->rx_length_errors++; + + if (net_ratelimit()) + netdev_err(netdev, + "short read (actual_length=3D%u, minimum_length=3D%u)\n", + urb->actual_length, minimum_length); + + goto resubmit_urb; + } + + if (hf->echo_id =3D=3D GS_HOST_FRAME_ECHO_ID_RX) { /* normal rx */ if (hf->flags & GS_CAN_FLAG_FD) { skb =3D alloc_canfd_skb(netdev, &cfd); if (!skb) return; =20 cfd->can_id =3D le32_to_cpu(hf->can_id); - cfd->len =3D can_fd_dlc2len(hf->can_dlc); + cfd->len =3D data_length; if (hf->flags & GS_CAN_FLAG_BRS) cfd->flags |=3D CANFD_BRS; if (hf->flags & GS_CAN_FLAG_ESI) cfd->flags |=3D CANFD_ESI; =20 - memcpy(cfd->data, hf->canfd->data, cfd->len); + memcpy(cfd->data, hf->canfd->data, data_length); } else { skb =3D alloc_can_skb(netdev, &cf); if (!skb) @@ -643,7 +692,7 @@ static void gs_usb_receive_bulk_callback(struct urb *ur= b) cf->can_id =3D le32_to_cpu(hf->can_id); can_frame_set_cc_len(cf, hf->can_dlc, dev->can.ctrlmode); =20 - memcpy(cf->data, hf->classic_can->data, 8); + memcpy(cf->data, hf->classic_can->data, data_length); =20 /* ERROR frames tell us information about the controller */ if (le32_to_cpu(hf->can_id) & CAN_ERR_FLAG) --=20 2.51.0