From: Vincent Mailhol <mailhol.vincent@xxxxxxxxxx> The actual payload length of the CAN Remote Transmission Request (RTR) frames is always 0, i.e. no payload is transmitted on the wire. However, those RTR frames still use the DLC to indicate the length of the requested frame. For this reason, it is incorrect to copy the payload of RTR frames (the payload buffer would only contain garbage data). This patch encapsulates the payload copy in a check toward the RTR flag. Link: https://lore.kernel.org/all/20211207121531.42941-4-mailhol.vincent@xxxxxxxxxx Cc: Yasushi SHOJI <yashi@xxxxxxxxxxxxxxx> Tested-by: Yasushi SHOJI <yashi@xxxxxxxxxxxxxxx> Signed-off-by: Vincent Mailhol <mailhol.vincent@xxxxxxxxxx> Signed-off-by: Marc Kleine-Budde <mkl@xxxxxxxxxxxxxx> --- drivers/net/can/pch_can.c | 15 ++++++++------- drivers/net/can/spi/mcp251x.c | 3 ++- drivers/net/can/usb/mcba_usb.c | 8 ++++---- 3 files changed, 14 insertions(+), 12 deletions(-) diff --git a/drivers/net/can/pch_can.c b/drivers/net/can/pch_can.c index 6b45840db1f9..4bf9bfc4de72 100644 --- a/drivers/net/can/pch_can.c +++ b/drivers/net/can/pch_can.c @@ -677,16 +677,17 @@ static int pch_can_rx_normal(struct net_device *ndev, u32 obj_num, int quota) cf->can_id = id; } - if (id2 & PCH_ID2_DIR) - cf->can_id |= CAN_RTR_FLAG; - cf->len = can_cc_dlc2len((ioread32(&priv->regs-> ifregs[0].mcont)) & 0xF); - for (i = 0; i < cf->len; i += 2) { - data_reg = ioread16(&priv->regs->ifregs[0].data[i / 2]); - cf->data[i] = data_reg; - cf->data[i + 1] = data_reg >> 8; + if (id2 & PCH_ID2_DIR) { + cf->can_id |= CAN_RTR_FLAG; + } else { + for (i = 0; i < cf->len; i += 2) { + data_reg = ioread16(&priv->regs->ifregs[0].data[i / 2]); + cf->data[i] = data_reg; + cf->data[i + 1] = data_reg >> 8; + } } rcv_pkts++; diff --git a/drivers/net/can/spi/mcp251x.c b/drivers/net/can/spi/mcp251x.c index 0cec808e8727..2fa1e85fa529 100644 --- a/drivers/net/can/spi/mcp251x.c +++ b/drivers/net/can/spi/mcp251x.c @@ -730,7 +730,8 @@ static void mcp251x_hw_rx(struct spi_device *spi, int buf_idx) } /* Data length */ frame->len = can_cc_dlc2len(buf[RXBDLC_OFF] & RXBDLC_LEN_MASK); - memcpy(frame->data, buf + RXBDAT_OFF, frame->len); + if (!(frame->can_id & CAN_RTR_FLAG)) + memcpy(frame->data, buf + RXBDAT_OFF, frame->len); priv->net->stats.rx_packets++; priv->net->stats.rx_bytes += frame->len; diff --git a/drivers/net/can/usb/mcba_usb.c b/drivers/net/can/usb/mcba_usb.c index a1a154c08b7f..162d2e11cadd 100644 --- a/drivers/net/can/usb/mcba_usb.c +++ b/drivers/net/can/usb/mcba_usb.c @@ -450,12 +450,12 @@ static void mcba_usb_process_can(struct mcba_priv *priv, cf->can_id = (sid & 0xffe0) >> 5; } - if (msg->dlc & MCBA_DLC_RTR_MASK) - cf->can_id |= CAN_RTR_FLAG; - cf->len = can_cc_dlc2len(msg->dlc & MCBA_DLC_MASK); - memcpy(cf->data, msg->data, cf->len); + if (msg->dlc & MCBA_DLC_RTR_MASK) + cf->can_id |= CAN_RTR_FLAG; + else + memcpy(cf->data, msg->data, cf->len); stats->rx_packets++; stats->rx_bytes += cf->len; -- 2.34.1
