From: Marc Kleine-Budde <mkl@xxxxxxxxxxxxxx> commit 30447a1bc0e066e492552b3e5ffeb63c1605dfe2 upstream. Commit b8e0ddd36ce9 ("can: mcp251xfd: tef: prepare to workaround broken TEF FIFO tail index erratum") introduced mcp251xfd_get_tef_len() to get the number of unhandled transmit events from the Transmit Event FIFO (TEF). As the TEF has no head index, the driver uses the TX-FIFO's tail index instead, assuming that send frames are completed. When calculating the number of unhandled TEF events, that commit didn't take mcp2518fd erratum DS80000789E 6. into account. According to that erratum, the FIFOCI bits of a FIFOSTA register, here the TX-FIFO tail index might be corrupted. However here it seems the bit indicating that the TX-FIFO is empty (MCP251XFD_REG_FIFOSTA_TFERFFIF) is not correct while the TX-FIFO tail index is. Assume that the TX-FIFO is indeed empty if: - Chip's head and tail index are equal (len == 0). - The TX-FIFO is less than half full. (The TX-FIFO empty case has already been checked at the beginning of this function.) - No free buffers in the TX ring. If the TX-FIFO is assumed to be empty, assume that the TEF is full and return the number of elements in the TX-FIFO (which equals the number of TEF elements). If these assumptions are false, the driver might read to many objects from the TEF. mcp251xfd_handle_tefif_one() checks the sequence numbers and will refuse to process old events. Reported-by: Renjaya Raga Zenta <renjaya.zenta@xxxxxxxxxxxxxxx> Closes: https://patch.msgid.link/CAJ7t6HgaeQ3a_OtfszezU=zB-FqiZXqrnATJ3UujNoQJJf7GgA@xxxxxxxxxxxxxx Fixes: b8e0ddd36ce9 ("can: mcp251xfd: tef: prepare to workaround broken TEF FIFO tail index erratum") Tested-by: Renjaya Raga Zenta <renjaya.zenta@xxxxxxxxxxxxxxx> Cc: stable@xxxxxxxxxxxxxxx Link: https://patch.msgid.link/20241126-mcp251xfd-fix-length-calculation-v2-1-c2ed516ed6ba@xxxxxxxxxxxxxx Signed-off-by: Marc Kleine-Budde <mkl@xxxxxxxxxxxxxx> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- drivers/net/can/spi/mcp251xfd/mcp251xfd-tef.c | 29 ++++++++++++++++++- 1 file changed, 28 insertions(+), 1 deletion(-) diff --git a/drivers/net/can/spi/mcp251xfd/mcp251xfd-tef.c b/drivers/net/can/spi/mcp251xfd/mcp251xfd-tef.c index d3ac865933fd..e94321849fd7 100644 --- a/drivers/net/can/spi/mcp251xfd/mcp251xfd-tef.c +++ b/drivers/net/can/spi/mcp251xfd/mcp251xfd-tef.c @@ -21,6 +21,11 @@ static inline bool mcp251xfd_tx_fifo_sta_empty(u32 fifo_sta) return fifo_sta & MCP251XFD_REG_FIFOSTA_TFERFFIF; } +static inline bool mcp251xfd_tx_fifo_sta_less_than_half_full(u32 fifo_sta) +{ + return fifo_sta & MCP251XFD_REG_FIFOSTA_TFHRFHIF; +} + static inline int mcp251xfd_tef_tail_get_from_chip(const struct mcp251xfd_priv *priv, u8 *tef_tail) @@ -147,7 +152,29 @@ mcp251xfd_get_tef_len(struct mcp251xfd_priv *priv, u8 *len_p) BUILD_BUG_ON(sizeof(tx_ring->obj_num) != sizeof(len)); len = (chip_tx_tail << shift) - (tail << shift); - *len_p = len >> shift; + len >>= shift; + + /* According to mcp2518fd erratum DS80000789E 6. the FIFOCI + * bits of a FIFOSTA register, here the TX-FIFO tail index + * might be corrupted. + * + * However here it seems the bit indicating that the TX-FIFO + * is empty (MCP251XFD_REG_FIFOSTA_TFERFFIF) is not correct + * while the TX-FIFO tail index is. + * + * We assume the TX-FIFO is empty, i.e. all pending CAN frames + * haven been send, if: + * - Chip's head and tail index are equal (len == 0). + * - The TX-FIFO is less than half full. + * (The TX-FIFO empty case has already been checked at the + * beginning of this function.) + * - No free buffers in the TX ring. + */ + if (len == 0 && mcp251xfd_tx_fifo_sta_less_than_half_full(fifo_sta) && + mcp251xfd_get_tx_free(tx_ring) == 0) + len = tx_ring->obj_num; + + *len_p = len; return 0; } -- 2.47.1 Patches currently in stable-queue which might be from mkl@xxxxxxxxxxxxxx are queue-6.1/can-gs_usb-add-vid-pid-for-xylanta-saint3-product-fa.patch queue-6.1/can-mcp251xfd-mcp251xfd_get_tef_len-work-around-erratum-ds80000789e-6.patch queue-6.1/can-gs_usb-add-usb-endpoint-address-detection-at-dri.patch queue-6.1/can-gs_usb-gs_usb_probe-align-block-comment.patch queue-6.1/can-hi311x-hi3110_can_ist-fix-potential-use-after-fr.patch queue-6.1/can-hi311x-hi3110_can_ist-fix-rx-tx-_errors-statisti.patch queue-6.1/can-j1939-j1939_session_new-fix-skb-reference-counti.patch queue-6.1/can-dev-can_set_termination-allow-sleeping-gpios.patch queue-6.1/can-j1939-fix-error-in-j1939-documentation.patch queue-6.1/can-gs_usb-uniformly-use-parent-as-variable-name-for.patch queue-6.1/can-m_can-m_can_handle_lec_err-fix-rx-tx-_errors-sta.patch queue-6.1/can-c_can-c_can_handle_bus_err-update-statistics-if-.patch queue-6.1/can-ems_usb-ems_usb_rx_err-fix-rx-tx-_errors-statist.patch queue-6.1/can-sun4i_can-sun4i_can_err-fix-rx-tx-_errors-statis.patch queue-6.1/can-sun4i_can-sun4i_can_err-call-can_change_state-ev.patch queue-6.1/can-gs_usb-remove-leading-space-from-goto-labels.patch queue-6.1/can-ifi_canfd-ifi_canfd_handle_lec_err-fix-rx-tx-_er.patch queue-6.1/can-sja1000-sja1000_err-fix-rx-tx-_errors-statistics.patch