tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom

Merge tag 'linux-can-fixes-for-6.17-20250910' of git://git.kernel.org/pub/scm/linux/kernel/git/mkl/linux-can

Marc Kleine-Budde says:

====================
pull-request: can 2025-09-10

The 1st patch is by Alex Tran and fixes the Documentation of the
struct bcm_msg_head.

Davide Caratti's patch enabled the VCAN driver as a module for the
Linux self tests.

Tetsuo Handa contributes 3 patches that fix various problems in the
CAN j1939 protocol.

Anssi Hannula's patch fixes a potential use-after-free in the
xilinx_can driver.

Geert Uytterhoeven's patch fixes the rcan_can's suspend to RAM on
R-Car Gen3 using PSCI.

* tag 'linux-can-fixes-for-6.17-20250910' of git://git.kernel.org/pub/scm/linux/kernel/git/mkl/linux-can:
can: rcar_can: rcar_can_resume(): fix s2ram with PSCI
can: xilinx_can: xcan_write_frame(): fix use-after-free of transmitted SKB
can: j1939: j1939_local_ecu_get(): undo increment when j1939_local_ecu_get() fails
can: j1939: j1939_sk_bind(): call j1939_priv_put() immediately when j1939_local_ecu_get() failed
can: j1939: implement NETDEV_UNREGISTER notification handler
selftests: can: enable CONFIG_CAN_VCAN as a module
docs: networking: can: change bcm_msg_head frames member to support flexible array
====================

Link: https://patch.msgid.link/20250910162907.948454-1-mkl@pengutronix.de
Signed-off-by: Jakub Kicinski <kuba@kernel.org>

Jakub Kicinski ccf78f7f a2ddf8a5

+73 -17
+1 -1
Documentation/networking/can.rst
··· 742 742 struct timeval ival1, ival2; /* count and subsequent interval */ 743 743 canid_t can_id; /* unique can_id for task */ 744 744 __u32 nframes; /* number of can_frames following */ 745 - struct can_frame frames[0]; 745 + struct can_frame frames[]; 746 746 }; 747 747 748 748 The aligned payload 'frames' uses the same basic CAN frame structure defined
+1 -7
drivers/net/can/rcar/rcar_can.c
··· 861 861 { 862 862 struct net_device *ndev = dev_get_drvdata(dev); 863 863 struct rcar_can_priv *priv = netdev_priv(ndev); 864 - u16 ctlr; 865 864 int err; 866 865 867 866 if (!netif_running(ndev)) ··· 872 873 return err; 873 874 } 874 875 875 - ctlr = readw(&priv->regs->ctlr); 876 - ctlr &= ~RCAR_CAN_CTLR_SLPM; 877 - writew(ctlr, &priv->regs->ctlr); 878 - ctlr &= ~RCAR_CAN_CTLR_CANM; 879 - writew(ctlr, &priv->regs->ctlr); 880 - priv->can.state = CAN_STATE_ERROR_ACTIVE; 876 + rcar_can_start(ndev); 881 877 882 878 netif_device_attach(ndev); 883 879 netif_start_queue(ndev);
+8 -8
drivers/net/can/xilinx_can.c
··· 690 690 dlc |= XCAN_DLCR_EDL_MASK; 691 691 } 692 692 693 - if (!(priv->devtype.flags & XCAN_FLAG_TX_MAILBOXES) && 694 - (priv->devtype.flags & XCAN_FLAG_TXFEMP)) 695 - can_put_echo_skb(skb, ndev, priv->tx_head % priv->tx_max, 0); 696 - else 697 - can_put_echo_skb(skb, ndev, 0, 0); 698 - 699 - priv->tx_head++; 700 - 701 693 priv->write_reg(priv, XCAN_FRAME_ID_OFFSET(frame_offset), id); 702 694 /* If the CAN frame is RTR frame this write triggers transmission 703 695 * (not on CAN FD) ··· 722 730 data[1]); 723 731 } 724 732 } 733 + 734 + if (!(priv->devtype.flags & XCAN_FLAG_TX_MAILBOXES) && 735 + (priv->devtype.flags & XCAN_FLAG_TXFEMP)) 736 + can_put_echo_skb(skb, ndev, priv->tx_head % priv->tx_max, 0); 737 + else 738 + can_put_echo_skb(skb, ndev, 0, 0); 739 + 740 + priv->tx_head++; 725 741 } 726 742 727 743 /**
+4 -1
net/can/j1939/bus.c
··· 290 290 if (!ecu) 291 291 ecu = j1939_ecu_create_locked(priv, name); 292 292 err = PTR_ERR_OR_ZERO(ecu); 293 - if (err) 293 + if (err) { 294 + if (j1939_address_is_unicast(sa)) 295 + priv->ents[sa].nusers--; 294 296 goto done; 297 + } 295 298 296 299 ecu->nusers++; 297 300 /* TODO: do we care if ecu->addr != sa? */
+1
net/can/j1939/j1939-priv.h
··· 212 212 213 213 /* notify/alert all j1939 sockets bound to ifindex */ 214 214 void j1939_sk_netdev_event_netdown(struct j1939_priv *priv); 215 + void j1939_sk_netdev_event_unregister(struct j1939_priv *priv); 215 216 int j1939_cancel_active_session(struct j1939_priv *priv, struct sock *sk); 216 217 void j1939_tp_init(struct j1939_priv *priv); 217 218
+3
net/can/j1939/main.c
··· 377 377 j1939_sk_netdev_event_netdown(priv); 378 378 j1939_ecu_unmap_all(priv); 379 379 break; 380 + case NETDEV_UNREGISTER: 381 + j1939_sk_netdev_event_unregister(priv); 382 + break; 380 383 } 381 384 382 385 j1939_priv_put(priv);
+52
net/can/j1939/socket.c
··· 521 521 ret = j1939_local_ecu_get(priv, jsk->addr.src_name, jsk->addr.sa); 522 522 if (ret) { 523 523 j1939_netdev_stop(priv); 524 + jsk->priv = NULL; 525 + synchronize_rcu(); 526 + j1939_priv_put(priv); 524 527 goto out_release_sock; 525 528 } 526 529 ··· 1301 1298 j1939_sk_queue_drop_all(priv, jsk, error_code); 1302 1299 } 1303 1300 read_unlock_bh(&priv->j1939_socks_lock); 1301 + } 1302 + 1303 + void j1939_sk_netdev_event_unregister(struct j1939_priv *priv) 1304 + { 1305 + struct sock *sk; 1306 + struct j1939_sock *jsk; 1307 + bool wait_rcu = false; 1308 + 1309 + rescan: /* The caller is holding a ref on this "priv" via j1939_priv_get_by_ndev(). */ 1310 + read_lock_bh(&priv->j1939_socks_lock); 1311 + list_for_each_entry(jsk, &priv->j1939_socks, list) { 1312 + /* Skip if j1939_jsk_add() is not called on this socket. */ 1313 + if (!(jsk->state & J1939_SOCK_BOUND)) 1314 + continue; 1315 + sk = &jsk->sk; 1316 + sock_hold(sk); 1317 + read_unlock_bh(&priv->j1939_socks_lock); 1318 + /* Check if j1939_jsk_del() is not yet called on this socket after holding 1319 + * socket's lock, for both j1939_sk_bind() and j1939_sk_release() call 1320 + * j1939_jsk_del() with socket's lock held. 1321 + */ 1322 + lock_sock(sk); 1323 + if (jsk->state & J1939_SOCK_BOUND) { 1324 + /* Neither j1939_sk_bind() nor j1939_sk_release() called j1939_jsk_del(). 1325 + * Make this socket no longer bound, by pretending as if j1939_sk_bind() 1326 + * dropped old references but did not get new references. 1327 + */ 1328 + j1939_jsk_del(priv, jsk); 1329 + j1939_local_ecu_put(priv, jsk->addr.src_name, jsk->addr.sa); 1330 + j1939_netdev_stop(priv); 1331 + /* Call j1939_priv_put() now and prevent j1939_sk_sock_destruct() from 1332 + * calling the corresponding j1939_priv_put(). 1333 + * 1334 + * j1939_sk_sock_destruct() is supposed to call j1939_priv_put() after 1335 + * an RCU grace period. But since the caller is holding a ref on this 1336 + * "priv", we can defer synchronize_rcu() until immediately before 1337 + * the caller calls j1939_priv_put(). 1338 + */ 1339 + j1939_priv_put(priv); 1340 + jsk->priv = NULL; 1341 + wait_rcu = true; 1342 + } 1343 + release_sock(sk); 1344 + sock_put(sk); 1345 + goto rescan; 1346 + } 1347 + read_unlock_bh(&priv->j1939_socks_lock); 1348 + if (wait_rcu) 1349 + synchronize_rcu(); 1304 1350 } 1305 1351 1306 1352 static int j1939_sk_no_ioctlcmd(struct socket *sock, unsigned int cmd,
+3
tools/testing/selftests/net/can/config
··· 1 + CONFIG_CAN=m 2 + CONFIG_CAN_DEV=m 3 + CONFIG_CAN_VCAN=m