drivers/can: Fix close drain, write-only reader lifecycle, and STM32 RX header

shizacat · shizacat · commit e1149b7cd68b · 2026-04-18T21:43:14.000+03:00
Always allocate per-file can_reader on open so write-only descriptors get msgalign / ioctl state; free that context on close when it was never linked into cd_readers (fixes leak).

Release the critical section before waiting for SW/HW TX drain on last close, and cap each drain loop (20×500 ms) so close() cannot block forever when bxCAN retries without ACK or dev_txempty never clears.

In stm32 CAN RX interrupt, zero the full can_hdr before filling it so padding and optional fields are not stack garbage (avoids false memcmp failures vs TX path, e.g. loopback examples). Fix stm32can_vputreg debug log to print the written value (correct parameter name).

Signed-off-by: Alexey Matveev &lt;tippet@yandex.ru&gt;
diff --git a/arch/arm/src/stm32/stm32_can.c b/arch/arm/src/stm32/stm32_can.c
@@ -365,7 +365,7 @@ static void stm32can_vputreg(uint32_t addr, uint32_t value)
 {
   /* Show the register value being written */
 
-  caninfo("%08" PRIx32 "->%08" PRIx32 "\n", addr, val);
+  caninfo("%08" PRIx32 "->%08" PRIx32 "\n", addr, value);
 
   /* Write the value */
 
@@ -1533,6 +1533,14 @@ static int stm32can_rxinterrupt(struct can_dev_s *dev, int rxmb)
   DEBUGASSERT(dev != NULL && dev->cd_priv != NULL);
   priv = dev->cd_priv;
 
+  /* Clear full header:
+   * padding and optional fields (timestamp, etc.) must
+   * not contain stack garbage or memcmp() in apps (e.g. examples/can with
+   * CONFIG_CAN_LOOPBACK) will falsely fail vs. zero-initialized TX header.
+   */
+
+  memset(&hdr, 0, sizeof(hdr));
+
   /* Verify that a message is pending in the FIFO */
 
   regval   = stm32can_getreg(priv, STM32_CAN_RFR_OFFSET(rxmb));
diff --git a/drivers/can/can.c b/drivers/can/can.c
@@ -89,6 +89,13 @@
 #define HALF_SECOND_MSEC 500
 #define HALF_SECOND_USEC 500000L
 
+/* can_close waits for SW queue and H/W TX to drain.  Without a second bus
+ * node (no ACK) bxCAN may retry indefinitely; dev_txempty() then never
+ * becomes true.  Bound the wait so close() does not hang forever.
+ */
+
+#define CAN_CLOSE_DRAIN_LOOPS 20u  /* 20 * 500 ms = 10 s per stage */
+
 /****************************************************************************
  * Private Function Prototypes
  ****************************************************************************/
@@ -257,14 +264,22 @@ static int can_open(FAR struct file *filep)
 
       if (ret == OK)
         {
+          FAR struct can_reader_s *reader;
+
           dev->cd_crefs++;
 
-          /* Update the reader list only if driver was open for reading */
+          /* Per-file context (msgalign, optional ioctl FIFO).  Always
+           * allocated: write-only needs msgalign / CANIOC_* without O_RDOK.
+           * Receive path and poll() only use readers that are also queued
+           * on cd_readers (see below).
+           */
+
+          reader = init_can_reader(filep);
 
           if ((filep->f_oflags & O_RDOK) != 0)
             {
               list_add_head(&dev->cd_readers,
-                            (FAR struct list_node *)init_can_reader(filep));
+                            (FAR struct list_node *)reader);
             }
         }
 
@@ -305,29 +320,43 @@ static int can_close(FAR struct file *filep)
 
   flags = enter_critical_section(); /* Disable interrupts */
 
-  list_for_every(&dev->cd_readers, node)
     {
-      if (((FAR struct can_reader_s *)node) ==
-          ((FAR struct can_reader_s *)filep->f_priv))
+      FAR struct can_reader_s *priv =
+        (FAR struct can_reader_s *)filep->f_priv;
+      bool                     onlist = false;
+
+      list_for_every(&dev->cd_readers, node)
         {
-          FAR struct can_reader_s *reader = (FAR struct can_reader_s *)node;
-          FAR struct can_rxfifo_s *fifo   = &reader->fifo;
+          if (((FAR struct can_reader_s *)node) == priv)
+            {
+              FAR struct can_reader_s *reader =
+                (FAR struct can_reader_s *)node;
+              FAR struct can_rxfifo_s *fifo   = &reader->fifo;
 
-          /* Unlock the binary semaphore, waking up can_read if it
-           * is blocked.
-           */
+              /* Unlock the binary semaphore, waking up can_read if it
+               * is blocked.
+               */
 
-          nxsem_post(&fifo->rx_sem);
+              nxsem_post(&fifo->rx_sem);
 
-          /* Notify specific poll/select waiter that they can read from the
-           * cd_recv buffer
-           */
+              /* Notify specific poll/select waiter that they can read from
+               * the cd_recv buffer
+               */
 
-          poll_notify(&reader->cd_fds, 1, POLLHUP);
-          reader->cd_fds = NULL;
-          list_delete(node);
-          kmm_free(node);
-          break;
+              poll_notify(&reader->cd_fds, 1, POLLHUP);
+              reader->cd_fds = NULL;
+              list_delete(node);
+              kmm_free(node);
+              onlist = true;
+              break;
+            }
+        }
+
+      /* Write-only opens use init_can_reader() but are not on cd_readers */
+
+      if (!onlist && priv != NULL)
+        {
+          kmm_free(priv);
         }
     }
 
@@ -341,26 +370,56 @@ static int can_close(FAR struct file *filep)
       goto errout;
     }
 
+  /* Last client: release the critical section before draining TX.
+   * Long sleeps with IRQs masked can prevent the TX-complete ISR
+   * from running and stall the SW queue; the same applies when
+   * the controller retries on NACK.
+   */
+
+  leave_critical_section(flags);
+
   /* Stop accepting input */
 
   dev_rxint(dev, false);
 
   /* Now we wait for the sender to clear */
 
-  while (!TX_EMPTY(&dev->cd_sender))
     {
-      nxsched_usleep(HALF_SECOND_USEC);
+      unsigned int n = 0;
+
+      while (!TX_EMPTY(&dev->cd_sender) && n < CAN_CLOSE_DRAIN_LOOPS)
+        {
+          nxsched_usleep(HALF_SECOND_USEC);
+          n++;
+        }
+
+      if (!TX_EMPTY(&dev->cd_sender))
+        {
+          canerr("CAN close: SW TX queue still not empty after timeout\n");
+        }
     }
 
   /* And wait for the hardware sender to drain */
 
-  while (!dev_txempty(dev))
     {
-      nxsched_usleep(HALF_SECOND_USEC);
+      unsigned int n = 0;
+
+      while (!dev_txempty(dev) && n < CAN_CLOSE_DRAIN_LOOPS)
+        {
+          nxsched_usleep(HALF_SECOND_USEC);
+          n++;
+        }
+
+      if (!dev_txempty(dev))
+        {
+          canerr("CAN close: H/W TX still busy after timeout "
+                 "(no ACK / bus-off / stuck mailbox)\n");
+        }
     }
 
   /* Free the IRQ and disable the CAN device */
 
+  flags = enter_critical_section();
   dev_shutdown(dev); /* Disable the CAN */
 
 errout:
