author: Jag Raman <jag.raman@oracle.com> 2017-06-09 18:29:31 +0200
committer: David S. Miller <davem@davemloft.net> 2017-06-10 23:10:55 +0200
commit: 6c95483b768c62f8ee933ae08a1bdbcb78b5410f
tree: 9747d8a1b18cfe1bc2caa1268282602034c11d89 /arch/sparc/kernel/ldc.c
parent: sparc64: ensure LDC channel is ready before communication
sparc64: ldc abort during vds iso boot
Orabug: 20902628

When an ldc control-only packet is received during data exchange in read_nonraw(), a new rx head is calculated but the rx queue head is not actually advanced (rx_set_head() is not called) and a branch is taken to 'no_data' at which point two things can happen depending on the value of the newly calculated rx head and the current rx tail:

- If the rx queue is determined to be not empty, then the wrong packet is picked up.
- If the rx queue is determined to be empty, then a read error (EAGAIN) is eventually returned since it is falsely assumed that more data was expected.

The fix is to update the rx head and return in case of a control only packet during data exchange.

Signed-off-by: Jagannathan Raman <jag.raman@oracle.com>
Reviewed-by: Aaron Young <aaron.young@oracle.com>
Reviewed-by: Alexandre Chartre <alexandre.chartre@oracle.com>
Reviewed-by: Bijan Mottahedeh <bijan.mottahedeh@oracle.com>
Reviewed-by: Liam Merwick <liam.merwick@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to '')
-rw-r--r-- arch/sparc/kernel/ldc.c 7
1 files changed, 6 insertions, 1 deletions
diff --git a/arch/sparc/kernel/ldc.c b/arch/sparc/kernel/ldc.c
index 639da7b53e83..47817b78ebfc 100644
--- a/arch/sparc/kernel/ldc.c
+++ b/arch/sparc/kernel/ldc.c
@@ -1778,9 +1778,14 @@ static int read_nonraw(struct ldc_channel *lp, void *buf, unsigned int size)
lp->rcv_nxt = p->seqid;
+ /*
+ * If this is a control-only packet, there is nothing
+ * else to do but advance the rx queue since the packet
+ * was already processed above.
+ */
if (!(p->type & LDC_DATA)) {
new = rx_advance(lp, new);
- goto no_data;
+ break;
}
if (p->stype & (LDC_ACK | LDC_NACK)) {
err = data_ack_nack(lp, p);
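Review bot: In the `!(p->type & LDC_DATA)` branch, the new comment says the rx queue is advanced, but the visible lines only compute `new = rx_advance(lp, new)` and then `break`. The rx_set_head() call that the commit message describes as the fix must therefore happen after the loop, outside this hunk's context. The comment should say so explicitly, for example that breaking out lets the code after the loop commit the new head. It should also state what read_nonraw() returns to the caller in this case, since the commit message says "return" without naming the value. Please also confirm that leaving the loop here is correct when the control-only packet arrives after some data has already been copied into `buf` during the same call, because that path cannot be checked from these lines.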