qed: Fix potential memory corruption
authorSagiv Ozeri <sagiv.ozeri@cavium.com>
Thu, 8 Nov 2018 14:46:11 +0000 (16:46 +0200)
committerDavid S. Miller <davem@davemloft.net>
Fri, 9 Nov 2018 03:38:19 +0000 (19:38 -0800)
A stuck ramrod should be deleted from the completion_pending list,
otherwise it will be added again in the future and corrupt the list.

Return error value to inform that ramrod is stuck and should be deleted.

Signed-off-by: Sagiv Ozeri <sagiv.ozeri@cavium.com>
Signed-off-by: Denis Bolotin <denis.bolotin@cavium.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
drivers/net/ethernet/qlogic/qed/qed_spq.c

index c1a81ec0524b8df8ffee6247dbf147d3500bc59c..0a9c5bb0fa486658a23132680a1aeddb9a72b518 100644 (file)
@@ -142,6 +142,7 @@ static int qed_spq_block(struct qed_hwfn *p_hwfn,
 
        DP_INFO(p_hwfn, "Ramrod is stuck, requesting MCP drain\n");
        rc = qed_mcp_drain(p_hwfn, p_ptt);
+       qed_ptt_release(p_hwfn, p_ptt);
        if (rc) {
                DP_NOTICE(p_hwfn, "MCP drain failed\n");
                goto err;
@@ -150,18 +151,15 @@ static int qed_spq_block(struct qed_hwfn *p_hwfn,
        /* Retry after drain */
        rc = __qed_spq_block(p_hwfn, p_ent, p_fw_ret, true);
        if (!rc)
-               goto out;
+               return 0;
 
        comp_done = (struct qed_spq_comp_done *)p_ent->comp_cb.cookie;
-       if (comp_done->done == 1)
+       if (comp_done->done == 1) {
                if (p_fw_ret)
                        *p_fw_ret = comp_done->fw_return_code;
-out:
-       qed_ptt_release(p_hwfn, p_ptt);
-       return 0;
-
+               return 0;
+       }
 err:
-       qed_ptt_release(p_hwfn, p_ptt);
        DP_NOTICE(p_hwfn,
                  "Ramrod is stuck [CID %08x cmd %02x protocol %02x echo %04x]\n",
                  le32_to_cpu(p_ent->elem.hdr.cid),