sparc64: ldc abort during vds iso boot

Orabug: 20902628

When an ldc control-only packet is received during data exchange in
read_nonraw(), a new rx head is calculated but the rx queue head is not
actually advanced (rx_set_head() is not called) and a branch is taken to
'no_data' at which point two things can happen depending on the value
of the newly calculated rx head and the current rx tail:

- If the rx queue is determined to be not empty, then the wrong packet
  is picked up.

- If the rx queue is determined to be empty, then a read error (EAGAIN)
  is eventually returned since it is falsely assumed that more data was
  expected.

The fix is to update the rx head and return in case of a control only
packet during data exchange.

Signed-off-by: Jagannathan Raman <jag.raman@oracle.com>
Reviewed-by: Aaron Young <aaron.young@oracle.com>
Reviewed-by: Alexandre Chartre <alexandre.chartre@oracle.com>
Reviewed-by: Bijan Mottahedeh <bijan.mottahedeh@oracle.com>
Reviewed-by: Liam Merwick <liam.merwick@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

diff --git a/arch/sparc/kernel/ldc.c b/arch/sparc/kernel/ldc.c
index 639da7b53e836a07aff0e818ad5722d4cd919052..47817b78ebfc0ca2bea5475aa973559101dd2ca6 100644 (file)
--- a/arch/sparc/kernel/ldc.c
+++ b/arch/sparc/kernel/ldc.c
@@ -1778,9 +1778,14 @@ static int read_nonraw(struct ldc_channel *lp, void *buf, unsigned int size)
 
                lp->rcv_nxt = p->seqid;
 
+               /*
+                * If this is a control-only packet, there is nothing
+                * else to do but advance the rx queue since the packet
+                * was already processed above.
+                */
                if (!(p->type & LDC_DATA)) {
                        new = rx_advance(lp, new);
-                       goto no_data;
+                       break;
                }
                if (p->stype & (LDC_ACK | LDC_NACK)) {
                        err = data_ack_nack(lp, p);