The return value of tfc_em_delete_raw() in tfc_em_delete() was
silently discarded: rc was unconditionally overwritten by the
subsequent tfc_cpm_get_cmm_inst() call without any error check.
If tfc_em_delete_raw() fails, the HW EM entry is not removed but
the function continues to free the corresponding SW pool entry,
creating a HW/SW state inconsistency that can lead to stale flow
matches or incorrect pool slot reuse.
Add an error check after the call and return -EINVAL on failure.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Fixes: 80317ff6adfd ("net/bnxt/tf_core: support Thor2")
Cc: [email protected]
Signed-off-by: Denis Sergeev <[email protected]>
---
drivers/net/bnxt/tf_core/v3/tfc_em.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/drivers/net/bnxt/tf_core/v3/tfc_em.c
b/drivers/net/bnxt/tf_core/v3/tfc_em.c
index 3fe4dbe3fe..4c126dc2f4 100644
--- a/drivers/net/bnxt/tf_core/v3/tfc_em.c
+++ b/drivers/net/bnxt/tf_core/v3/tfc_em.c
@@ -661,6 +661,11 @@ int tfc_em_delete(struct tfc *tfcp, struct
tfc_em_delete_parms *parms)
&db_offset
#endif
);
+ if (rc != 0) {
+ PMD_DRV_LOG_LINE(ERR, "tfc_em_delete_raw() failed: %s",
+ strerror(-rc));
+ return -EINVAL;
+ }
record_offset = REMOVE_POOL_FROM_OFFSET(pi.lkup_pool_sz_exp,
record_offset);
--
2.50.1
