3.4-stable review patch. If anyone has any objections, please let me know. ------------------ From: Ben Hutchings <bhutchings@xxxxxxxxxxxxxx> [ Upstream commit 450783747f42dfa3883920acfad4acdd93ce69af ] MCDI supports requests up to 252 bytes long, which is only enough to pass 63 RX queue IDs to MC_CMD_FLUSH_RX_QUEUES. However a VF may have up to 64 RX queues, and if we try to flush them all we will generate an over-length request and BUG() in efx_mcdi_copyin(). Currently all VF drivers limit themselves to 32 RX queues, so reducing the limit to 63 does no harm. Also add a BUILD_BUG_ON in efx_mcdi_flush_rxqs() so we remember to deal with the same problem there if EFX_MAX_CHANNELS is increased. Signed-off-by: Ben Hutchings <bhutchings@xxxxxxxxxxxxxx> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- drivers/net/ethernet/sfc/mcdi.c | 3 +++ drivers/net/ethernet/sfc/siena_sriov.c | 7 +++++++ 2 files changed, 10 insertions(+) --- a/drivers/net/ethernet/sfc/mcdi.c +++ b/drivers/net/ethernet/sfc/mcdi.c @@ -1168,6 +1168,9 @@ int efx_mcdi_flush_rxqs(struct efx_nic * __le32 *qid; int rc, count; + BUILD_BUG_ON(EFX_MAX_CHANNELS > + MC_CMD_FLUSH_RX_QUEUES_IN_QID_OFST_MAXNUM); + qid = kmalloc(EFX_MAX_CHANNELS * sizeof(*qid), GFP_KERNEL); if (qid == NULL) return -ENOMEM; --- a/drivers/net/ethernet/sfc/siena_sriov.c +++ b/drivers/net/ethernet/sfc/siena_sriov.c @@ -21,6 +21,9 @@ /* Number of longs required to track all the VIs in a VF */ #define VI_MASK_LENGTH BITS_TO_LONGS(1 << EFX_VI_SCALE_MAX) +/* Maximum number of RX queues supported */ +#define VF_MAX_RX_QUEUES 63 + /** * enum efx_vf_tx_filter_mode - TX MAC filtering behaviour * @VF_TX_FILTER_OFF: Disabled @@ -578,6 +581,7 @@ static int efx_vfdi_init_rxq(struct efx_ efx_oword_t reg; if (bad_vf_index(efx, vf_evq) || bad_vf_index(efx, vf_rxq) || + vf_rxq >= VF_MAX_RX_QUEUES || bad_buf_count(buf_count, EFX_MAX_DMAQ_SIZE)) { if (net_ratelimit()) netif_err(efx, hw, efx->net_dev, @@ -683,6 +687,9 @@ static int efx_vfdi_fini_all_queues(stru __le32 *rxqs; int rc; + BUILD_BUG_ON(VF_MAX_RX_QUEUES > + MC_CMD_FLUSH_RX_QUEUES_IN_QID_OFST_MAXNUM); + rxqs = kmalloc(count * sizeof(*rxqs), GFP_KERNEL); if (rxqs == NULL) return VFDI_RC_ENOMEM; -- To unsubscribe from this list: send the line "unsubscribe stable" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html