net/enic: fix crash on MTU update or Rx queue reconfigure

The incorrect completion queue corresponding to an RQ would be
freed if multiple Rx queues are in use and the MTU is changed,
or an Rx queue is released. This could lead to a segmentation fault
when the device is disabled or even in the Rx or Tx paths.

The index of the completion queue corresponding to a RQ needed
to be adjusted after Rx scatter was introduced.

Fixes: 856d7ba7ed22 ("net/enic: support scattered Rx")

Signed-off-by: John Daley <johndale@cisco.com>
Reviewed-by: Nelson Escobar <neescoba@cisco.com>

diff --git a/drivers/net/enic/enic.h b/drivers/net/enic/enic.h
index 4ea4e4a..13a4b31 100644 (file)
--- a/drivers/net/enic/enic.h
+++ b/drivers/net/enic/enic.h
@@ -170,6 +170,11 @@ struct enic {
 
 };
 
+/* Get the CQ index from a Start of Packet(SOP) RQ index */
+static inline unsigned int enic_sop_rq_idx_to_cq_idx(unsigned int sop_idx)
+{
+       return sop_idx / 2;
+}
 static inline unsigned int enic_rq_sop(unsigned int sop_rq)
 {
        return sop_rq / 2;

diff --git a/drivers/net/enic/enic_main.c b/drivers/net/enic/enic_main.c
index 85cd8d3..106cb67 100644 (file)
--- a/drivers/net/enic/enic_main.c
+++ b/drivers/net/enic/enic_main.c
@@ -540,7 +540,7 @@ void enic_free_rq(void *rxq)
        if (rq_data->in_use)
                vnic_rq_free(rq_data);
 
-       vnic_cq_free(&enic->cq[rq_sop->index]);
+       vnic_cq_free(&enic->cq[enic_sop_rq_idx_to_cq_idx(rq_sop->index)]);
 
        rq_sop->in_use = 0;
        rq_data->in_use = 0;