| Seq | Timestamp | Type | Name | Duration |
|---|---|---|---|---|
| 0/0 | 2026/07/03 18:29 | flow | patch-triage |
1mArgs:null Results: {
"EnableConfigs": [
"ENIC",
"PCI_IOV"
],
"FocusSymbols": [
"enic_admin_rq_cq_service",
"enic_admin_wq_cq_service",
"enic_admin_msg_work_handler",
"enic_mbox_recv_handler",
"enic_mbox_pf_process_msg",
"enic_mbox_vf_process_msg",
"enic_mbox_send_msg"
],
"Reasoning": "The patch introduces a new admin channel and mailbox protocol for SR-IOV V2 support in the Cisco VIC Ethernet NIC driver (`enic`). The changes include new files `enic_admin.c` and `enic_mbox.c` which handle the setup, sending, and receiving of mailbox messages over the admin channel. This is reachable via PCI fuzzing, as syzkaller can emulate the PCI device and trigger the driver's probe and interrupt handlers. Fuzzing should focus on the message processing and queue service routines.",
"WorthFuzzing": true
} |
| 1/1 | 2026/07/03 18:29 | action | read-patch-diff |
0mArgs:null Results: {
"PatchDiff": "commit 0fe177867f3acbf99afb290db9113014f576f311\nAuthor: syz-cluster \u003ctriage@syzkaller.com\u003e\nDate: Fri Jul 3 18:29:14 2026 +0000\n\n syz-cluster: applied patch under review\n\ndiff --git a/drivers/net/ethernet/cisco/enic/Makefile b/drivers/net/ethernet/cisco/enic/Makefile\nindex a96b8332e6e2a8..e38aaf34c14839 100644\n--- a/drivers/net/ethernet/cisco/enic/Makefile\n+++ b/drivers/net/ethernet/cisco/enic/Makefile\n@@ -3,5 +3,6 @@ obj-$(CONFIG_ENIC) := enic.o\n \n enic-y := enic_main.o vnic_cq.o vnic_intr.o vnic_wq.o \\\n \tenic_res.o enic_dev.o enic_pp.o vnic_dev.o vnic_rq.o vnic_vic.o \\\n-\tenic_ethtool.o enic_api.o enic_clsf.o enic_rq.o enic_wq.o\n+\tenic_ethtool.o enic_api.o enic_clsf.o enic_rq.o enic_wq.o \\\n+\tenic_admin.o enic_mbox.o\n \ndiff --git a/drivers/net/ethernet/cisco/enic/enic.h b/drivers/net/ethernet/cisco/enic/enic.h\nindex 08472420f3a1fd..62b8941489d773 100644\n--- a/drivers/net/ethernet/cisco/enic/enic.h\n+++ b/drivers/net/ethernet/cisco/enic/enic.h\n@@ -256,10 +256,10 @@ struct enic {\n \tstruct enic_rx_coal rx_coalesce_setting;\n \tu32 rx_coalesce_usecs;\n \tu32 tx_coalesce_usecs;\n-#ifdef CONFIG_PCI_IOV\n \tu16 num_vfs;\n-#endif\n \tenum enic_vf_type vf_type;\n+\tbool vf_registered;\n+\tu32 pf_cap_version;\n \tunsigned int enable_count;\n \tspinlock_t enic_api_lock;\n \tbool enic_api_busy;\n@@ -292,10 +292,45 @@ struct enic {\n \n \t/* Admin channel resources for SR-IOV MBOX */\n \tbool has_admin_channel;\n+\t/* true only while the admin WQ/RQ/CQ are allocated and enabled; gates\n+\t * enic_admin_channel_close() so it is a no-op after a failed (re)open\n+\t * left the resources freed.\n+\t */\n+\tbool admin_chan_up;\n+\t/* set on send timeout; cleared on channel re-open */\n+\tbool mbox_send_disabled;\n \tstruct vnic_wq admin_wq;\n \tstruct vnic_rq admin_rq;\n \tstruct vnic_cq admin_cq[2];\n \tstruct vnic_intr admin_intr;\n+\tstruct work_struct admin_poll_work;\n+\tunsigned int admin_intr_index;\n+\tstruct work_struct link_notify_work;\n+\tstruct work_struct admin_msg_work;\n+\tspinlock_t admin_msg_lock;\t/* protects admin_msg_list */\n+\tstruct list_head admin_msg_list;\n+\tunsigned int admin_msg_count;\t/* current depth of admin_msg_list */\n+\tvoid (*admin_rq_handler)(struct enic *enic, void *buf,\n+\t\t\t\t unsigned int len);\n+\n+\t/* MBOX protocol state — mbox_lock serializes admin WQ sends */\n+\tstruct mutex mbox_lock;\n+\tu64 mbox_msg_num;\n+\t/* MBOX request-reply state. Written by the process-context request\n+\t * helpers (capability/register/unregister) and read/cleared by the\n+\t * admin_msg_work receive handlers. No explicit lock is needed because\n+\t * only one request is in flight at a time: requesters run under RTNL or\n+\t * single-threaded probe/remove, so each request is serialized and its\n+\t * reply completes mbox_comp before the next request is issued.\n+\t */\n+\tstruct completion mbox_comp;\n+\tu8 mbox_expected_reply;\n+\tbool mbox_initialized;\n+\n+\t/* PF: per-VF MBOX state, allocated when SRIOV V2 is enabled */\n+\tstruct enic_vf_state {\n+\t\tbool registered;\n+\t} *vf_state;\n };\n \n static inline struct net_device *vnic_get_netdev(struct vnic_dev *vdev)\n@@ -417,6 +452,7 @@ void enic_reset_addr_lists(struct enic *enic);\n int enic_sriov_enabled(struct enic *enic);\n int enic_is_valid_vf(struct enic *enic, int vf);\n int enic_is_dynamic(struct enic *enic);\n+int enic_is_sriov_vf_v2(struct enic *enic);\n void enic_set_ethtool_ops(struct net_device *netdev);\n int __enic_set_rsskey(struct enic *enic);\n void enic_ext_cq(struct enic *enic);\ndiff --git a/drivers/net/ethernet/cisco/enic/enic_admin.c b/drivers/net/ethernet/cisco/enic/enic_admin.c\nnew file mode 100644\nindex 00000000000000..69aa49ffd6c8d7\n--- /dev/null\n+++ b/drivers/net/ethernet/cisco/enic/enic_admin.c\n@@ -0,0 +1,644 @@\n+// SPDX-License-Identifier: GPL-2.0-only\n+// Copyright 2025 Cisco Systems, Inc. All rights reserved.\n+\n+#include \u003clinux/kernel.h\u003e\n+#include \u003clinux/netdevice.h\u003e\n+#include \u003clinux/dma-mapping.h\u003e\n+#include \u003clinux/interrupt.h\u003e\n+\n+#include \"vnic_dev.h\"\n+#include \"vnic_wq.h\"\n+#include \"vnic_rq.h\"\n+#include \"vnic_cq.h\"\n+#include \"vnic_intr.h\"\n+#include \"vnic_resource.h\"\n+#include \"vnic_devcmd.h\"\n+#include \"enic.h\"\n+#include \"enic_admin.h\"\n+#include \"cq_desc.h\"\n+#include \"cq_enet_desc.h\"\n+#include \"wq_enet_desc.h\"\n+#include \"rq_enet_desc.h\"\n+#include \"enic_mbox.h\"\n+\n+/* Clean up any admin WQ buffers still held by hardware at close time.\n+ * Normally buffers are freed inline after send completion, but a timed-out\n+ * send intentionally leaves the buffer live until the queue is stopped.\n+ */\n+static void enic_admin_wq_buf_clean(struct vnic_wq *wq,\n+\t\t\t\t struct vnic_wq_buf *buf)\n+{\n+\tstruct enic *enic = vnic_dev_priv(wq-\u003evdev);\n+\n+\tif (buf-\u003eos_buf) {\n+\t\tdma_unmap_single(\u0026enic-\u003epdev-\u003edev, buf-\u003edma_addr,\n+\t\t\t\t buf-\u003elen, DMA_TO_DEVICE);\n+\t\tkfree(buf-\u003eos_buf);\n+\t\tbuf-\u003eos_buf = NULL;\n+\t}\n+}\n+\n+static void enic_admin_rq_buf_clean(struct vnic_rq *rq,\n+\t\t\t\t struct vnic_rq_buf *buf)\n+{\n+\tstruct enic *enic = vnic_dev_priv(rq-\u003evdev);\n+\n+\tif (!buf-\u003eos_buf)\n+\t\treturn;\n+\n+\tdma_unmap_single(\u0026enic-\u003epdev-\u003edev, buf-\u003edma_addr, buf-\u003elen,\n+\t\t\t DMA_FROM_DEVICE);\n+\tkfree(buf-\u003eos_buf);\n+\tbuf-\u003eos_buf = NULL;\n+}\n+\n+static int enic_admin_rq_post_one(struct enic *enic, gfp_t gfp)\n+{\n+\tstruct vnic_rq *rq = \u0026enic-\u003eadmin_rq;\n+\tstruct rq_enet_desc *desc;\n+\tdma_addr_t dma_addr;\n+\tvoid *buf;\n+\n+\tbuf = kmalloc(ENIC_ADMIN_BUF_SIZE, gfp);\n+\tif (!buf)\n+\t\treturn -ENOMEM;\n+\n+\tdma_addr = dma_map_single(\u0026enic-\u003epdev-\u003edev, buf, ENIC_ADMIN_BUF_SIZE,\n+\t\t\t\t DMA_FROM_DEVICE);\n+\tif (dma_mapping_error(\u0026enic-\u003epdev-\u003edev, dma_addr)) {\n+\t\tkfree(buf);\n+\t\treturn -ENOMEM;\n+\t}\n+\n+\tdesc = vnic_rq_next_desc(rq);\n+\trq_enet_desc_enc(desc, (u64)dma_addr | VNIC_PADDR_TARGET,\n+\t\t\t RQ_ENET_TYPE_ONLY_SOP, ENIC_ADMIN_BUF_SIZE);\n+\tvnic_rq_post(rq, buf, 0, dma_addr, ENIC_ADMIN_BUF_SIZE, 0);\n+\n+\treturn 0;\n+}\n+\n+static int enic_admin_rq_fill(struct enic *enic, gfp_t gfp)\n+{\n+\tstruct vnic_rq *rq = \u0026enic-\u003eadmin_rq;\n+\tint err;\n+\n+\twhile (vnic_rq_desc_avail(rq) \u003e 0) {\n+\t\terr = enic_admin_rq_post_one(enic, gfp);\n+\t\tif (err)\n+\t\t\treturn err;\n+\t}\n+\n+\treturn 0;\n+}\n+\n+static void enic_admin_rq_drain(struct enic *enic)\n+{\n+\tvnic_rq_clean(\u0026enic-\u003eadmin_rq, enic_admin_rq_buf_clean);\n+}\n+\n+static unsigned int enic_admin_cq_color(void *cq_desc, unsigned int desc_size)\n+{\n+\tu8 type_color = *((u8 *)cq_desc + desc_size - 1);\n+\n+\treturn (type_color \u003e\u003e CQ_DESC_COLOR_SHIFT) \u0026 CQ_DESC_COLOR_MASK;\n+}\n+\n+unsigned int enic_admin_wq_cq_service(struct enic *enic)\n+{\n+\tstruct vnic_cq *cq = \u0026enic-\u003eadmin_cq[0];\n+\tunsigned int work = 0;\n+\tvoid *desc;\n+\n+\tdesc = vnic_cq_to_clean(cq);\n+\twhile (enic_admin_cq_color(desc, cq-\u003ering.desc_size) !=\n+\t cq-\u003elast_color) {\n+\t\tvnic_cq_inc_to_clean(cq);\n+\t\twork++;\n+\t\tdesc = vnic_cq_to_clean(cq);\n+\t}\n+\n+\treturn work;\n+}\n+\n+/* Upper bound on pending admin messages. A buggy or hostile VF could flood\n+ * the PF admin channel faster than admin_msg_work drains it; cap the backlog\n+ * so a guest cannot drive the host out of memory.\n+ */\n+#define ENIC_ADMIN_MSG_MAX\t256\n+\n+static void enic_admin_msg_enqueue(struct enic *enic, void *buf,\n+\t\t\t\t unsigned int len)\n+{\n+\tstruct enic_admin_msg *msg;\n+\n+\tmsg = kmalloc(struct_size(msg, data, len), GFP_KERNEL);\n+\tif (!msg)\n+\t\treturn;\n+\n+\tmsg-\u003elen = len;\n+\tmemcpy(msg-\u003edata, buf, len);\n+\n+\tspin_lock(\u0026enic-\u003eadmin_msg_lock);\n+\tif (enic-\u003eadmin_msg_count \u003e= ENIC_ADMIN_MSG_MAX) {\n+\t\tspin_unlock(\u0026enic-\u003eadmin_msg_lock);\n+\t\tkfree(msg);\n+\t\tif (net_ratelimit())\n+\t\t\tnetdev_warn(enic-\u003enetdev,\n+\t\t\t\t \"admin msg backlog full (%u); dropping\\n\",\n+\t\t\t\t ENIC_ADMIN_MSG_MAX);\n+\t\treturn;\n+\t}\n+\tlist_add_tail(\u0026msg-\u003elist, \u0026enic-\u003eadmin_msg_list);\n+\tenic-\u003eadmin_msg_count++;\n+\tspin_unlock(\u0026enic-\u003eadmin_msg_lock);\n+}\n+\n+unsigned int enic_admin_rq_cq_service(struct enic *enic)\n+{\n+\tstruct vnic_cq *cq = \u0026enic-\u003eadmin_cq[1];\n+\tstruct vnic_rq *rq = \u0026enic-\u003eadmin_rq;\n+\tstruct cq_enet_rq_desc *rq_desc;\n+\tstruct vnic_rq_buf *buf;\n+\tu16 bwf, bytes_written;\n+\tunsigned int work = 0;\n+\tvoid *desc;\n+\n+\t/* The admin RQ and its CQ form a single in-order channel: firmware\n+\t * posts exactly one CQE per consumed RQ descriptor, in submission\n+\t * order. Each CQE therefore pairs with rq-\u003eto_clean below without a\n+\t * completed_index cross-check, mirroring the in-order assumption of\n+\t * the main enic RX path.\n+\t */\n+\tdesc = vnic_cq_to_clean(cq);\n+\twhile (enic_admin_cq_color(desc, cq-\u003ering.desc_size) !=\n+\t cq-\u003elast_color) {\n+\t\t/* Ensure DMA descriptor fields are read after\n+\t\t * the color/valid check. dma_rmb() is the\n+\t\t * correct barrier for DMA-written descriptors.\n+\t\t */\n+\t\tdma_rmb();\n+\t\tbuf = rq-\u003eto_clean;\n+\n+\t\t/* Decode the actual number of bytes hardware wrote into\n+\t\t * the RX buffer. buf-\u003elen is the static allocation size\n+\t\t * (ENIC_ADMIN_BUF_SIZE) and would expose uninitialised\n+\t\t * heap memory beyond the real payload. bytes_written_flags\n+\t\t * is at the same offset in every cq_enet_rq_desc[_32|_64]\n+\t\t * variant.\n+\t\t */\n+\t\trq_desc = desc;\n+\t\tbwf = le16_to_cpu(rq_desc-\u003ebytes_written_flags);\n+\t\tbytes_written = bwf \u0026 CQ_ENET_RQ_DESC_BYTES_WRITTEN_MASK;\n+\t\tif (bytes_written \u003e buf-\u003elen)\n+\t\t\tgoto next_desc;\n+\n+\t\tdma_sync_single_for_cpu(\u0026enic-\u003epdev-\u003edev,\n+\t\t\t\t\tbuf-\u003edma_addr, buf-\u003elen,\n+\t\t\t\t\tDMA_FROM_DEVICE);\n+\n+\t\t/* Drop on hardware error indications. Admin messages\n+\t\t * are internal to the VIC, not received over the wire.\n+\t\t * Firmware sets TRUNCATED when the message does not fit\n+\t\t * in the posted buffer, and FCS_OK is always set on\n+\t\t * healthy admin completions.\n+\t\t */\n+\t\tif (bwf \u0026 CQ_ENET_RQ_DESC_FLAGS_TRUNCATED) {\n+\t\t\tnetdev_warn_once(enic-\u003enetdev,\n+\t\t\t\t\t \"admin RQ: truncated message dropped\\n\");\n+\t\t\tgoto next_desc;\n+\t\t}\n+\t\tif (!(rq_desc-\u003eflags \u0026 CQ_ENET_RQ_DESC_FLAGS_FCS_OK)) {\n+\t\t\tnetdev_warn_once(enic-\u003enetdev,\n+\t\t\t\t\t \"admin RQ: bad FCS, dropping message\\n\");\n+\t\t\tgoto next_desc;\n+\t\t}\n+\n+\t\tif (enic-\u003eadmin_rq_handler) {\n+\t\t\tu16 sender_vlan;\n+\n+\t\t\t/* Firmware sets the CQ VLAN field to identify the\n+\t\t\t * sender: 0 = PF, 1-based = VF index. Overwrite\n+\t\t\t * the untrusted src_vnic_id in the MBOX header with\n+\t\t\t * the hardware-verified value.\n+\t\t\t */\n+\t\t\tsender_vlan = le16_to_cpu(rq_desc-\u003evlan);\n+\t\t\tif (bytes_written \u003e= sizeof(struct enic_mbox_hdr)) {\n+\t\t\t\tstruct enic_mbox_hdr *hdr = buf-\u003eos_buf;\n+\n+\t\t\t\thdr-\u003esrc_vnic_id = (sender_vlan == 0) ?\n+\t\t\t\t\tcpu_to_le16(ENIC_MBOX_DST_PF) :\n+\t\t\t\t\tcpu_to_le16(sender_vlan - 1);\n+\t\t\t}\n+\n+\t\t\tenic_admin_msg_enqueue(enic, buf-\u003eos_buf,\n+\t\t\t\t\t bytes_written);\n+\t\t}\n+\n+next_desc:\n+\t\tenic_admin_rq_buf_clean(rq, rq-\u003eto_clean);\n+\t\trq-\u003eto_clean = rq-\u003eto_clean-\u003enext;\n+\t\trq-\u003ering.desc_avail++;\n+\n+\t\tvnic_cq_inc_to_clean(cq);\n+\t\twork++;\n+\t\tdesc = vnic_cq_to_clean(cq);\n+\t}\n+\n+\tif (enic_admin_rq_fill(enic, GFP_KERNEL) \u0026\u0026 net_ratelimit())\n+\t\tnetdev_warn(enic-\u003enetdev,\n+\t\t\t \"admin RQ refill failed\\n\");\n+\n+\treturn work;\n+}\n+\n+static irqreturn_t enic_admin_isr_msix(int irq, void *data)\n+{\n+\tstruct enic *enic = data;\n+\n+\tschedule_work(\u0026enic-\u003eadmin_poll_work);\n+\n+\treturn IRQ_HANDLED;\n+}\n+\n+static void enic_admin_msg_work_handler(struct work_struct *work)\n+{\n+\tstruct enic *enic = container_of(work, struct enic, admin_msg_work);\n+\tstruct enic_admin_msg *msg, *tmp;\n+\tLIST_HEAD(local_list);\n+\n+\tspin_lock_bh(\u0026enic-\u003eadmin_msg_lock);\n+\tlist_splice_init(\u0026enic-\u003eadmin_msg_list, \u0026local_list);\n+\tenic-\u003eadmin_msg_count = 0;\n+\tspin_unlock_bh(\u0026enic-\u003eadmin_msg_lock);\n+\n+\tlist_for_each_entry_safe(msg, tmp, \u0026local_list, list) {\n+\t\tif (enic-\u003eadmin_rq_handler)\n+\t\t\tenic-\u003eadmin_rq_handler(enic, msg-\u003edata, msg-\u003elen);\n+\t\tlist_del(\u0026msg-\u003elist);\n+\t\tkfree(msg);\n+\t}\n+}\n+\n+static void enic_admin_poll_work_handler(struct work_struct *work)\n+{\n+\tstruct enic *enic = container_of(work, struct enic, admin_poll_work);\n+\tunsigned int credits;\n+\tunsigned int rq_work;\n+\n+\t/* Snapshot the pending credit count before draining so we acknowledge\n+\t * exactly what the hardware reported for this interrupt. Credits that\n+\t * accrue while enic_admin_rq_cq_service() runs are left for the next\n+\t * interrupt, which is harmless on this low-rate control path.\n+\t */\n+\tcredits = vnic_intr_credits(\u0026enic-\u003eadmin_intr);\n+\n+\trq_work = enic_admin_rq_cq_service(enic);\n+\n+\tif (rq_work \u003e 0)\n+\t\tschedule_work(\u0026enic-\u003eadmin_msg_work);\n+\n+\t/* Acknowledge the snapshotted credits and unmask the vector. Unlike\n+\t * the NAPI data path, the admin channel is not re-polled, so the vector\n+\t * must be re-armed here to receive the next completion. Return at least\n+\t * one credit so the write always carries a non-zero acknowledgment and\n+\t * re-arms the vector even on a spurious wakeup that found no credits.\n+\t */\n+\tvnic_intr_return_credits(\u0026enic-\u003eadmin_intr,\n+\t\t\t\t credits ?: 1,\n+\t\t\t\t 1 /* unmask */, 0);\n+}\n+\n+static int enic_admin_setup_intr(struct enic *enic)\n+{\n+\tunsigned int intr_index = enic-\u003eintr_count;\n+\tint err;\n+\n+\tif (vnic_dev_get_intr_mode(enic-\u003evdev) != VNIC_DEV_INTR_MODE_MSIX ||\n+\t intr_index \u003e= enic-\u003eintr_avail)\n+\t\treturn -ENODEV;\n+\n+\t/* The admin INTR uses a slot in the same RES_TYPE_INTR_CTRL\n+\t * strided array of per-vector control blocks (mask, coalescing\n+\t * timer, credit return) that the data-path IRQs occupy in BAR0.\n+\t * vnic_intr_alloc() defaults to RES_TYPE_INTR_CTRL, which is what\n+\t * we want here.\n+\t */\n+\terr = vnic_intr_alloc(enic-\u003evdev, \u0026enic-\u003eadmin_intr, intr_index);\n+\tif (err) {\n+\t\tnetdev_warn(enic-\u003enetdev,\n+\t\t\t \"Failed to alloc admin intr at index %u: %d\\n\",\n+\t\t\t intr_index, err);\n+\t\treturn err;\n+\t}\n+\n+\tenic-\u003eadmin_intr_index = intr_index;\n+\n+\t/* A V2 VF opens the admin channel during probe, before\n+\t * register_netdev() resolves the \"eth%d\" name template, so using\n+\t * netdev-\u003ename here would register the literal \"eth%d-admin\" in\n+\t * /proc/interrupts. Use the already-stable PCI device name instead.\n+\t */\n+\tsnprintf(enic-\u003emsix[intr_index].devname,\n+\t\t sizeof(enic-\u003emsix[intr_index].devname),\n+\t\t \"%s-admin\", pci_name(enic-\u003epdev));\n+\tenic-\u003emsix[intr_index].isr = enic_admin_isr_msix;\n+\tenic-\u003emsix[intr_index].devid = enic;\n+\n+\terr = request_irq(enic-\u003emsix_entry[intr_index].vector,\n+\t\t\t enic-\u003emsix[intr_index].isr, 0,\n+\t\t\t enic-\u003emsix[intr_index].devname,\n+\t\t\t enic-\u003emsix[intr_index].devid);\n+\tif (err) {\n+\t\tnetdev_warn(enic-\u003enetdev,\n+\t\t\t \"Failed to request admin MSI-X irq: %d\\n\", err);\n+\t\tvnic_intr_free(\u0026enic-\u003eadmin_intr);\n+\t\treturn err;\n+\t}\n+\n+\tenic-\u003emsix[intr_index].requested = 1;\n+\n+\tnetdev_dbg(enic-\u003enetdev,\n+\t\t \"admin channel using MSI-X interrupt (index %u)\\n\",\n+\t\t intr_index);\n+\n+\treturn 0;\n+}\n+\n+static void enic_admin_teardown_intr(struct enic *enic)\n+{\n+\tunsigned int intr_index = enic-\u003eadmin_intr_index;\n+\n+\tfree_irq(enic-\u003emsix_entry[intr_index].vector,\n+\t\t enic-\u003emsix[intr_index].devid);\n+\tcancel_work_sync(\u0026enic-\u003eadmin_poll_work);\n+\tenic-\u003emsix[intr_index].requested = 0;\n+}\n+\n+static int enic_admin_qp_type_set(struct enic *enic, u32 enable)\n+{\n+\tu64 a0 = QP_TYPE_ADMIN, a1 = enable;\n+\tint wait = 1000;\n+\tint err;\n+\n+\tspin_lock_bh(\u0026enic-\u003edevcmd_lock);\n+\terr = vnic_dev_cmd(enic-\u003evdev, CMD_QP_TYPE_SET, \u0026a0, \u0026a1, wait);\n+\tspin_unlock_bh(\u0026enic-\u003edevcmd_lock);\n+\n+\treturn err;\n+}\n+\n+static int enic_admin_alloc_resources(struct enic *enic)\n+{\n+\tint err;\n+\n+\terr = vnic_wq_alloc_with_type(enic-\u003evdev, \u0026enic-\u003eadmin_wq, 0,\n+\t\t\t\t ENIC_ADMIN_DESC_COUNT,\n+\t\t\t\t sizeof(struct wq_enet_desc),\n+\t\t\t\t RES_TYPE_ADMIN_WQ);\n+\tif (err)\n+\t\treturn err;\n+\n+\terr = vnic_rq_alloc_with_type(enic-\u003evdev, \u0026enic-\u003eadmin_rq, 0,\n+\t\t\t\t ENIC_ADMIN_DESC_COUNT,\n+\t\t\t\t sizeof(struct rq_enet_desc),\n+\t\t\t\t RES_TYPE_ADMIN_RQ);\n+\tif (err)\n+\t\tgoto free_wq;\n+\n+\t/* admin_cq[0] is the WQ completion queue. WQ CQEs are always\n+\t * 16 bytes wide; firmware always writes 16-byte CQEs for WQ\n+\t * completions on every WQ, including the admin channel WQ.\n+\t * Use sizeof(struct cq_desc) accordingly.\n+\t */\n+\terr = vnic_cq_alloc_with_type(enic-\u003evdev, \u0026enic-\u003eadmin_cq[0], 0,\n+\t\t\t\t ENIC_ADMIN_DESC_COUNT,\n+\t\t\t\t sizeof(struct cq_desc),\n+\t\t\t\t RES_TYPE_ADMIN_CQ);\n+\tif (err)\n+\t\tgoto free_rq;\n+\n+\t/* admin_cq[1] is the RQ completion queue. Its descriptor size\n+\t * must match what firmware writes. enic_ext_cq() called earlier\n+\t * in probe issues CMD_CQ_ENTRY_SIZE_SET for VNIC_RQ_ALL,\n+\t * programming firmware to write CQ entries of (16 \u003c\u003c enic-\u003eext_cq)\n+\t * bytes for every RQ CQ on the vNIC, including the admin RQ CQ.\n+\t * Allocating with the same size keeps the host poller and\n+\t * firmware in lockstep:\n+\t *\n+\t * - The color/valid bit lives at byte (desc_size - 1) of every\n+\t * cq_enet_rq_desc[_32|_64] variant, so enic_admin_cq_color()\n+\t * reads it from the correct offset.\n+\t * - Only the first 15 bytes of the descriptor (vlan,\n+\t * bytes_written_flags, ...) are accessed by the admin path;\n+\t * these fields are identical across all three variants (see\n+\t * comment in enic_rq.c above cq_enet_rq_desc_dec()).\n+\t */\n+\terr = vnic_cq_alloc_with_type(enic-\u003evdev, \u0026enic-\u003eadmin_cq[1], 1,\n+\t\t\t\t ENIC_ADMIN_DESC_COUNT,\n+\t\t\t\t 16 \u003c\u003c enic-\u003eext_cq,\n+\t\t\t\t RES_TYPE_ADMIN_CQ);\n+\tif (err)\n+\t\tgoto free_cq0;\n+\n+\treturn 0;\n+\n+free_cq0:\n+\tvnic_cq_free(\u0026enic-\u003eadmin_cq[0]);\n+free_rq:\n+\tvnic_rq_free(\u0026enic-\u003eadmin_rq);\n+free_wq:\n+\tvnic_wq_free(\u0026enic-\u003eadmin_wq);\n+\treturn err;\n+}\n+\n+static void enic_admin_free_resources(struct enic *enic)\n+{\n+\tvnic_intr_free(\u0026enic-\u003eadmin_intr);\n+\tvnic_cq_free(\u0026enic-\u003eadmin_cq[1]);\n+\tvnic_cq_free(\u0026enic-\u003eadmin_cq[0]);\n+\tvnic_rq_free(\u0026enic-\u003eadmin_rq);\n+\tvnic_wq_free(\u0026enic-\u003eadmin_wq);\n+}\n+\n+static void enic_admin_init_resources(struct enic *enic)\n+{\n+\tunsigned int intr_offset = enic-\u003eadmin_intr_index;\n+\n+\tvnic_wq_init(\u0026enic-\u003eadmin_wq,\n+\t\t 0, 0, 0); /* cq_index, err_intr_enable, err_intr_offset */\n+\tvnic_rq_init(\u0026enic-\u003eadmin_rq,\n+\t\t 1, 0, 0); /* cq_index, err_intr_enable, err_intr_offset */\n+\tvnic_cq_init(\u0026enic-\u003eadmin_cq[0],\n+\t\t VNIC_CQ_FC_DISABLE,\n+\t\t VNIC_CQ_COLOR_ENABLE,\n+\t\t 0, 0, 1, /* cq_head, cq_tail, cq_tail_color */\n+\t\t VNIC_CQ_INTR_DISABLE, /* polled synchronously by mbox send */\n+\t\t VNIC_CQ_ENTRY_ENABLE,\n+\t\t VNIC_CQ_MSG_DISABLE,\n+\t\t intr_offset,\n+\t\t 0 /* cq_message_addr */);\n+\tvnic_cq_init(\u0026enic-\u003eadmin_cq[1],\n+\t\t VNIC_CQ_FC_DISABLE,\n+\t\t VNIC_CQ_COLOR_ENABLE,\n+\t\t 0, 0, 1, /* cq_head, cq_tail, cq_tail_color */\n+\t\t VNIC_CQ_INTR_ENABLE,\n+\t\t VNIC_CQ_ENTRY_ENABLE,\n+\t\t VNIC_CQ_MSG_DISABLE,\n+\t\t intr_offset,\n+\t\t 0 /* cq_message_addr */);\n+\t/* coalescing_timer, coalescing_type, mask_on_assertion */\n+\tvnic_intr_init(\u0026enic-\u003eadmin_intr,\n+\t\t 0, 0, 1);\n+}\n+\n+static void enic_admin_msg_drain(struct enic *enic)\n+{\n+\tstruct enic_admin_msg *msg, *tmp;\n+\n+\tspin_lock_bh(\u0026enic-\u003eadmin_msg_lock);\n+\tlist_for_each_entry_safe(msg, tmp, \u0026enic-\u003eadmin_msg_list, list) {\n+\t\tlist_del(\u0026msg-\u003elist);\n+\t\tkfree(msg);\n+\t}\n+\tenic-\u003eadmin_msg_count = 0;\n+\tspin_unlock_bh(\u0026enic-\u003eadmin_msg_lock);\n+}\n+\n+int enic_admin_channel_open(struct enic *enic)\n+{\n+\tint err;\n+\n+\tif (!enic-\u003ehas_admin_channel)\n+\t\treturn -ENODEV;\n+\n+\t/* Keep MBOX sends disabled for the entire open sequence. It is\n+\t * cleared only after every resource is allocated and enabled below,\n+\t * so any early error return here leaves sends disabled and a\n+\t * concurrent sender cannot touch a half-open or freed admin_wq.\n+\t */\n+\tWRITE_ONCE(enic-\u003embox_send_disabled, true);\n+\n+\terr = enic_admin_alloc_resources(enic);\n+\tif (err) {\n+\t\tnetdev_err(enic-\u003enetdev,\n+\t\t\t \"Failed to alloc admin channel resources: %d\\n\",\n+\t\t\t err);\n+\t\treturn err;\n+\t}\n+\n+\tspin_lock_init(\u0026enic-\u003eadmin_msg_lock);\n+\tINIT_LIST_HEAD(\u0026enic-\u003eadmin_msg_list);\n+\tINIT_WORK(\u0026enic-\u003eadmin_msg_work, enic_admin_msg_work_handler);\n+\tINIT_WORK(\u0026enic-\u003eadmin_poll_work, enic_admin_poll_work_handler);\n+\n+\terr = enic_admin_setup_intr(enic);\n+\tif (err) {\n+\t\tnetdev_err(enic-\u003enetdev,\n+\t\t\t \"Admin channel requires MSI-X, SR-IOV unavailable: %d\\n\",\n+\t\t\t err);\n+\t\tgoto free_resources;\n+\t}\n+\n+\tenic_admin_init_resources(enic);\n+\n+\tvnic_wq_enable(\u0026enic-\u003eadmin_wq);\n+\tvnic_rq_enable(\u0026enic-\u003eadmin_rq);\n+\n+\terr = enic_admin_rq_fill(enic, GFP_KERNEL);\n+\tif (err) {\n+\t\tnetdev_err(enic-\u003enetdev,\n+\t\t\t \"Failed to fill admin RQ buffers: %d\\n\", err);\n+\t\tgoto disable_queues;\n+\t}\n+\n+\terr = enic_admin_qp_type_set(enic, QP_ENABLE);\n+\tif (err) {\n+\t\tnetdev_err(enic-\u003enetdev,\n+\t\t\t \"Failed to set admin QP type: %d\\n\", err);\n+\t\tgoto disable_queues;\n+\t}\n+\n+\tvnic_intr_unmask(\u0026enic-\u003eadmin_intr);\n+\n+\t/* Only now that the admin WQ/RQ/CQ and interrupt are fully allocated,\n+\t * programmed and enabled is it safe to allow MBOX sends. Clearing this\n+\t * earlier opened a window where a concurrent sender (e.g. link-notify\n+\t * work scheduled by a post-reset link-up) could call enic_mbox_send_msg()\n+\t * against a not-yet-allocated admin_wq and crash.\n+\t */\n+\tWRITE_ONCE(enic-\u003embox_send_disabled, false);\n+\n+\tnetdev_dbg(enic-\u003enetdev,\n+\t\t \"admin channel open: intr=%u wq_avail=%u rq_avail=%u cq0_color=%u cq1_color=%u\\n\",\n+\t\t enic-\u003eadmin_intr_index,\n+\t\t vnic_wq_desc_avail(\u0026enic-\u003eadmin_wq),\n+\t\t vnic_rq_desc_avail(\u0026enic-\u003eadmin_rq),\n+\t\t enic-\u003eadmin_cq[0].last_color,\n+\t\t enic-\u003eadmin_cq[1].last_color);\n+\n+\tenic-\u003eadmin_chan_up = true;\n+\n+\treturn 0;\n+\n+disable_queues:\n+\tenic_admin_teardown_intr(enic);\n+\tenic_admin_qp_type_set(enic, QP_DISABLE);\n+\tif (vnic_wq_disable(\u0026enic-\u003eadmin_wq))\n+\t\tnetdev_warn(enic-\u003enetdev, \"Failed to disable admin WQ\\n\");\n+\tif (vnic_rq_disable(\u0026enic-\u003eadmin_rq))\n+\t\tnetdev_warn(enic-\u003enetdev, \"Failed to disable admin RQ\\n\");\n+\tcancel_work_sync(\u0026enic-\u003eadmin_msg_work);\n+\tenic_admin_msg_drain(enic);\n+\tenic_admin_rq_drain(enic);\n+free_resources:\n+\tenic_admin_free_resources(enic);\n+\treturn err;\n+}\n+\n+void enic_admin_channel_close(struct enic *enic)\n+{\n+\tint err;\n+\n+\tif (!enic-\u003ehas_admin_channel)\n+\t\treturn;\n+\n+\t/* Nothing to tear down if the channel was never (re)opened, e.g. a\n+\t * failed enic_admin_channel_open() in probe or in the reset path;\n+\t * otherwise the disable/clean calls below dereference freed resources.\n+\t */\n+\tif (!enic-\u003eadmin_chan_up)\n+\t\treturn;\n+\n+\tWRITE_ONCE(enic-\u003embox_send_disabled, true);\n+\n+\tnetdev_dbg(enic-\u003enetdev, \"admin channel close\\n\");\n+\n+\tvnic_intr_mask(\u0026enic-\u003eadmin_intr);\n+\tenic_admin_teardown_intr(enic);\n+\tcancel_work_sync(\u0026enic-\u003elink_notify_work);\n+\tcancel_work_sync(\u0026enic-\u003eadmin_msg_work);\n+\tenic_admin_msg_drain(enic);\n+\n+\tenic_admin_qp_type_set(enic, QP_DISABLE);\n+\n+\terr = vnic_wq_disable(\u0026enic-\u003eadmin_wq);\n+\tif (err)\n+\t\tnetdev_warn(enic-\u003enetdev,\n+\t\t\t \"Failed to disable admin WQ: %d\\n\", err);\n+\terr = vnic_rq_disable(\u0026enic-\u003eadmin_rq);\n+\tif (err)\n+\t\tnetdev_warn(enic-\u003enetdev,\n+\t\t\t \"Failed to disable admin RQ: %d\\n\", err);\n+\n+\tvnic_wq_clean(\u0026enic-\u003eadmin_wq, enic_admin_wq_buf_clean);\n+\tenic_admin_rq_drain(enic);\n+\tvnic_cq_clean(\u0026enic-\u003eadmin_cq[0]);\n+\tvnic_cq_clean(\u0026enic-\u003eadmin_cq[1]);\n+\tvnic_intr_clean(\u0026enic-\u003eadmin_intr);\n+\n+\tenic-\u003eadmin_rq_handler = NULL;\n+\tenic_admin_free_resources(enic);\n+\n+\tenic-\u003eadmin_chan_up = false;\n+}\ndiff --git a/drivers/net/ethernet/cisco/enic/enic_admin.h b/drivers/net/ethernet/cisco/enic/enic_admin.h\nnew file mode 100644\nindex 00000000000000..62c80220b0cacc\n--- /dev/null\n+++ b/drivers/net/ethernet/cisco/enic/enic_admin.h\n@@ -0,0 +1,27 @@\n+/* SPDX-License-Identifier: GPL-2.0-only */\n+/* Copyright 2025 Cisco Systems, Inc. All rights reserved. */\n+\n+#ifndef _ENIC_ADMIN_H_\n+#define _ENIC_ADMIN_H_\n+\n+#define ENIC_ADMIN_DESC_COUNT\t64\n+#define ENIC_ADMIN_BUF_SIZE\t2048\n+\n+struct enic;\n+\n+/* Wrapper for received admin messages queued for deferred processing.\n+ * The admin CQ poll work handler enqueues these; a separate work handler\n+ * processes them where sleeping (mutex, GFP_KERNEL) is safe.\n+ */\n+struct enic_admin_msg {\n+\tstruct list_head list;\n+\tunsigned int len;\n+\tu8 data[] __aligned(8);\n+};\n+\n+int enic_admin_channel_open(struct enic *enic);\n+void enic_admin_channel_close(struct enic *enic);\n+unsigned int enic_admin_wq_cq_service(struct enic *enic);\n+unsigned int enic_admin_rq_cq_service(struct enic *enic);\n+\n+#endif /* _ENIC_ADMIN_H_ */\ndiff --git a/drivers/net/ethernet/cisco/enic/enic_main.c b/drivers/net/ethernet/cisco/enic/enic_main.c\nindex e7125b81808799..be3ae0a57af33e 100644\n--- a/drivers/net/ethernet/cisco/enic/enic_main.c\n+++ b/drivers/net/ethernet/cisco/enic/enic_main.c\n@@ -60,6 +60,8 @@\n #include \"enic_clsf.h\"\n #include \"enic_rq.h\"\n #include \"enic_wq.h\"\n+#include \"enic_admin.h\"\n+#include \"enic_mbox.h\"\n \n #define ENIC_NOTIFY_TIMER_PERIOD\t(2 * HZ)\n \n@@ -314,6 +316,11 @@ static int enic_is_sriov_vf(struct enic *enic)\n \t enic-\u003epdev-\u003edevice == PCI_DEVICE_ID_CISCO_VIC_ENET_VF_V2;\n }\n \n+int enic_is_sriov_vf_v2(struct enic *enic)\n+{\n+\treturn enic-\u003epdev-\u003edevice == PCI_DEVICE_ID_CISCO_VIC_ENET_VF_V2;\n+}\n+\n int enic_is_valid_vf(struct enic *enic, int vf)\n {\n #ifdef CONFIG_PCI_IOV\n@@ -411,6 +418,24 @@ static void enic_set_rx_coal_setting(struct enic *enic)\n \trx_coal-\u003euse_adaptive_rx_coalesce = 1;\n }\n \n+static void enic_link_notify_work_handler(struct work_struct *work)\n+{\n+\tstruct enic *enic = container_of(work, struct enic,\n+\t\t\t\t\t link_notify_work);\n+\tu32 state;\n+\tu16 i;\n+\n+\tif (!enic_sriov_enabled(enic) || !enic-\u003evf_state)\n+\t\treturn;\n+\n+\tstate = netif_carrier_ok(enic-\u003enetdev) ?\n+\t\tENIC_MBOX_LINK_STATE_ENABLE :\n+\t\tENIC_MBOX_LINK_STATE_DISABLE;\n+\n+\tfor (i = 0; i \u003c enic-\u003enum_vfs; i++)\n+\t\tenic_mbox_send_link_state(enic, i, state);\n+}\n+\n static void enic_link_check(struct enic *enic)\n {\n \tint link_status = vnic_dev_link_status(enic-\u003evdev);\n@@ -420,9 +445,13 @@ static void enic_link_check(struct enic *enic)\n \t\tnetdev_info(enic-\u003enetdev, \"Link UP\\n\");\n \t\tnetif_carrier_on(enic-\u003enetdev);\n \t\tenic_set_rx_coal_setting(enic);\n+\t\tif (enic_sriov_enabled(enic) \u0026\u0026 enic-\u003evf_state)\n+\t\t\tschedule_work(\u0026enic-\u003elink_notify_work);\n \t} else if (!link_status \u0026\u0026 carrier_ok) {\n \t\tnetdev_info(enic-\u003enetdev, \"Link DOWN\\n\");\n \t\tnetif_carrier_off(enic-\u003enetdev);\n+\t\tif (enic_sriov_enabled(enic) \u0026\u0026 enic-\u003evf_state)\n+\t\t\tschedule_work(\u0026enic-\u003elink_notify_work);\n \t}\n }\n \n@@ -2142,6 +2171,57 @@ static void enic_set_api_busy(struct enic *enic, bool busy)\n \tspin_unlock(\u0026enic-\u003eenic_api_lock);\n }\n \n+/* The admin/MBOX channel exists on a V2 PF while SR-IOV is enabled and on\n+ * every V2 VF. A reset wipes the admin WQ/RQ/CQ, so such devices must tear\n+ * the channel down before the reset and re-establish it afterwards.\n+ */\n+static bool enic_has_admin_chan(struct enic *enic)\n+{\n+\treturn enic_is_sriov_vf_v2(enic) ||\n+\t (enic_sriov_enabled(enic) \u0026\u0026 enic-\u003evf_type == ENIC_VF_TYPE_V2);\n+}\n+\n+/* Re-establish the admin/MBOX channel after a reset has re-created the data\n+ * path. Mirrors the relevant part of the probe / SR-IOV-enable sequence:\n+ * reopen the channel and reinitialise MBOX, then for a VF re-run the PF\n+ * handshake (its admin QP and PF-side registration were torn down by the\n+ * reset), or for a PF re-push the current link state to registered VFs.\n+ */\n+static void enic_admin_chan_reopen(struct enic *enic)\n+{\n+\tint err;\n+\n+\terr = enic_admin_channel_open(enic);\n+\tif (err) {\n+\t\tnetdev_err(enic-\u003enetdev,\n+\t\t\t \"admin channel reopen after reset failed: %d\\n\", err);\n+\t\treturn;\n+\t}\n+\n+\tenic_mbox_init(enic);\n+\n+\tif (enic_is_sriov_vf_v2(enic)) {\n+\t\terr = enic_mbox_vf_capability_check(enic);\n+\t\tif (err) {\n+\t\t\tnetdev_err(enic-\u003enetdev,\n+\t\t\t\t \"MBOX capability check after reset failed: %d\\n\",\n+\t\t\t\t err);\n+\t\t\treturn;\n+\t\t}\n+\t\terr = enic_mbox_vf_register(enic);\n+\t\tif (err)\n+\t\t\tnetdev_err(enic-\u003enetdev,\n+\t\t\t\t \"MBOX VF re-registration after reset failed: %d\\n\",\n+\t\t\t\t err);\n+\t} else {\n+\t\t/* The link came back up during enic_open() above while MBOX\n+\t\t * sends were still disabled (channel not yet reopened), so that\n+\t\t * link-notify was dropped. Re-push current link state now.\n+\t\t */\n+\t\tschedule_work(\u0026enic-\u003elink_notify_work);\n+\t}\n+}\n+\n static void enic_reset(struct work_struct *work)\n {\n \tstruct enic *enic = container_of(work, struct enic, reset);\n@@ -2154,15 +2234,34 @@ static void enic_reset(struct work_struct *work)\n \t/* Stop any activity from infiniband */\n \tenic_set_api_busy(enic, true);\n \n+\t/* Fully tear down the V2 admin/MBOX channel before the soft reset.\n+\t * The reset wipes all hardware queues including the admin WQ/RQ;\n+\t * closing first tells firmware to stop the admin QP (so it no longer\n+\t * DMAs from the about-to-be-reset rings) and frees the admin resources\n+\t * so they are cleanly re-allocated afterwards.\n+\t */\n+\tif (enic_has_admin_chan(enic))\n+\t\tenic_admin_channel_close(enic);\n+\n \tenic_stop(enic-\u003enetdev);\n+\n \tenic_dev_soft_reset(enic);\n \tenic_reset_addr_lists(enic);\n \tenic_init_vnic_resources(enic);\n \tenic_set_rss_nic_cfg(enic);\n \tenic_dev_set_ig_vlan_rewrite_mode(enic);\n \tenic_ext_cq(enic);\n+\n \tenic_open(enic-\u003enetdev);\n \n+\t/* Re-establish the admin/MBOX channel after the data path is back up.\n+\t * It was fully torn down by enic_admin_channel_close() above;\n+\t * enic_admin_chan_reopen() reopens it and, for a PF re-pushes link\n+\t * state, or for a VF re-runs the probe-time PF handshake.\n+\t */\n+\tif (enic_has_admin_chan(enic))\n+\t\tenic_admin_chan_reopen(enic);\n+\n \t/* Allow infiniband to fiddle with the device again */\n \tenic_set_api_busy(enic, false);\n \n@@ -2180,16 +2279,33 @@ static void enic_tx_hang_reset(struct work_struct *work)\n \t/* Stop any activity from infiniband */\n \tenic_set_api_busy(enic, true);\n \n+\t/* Fully tear down the V2 admin/MBOX channel before the hang reset, for\n+\t * the same reason as the soft reset path: stop the admin QP and free\n+\t * the admin resources before the hardware queues are wiped.\n+\t */\n+\tif (enic_has_admin_chan(enic))\n+\t\tenic_admin_channel_close(enic);\n+\n \tenic_dev_hang_notify(enic);\n \tenic_stop(enic-\u003enetdev);\n+\n \tenic_dev_hang_reset(enic);\n \tenic_reset_addr_lists(enic);\n \tenic_init_vnic_resources(enic);\n \tenic_set_rss_nic_cfg(enic);\n \tenic_dev_set_ig_vlan_rewrite_mode(enic);\n \tenic_ext_cq(enic);\n+\n \tenic_open(enic-\u003enetdev);\n \n+\t/* Re-establish the admin/MBOX channel after the data path is back up.\n+\t * It was fully torn down by enic_admin_channel_close() above;\n+\t * enic_admin_chan_reopen() reopens it and, for a PF re-pushes link\n+\t * state, or for a VF re-runs the probe-time PF handshake.\n+\t */\n+\tif (enic_has_admin_chan(enic))\n+\t\tenic_admin_chan_reopen(enic);\n+\n \t/* Allow infiniband to fiddle with the device again */\n \tenic_set_api_busy(enic, false);\n \n@@ -2200,6 +2316,8 @@ static void enic_tx_hang_reset(struct work_struct *work)\n \n static int enic_set_intr_mode(struct enic *enic)\n {\n+\tunsigned int admin_reserve = enic-\u003ehas_admin_channel ? 1 : 0;\n+\tunsigned int min_intr = ENIC_MSIX_MIN_INTR + admin_reserve;\n \tunsigned int i;\n \tint num_intr;\n \n@@ -2210,12 +2328,12 @@ static int enic_set_intr_mode(struct enic *enic)\n \t */\n \n \tif (enic-\u003econfig.intr_mode \u003c 1 \u0026\u0026\n-\t enic-\u003eintr_avail \u003e= ENIC_MSIX_MIN_INTR) {\n+\t enic-\u003eintr_avail \u003e= min_intr) {\n \t\tfor (i = 0; i \u003c enic-\u003eintr_avail; i++)\n \t\t\tenic-\u003emsix_entry[i].entry = i;\n \n \t\tnum_intr = pci_enable_msix_range(enic-\u003epdev, enic-\u003emsix_entry,\n-\t\t\t\t\t\t ENIC_MSIX_MIN_INTR,\n+\t\t\t\t\t\t min_intr,\n \t\t\t\t\t\t enic-\u003eintr_avail);\n \t\tif (num_intr \u003e 0) {\n \t\t\tvnic_dev_set_intr_mode(enic-\u003evdev,\n@@ -2310,16 +2428,27 @@ static int enic_adjust_resources(struct enic *enic)\n \t\tenic-\u003ecq_count = 2;\n \t\tenic-\u003eintr_count = enic-\u003eintr_avail;\n \t\tbreak;\n-\tcase VNIC_DEV_INTR_MODE_MSIX:\n+\tcase VNIC_DEV_INTR_MODE_MSIX: {\n \t\t/* Adjust the number of wqs/rqs/cqs/interrupts that will be\n-\t\t * used based on which resource is the most constrained\n+\t\t * used based on which resource is the most constrained.\n+\t\t * Reserve one extra MSI-X slot for the admin channel INTR\n+\t\t * when has_admin_channel is set so that\n+\t\t * enic_admin_setup_intr() can allocate at intr_count\n+\t\t * within the intr_avail bounds even when the data queue\n+\t\t * count is maxed out. intr_count counts only the data-path\n+\t\t * IRQs (registered by enic_request_intr()); the admin INTR\n+\t\t * lives at msix index intr_count and is set up later by\n+\t\t * enic_admin_setup_intr().\n \t\t */\n+\t\tunsigned int admin_reserve = enic-\u003ehas_admin_channel ? 1 : 0;\n+\n \t\twq_avail = min(enic-\u003ewq_avail, ENIC_WQ_MAX);\n \t\trq_default = max(netif_get_num_default_rss_queues(),\n \t\t\t\t ENIC_RQ_MIN_DEFAULT);\n \t\trq_avail = min3(enic-\u003erq_avail, ENIC_RQ_MAX, rq_default);\n \t\tmax_queues = min(enic-\u003ecq_avail,\n-\t\t\t\t enic-\u003eintr_avail - ENIC_MSIX_RESERVED_INTR);\n+\t\t\t\t enic-\u003eintr_avail - ENIC_MSIX_RESERVED_INTR -\n+\t\t\t\t admin_reserve);\n \t\tif (wq_avail + rq_avail \u003c= max_queues) {\n \t\t\tenic-\u003erq_count = rq_avail;\n \t\t\tenic-\u003ewq_count = wq_avail;\n@@ -2337,6 +2466,7 @@ static int enic_adjust_resources(struct enic *enic)\n \t\tenic-\u003eintr_count = enic-\u003ecq_count + ENIC_MSIX_RESERVED_INTR;\n \n \t\tbreak;\n+\t}\n \tdefault:\n \t\tdev_err(enic_get_dev(enic), \"Unknown interrupt mode\\n\");\n \t\treturn -EINVAL;\n@@ -2641,8 +2771,10 @@ static void enic_iounmap(struct enic *enic)\n static void enic_sriov_detect_vf_type(struct enic *enic)\n {\n \tstruct pci_dev *pdev = enic-\u003epdev;\n-\tint pos;\n+\tu64 supported_versions, a1 = 0;\n \tu16 vf_dev_id;\n+\tint pos;\n+\tint err;\n \n \tif (enic_is_sriov_vf(enic) || enic_is_dynamic(enic))\n \t\treturn;\n@@ -2669,6 +2801,157 @@ static void enic_sriov_detect_vf_type(struct enic *enic)\n \t\tenic-\u003evf_type = ENIC_VF_TYPE_NONE;\n \t\tbreak;\n \t}\n+\n+\tif (enic-\u003evf_type != ENIC_VF_TYPE_V2)\n+\t\treturn;\n+\n+\t/* A successful command means firmware recognizes\n+\t * VIC_FEATURE_SRIOV; supported_versions is available\n+\t * for sub-feature versioning in the future.\n+\t */\n+\terr = vnic_dev_get_supported_feature_ver(enic-\u003evdev,\n+\t\t\t\t\t\t VIC_FEATURE_SRIOV,\n+\t\t\t\t\t\t \u0026supported_versions,\n+\t\t\t\t\t\t \u0026a1);\n+\tif (err) {\n+\t\tdev_warn(\u0026pdev-\u003edev,\n+\t\t\t \"SR-IOV V2 not supported by current firmware. Upgrade to VIC FW 5.3(4.72) or higher.\\n\");\n+\t\tenic-\u003evf_type = ENIC_VF_TYPE_NONE;\n+\t}\n+}\n+\n+static int __maybe_unused\n+enic_sriov_v2_enable(struct enic *enic, int num_vfs)\n+{\n+\tint err;\n+\n+\tif (!enic-\u003ehas_admin_channel) {\n+\t\tnetdev_err(enic-\u003enetdev,\n+\t\t\t \"V2 SR-IOV requires admin channel resources\\n\");\n+\t\treturn -EOPNOTSUPP;\n+\t}\n+\n+\tenic-\u003evf_state = kcalloc(num_vfs, sizeof(*enic-\u003evf_state), GFP_KERNEL);\n+\tif (!enic-\u003evf_state)\n+\t\treturn -ENOMEM;\n+\n+\terr = enic_admin_channel_open(enic);\n+\tif (err) {\n+\t\tnetdev_err(enic-\u003enetdev,\n+\t\t\t \"Failed to open admin channel: %d\\n\", err);\n+\t\tgoto free_vf_state;\n+\t}\n+\n+\tenic_mbox_init(enic);\n+\n+\tenic-\u003enum_vfs = num_vfs;\n+\n+\terr = pci_enable_sriov(enic-\u003epdev, num_vfs);\n+\tif (err) {\n+\t\tnetdev_err(enic-\u003enetdev,\n+\t\t\t \"pci_enable_sriov failed: %d\\n\", err);\n+\t\tgoto close_admin;\n+\t}\n+\n+\tenic-\u003epriv_flags |= ENIC_SRIOV_ENABLED;\n+\treturn num_vfs;\n+\n+close_admin:\n+\tenic-\u003enum_vfs = 0;\n+\tenic_admin_channel_close(enic);\n+free_vf_state:\n+\tkfree(enic-\u003evf_state);\n+\tenic-\u003evf_state = NULL;\n+\treturn err;\n+}\n+\n+static void enic_sriov_v2_disable(struct enic *enic)\n+{\n+\t/* Stop new VF link-state broadcasts before tearing down vf_state.\n+\t * Clearing ENIC_SRIOV_ENABLED makes enic_link_check() (called from\n+\t * the notify timer/ISR) skip the VF notify path, and cancelling\n+\t * link_notify_work ensures any already-queued broadcast has finished\n+\t * before vf_state is freed, closing a use-after-free window.\n+\t */\n+\tenic-\u003epriv_flags \u0026= ~ENIC_SRIOV_ENABLED;\n+\tcancel_work_sync(\u0026enic-\u003elink_notify_work);\n+\n+\tpci_disable_sriov(enic-\u003epdev);\n+\tenic_admin_channel_close(enic);\n+\tkfree(enic-\u003evf_state);\n+\tenic-\u003evf_state = NULL;\n+\tenic-\u003enum_vfs = 0;\n+}\n+\n+/*\n+ * enic_sriov_configure() and its V2 helpers are defined but not yet wired\n+ * into enic_driver via .sriov_configure (see the __maybe_unused annotations);\n+ * V2 enable/disable is activated in a follow-up series. Because the callback\n+ * is not registered, it cannot run concurrently with the rtnl-protected reset\n+ * paths (enic_reset(), enic_tx_hang_reset()) yet. Serialization against those\n+ * paths is added together with the .sriov_configure wiring in that series.\n+ */\n+static int __maybe_unused\n+enic_sriov_configure(struct pci_dev *pdev, int num_vfs)\n+{\n+\tstruct net_device *netdev = pci_get_drvdata(pdev);\n+\tstruct enic *enic = netdev_priv(netdev);\n+\tstruct enic_port_profile *pp;\n+\tint err;\n+\n+\tif (num_vfs \u003e 0) {\n+\t\tif (enic-\u003econfig.mq_subvnic_count) {\n+\t\t\tnetdev_err(netdev,\n+\t\t\t\t \"SR-IOV not supported with multi-queue sub-vnics\\n\");\n+\t\t\treturn -EOPNOTSUPP;\n+\t\t}\n+\n+\t\tif (enic-\u003evf_type == ENIC_VF_TYPE_NONE) {\n+\t\t\tnetdev_err(netdev,\n+\t\t\t\t \"SR-IOV not supported on this firmware version\\n\");\n+\t\t\treturn -EOPNOTSUPP;\n+\t\t}\n+\n+\t\tif (enic-\u003evf_type == ENIC_VF_TYPE_V2)\n+\t\t\treturn enic_sriov_v2_enable(enic, num_vfs);\n+\n+\t\tpp = kcalloc(num_vfs, sizeof(*pp), GFP_KERNEL);\n+\t\tif (!pp)\n+\t\t\treturn -ENOMEM;\n+\n+\t\terr = pci_enable_sriov(pdev, num_vfs);\n+\t\tif (err) {\n+\t\t\tkfree(pp);\n+\t\t\treturn err;\n+\t\t}\n+\n+\t\tkfree(enic-\u003epp);\n+\t\tenic-\u003epp = pp;\n+\t\tenic-\u003enum_vfs = num_vfs;\n+\t\tenic-\u003epriv_flags |= ENIC_SRIOV_ENABLED;\n+\t\treturn num_vfs;\n+\t}\n+\n+\tif (!enic_sriov_enabled(enic))\n+\t\treturn 0;\n+\n+\tif (enic-\u003evf_type == ENIC_VF_TYPE_V2) {\n+\t\tenic_sriov_v2_disable(enic);\n+\t\treturn 0;\n+\t}\n+\n+\tpp = kzalloc_obj(*enic-\u003epp, GFP_KERNEL);\n+\tif (!pp)\n+\t\treturn -ENOMEM;\n+\n+\tpci_disable_sriov(pdev);\n+\tenic-\u003enum_vfs = 0;\n+\tenic-\u003epriv_flags \u0026= ~ENIC_SRIOV_ENABLED;\n+\n+\tkfree(enic-\u003epp);\n+\tenic-\u003epp = pp;\n+\n+\treturn 0;\n }\n #endif\n \n@@ -2768,12 +3051,18 @@ static int enic_probe(struct pci_dev *pdev, const struct pci_device_id *ent)\n \t\tgoto err_out_vnic_unregister;\n \n #ifdef CONFIG_PCI_IOV\n-\t/* Get number of subvnics */\n+\tenic_sriov_detect_vf_type(enic);\n+\n+\t/* Auto-enable SR-IOV if VFs were pre-configured (e.g. at boot).\n+\t * V2 VFs require the admin channel, which is not yet set up at probe\n+\t * time; use sysfs (enic_sriov_configure) to enable V2 SR-IOV instead.\n+\t */\n \tpos = pci_find_ext_capability(pdev, PCI_EXT_CAP_ID_SRIOV);\n \tif (pos) {\n \t\tpci_read_config_word(pdev, pos + PCI_SRIOV_TOTAL_VF,\n \t\t\t\u0026enic-\u003enum_vfs);\n-\t\tif (enic-\u003enum_vfs) {\n+\t\tif (enic-\u003enum_vfs \u0026\u0026\n+\t\t enic-\u003evf_type != ENIC_VF_TYPE_V2) {\n \t\t\terr = pci_enable_sriov(pdev, enic-\u003enum_vfs);\n \t\t\tif (err) {\n \t\t\t\tdev_err(dev, \"SRIOV enable failed, aborting.\"\n@@ -2785,7 +3074,6 @@ static int enic_probe(struct pci_dev *pdev, const struct pci_device_id *ent)\n \t\t\tnum_pps = enic-\u003enum_vfs;\n \t\t}\n \t}\n-\tenic_sriov_detect_vf_type(enic);\n #endif\n \n \t/* Allocate structure for port profiles */\n@@ -2850,6 +3138,44 @@ static int enic_probe(struct pci_dev *pdev, const struct pci_device_id *ent)\n \t\tgoto err_out_dev_close;\n \t}\n \n+\t/* Initialise link_notify_work before the V2-VF admin-open block below:\n+\t * its error path (err_out_admin_close -\u003e enic_admin_channel_close() -\u003e\n+\t * cancel_work_sync()) would otherwise act on an uninitialised work.\n+\t */\n+\tINIT_WORK(\u0026enic-\u003elink_notify_work, enic_link_notify_work_handler);\n+\n+\t/* V2 VF: open admin channel and register with PF.\n+\t * Must happen before register_netdev so the VF is fully\n+\t * initialized before the interface is visible to userspace.\n+\t *\n+\t * admin_channel_open() runs before enic_mbox_init() installs\n+\t * the receive handler. This is safe because\n+\t * enic_admin_rq_cq_service() checks admin_rq_handler before\n+\t * enqueuing any received buffer, so interrupts that fire\n+\t * between open and mbox_init are harmlessly discarded.\n+\t */\n+\tif (enic_is_sriov_vf_v2(enic)) {\n+\t\terr = enic_admin_channel_open(enic);\n+\t\tif (err) {\n+\t\t\tdev_err(dev,\n+\t\t\t\t\"Failed to open admin channel: %d\\n\", err);\n+\t\t\tgoto err_out_dev_deinit;\n+\t\t}\n+\t\tenic_mbox_init(enic);\n+\t\terr = enic_mbox_vf_capability_check(enic);\n+\t\tif (err) {\n+\t\t\tdev_err(dev,\n+\t\t\t\t\"MBOX capability check failed: %d\\n\", err);\n+\t\t\tgoto err_out_admin_close;\n+\t\t}\n+\t\terr = enic_mbox_vf_register(enic);\n+\t\tif (err) {\n+\t\t\tdev_err(dev,\n+\t\t\t\t\"MBOX VF registration failed: %d\\n\", err);\n+\t\t\tgoto err_out_admin_close;\n+\t\t}\n+\t}\n+\n \tnetif_set_real_num_tx_queues(netdev, enic-\u003ewq_count);\n \tnetif_set_real_num_rx_queues(netdev, enic-\u003erq_count);\n \n@@ -2874,7 +3200,7 @@ static int enic_probe(struct pci_dev *pdev, const struct pci_device_id *ent)\n \terr = enic_set_mac_addr(netdev, enic-\u003emac_addr);\n \tif (err) {\n \t\tdev_err(dev, \"Invalid MAC address, aborting\\n\");\n-\t\tgoto err_out_dev_deinit;\n+\t\tgoto err_out_admin_close;\n \t}\n \n \tenic-\u003etx_coalesce_usecs = enic-\u003econfig.intr_timer_usec;\n@@ -2972,11 +3298,23 @@ static int enic_probe(struct pci_dev *pdev, const struct pci_device_id *ent)\n \terr = register_netdev(netdev);\n \tif (err) {\n \t\tdev_err(dev, \"Cannot register net device, aborting\\n\");\n-\t\tgoto err_out_dev_deinit;\n+\t\tgoto err_out_admin_close;\n \t}\n \n \treturn 0;\n \n+err_out_admin_close:\n+\tif (enic_is_sriov_vf_v2(enic)) {\n+\t\tif (enic-\u003evf_registered) {\n+\t\t\tint unreg_err = enic_mbox_vf_unregister(enic);\n+\n+\t\t\tif (unreg_err)\n+\t\t\t\tnetdev_warn(netdev,\n+\t\t\t\t\t \"Failed to unregister from PF: %d\\n\",\n+\t\t\t\t\t unreg_err);\n+\t\t}\n+\t\tenic_admin_channel_close(enic);\n+\t}\n err_out_dev_deinit:\n \tenic_dev_deinit(enic);\n err_out_dev_close:\n@@ -3012,16 +3350,42 @@ static void enic_remove(struct pci_dev *pdev)\n \t\tstruct enic *enic = netdev_priv(netdev);\n \n \t\tcancel_work_sync(\u0026enic-\u003ereset);\n+\t\tcancel_work_sync(\u0026enic-\u003etx_hang_reset);\n \t\tcancel_work_sync(\u0026enic-\u003echange_mtu_work);\n+\n+\t\t/* Close the admin channel and unregister from the PF before\n+\t\t * unregister_netdev() to prevent a late PF notification from\n+\t\t * touching a netdev that is being torn down.\n+\t\t */\n+\t\tif (enic_is_sriov_vf_v2(enic)) {\n+\t\t\tif (enic-\u003evf_registered) {\n+\t\t\t\tint unreg_err = enic_mbox_vf_unregister(enic);\n+\n+\t\t\t\tif (unreg_err)\n+\t\t\t\t\tnetdev_warn(netdev,\n+\t\t\t\t\t\t \"Failed to unregister from PF: %d\\n\",\n+\t\t\t\t\t\t unreg_err);\n+\t\t\t}\n+\t\t\tenic_admin_channel_close(enic);\n+\t\t}\n+\n \t\tunregister_netdev(netdev);\n-\t\tenic_dev_deinit(enic);\n-\t\tvnic_dev_close(enic-\u003evdev);\n+\t\t/* unregister_netdev() -\u003e enic_stop() stops the notify timer, so\n+\t\t * no new link_notify_work can be queued past this point. Cancel\n+\t\t * unconditionally to cover the narrow window where\n+\t\t * enic_link_check() scheduled it just as SR-IOV was disabled.\n+\t\t */\n+\t\tcancel_work_sync(\u0026enic-\u003elink_notify_work);\n #ifdef CONFIG_PCI_IOV\n \t\tif (enic_sriov_enabled(enic)) {\n-\t\t\tpci_disable_sriov(pdev);\n-\t\t\tenic-\u003epriv_flags \u0026= ~ENIC_SRIOV_ENABLED;\n+\t\t\tif (enic-\u003evf_type == ENIC_VF_TYPE_V2)\n+\t\t\t\tenic_sriov_v2_disable(enic);\n+\t\t\telse\n+\t\t\t\tpci_disable_sriov(pdev);\n \t\t}\n #endif\n+\t\tenic_dev_deinit(enic);\n+\t\tvnic_dev_close(enic-\u003evdev);\n \t\tkfree(enic-\u003epp);\n \t\tvnic_dev_unregister(enic-\u003evdev);\n \t\tenic_iounmap(enic);\ndiff --git a/drivers/net/ethernet/cisco/enic/enic_mbox.c b/drivers/net/ethernet/cisco/enic/enic_mbox.c\nnew file mode 100644\nindex 00000000000000..6fb6a1027bb661\n--- /dev/null\n+++ b/drivers/net/ethernet/cisco/enic/enic_mbox.c\n@@ -0,0 +1,640 @@\n+// SPDX-License-Identifier: GPL-2.0-only\n+// Copyright 2025 Cisco Systems, Inc. All rights reserved.\n+\n+#include \u003clinux/kernel.h\u003e\n+#include \u003clinux/netdevice.h\u003e\n+#include \u003clinux/dma-mapping.h\u003e\n+#include \u003clinux/delay.h\u003e\n+#include \u003clinux/completion.h\u003e\n+\n+#include \"vnic_dev.h\"\n+#include \"vnic_wq.h\"\n+#include \"vnic_cq.h\"\n+#include \"enic.h\"\n+#include \"enic_admin.h\"\n+#include \"enic_mbox.h\"\n+#include \"wq_enet_desc.h\"\n+\n+#define ENIC_MBOX_POLL_TIMEOUT_US\t5000000\n+#define ENIC_MBOX_POLL_INTERVAL_US\t100\n+\n+static void enic_mbox_fill_hdr(struct enic *enic, struct enic_mbox_hdr *hdr,\n+\t\t\t u8 msg_type, u16 dst_vnic_id, u16 msg_len)\n+{\n+\tmemset(hdr, 0, sizeof(*hdr));\n+\thdr-\u003edst_vnic_id = cpu_to_le16(dst_vnic_id);\n+\thdr-\u003emsg_type = msg_type;\n+\thdr-\u003emsg_len = cpu_to_le16(msg_len);\n+\thdr-\u003emsg_num = cpu_to_le64(++enic-\u003embox_msg_num);\n+}\n+\n+int enic_mbox_send_msg(struct enic *enic, u8 msg_type, u16 dst_vnic_id,\n+\t\t void *payload, u16 payload_len)\n+{\n+\tu16 total_len = sizeof(struct enic_mbox_hdr) + payload_len;\n+\tstruct vnic_wq *wq = \u0026enic-\u003eadmin_wq;\n+\tstruct wq_enet_desc *desc;\n+\tunsigned long timeout;\n+\tdma_addr_t dma_addr;\n+\tu16 vlan_tag;\n+\tvoid *buf;\n+\tint err;\n+\n+\t/* Serialize MBOX sends. The admin channel is a low-frequency\n+\t * control path; holding the mutex across the poll is acceptable.\n+\t */\n+\tmutex_lock(\u0026enic-\u003embox_lock);\n+\n+\tif (!enic-\u003ehas_admin_channel || READ_ONCE(enic-\u003embox_send_disabled)) {\n+\t\terr = -ENODEV;\n+\t\tgoto unlock;\n+\t}\n+\n+\tif (vnic_wq_desc_avail(wq) == 0) {\n+\t\terr = -ENOSPC;\n+\t\tgoto unlock;\n+\t}\n+\n+\tbuf = kmalloc(total_len, GFP_KERNEL);\n+\tif (!buf) {\n+\t\terr = -ENOMEM;\n+\t\tgoto unlock;\n+\t}\n+\n+\tenic_mbox_fill_hdr(enic, buf, msg_type, dst_vnic_id, total_len);\n+\tif (payload_len) {\n+\t\tvoid *dst = buf + sizeof(struct enic_mbox_hdr);\n+\n+\t\tmemcpy(dst, payload, payload_len);\n+\t}\n+\n+\tdma_addr = dma_map_single(\u0026enic-\u003epdev-\u003edev, buf, total_len,\n+\t\t\t\t DMA_TO_DEVICE);\n+\tif (dma_mapping_error(\u0026enic-\u003epdev-\u003edev, dma_addr)) {\n+\t\tkfree(buf);\n+\t\terr = -ENOMEM;\n+\t\tgoto unlock;\n+\t}\n+\n+\t/* Firmware uses vlan field for routing: 0 = PF, 1-based = VF index */\n+\tif (dst_vnic_id == ENIC_MBOX_DST_PF)\n+\t\tvlan_tag = 0;\n+\telse\n+\t\tvlan_tag = dst_vnic_id + 1;\n+\n+\tdesc = vnic_wq_next_desc(wq);\n+\twq_enet_desc_enc(desc, (u64)dma_addr | VNIC_PADDR_TARGET,\n+\t\t\t total_len,\n+\t\t\t 0, 0, 0, /* mss, hdr_len, offload_mode */\n+\t\t\t 1, 1, /* eop, cq_entry */\n+\t\t\t 0, /* fcoe_encap */\n+\t\t\t 1, vlan_tag, /* vlan_tag_insert, vlan_tag */\n+\t\t\t 0); /* loopback */\n+\tvnic_wq_post(wq, buf, dma_addr, total_len,\n+\t\t 1, 1, /* sop, eop */\n+\t\t 1, 1, /* desc_skip_cnt, cq_entry */\n+\t\t 0, 0); /* compressed_send, wrid */\n+\tvnic_wq_doorbell(wq);\n+\n+\ttimeout = jiffies + usecs_to_jiffies(ENIC_MBOX_POLL_TIMEOUT_US);\n+\terr = -ETIMEDOUT;\n+\twhile (time_before(jiffies, timeout)) {\n+\t\tif (enic_admin_wq_cq_service(enic)) {\n+\t\t\terr = 0;\n+\t\t\tbreak;\n+\t\t}\n+\t\tusleep_range(ENIC_MBOX_POLL_INTERVAL_US,\n+\t\t\t ENIC_MBOX_POLL_INTERVAL_US + 50);\n+\t}\n+\t/* Final check in case completion arrived during the last sleep */\n+\tif (err \u0026\u0026 enic_admin_wq_cq_service(enic))\n+\t\terr = 0;\n+\n+\tif (!err) {\n+\t\twq-\u003eto_clean = wq-\u003eto_clean-\u003enext;\n+\t\twq-\u003ering.desc_avail++;\n+\t\tdma_unmap_single(\u0026enic-\u003epdev-\u003edev, dma_addr, total_len,\n+\t\t\t\t DMA_TO_DEVICE);\n+\t\tkfree(buf);\n+\t} else {\n+\t\tnetdev_err(enic-\u003enetdev,\n+\t\t\t \"MBOX send timed out (type %u dst %u), disabling channel\\n\",\n+\t\t\t msg_type, dst_vnic_id);\n+\t\t/*\n+\t\t * The WQ descriptor is still live in hardware. Do not unmap\n+\t\t * or free the buffer: the device may still DMA from dma_addr.\n+\t\t * Mark the channel unusable so no further sends are attempted.\n+\t\t */\n+\t\tWRITE_ONCE(enic-\u003embox_send_disabled, true);\n+\t}\n+\n+\tnetdev_dbg(enic-\u003enetdev,\n+\t\t \"MBOX send msg_type %u dst %u vlan %u err %d\\n\",\n+\t\t msg_type, dst_vnic_id, vlan_tag, err);\n+unlock:\n+\tmutex_unlock(\u0026enic-\u003embox_lock);\n+\treturn err;\n+}\n+\n+static int enic_mbox_wait_reply(struct enic *enic, unsigned long timeout_ms)\n+{\n+\tunsigned long left;\n+\n+\tleft = wait_for_completion_timeout(\u0026enic-\u003embox_comp,\n+\t\t\t\t\t msecs_to_jiffies(timeout_ms));\n+\n+\treturn left ? 0 : -ETIMEDOUT;\n+}\n+\n+int enic_mbox_send_link_state(struct enic *enic, u16 vf_id, u32 link_state)\n+{\n+\tstruct enic_mbox_pf_link_state_notif_msg notif = {};\n+\n+\tif (!enic-\u003evf_state || vf_id \u003e= enic-\u003enum_vfs ||\n+\t !enic-\u003evf_state[vf_id].registered) {\n+\t\tnetdev_dbg(enic-\u003enetdev,\n+\t\t\t \"MBOX: skip link state to unregistered VF %u\\n\",\n+\t\t\t vf_id);\n+\t\treturn 0;\n+\t}\n+\n+\tnotif.link_state = cpu_to_le32(link_state);\n+\treturn enic_mbox_send_msg(enic, ENIC_MBOX_PF_LINK_STATE_NOTIF, vf_id,\n+\t\t\t\t \u0026notif, sizeof(notif));\n+}\n+\n+static int enic_mbox_pf_handle_capability(struct enic *enic, void *msg,\n+\t\t\t\t\t u16 vf_id, u64 msg_num)\n+{\n+\tstruct enic_mbox_vf_capability_reply_msg reply = {};\n+\n+\treply.reply.ret_major = cpu_to_le16(0);\n+\treply.version = cpu_to_le32(ENIC_MBOX_CAP_VERSION_1);\n+\n+\treturn enic_mbox_send_msg(enic, ENIC_MBOX_VF_CAPABILITY_REPLY, vf_id,\n+\t\t\t\t \u0026reply, sizeof(reply));\n+}\n+\n+static int enic_mbox_pf_handle_register(struct enic *enic, void *msg,\n+\t\t\t\t\tu16 vf_id, u64 msg_num)\n+{\n+\tstruct enic_mbox_vf_register_reply_msg reply = {};\n+\tu32 link_state;\n+\tint err;\n+\n+\tif (!enic-\u003evf_state || vf_id \u003e= enic-\u003enum_vfs) {\n+\t\tif (net_ratelimit())\n+\t\t\tnetdev_warn(enic-\u003enetdev,\n+\t\t\t\t \"MBOX: register from invalid VF %u\\n\",\n+\t\t\t\t vf_id);\n+\t\treturn -EINVAL;\n+\t}\n+\n+\t/* VF re-registering (e.g. guest reboot without clean unregister):\n+\t * mark the previous registration inactive before accepting the new one.\n+\t */\n+\tif (enic-\u003evf_state[vf_id].registered) {\n+\t\tnetdev_dbg(enic-\u003enetdev,\n+\t\t\t \"MBOX: VF %u re-register, cleaning previous state\\n\",\n+\t\t\t vf_id);\n+\t\tenic-\u003evf_state[vf_id].registered = false;\n+\t}\n+\n+\treply.reply.ret_major = cpu_to_le16(0);\n+\terr = enic_mbox_send_msg(enic, ENIC_MBOX_VF_REGISTER_REPLY, vf_id,\n+\t\t\t\t \u0026reply, sizeof(reply));\n+\tif (err)\n+\t\treturn err;\n+\n+\tenic-\u003evf_state[vf_id].registered = true;\n+\tif (net_ratelimit())\n+\t\tnetdev_info(enic-\u003enetdev, \"VF %u registered via MBOX\\n\", vf_id);\n+\n+\tlink_state = netif_carrier_ok(enic-\u003enetdev) ?\n+\t\tENIC_MBOX_LINK_STATE_ENABLE :\n+\t\tENIC_MBOX_LINK_STATE_DISABLE;\n+\terr = enic_mbox_send_link_state(enic, vf_id, link_state);\n+\tif (err \u0026\u0026 net_ratelimit())\n+\t\tnetdev_warn(enic-\u003enetdev,\n+\t\t\t \"VF %u: failed to send initial link state: %d\\n\",\n+\t\t\t vf_id, err);\n+\t/* Registration succeeded; initial link state notification sent\n+\t * above. Subsequent link state changes are sent from the PF\n+\t * when enic_link_check() detects carrier changes.\n+\t */\n+\treturn 0;\n+}\n+\n+static int enic_mbox_pf_handle_unregister(struct enic *enic, void *msg,\n+\t\t\t\t\t u16 vf_id, u64 msg_num)\n+{\n+\tstruct enic_mbox_vf_register_reply_msg reply = {};\n+\tint err;\n+\n+\tif (!enic-\u003evf_state || vf_id \u003e= enic-\u003enum_vfs) {\n+\t\tif (net_ratelimit())\n+\t\t\tnetdev_warn(enic-\u003enetdev,\n+\t\t\t\t \"MBOX: unregister from invalid VF %u\\n\",\n+\t\t\t\t vf_id);\n+\t\treturn -EINVAL;\n+\t}\n+\n+\t/* VF is unloading; clear local state regardless of whether\n+\t * the reply is successfully delivered to avoid the PF treating\n+\t * a dead VF as still registered.\n+\t */\n+\tenic-\u003evf_state[vf_id].registered = false;\n+\n+\treply.reply.ret_major = cpu_to_le16(0);\n+\terr = enic_mbox_send_msg(enic, ENIC_MBOX_VF_UNREGISTER_REPLY, vf_id,\n+\t\t\t\t \u0026reply, sizeof(reply));\n+\n+\tif (net_ratelimit())\n+\t\tnetdev_info(enic-\u003enetdev,\n+\t\t\t \"VF %u unregistered via MBOX\\n\", vf_id);\n+\n+\treturn err;\n+}\n+\n+static void enic_mbox_pf_process_msg(struct enic *enic,\n+\t\t\t\t struct enic_mbox_hdr *hdr, void *payload)\n+{\n+\tu16 vf_id = le16_to_cpu(hdr-\u003esrc_vnic_id);\n+\tu16 msg_len = le16_to_cpu(hdr-\u003emsg_len);\n+\tint err = 0;\n+\n+\tif (!enic-\u003evf_state) {\n+\t\tnetdev_dbg(enic-\u003enetdev,\n+\t\t\t \"MBOX: PF received msg but SRIOV not active\\n\");\n+\t\treturn;\n+\t}\n+\n+\tif (vf_id \u003e= enic-\u003enum_vfs) {\n+\t\tif (net_ratelimit())\n+\t\t\tnetdev_warn(enic-\u003enetdev,\n+\t\t\t\t \"MBOX: PF received msg from invalid VF %u\\n\",\n+\t\t\t\t vf_id);\n+\t\treturn;\n+\t}\n+\n+\tswitch (hdr-\u003emsg_type) {\n+\tcase ENIC_MBOX_VF_CAPABILITY_REQUEST:\n+\t\terr = enic_mbox_pf_handle_capability(enic, payload, vf_id,\n+\t\t\t\t\t\t le64_to_cpu(hdr-\u003emsg_num));\n+\t\tbreak;\n+\tcase ENIC_MBOX_VF_REGISTER_REQUEST:\n+\t\terr = enic_mbox_pf_handle_register(enic, payload, vf_id,\n+\t\t\t\t\t\t le64_to_cpu(hdr-\u003emsg_num));\n+\t\tbreak;\n+\tcase ENIC_MBOX_VF_UNREGISTER_REQUEST:\n+\t\terr = enic_mbox_pf_handle_unregister(enic, payload, vf_id,\n+\t\t\t\t\t\t le64_to_cpu(hdr-\u003emsg_num));\n+\t\tbreak;\n+\tcase ENIC_MBOX_PF_LINK_STATE_ACK: {\n+\t\tstruct enic_mbox_pf_link_state_ack_msg *ack = payload;\n+\n+\t\tif (msg_len \u003c sizeof(*hdr) + sizeof(*ack))\n+\t\t\tbreak;\n+\t\tif (le16_to_cpu(ack-\u003eack.ret_major) \u0026\u0026 net_ratelimit())\n+\t\t\tnetdev_warn(enic-\u003enetdev,\n+\t\t\t\t \"MBOX: VF %u link state ACK error %u/%u\\n\",\n+\t\t\t\t vf_id,\n+\t\t\t\t le16_to_cpu(ack-\u003eack.ret_major),\n+\t\t\t\t le16_to_cpu(ack-\u003eack.ret_minor));\n+\t\tbreak;\n+\t}\n+\tdefault:\n+\t\tnetdev_dbg(enic-\u003enetdev,\n+\t\t\t \"MBOX: PF unhandled msg type %u from VF %u\\n\",\n+\t\t\t hdr-\u003emsg_type, vf_id);\n+\t\terr = -EOPNOTSUPP;\n+\t\tbreak;\n+\t}\n+\n+\tif (err \u0026\u0026 net_ratelimit())\n+\t\tnetdev_warn(enic-\u003enetdev,\n+\t\t\t \"MBOX: PF handler for msg type %u from VF %u failed: %d\\n\",\n+\t\t\t hdr-\u003emsg_type, vf_id, err);\n+}\n+\n+static void enic_mbox_vf_handle_capability_reply(struct enic *enic,\n+\t\t\t\t\t\t void *payload)\n+{\n+\tstruct enic_mbox_vf_capability_reply_msg *reply = payload;\n+\n+\tif (enic-\u003embox_expected_reply != ENIC_MBOX_VF_CAPABILITY_REPLY) {\n+\t\tnetdev_warn(enic-\u003enetdev,\n+\t\t\t \"MBOX: stale capability reply (expected %u), drop\\n\",\n+\t\t\t enic-\u003embox_expected_reply);\n+\t\treturn;\n+\t}\n+\n+\tif (le16_to_cpu(reply-\u003ereply.ret_major) == 0)\n+\t\tenic-\u003epf_cap_version = le32_to_cpu(reply-\u003eversion);\n+\telse\n+\t\tnetdev_warn(enic-\u003enetdev,\n+\t\t\t \"MBOX: PF rejected capability request: %u/%u\\n\",\n+\t\t\t le16_to_cpu(reply-\u003ereply.ret_major),\n+\t\t\t le16_to_cpu(reply-\u003ereply.ret_minor));\n+\tcomplete(\u0026enic-\u003embox_comp);\n+}\n+\n+static void enic_mbox_vf_handle_register_reply(struct enic *enic,\n+\t\t\t\t\t void *payload)\n+{\n+\tstruct enic_mbox_vf_register_reply_msg *reply = payload;\n+\n+\tif (enic-\u003embox_expected_reply != ENIC_MBOX_VF_REGISTER_REPLY) {\n+\t\tnetdev_warn(enic-\u003enetdev,\n+\t\t\t \"MBOX: stale register reply (expected %u), drop\\n\",\n+\t\t\t enic-\u003embox_expected_reply);\n+\t\treturn;\n+\t}\n+\n+\tif (le16_to_cpu(reply-\u003ereply.ret_major)) {\n+\t\tnetdev_warn(enic-\u003enetdev,\n+\t\t\t \"MBOX: VF register rejected by PF: %u/%u\\n\",\n+\t\t\t le16_to_cpu(reply-\u003ereply.ret_major),\n+\t\t\t le16_to_cpu(reply-\u003ereply.ret_minor));\n+\t} else {\n+\t\tenic-\u003evf_registered = true;\n+\t}\n+\tcomplete(\u0026enic-\u003embox_comp);\n+}\n+\n+static void enic_mbox_vf_handle_unregister_reply(struct enic *enic,\n+\t\t\t\t\t\t void *payload)\n+{\n+\tstruct enic_mbox_vf_register_reply_msg *reply = payload;\n+\n+\tif (enic-\u003embox_expected_reply != ENIC_MBOX_VF_UNREGISTER_REPLY) {\n+\t\tnetdev_warn(enic-\u003enetdev,\n+\t\t\t \"MBOX: stale unregister reply (expected %u), drop\\n\",\n+\t\t\t enic-\u003embox_expected_reply);\n+\t\treturn;\n+\t}\n+\n+\tif (le16_to_cpu(reply-\u003ereply.ret_major)) {\n+\t\tnetdev_warn(enic-\u003enetdev,\n+\t\t\t \"MBOX: VF unregister rejected by PF: %u/%u\\n\",\n+\t\t\t le16_to_cpu(reply-\u003ereply.ret_major),\n+\t\t\t le16_to_cpu(reply-\u003ereply.ret_minor));\n+\t} else {\n+\t\tenic-\u003evf_registered = false;\n+\t}\n+\tcomplete(\u0026enic-\u003embox_comp);\n+}\n+\n+static void enic_mbox_vf_handle_link_state(struct enic *enic, void *payload)\n+{\n+\tstruct enic_mbox_pf_link_state_notif_msg *notif = payload;\n+\tstruct enic_mbox_pf_link_state_ack_msg ack = {};\n+\tint err;\n+\n+\tswitch (le32_to_cpu(notif-\u003elink_state)) {\n+\tcase ENIC_MBOX_LINK_STATE_ENABLE:\n+\t\tif (!netif_carrier_ok(enic-\u003enetdev))\n+\t\t\tnetif_carrier_on(enic-\u003enetdev);\n+\t\tnetdev_dbg(enic-\u003enetdev, \"MBOX: link state -\u003e UP\\n\");\n+\t\tbreak;\n+\tcase ENIC_MBOX_LINK_STATE_DISABLE:\n+\t\tif (netif_carrier_ok(enic-\u003enetdev))\n+\t\t\tnetif_carrier_off(enic-\u003enetdev);\n+\t\tnetdev_dbg(enic-\u003enetdev, \"MBOX: link state -\u003e DOWN\\n\");\n+\t\tbreak;\n+\tdefault:\n+\t\tnetdev_warn(enic-\u003enetdev, \"MBOX: unknown link state %u\\n\",\n+\t\t\t le32_to_cpu(notif-\u003elink_state));\n+\t\tack.ack.ret_major = cpu_to_le16(ENIC_MBOX_ERR_GENERIC);\n+\t\tbreak;\n+\t}\n+\n+\terr = enic_mbox_send_msg(enic, ENIC_MBOX_PF_LINK_STATE_ACK,\n+\t\t\t\t ENIC_MBOX_DST_PF, \u0026ack, sizeof(ack));\n+\tif (err \u0026\u0026 net_ratelimit())\n+\t\tnetdev_warn(enic-\u003enetdev,\n+\t\t\t \"MBOX: failed to send link state ACK: %d\\n\", err);\n+}\n+\n+static bool enic_mbox_vf_payload_ok(struct enic *enic, u8 msg_type,\n+\t\t\t\t u16 payload_len, size_t min_len)\n+{\n+\tif (payload_len \u003c min_len) {\n+\t\tnetdev_warn(enic-\u003enetdev,\n+\t\t\t \"MBOX: short payload for type %u (%u \u003c %zu)\\n\",\n+\t\t\t msg_type, payload_len, min_len);\n+\t\treturn false;\n+\t}\n+\treturn true;\n+}\n+\n+static void enic_mbox_vf_process_msg(struct enic *enic,\n+\t\t\t\t struct enic_mbox_hdr *hdr, void *payload,\n+\t\t\t\t u16 payload_len)\n+{\n+\tswitch (hdr-\u003emsg_type) {\n+\tcase ENIC_MBOX_VF_CAPABILITY_REPLY: {\n+\t\tsize_t exp = sizeof(struct enic_mbox_vf_capability_reply_msg);\n+\n+\t\tif (!enic_mbox_vf_payload_ok(enic, hdr-\u003emsg_type,\n+\t\t\t\t\t payload_len, exp))\n+\t\t\treturn;\n+\t\tenic_mbox_vf_handle_capability_reply(enic, payload);\n+\t\tbreak;\n+\t}\n+\tcase ENIC_MBOX_VF_REGISTER_REPLY: {\n+\t\tsize_t exp = sizeof(struct enic_mbox_vf_register_reply_msg);\n+\n+\t\tif (!enic_mbox_vf_payload_ok(enic, hdr-\u003emsg_type,\n+\t\t\t\t\t payload_len, exp))\n+\t\t\treturn;\n+\t\tenic_mbox_vf_handle_register_reply(enic, payload);\n+\t\tbreak;\n+\t}\n+\tcase ENIC_MBOX_VF_UNREGISTER_REPLY: {\n+\t\tsize_t exp = sizeof(struct enic_mbox_vf_register_reply_msg);\n+\n+\t\tif (!enic_mbox_vf_payload_ok(enic, hdr-\u003emsg_type,\n+\t\t\t\t\t payload_len, exp))\n+\t\t\treturn;\n+\t\tenic_mbox_vf_handle_unregister_reply(enic, payload);\n+\t\tbreak;\n+\t}\n+\tcase ENIC_MBOX_PF_LINK_STATE_NOTIF: {\n+\t\tsize_t exp = sizeof(struct enic_mbox_pf_link_state_notif_msg);\n+\n+\t\tif (!enic_mbox_vf_payload_ok(enic, hdr-\u003emsg_type,\n+\t\t\t\t\t payload_len, exp))\n+\t\t\treturn;\n+\t\tenic_mbox_vf_handle_link_state(enic, payload);\n+\t\tbreak;\n+\t}\n+\tdefault:\n+\t\tnetdev_dbg(enic-\u003enetdev,\n+\t\t\t \"MBOX: VF unhandled msg type %u\\n\",\n+\t\t\t hdr-\u003emsg_type);\n+\t\tbreak;\n+\t}\n+}\n+\n+static void enic_mbox_recv_handler(struct enic *enic, void *buf,\n+\t\t\t\t unsigned int len)\n+{\n+\tstruct enic_mbox_hdr *hdr = buf;\n+\tvoid *payload;\n+\tu16 msg_len;\n+\n+\tif (len \u003c sizeof(*hdr)) {\n+\t\tif (net_ratelimit())\n+\t\t\tnetdev_warn(enic-\u003enetdev,\n+\t\t\t\t \"MBOX: truncated message (len %u \u003c %zu)\\n\",\n+\t\t\t\t len, sizeof(*hdr));\n+\t\treturn;\n+\t}\n+\n+\tif (hdr-\u003emsg_type \u003e= ENIC_MBOX_MAX) {\n+\t\tif (net_ratelimit())\n+\t\t\tnetdev_warn(enic-\u003enetdev,\n+\t\t\t\t \"MBOX: unknown msg type %u\\n\",\n+\t\t\t\t hdr-\u003emsg_type);\n+\t\treturn;\n+\t}\n+\n+\tmsg_len = le16_to_cpu(hdr-\u003emsg_len);\n+\tif (msg_len \u003c sizeof(*hdr) || msg_len \u003e len) {\n+\t\tif (net_ratelimit())\n+\t\t\tnetdev_warn(enic-\u003enetdev,\n+\t\t\t\t \"MBOX: invalid msg_len %u (buf len %u)\\n\",\n+\t\t\t\t msg_len, len);\n+\t\treturn;\n+\t}\n+\n+\tnetdev_dbg(enic-\u003enetdev,\n+\t\t \"MBOX recv: type %u from vnic %u len %u\\n\",\n+\t\t hdr-\u003emsg_type, le16_to_cpu(hdr-\u003esrc_vnic_id), msg_len);\n+\n+\tpayload = buf + sizeof(*hdr);\n+\n+\tif (enic-\u003evf_state) {\n+\t\tenic_mbox_pf_process_msg(enic, hdr, payload);\n+\t} else if (le16_to_cpu(hdr-\u003esrc_vnic_id) == ENIC_MBOX_DST_PF) {\n+\t\t/* src_vnic_id was overwritten from the hardware-verified CQ\n+\t\t * VLAN sender field, so a VF only accepts messages that the\n+\t\t * adapter attributes to the PF. Its sole admin-channel peer is\n+\t\t * the PF; drop anything else as a spoofed notification.\n+\t\t */\n+\t\tenic_mbox_vf_process_msg(enic, hdr, payload,\n+\t\t\t\t\t msg_len - (u16)sizeof(*hdr));\n+\t} else if (net_ratelimit()) {\n+\t\tnetdev_warn(enic-\u003enetdev,\n+\t\t\t \"MBOX: VF dropping non-PF message from vnic %u\\n\",\n+\t\t\t le16_to_cpu(hdr-\u003esrc_vnic_id));\n+\t}\n+}\n+\n+int enic_mbox_vf_capability_check(struct enic *enic)\n+{\n+\tstruct enic_mbox_vf_capability_msg req = {};\n+\tint err;\n+\n+\tenic-\u003epf_cap_version = 0;\n+\treinit_completion(\u0026enic-\u003embox_comp);\n+\tenic-\u003embox_expected_reply = ENIC_MBOX_VF_CAPABILITY_REPLY;\n+\treq.version = cpu_to_le32(ENIC_MBOX_CAP_VERSION_1);\n+\n+\terr = enic_mbox_send_msg(enic, ENIC_MBOX_VF_CAPABILITY_REQUEST,\n+\t\t\t\t ENIC_MBOX_DST_PF, \u0026req, sizeof(req));\n+\tif (err) {\n+\t\tenic-\u003embox_expected_reply = 0;\n+\t\treturn err;\n+\t}\n+\n+\terr = enic_mbox_wait_reply(enic, 3000);\n+\tenic-\u003embox_expected_reply = 0;\n+\tif (err) {\n+\t\tnetdev_warn(enic-\u003enetdev,\n+\t\t\t \"MBOX: no capability reply from PF\\n\");\n+\t\treturn err;\n+\t}\n+\n+\tif (enic-\u003epf_cap_version \u003c ENIC_MBOX_CAP_VERSION_1) {\n+\t\tnetdev_warn(enic-\u003enetdev,\n+\t\t\t \"MBOX: PF rejected capability request or reported unsupported version %u\\n\",\n+\t\t\t enic-\u003epf_cap_version);\n+\t\treturn -EOPNOTSUPP;\n+\t}\n+\n+\treturn 0;\n+}\n+\n+int enic_mbox_vf_register(struct enic *enic)\n+{\n+\tint err;\n+\n+\tenic-\u003evf_registered = false;\n+\treinit_completion(\u0026enic-\u003embox_comp);\n+\tenic-\u003embox_expected_reply = ENIC_MBOX_VF_REGISTER_REPLY;\n+\n+\terr = enic_mbox_send_msg(enic, ENIC_MBOX_VF_REGISTER_REQUEST,\n+\t\t\t\t ENIC_MBOX_DST_PF, NULL, 0);\n+\tif (err) {\n+\t\tenic-\u003embox_expected_reply = 0;\n+\t\treturn err;\n+\t}\n+\n+\terr = enic_mbox_wait_reply(enic, 3000);\n+\tenic-\u003embox_expected_reply = 0;\n+\tif (err) {\n+\t\tnetdev_warn(enic-\u003enetdev,\n+\t\t\t \"MBOX: VF registration with PF timed out\\n\");\n+\t\treturn err;\n+\t}\n+\n+\tif (!enic-\u003evf_registered)\n+\t\treturn -ENODEV;\n+\n+\treturn 0;\n+}\n+\n+int enic_mbox_vf_unregister(struct enic *enic)\n+{\n+\tint err;\n+\n+\tif (!enic-\u003evf_registered)\n+\t\treturn 0;\n+\n+\treinit_completion(\u0026enic-\u003embox_comp);\n+\tenic-\u003embox_expected_reply = ENIC_MBOX_VF_UNREGISTER_REPLY;\n+\n+\terr = enic_mbox_send_msg(enic, ENIC_MBOX_VF_UNREGISTER_REQUEST,\n+\t\t\t\t ENIC_MBOX_DST_PF, NULL, 0);\n+\tif (err) {\n+\t\tenic-\u003embox_expected_reply = 0;\n+\t\treturn err;\n+\t}\n+\n+\terr = enic_mbox_wait_reply(enic, 3000);\n+\tenic-\u003embox_expected_reply = 0;\n+\tif (err)\n+\t\treturn err;\n+\tif (enic-\u003evf_registered)\n+\t\treturn -EACCES;\n+\treturn 0;\n+}\n+\n+void enic_mbox_init(struct enic *enic)\n+{\n+\t/* mbox_lock and mbox_comp must be initialized exactly once per\n+\t * device lifetime; the PF sriov_configure path can re-enter this\n+\t * on each enable cycle where these primitives are already set up.\n+\t */\n+\tif (!enic-\u003embox_initialized) {\n+\t\tmutex_init(\u0026enic-\u003embox_lock);\n+\t\tinit_completion(\u0026enic-\u003embox_comp);\n+\t\tenic-\u003embox_initialized = true;\n+\t} else {\n+\t\treinit_completion(\u0026enic-\u003embox_comp);\n+\t}\n+\tenic-\u003embox_msg_num = 0;\n+\tenic-\u003eadmin_rq_handler = enic_mbox_recv_handler;\n+}\ndiff --git a/drivers/net/ethernet/cisco/enic/enic_mbox.h b/drivers/net/ethernet/cisco/enic/enic_mbox.h\nnew file mode 100644\nindex 00000000000000..15e30ee2b0ed95\n--- /dev/null\n+++ b/drivers/net/ethernet/cisco/enic/enic_mbox.h\n@@ -0,0 +1,95 @@\n+/* SPDX-License-Identifier: GPL-2.0-only */\n+/* Copyright 2025 Cisco Systems, Inc. All rights reserved. */\n+\n+#ifndef _ENIC_MBOX_H_\n+#define _ENIC_MBOX_H_\n+\n+#include \u003clinux/bits.h\u003e\n+#include \u003clinux/types.h\u003e\n+\n+/*\n+ * Mailbox protocol for PF-VF communication over the admin channel.\n+ *\n+ * Even numbers are requests, odd numbers are replies/acks.\n+ * The prefix indicates the initiator: VF_ = VF-initiated, PF_ = PF-initiated.\n+ */\n+enum enic_mbox_msg_type {\n+\tENIC_MBOX_VF_CAPABILITY_REQUEST\t\t= 0,\n+\tENIC_MBOX_VF_CAPABILITY_REPLY\t\t= 1,\n+\tENIC_MBOX_VF_REGISTER_REQUEST\t\t= 2,\n+\tENIC_MBOX_VF_REGISTER_REPLY\t\t= 3,\n+\tENIC_MBOX_VF_UNREGISTER_REQUEST\t\t= 4,\n+\tENIC_MBOX_VF_UNREGISTER_REPLY\t\t= 5,\n+\tENIC_MBOX_PF_LINK_STATE_NOTIF\t\t= 6,\n+\tENIC_MBOX_PF_LINK_STATE_ACK\t\t= 7,\n+\tENIC_MBOX_MAX\n+};\n+\n+struct enic_mbox_hdr {\n+\t__le16 src_vnic_id;\n+\t__le16 dst_vnic_id;\n+\tu8 msg_type;\n+\tu8 flags;\n+\t__le16 msg_len;\n+\t__le64 msg_num;\n+};\n+\n+struct enic_mbox_generic_reply {\n+\t__le16 ret_major;\n+\t__le16 ret_minor;\n+};\n+\n+#define ENIC_MBOX_ERR_GENERIC\t\tBIT(0)\n+#define ENIC_MBOX_ERR_VF_NOT_REGISTERED\tBIT(1)\n+#define ENIC_MBOX_ERR_MSG_NOT_SUPPORTED\tBIT(2)\n+\n+/* ENIC_MBOX_VF_CAPABILITY_REQUEST / _REPLY */\n+#define ENIC_MBOX_CAP_VERSION_0\t\t0\n+#define ENIC_MBOX_CAP_VERSION_1\t\t1\n+\n+struct enic_mbox_vf_capability_msg {\n+\t__le32 version;\n+\t__le32 reserved[32];\n+};\n+\n+/* The embedded enic_mbox_generic_reply has 2-byte alignment, but the\n+ * __le32 members give this struct 4-byte natural alignment. Receive\n+ * buffers come from kmalloc (\u003e= 8-byte aligned), so there is no\n+ * misaligned access risk when casting from the receive buffer.\n+ */\n+struct enic_mbox_vf_capability_reply_msg {\n+\tstruct enic_mbox_generic_reply reply;\n+\t__le32 version;\n+\t__le32 reserved[32];\n+};\n+\n+/* ENIC_MBOX_VF_REGISTER / _UNREGISTER */\n+struct enic_mbox_vf_register_reply_msg {\n+\tstruct enic_mbox_generic_reply reply;\n+};\n+\n+/* ENIC_MBOX_PF_LINK_STATE_NOTIF / _ACK */\n+#define ENIC_MBOX_LINK_STATE_DISABLE\t0\n+#define ENIC_MBOX_LINK_STATE_ENABLE\t1\n+\n+struct enic_mbox_pf_link_state_notif_msg {\n+\t__le32 link_state;\n+};\n+\n+struct enic_mbox_pf_link_state_ack_msg {\n+\tstruct enic_mbox_generic_reply ack;\n+};\n+\n+#define ENIC_MBOX_DST_PF\t0xFFFF\n+\n+struct enic;\n+\n+void enic_mbox_init(struct enic *enic);\n+int enic_mbox_send_msg(struct enic *enic, u8 msg_type, u16 dst_vnic_id,\n+\t\t void *payload, u16 payload_len);\n+int enic_mbox_send_link_state(struct enic *enic, u16 vf_id, u32 link_state);\n+int enic_mbox_vf_capability_check(struct enic *enic);\n+int enic_mbox_vf_register(struct enic *enic);\n+int enic_mbox_vf_unregister(struct enic *enic);\n+\n+#endif /* _ENIC_MBOX_H_ */\ndiff --git a/drivers/net/ethernet/cisco/enic/enic_pp.c b/drivers/net/ethernet/cisco/enic/enic_pp.c\nindex 4720a952725d00..3f611e240c256c 100644\n--- a/drivers/net/ethernet/cisco/enic/enic_pp.c\n+++ b/drivers/net/ethernet/cisco/enic/enic_pp.c\n@@ -25,6 +25,11 @@ int enic_is_valid_pp_vf(struct enic *enic, int vf, int *err)\n \tif (vf != PORT_SELF_VF) {\n #ifdef CONFIG_PCI_IOV\n \t\tif (enic_sriov_enabled(enic)) {\n+\t\t\t/* V2 SR-IOV uses MBOX, not port profiles */\n+\t\t\tif (enic-\u003evf_type == ENIC_VF_TYPE_V2) {\n+\t\t\t\t*err = -EOPNOTSUPP;\n+\t\t\t\tgoto err_out;\n+\t\t\t}\n \t\t\tif (vf \u003c 0 || vf \u003e= enic-\u003enum_vfs) {\n \t\t\t\t*err = -EINVAL;\n \t\t\t\tgoto err_out;\ndiff --git a/drivers/net/ethernet/cisco/enic/enic_res.c b/drivers/net/ethernet/cisco/enic/enic_res.c\nindex 2b7545d6a67fdc..74cd2ee3af5cb7 100644\n--- a/drivers/net/ethernet/cisco/enic/enic_res.c\n+++ b/drivers/net/ethernet/cisco/enic/enic_res.c\n@@ -59,6 +59,7 @@ int enic_get_vnic_config(struct enic *enic)\n \tGET_CONFIG(intr_timer_usec);\n \tGET_CONFIG(loop_tag);\n \tGET_CONFIG(num_arfs);\n+\tGET_CONFIG(mq_subvnic_count);\n \tGET_CONFIG(max_rq_ring);\n \tGET_CONFIG(max_wq_ring);\n \tGET_CONFIG(max_cq_ring);\n@@ -210,7 +211,8 @@ void enic_get_res_counts(struct enic *enic)\n \t\tvnic_dev_get_res_count(enic-\u003evdev, RES_TYPE_ADMIN_RQ) \u003e= 1 \u0026\u0026\n \t\tvnic_dev_get_res_count(enic-\u003evdev, RES_TYPE_ADMIN_CQ) \u003e=\n \t\t\tARRAY_SIZE(enic-\u003eadmin_cq) \u0026\u0026\n-\t\tvnic_dev_get_res_count(enic-\u003evdev, RES_TYPE_SRIOV_INTR) \u003e= 1;\n+\t\t(enic_is_sriov_vf_v2(enic) ||\n+\t\t vnic_dev_get_res_count(enic-\u003evdev, RES_TYPE_SRIOV_INTR) \u003e= 1);\n \n \tdev_info(enic_get_dev(enic),\n \t\t\"vNIC resources avail: wq %d rq %d cq %d intr %d admin %s\\n\",\ndiff --git a/drivers/net/ethernet/cisco/enic/vnic_cq.h b/drivers/net/ethernet/cisco/enic/vnic_cq.h\nindex d46d4d2ef6bbac..35ffa323071305 100644\n--- a/drivers/net/ethernet/cisco/enic/vnic_cq.h\n+++ b/drivers/net/ethernet/cisco/enic/vnic_cq.h\n@@ -76,6 +76,15 @@ int vnic_cq_alloc(struct vnic_dev *vdev, struct vnic_cq *cq, unsigned int index,\n int vnic_cq_alloc_with_type(struct vnic_dev *vdev, struct vnic_cq *cq,\n \t\t\t unsigned int index, unsigned int desc_count,\n \t\t\t unsigned int desc_size, unsigned int res_type);\n+#define VNIC_CQ_FC_ENABLE\t1\n+#define VNIC_CQ_FC_DISABLE\t0\n+#define VNIC_CQ_COLOR_ENABLE\t1\n+#define VNIC_CQ_INTR_ENABLE\t1\n+#define VNIC_CQ_INTR_DISABLE\t0\n+#define VNIC_CQ_ENTRY_ENABLE\t1\n+#define VNIC_CQ_MSG_ENABLE\t1\n+#define VNIC_CQ_MSG_DISABLE\t0\n+\n void vnic_cq_init(struct vnic_cq *cq, unsigned int flow_control_enable,\n \tunsigned int color_enable, unsigned int cq_head, unsigned int cq_tail,\n \tunsigned int cq_tail_color, unsigned int interrupt_enable,\ndiff --git a/drivers/net/ethernet/cisco/enic/vnic_devcmd.h b/drivers/net/ethernet/cisco/enic/vnic_devcmd.h\nindex 605ef17f967e4a..90ca06691ebd63 100644\n--- a/drivers/net/ethernet/cisco/enic/vnic_devcmd.h\n+++ b/drivers/net/ethernet/cisco/enic/vnic_devcmd.h\n@@ -455,8 +455,19 @@ enum vnic_devcmd_cmd {\n \t */\n \tCMD_CQ_ENTRY_SIZE_SET = _CMDC(_CMD_DIR_WRITE, _CMD_VTYPE_ENET, 90),\n \n+\t/*\n+\t * Set queue pair type (admin or data)\n+\t * in: (u32) a0 = queue pair type (0 = admin, 1 = data)\n+\t * in: (u32) a1 = enable (1) / disable (0)\n+\t */\n+\tCMD_QP_TYPE_SET = _CMDC(_CMD_DIR_WRITE, _CMD_VTYPE_ENET, 97),\n };\n \n+#define QP_TYPE_ADMIN\t0\n+#define QP_TYPE_DATA\t1\n+#define QP_ENABLE\t1\n+#define QP_DISABLE\t0\n+\n /* CMD_ENABLE2 flags */\n #define CMD_ENABLE2_STANDBY 0x0\n #define CMD_ENABLE2_ACTIVE 0x1\n@@ -734,6 +745,8 @@ enum vic_feature_t {\n \tVIC_FEATURE_VXLAN,\n \tVIC_FEATURE_RDMA,\n \tVIC_FEATURE_VXLAN_PATCH,\n+\t/* slot 3 reserved for firmware VIC_FEATURE_PTP */\n+\tVIC_FEATURE_SRIOV\t= 4,\n \tVIC_FEATURE_MAX,\n };\n \ndiff --git a/drivers/net/ethernet/cisco/enic/vnic_enet.h b/drivers/net/ethernet/cisco/enic/vnic_enet.h\nindex 9e8e86262a3fea..519d2969990b18 100644\n--- a/drivers/net/ethernet/cisco/enic/vnic_enet.h\n+++ b/drivers/net/ethernet/cisco/enic/vnic_enet.h\n@@ -21,7 +21,9 @@ struct vnic_enet_config {\n \tu16 loop_tag;\n \tu16 vf_rq_count;\n \tu16 num_arfs;\n-\tu8 reserved[66];\n+\tu8 reserved1[32];\n+\tu16 mq_subvnic_count;\n+\tu8 reserved2[32];\n \tu32 max_rq_ring;\t// MAX RQ ring size\n \tu32 max_wq_ring;\t// MAX WQ ring size\n \tu32 max_cq_ring;\t// MAX CQ ring size\n"
} |
| 2/1 | 2026/07/03 18:29 | agent | patch-evaluator |
1mModel:gemini-3.1-pro-preview Args: null Results: {
"EnableConfigs": [
"ENIC",
"PCI_IOV"
],
"FocusSymbols": [
"enic_admin_rq_cq_service",
"enic_admin_wq_cq_service",
"enic_admin_msg_work_handler",
"enic_mbox_recv_handler",
"enic_mbox_pf_process_msg",
"enic_mbox_vf_process_msg",
"enic_mbox_send_msg"
],
"Reasoning": "The patch introduces a new admin channel and mailbox protocol for SR-IOV V2 support in the Cisco VIC Ethernet NIC driver (`enic`). The changes include new files `enic_admin.c` and `enic_mbox.c` which handle the setup, sending, and receiving of mailbox messages over the admin channel. This is reachable via PCI fuzzing, as syzkaller can emulate the PCI device and trigger the driver's probe and interrupt handlers. Fuzzing should focus on the message processing and queue service routines.",
"WorthFuzzing": true
}Instruction: You are an expert Linux kernel maintainer. Your job is to review a provided patch series and determine if it makes functional changes to the kernel that should be fuzzed. IMPORTANT: The changes have ALREADY been applied and committed as the HEAD commit in your workspace. Do NOT rely on your internal knowledge of the kernel. You must actively use your code access tools to examine the actual source code and confirm any assumptions. Return WorthFuzzing=false if the patch only contains: - Modifications to Documentation/, Kconfig files, or code comments. - Purely decorative changes, such as logging (e.g., pr_err, printk) or tracepoints. - Changes to numeric constants or macros that do not functionally alter execution flow. - Code paths that are impossible to reach in virtualized environments like GCE or QEMU, even when utilizing software-emulated hardware (e.g., usb gadget, mac80211_hwsim). If it modifies reachable core kernel logic, drivers, or architectures, use your code search tools to verify the code can be executed, then return WorthFuzzing=true. When returning WorthFuzzing=true, you MUST ALSO: 1. Extract any specific kernel functions that should be heavily fuzzed into FocusSymbols. Avoid listing generic hot-path functions to prevent skewed test distributions. 2. Identify any specific CONFIG_ options required to properly test this new/modified feature. Go and look into the Kconfig files and check for ifdefs around the code, do not make assumptions. Do not list too generic configs (we already have them enabled). Only list those that specifically cover the modified code. List them in the EnableConfigs output array, and DO NOT add a 'CONFIG_' prefix (e.g., return "NET_IPV4" instead of "CONFIG_NET_IPV4"). Prefer calling several tools at the same time to save round-trips. Use set-results tool to provide results of the analysis. It must be called exactly once before the final reply. Ignore results of this tool. Prompt: For your convenience, here is the diff of the changes:
commit 0fe177867f3acbf99afb290db9113014f576f311
Author: syz-cluster <triage@syzkaller.com>
Date: Fri Jul 3 18:29:14 2026 +0000
syz-cluster: applied patch under review
diff --git a/drivers/net/ethernet/cisco/enic/Makefile b/drivers/net/ethernet/cisco/enic/Makefile
index a96b8332e6e2a8..e38aaf34c14839 100644
--- a/drivers/net/ethernet/cisco/enic/Makefile
+++ b/drivers/net/ethernet/cisco/enic/Makefile
@@ -3,5 +3,6 @@ obj-$(CONFIG_ENIC) := enic.o
enic-y := enic_main.o vnic_cq.o vnic_intr.o vnic_wq.o \
enic_res.o enic_dev.o enic_pp.o vnic_dev.o vnic_rq.o vnic_vic.o \
- enic_ethtool.o enic_api.o enic_clsf.o enic_rq.o enic_wq.o
+ enic_ethtool.o enic_api.o enic_clsf.o enic_rq.o enic_wq.o \
+ enic_admin.o enic_mbox.o
diff --git a/drivers/net/ethernet/cisco/enic/enic.h b/drivers/net/ethernet/cisco/enic/enic.h
index 08472420f3a1fd..62b8941489d773 100644
--- a/drivers/net/ethernet/cisco/enic/enic.h
+++ b/drivers/net/ethernet/cisco/enic/enic.h
@@ -256,10 +256,10 @@ struct enic {
struct enic_rx_coal rx_coalesce_setting;
u32 rx_coalesce_usecs;
u32 tx_coalesce_usecs;
-#ifdef CONFIG_PCI_IOV
u16 num_vfs;
-#endif
enum enic_vf_type vf_type;
+ bool vf_registered;
+ u32 pf_cap_version;
unsigned int enable_count;
spinlock_t enic_api_lock;
bool enic_api_busy;
@@ -292,10 +292,45 @@ struct enic {
/* Admin channel resources for SR-IOV MBOX */
bool has_admin_channel;
+ /* true only while the admin WQ/RQ/CQ are allocated and enabled; gates
+ * enic_admin_channel_close() so it is a no-op after a failed (re)open
+ * left the resources freed.
+ */
+ bool admin_chan_up;
+ /* set on send timeout; cleared on channel re-open */
+ bool mbox_send_disabled;
struct vnic_wq admin_wq;
struct vnic_rq admin_rq;
struct vnic_cq admin_cq[2];
struct vnic_intr admin_intr;
+ struct work_struct admin_poll_work;
+ unsigned int admin_intr_index;
+ struct work_struct link_notify_work;
+ struct work_struct admin_msg_work;
+ spinlock_t admin_msg_lock; /* protects admin_msg_list */
+ struct list_head admin_msg_list;
+ unsigned int admin_msg_count; /* current depth of admin_msg_list */
+ void (*admin_rq_handler)(struct enic *enic, void *buf,
+ unsigned int len);
+
+ /* MBOX protocol state — mbox_lock serializes admin WQ sends */
+ struct mutex mbox_lock;
+ u64 mbox_msg_num;
+ /* MBOX request-reply state. Written by the process-context request
+ * helpers (capability/register/unregister) and read/cleared by the
+ * admin_msg_work receive handlers. No explicit lock is needed because
+ * only one request is in flight at a time: requesters run under RTNL or
+ * single-threaded probe/remove, so each request is serialized and its
+ * reply completes mbox_comp before the next request is issued.
+ */
+ struct completion mbox_comp;
+ u8 mbox_expected_reply;
+ bool mbox_initialized;
+
+ /* PF: per-VF MBOX state, allocated when SRIOV V2 is enabled */
+ struct enic_vf_state {
+ bool registered;
+ } *vf_state;
};
static inline struct net_device *vnic_get_netdev(struct vnic_dev *vdev)
@@ -417,6 +452,7 @@ void enic_reset_addr_lists(struct enic *enic);
int enic_sriov_enabled(struct enic *enic);
int enic_is_valid_vf(struct enic *enic, int vf);
int enic_is_dynamic(struct enic *enic);
+int enic_is_sriov_vf_v2(struct enic *enic);
void enic_set_ethtool_ops(struct net_device *netdev);
int __enic_set_rsskey(struct enic *enic);
void enic_ext_cq(struct enic *enic);
diff --git a/drivers/net/ethernet/cisco/enic/enic_admin.c b/drivers/net/ethernet/cisco/enic/enic_admin.c
new file mode 100644
index 00000000000000..69aa49ffd6c8d7
--- /dev/null
+++ b/drivers/net/ethernet/cisco/enic/enic_admin.c
@@ -0,0 +1,644 @@
+// SPDX-License-Identifier: GPL-2.0-only
+// Copyright 2025 Cisco Systems, Inc. All rights reserved.
+
+#include <linux/kernel.h>
+#include <linux/netdevice.h>
+#include <linux/dma-mapping.h>
+#include <linux/interrupt.h>
+
+#include "vnic_dev.h"
+#include "vnic_wq.h"
+#include "vnic_rq.h"
+#include "vnic_cq.h"
+#include "vnic_intr.h"
+#include "vnic_resource.h"
+#include "vnic_devcmd.h"
+#include "enic.h"
+#include "enic_admin.h"
+#include "cq_desc.h"
+#include "cq_enet_desc.h"
+#include "wq_enet_desc.h"
+#include "rq_enet_desc.h"
+#include "enic_mbox.h"
+
+/* Clean up any admin WQ buffers still held by hardware at close time.
+ * Normally buffers are freed inline after send completion, but a timed-out
+ * send intentionally leaves the buffer live until the queue is stopped.
+ */
+static void enic_admin_wq_buf_clean(struct vnic_wq *wq,
+ struct vnic_wq_buf *buf)
+{
+ struct enic *enic = vnic_dev_priv(wq->vdev);
+
+ if (buf->os_buf) {
+ dma_unmap_single(&enic->pdev->dev, buf->dma_addr,
+ buf->len, DMA_TO_DEVICE);
+ kfree(buf->os_buf);
+ buf->os_buf = NULL;
+ }
+}
+
+static void enic_admin_rq_buf_clean(struct vnic_rq *rq,
+ struct vnic_rq_buf *buf)
+{
+ struct enic *enic = vnic_dev_priv(rq->vdev);
+
+ if (!buf->os_buf)
+ return;
+
+ dma_unmap_single(&enic->pdev->dev, buf->dma_addr, buf->len,
+ DMA_FROM_DEVICE);
+ kfree(buf->os_buf);
+ buf->os_buf = NULL;
+}
+
+static int enic_admin_rq_post_one(struct enic *enic, gfp_t gfp)
+{
+ struct vnic_rq *rq = &enic->admin_rq;
+ struct rq_enet_desc *desc;
+ dma_addr_t dma_addr;
+ void *buf;
+
+ buf = kmalloc(ENIC_ADMIN_BUF_SIZE, gfp);
+ if (!buf)
+ return -ENOMEM;
+
+ dma_addr = dma_map_single(&enic->pdev->dev, buf, ENIC_ADMIN_BUF_SIZE,
+ DMA_FROM_DEVICE);
+ if (dma_mapping_error(&enic->pdev->dev, dma_addr)) {
+ kfree(buf);
+ return -ENOMEM;
+ }
+
+ desc = vnic_rq_next_desc(rq);
+ rq_enet_desc_enc(desc, (u64)dma_addr | VNIC_PADDR_TARGET,
+ RQ_ENET_TYPE_ONLY_SOP, ENIC_ADMIN_BUF_SIZE);
+ vnic_rq_post(rq, buf, 0, dma_addr, ENIC_ADMIN_BUF_SIZE, 0);
+
+ return 0;
+}
+
+static int enic_admin_rq_fill(struct enic *enic, gfp_t gfp)
+{
+ struct vnic_rq *rq = &enic->admin_rq;
+ int err;
+
+ while (vnic_rq_desc_avail(rq) > 0) {
+ err = enic_admin_rq_post_one(enic, gfp);
+ if (err)
+ return err;
+ }
+
+ return 0;
+}
+
+static void enic_admin_rq_drain(struct enic *enic)
+{
+ vnic_rq_clean(&enic->admin_rq, enic_admin_rq_buf_clean);
+}
+
+static unsigned int enic_admin_cq_color(void *cq_desc, unsigned int desc_size)
+{
+ u8 type_color = *((u8 *)cq_desc + desc_size - 1);
+
+ return (type_color >> CQ_DESC_COLOR_SHIFT) & CQ_DESC_COLOR_MASK;
+}
+
+unsigned int enic_admin_wq_cq_service(struct enic *enic)
+{
+ struct vnic_cq *cq = &enic->admin_cq[0];
+ unsigned int work = 0;
+ void *desc;
+
+ desc = vnic_cq_to_clean(cq);
+ while (enic_admin_cq_color(desc, cq->ring.desc_size) !=
+ cq->last_color) {
+ vnic_cq_inc_to_clean(cq);
+ work++;
+ desc = vnic_cq_to_clean(cq);
+ }
+
+ return work;
+}
+
+/* Upper bound on pending admin messages. A buggy or hostile VF could flood
+ * the PF admin channel faster than admin_msg_work drains it; cap the backlog
+ * so a guest cannot drive the host out of memory.
+ */
+#define ENIC_ADMIN_MSG_MAX 256
+
+static void enic_admin_msg_enqueue(struct enic *enic, void *buf,
+ unsigned int len)
+{
+ struct enic_admin_msg *msg;
+
+ msg = kmalloc(struct_size(msg, data, len), GFP_KERNEL);
+ if (!msg)
+ return;
+
+ msg->len = len;
+ memcpy(msg->data, buf, len);
+
+ spin_lock(&enic->admin_msg_lock);
+ if (enic->admin_msg_count >= ENIC_ADMIN_MSG_MAX) {
+ spin_unlock(&enic->admin_msg_lock);
+ kfree(msg);
+ if (net_ratelimit())
+ netdev_warn(enic->netdev,
+ "admin msg backlog full (%u); dropping\n",
+ ENIC_ADMIN_MSG_MAX);
+ return;
+ }
+ list_add_tail(&msg->list, &enic->admin_msg_list);
+ enic->admin_msg_count++;
+ spin_unlock(&enic->admin_msg_lock);
+}
+
+unsigned int enic_admin_rq_cq_service(struct enic *enic)
+{
+ struct vnic_cq *cq = &enic->admin_cq[1];
+ struct vnic_rq *rq = &enic->admin_rq;
+ struct cq_enet_rq_desc *rq_desc;
+ struct vnic_rq_buf *buf;
+ u16 bwf, bytes_written;
+ unsigned int work = 0;
+ void *desc;
+
+ /* The admin RQ and its CQ form a single in-order channel: firmware
+ * posts exactly one CQE per consumed RQ descriptor, in submission
+ * order. Each CQE therefore pairs with rq->to_clean below without a
+ * completed_index cross-check, mirroring the in-order assumption of
+ * the main enic RX path.
+ */
+ desc = vnic_cq_to_clean(cq);
+ while (enic_admin_cq_color(desc, cq->ring.desc_size) !=
+ cq->last_color) {
+ /* Ensure DMA descriptor fields are read after
+ * the color/valid check. dma_rmb() is the
+ * correct barrier for DMA-written descriptors.
+ */
+ dma_rmb();
+ buf = rq->to_clean;
+
+ /* Decode the actual number of bytes hardware wrote into
+ * the RX buffer. buf->len is the static allocation size
+ * (ENIC_ADMIN_BUF_SIZE) and would expose uninitialised
+ * heap memory beyond the real payload. bytes_written_flags
+ * is at the same offset in every cq_enet_rq_desc[_32|_64]
+ * variant.
+ */
+ rq_desc = desc;
+ bwf = le16_to_cpu(rq_desc->bytes_written_flags);
+ bytes_written = bwf & CQ_ENET_RQ_DESC_BYTES_WRITTEN_MASK;
+ if (bytes_written > buf->len)
+ goto next_desc;
+
+ dma_sync_single_for_cpu(&enic->pdev->dev,
+ buf->dma_addr, buf->len,
+ DMA_FROM_DEVICE);
+
+ /* Drop on hardware error indications. Admin messages
+ * are internal to the VIC, not received over the wire.
+ * Firmware sets TRUNCATED when the message does not fit
+ * in the posted buffer, and FCS_OK is always set on
+ * healthy admin completions.
+ */
+ if (bwf & CQ_ENET_RQ_DESC_FLAGS_TRUNCATED) {
+ netdev_warn_once(enic->netdev,
+ "admin RQ: truncated message dropped\n");
+ goto next_desc;
+ }
+ if (!(rq_desc->flags & CQ_ENET_RQ_DESC_FLAGS_FCS_OK)) {
+ netdev_warn_once(enic->netdev,
+ "admin RQ: bad FCS, dropping message\n");
+ goto next_desc;
+ }
+
+ if (enic->admin_rq_handler) {
+ u16 sender_vlan;
+
+ /* Firmware sets the CQ VLAN field to identify the
+ * sender: 0 = PF, 1-based = VF index. Overwrite
+ * the untrusted src_vnic_id in the MBOX header with
+ * the hardware-verified value.
+ */
+ sender_vlan = le16_to_cpu(rq_desc->vlan);
+ if (bytes_written >= sizeof(struct enic_mbox_hdr)) {
+ struct enic_mbox_hdr *hdr = buf->os_buf;
+
+ hdr->src_vnic_id = (sender_vlan == 0) ?
+ cpu_to_le16(ENIC_MBOX_DST_PF) :
+ cpu_to_le16(sender_vlan - 1);
+ }
+
+ enic_admin_msg_enqueue(enic, buf->os_buf,
+ bytes_written);
+ }
+
+next_desc:
+ enic_admin_rq_buf_clean(rq, rq->to_clean);
+ rq->to_clean = rq->to_clean->next;
+ rq->ring.desc_avail++;
+
+ vnic_cq_inc_to_clean(cq);
+ work++;
+ desc = vnic_cq_to_clean(cq);
+ }
+
+ if (enic_admin_rq_fill(enic, GFP_KERNEL) && net_ratelimit())
+ netdev_warn(enic->netdev,
+ "admin RQ refill failed\n");
+
+ return work;
+}
+
+static irqreturn_t enic_admin_isr_msix(int irq, void *data)
+{
+ struct enic *enic = data;
+
+ schedule_work(&enic->admin_poll_work);
+
+ return IRQ_HANDLED;
+}
+
+static void enic_admin_msg_work_handler(struct work_struct *work)
+{
+ struct enic *enic = container_of(work, struct enic, admin_msg_work);
+ struct enic_admin_msg *msg, *tmp;
+ LIST_HEAD(local_list);
+
+ spin_lock_bh(&enic->admin_msg_lock);
+ list_splice_init(&enic->admin_msg_list, &local_list);
+ enic->admin_msg_count = 0;
+ spin_unlock_bh(&enic->admin_msg_lock);
+
+ list_for_each_entry_safe(msg, tmp, &local_list, list) {
+ if (enic->admin_rq_handler)
+ enic->admin_rq_handler(enic, msg->data, msg->len);
+ list_del(&msg->list);
+ kfree(msg);
+ }
+}
+
+static void enic_admin_poll_work_handler(struct work_struct *work)
+{
+ struct enic *enic = container_of(work, struct enic, admin_poll_work);
+ unsigned int credits;
+ unsigned int rq_work;
+
+ /* Snapshot the pending credit count before draining so we acknowledge
+ * exactly what the hardware reported for this interrupt. Credits that
+ * accrue while enic_admin_rq_cq_service() runs are left for the next
+ * interrupt, which is harmless on this low-rate control path.
+ */
+ credits = vnic_intr_credits(&enic->admin_intr);
+
+ rq_work = enic_admin_rq_cq_service(enic);
+
+ if (rq_work > 0)
+ schedule_work(&enic->admin_msg_work);
+
+ /* Acknowledge the snapshotted credits and unmask the vector. Unlike
+ * the NAPI data path, the admin channel is not re-polled, so the vector
+ * must be re-armed here to receive the next completion. Return at least
+ * one credit so the write always carries a non-zero acknowledgment and
+ * re-arms the vector even on a spurious wakeup that found no credits.
+ */
+ vnic_intr_return_credits(&enic->admin_intr,
+ credits ?: 1,
+ 1 /* unmask */, 0);
+}
+
+static int enic_admin_setup_intr(struct enic *enic)
+{
+ unsigned int intr_index = enic->intr_count;
+ int err;
+
+ if (vnic_dev_get_intr_mode(enic->vdev) != VNIC_DEV_INTR_MODE_MSIX ||
+ intr_index >= enic->intr_avail)
+ return -ENODEV;
+
+ /* The admin INTR uses a slot in the same RES_TYPE_INTR_CTRL
+ * strided array of per-vector control blocks (mask, coalescing
+ * timer, credit return) that the data-path IRQs occupy in BAR0.
+ * vnic_intr_alloc() defaults to RES_TYPE_INTR_CTRL, which is what
+ * we want here.
+ */
+ err = vnic_intr_alloc(enic->vdev, &enic->admin_intr, intr_index);
+ if (err) {
+ netdev_warn(enic->netdev,
+ "Failed to alloc admin intr at index %u: %d\n",
+ intr_index, err);
+ return err;
+ }
+
+ enic->admin_intr_index = intr_index;
+
+ /* A V2 VF opens the admin channel during probe, before
+ * register_netdev() resolves the "eth%d" name template, so using
+ * netdev->name here would register the literal "eth%d-admin" in
+ * /proc/interrupts. Use the already-stable PCI device name instead.
+ */
+ snprintf(enic->msix[intr_index].devname,
+ sizeof(enic->msix[intr_index].devname),
+ "%s-admin", pci_name(enic->pdev));
+ enic->msix[intr_index].isr = enic_admin_isr_msix;
+ enic->msix[intr_index].devid = enic;
+
+ err = request_irq(enic->msix_entry[intr_index].vector,
+ enic->msix[intr_index].isr, 0,
+ enic->msix[intr_index].devname,
+ enic->msix[intr_index].devid);
+ if (err) {
+ netdev_warn(enic->netdev,
+ "Failed to request admin MSI-X irq: %d\n", err);
+ vnic_intr_free(&enic->admin_intr);
+ return err;
+ }
+
+ enic->msix[intr_index].requested = 1;
+
+ netdev_dbg(enic->netdev,
+ "admin channel using MSI-X interrupt (index %u)\n",
+ intr_index);
+
+ return 0;
+}
+
+static void enic_admin_teardown_intr(struct enic *enic)
+{
+ unsigned int intr_index = enic->admin_intr_index;
+
+ free_irq(enic->msix_entry[intr_index].vector,
+ enic->msix[intr_index].devid);
+ cancel_work_sync(&enic->admin_poll_work);
+ enic->msix[intr_index].requested = 0;
+}
+
+static int enic_admin_qp_type_set(struct enic *enic, u32 enable)
+{
+ u64 a0 = QP_TYPE_ADMIN, a1 = enable;
+ int wait = 1000;
+ int err;
+
+ spin_lock_bh(&enic->devcmd_lock);
+ err = vnic_dev_cmd(enic->vdev, CMD_QP_TYPE_SET, &a0, &a1, wait);
+ spin_unlock_bh(&enic->devcmd_lock);
+
+ return err;
+}
+
+static int enic_admin_alloc_resources(struct enic *enic)
+{
+ int err;
+
+ err = vnic_wq_alloc_with_type(enic->vdev, &enic->admin_wq, 0,
+ ENIC_ADMIN_DESC_COUNT,
+ sizeof(struct wq_enet_desc),
+ RES_TYPE_ADMIN_WQ);
+ if (err)
+ return err;
+
+ err = vnic_rq_alloc_with_type(enic->vdev, &enic->admin_rq, 0,
+ ENIC_ADMIN_DESC_COUNT,
+ sizeof(struct rq_enet_desc),
+ RES_TYPE_ADMIN_RQ);
+ if (err)
+ goto free_wq;
+
+ /* admin_cq[0] is the WQ completion queue. WQ CQEs are always
+ * 16 bytes wide; firmware always writes 16-byte CQEs for WQ
+ * completions on every WQ, including the admin channel WQ.
+ * Use sizeof(struct cq_desc) accordingly.
+ */
+ err = vnic_cq_alloc_with_type(enic->vdev, &enic->admin_cq[0], 0,
+ ENIC_ADMIN_DESC_COUNT,
+ sizeof(struct cq_desc),
+ RES_TYPE_ADMIN_CQ);
+ if (err)
+ goto free_rq;
+
+ /* admin_cq[1] is the RQ completion queue. Its descriptor size
+ * must match what firmware writes. enic_ext_cq() called earlier
+ * in probe issues CMD_CQ_ENTRY_SIZE_SET for VNIC_RQ_ALL,
+ * programming firmware to write CQ entries of (16 << enic->ext_cq)
+ * bytes for every RQ CQ on the vNIC, including the admin RQ CQ.
+ * Allocating with the same size keeps the host poller and
+ * firmware in lockstep:
+ *
+ * - The color/valid bit lives at byte (desc_size - 1) of every
+ * cq_enet_rq_desc[_32|_64] variant, so enic_admin_cq_color()
+ * reads it from the correct offset.
+ * - Only the first 15 bytes of the descriptor (vlan,
+ * bytes_written_flags, ...) are accessed by the admin path;
+ * these fields are identical across all three variants (see
+ * comment in enic_rq.c above cq_enet_rq_desc_dec()).
+ */
+ err = vnic_cq_alloc_with_type(enic->vdev, &enic->admin_cq[1], 1,
+ ENIC_ADMIN_DESC_COUNT,
+ 16 << enic->ext_cq,
+ RES_TYPE_ADMIN_CQ);
+ if (err)
+ goto free_cq0;
+
+ return 0;
+
+free_cq0:
+ vnic_cq_free(&enic->admin_cq[0]);
+free_rq:
+ vnic_rq_free(&enic->admin_rq);
+free_wq:
+ vnic_wq_free(&enic->admin_wq);
+ return err;
+}
+
+static void enic_admin_free_resources(struct enic *enic)
+{
+ vnic_intr_free(&enic->admin_intr);
+ vnic_cq_free(&enic->admin_cq[1]);
+ vnic_cq_free(&enic->admin_cq[0]);
+ vnic_rq_free(&enic->admin_rq);
+ vnic_wq_free(&enic->admin_wq);
+}
+
+static void enic_admin_init_resources(struct enic *enic)
+{
+ unsigned int intr_offset = enic->admin_intr_index;
+
+ vnic_wq_init(&enic->admin_wq,
+ 0, 0, 0); /* cq_index, err_intr_enable, err_intr_offset */
+ vnic_rq_init(&enic->admin_rq,
+ 1, 0, 0); /* cq_index, err_intr_enable, err_intr_offset */
+ vnic_cq_init(&enic->admin_cq[0],
+ VNIC_CQ_FC_DISABLE,
+ VNIC_CQ_COLOR_ENABLE,
+ 0, 0, 1, /* cq_head, cq_tail, cq_tail_color */
+ VNIC_CQ_INTR_DISABLE, /* polled synchronously by mbox send */
+ VNIC_CQ_ENTRY_ENABLE,
+ VNIC_CQ_MSG_DISABLE,
+ intr_offset,
+ 0 /* cq_message_addr */);
+ vnic_cq_init(&enic->admin_cq[1],
+ VNIC_CQ_FC_DISABLE,
+ VNIC_CQ_COLOR_ENABLE,
+ 0, 0, 1, /* cq_head, cq_tail, cq_tail_color */
+ VNIC_CQ_INTR_ENABLE,
+ VNIC_CQ_ENTRY_ENABLE,
+ VNIC_CQ_MSG_DISABLE,
+ intr_offset,
+ 0 /* cq_message_addr */);
+ /* coalescing_timer, coalescing_type, mask_on_assertion */
+ vnic_intr_init(&enic->admin_intr,
+ 0, 0, 1);
+}
+
+static void enic_admin_msg_drain(struct enic *enic)
+{
+ struct enic_admin_msg *msg, *tmp;
+
+ spin_lock_bh(&enic->admin_msg_lock);
+ list_for_each_entry_safe(msg, tmp, &enic->admin_msg_list, list) {
+ list_del(&msg->list);
+ kfree(msg);
+ }
+ enic->admin_msg_count = 0;
+ spin_unlock_bh(&enic->admin_msg_lock);
+}
+
+int enic_admin_channel_open(struct enic *enic)
+{
+ int err;
+
+ if (!enic->has_admin_channel)
+ return -ENODEV;
+
+ /* Keep MBOX sends disabled for the entire open sequence. It is
+ * cleared only after every resource is allocated and enabled below,
+ * so any early error return here leaves sends disabled and a
+ * concurrent sender cannot touch a half-open or freed admin_wq.
+ */
+ WRITE_ONCE(enic->mbox_send_disabled, true);
+
+ err = enic_admin_alloc_resources(enic);
+ if (err) {
+ netdev_err(enic->netdev,
+ "Failed to alloc admin channel resources: %d\n",
+ err);
+ return err;
+ }
+
+ spin_lock_init(&enic->admin_msg_lock);
+ INIT_LIST_HEAD(&enic->admin_msg_list);
+ INIT_WORK(&enic->admin_msg_work, enic_admin_msg_work_handler);
+ INIT_WORK(&enic->admin_poll_work, enic_admin_poll_work_handler);
+
+ err = enic_admin_setup_intr(enic);
+ if (err) {
+ netdev_err(enic->netdev,
+ "Admin channel requires MSI-X, SR-IOV unavailable: %d\n",
+ err);
+ goto free_resources;
+ }
+
+ enic_admin_init_resources(enic);
+
+ vnic_wq_enable(&enic->admin_wq);
+ vnic_rq_enable(&enic->admin_rq);
+
+ err = enic_admin_rq_fill(enic, GFP_KERNEL);
+ if (err) {
+ netdev_err(enic->netdev,
+ "Failed to fill admin RQ buffers: %d\n", err);
+ goto disable_queues;
+ }
+
+ err = enic_admin_qp_type_set(enic, QP_ENABLE);
+ if (err) {
+ netdev_err(enic->netdev,
+ "Failed to set admin QP type: %d\n", err);
+ goto disable_queues;
+ }
+
+ vnic_intr_unmask(&enic->admin_intr);
+
+ /* Only now that the admin WQ/RQ/CQ and interrupt are fully allocated,
+ * programmed and enabled is it safe to allow MBOX sends. Clearing this
+ * earlier opened a window where a concurrent sender (e.g. link-notify
+ * work scheduled by a post-reset link-up) could call enic_mbox_send_msg()
+ * against a not-yet-allocated admin_wq and crash.
+ */
+ WRITE_ONCE(enic->mbox_send_disabled, false);
+
+ netdev_dbg(enic->netdev,
+ "admin channel open: intr=%u wq_avail=%u rq_avail=%u cq0_color=%u cq1_color=%u\n",
+ enic->admin_intr_index,
+ vnic_wq_desc_avail(&enic->admin_wq),
+ vnic_rq_desc_avail(&enic->admin_rq),
+ enic->admin_cq[0].last_color,
+ enic->admin_cq[1].last_color);
+
+ enic->admin_chan_up = true;
+
+ return 0;
+
+disable_queues:
+ enic_admin_teardown_intr(enic);
+ enic_admin_qp_type_set(enic, QP_DISABLE);
+ if (vnic_wq_disable(&enic->admin_wq))
+ netdev_warn(enic->netdev, "Failed to disable admin WQ\n");
+ if (vnic_rq_disable(&enic->admin_rq))
+ netdev_warn(enic->netdev, "Failed to disable admin RQ\n");
+ cancel_work_sync(&enic->admin_msg_work);
+ enic_admin_msg_drain(enic);
+ enic_admin_rq_drain(enic);
+free_resources:
+ enic_admin_free_resources(enic);
+ return err;
+}
+
+void enic_admin_channel_close(struct enic *enic)
+{
+ int err;
+
+ if (!enic->has_admin_channel)
+ return;
+
+ /* Nothing to tear down if the channel was never (re)opened, e.g. a
+ * failed enic_admin_channel_open() in probe or in the reset path;
+ * otherwise the disable/clean calls below dereference freed resources.
+ */
+ if (!enic->admin_chan_up)
+ return;
+
+ WRITE_ONCE(enic->mbox_send_disabled, true);
+
+ netdev_dbg(enic->netdev, "admin channel close\n");
+
+ vnic_intr_mask(&enic->admin_intr);
+ enic_admin_teardown_intr(enic);
+ cancel_work_sync(&enic->link_notify_work);
+ cancel_work_sync(&enic->admin_msg_work);
+ enic_admin_msg_drain(enic);
+
+ enic_admin_qp_type_set(enic, QP_DISABLE);
+
+ err = vnic_wq_disable(&enic->admin_wq);
+ if (err)
+ netdev_warn(enic->netdev,
+ "Failed to disable admin WQ: %d\n", err);
+ err = vnic_rq_disable(&enic->admin_rq);
+ if (err)
+ netdev_warn(enic->netdev,
+ "Failed to disable admin RQ: %d\n", err);
+
+ vnic_wq_clean(&enic->admin_wq, enic_admin_wq_buf_clean);
+ enic_admin_rq_drain(enic);
+ vnic_cq_clean(&enic->admin_cq[0]);
+ vnic_cq_clean(&enic->admin_cq[1]);
+ vnic_intr_clean(&enic->admin_intr);
+
+ enic->admin_rq_handler = NULL;
+ enic_admin_free_resources(enic);
+
+ enic->admin_chan_up = false;
+}
diff --git a/drivers/net/ethernet/cisco/enic/enic_admin.h b/drivers/net/ethernet/cisco/enic/enic_admin.h
new file mode 100644
index 00000000000000..62c80220b0cacc
--- /dev/null
+++ b/drivers/net/ethernet/cisco/enic/enic_admin.h
@@ -0,0 +1,27 @@
+/* SPDX-License-Identifier: GPL-2.0-only */
+/* Copyright 2025 Cisco Systems, Inc. All rights reserved. */
+
+#ifndef _ENIC_ADMIN_H_
+#define _ENIC_ADMIN_H_
+
+#define ENIC_ADMIN_DESC_COUNT 64
+#define ENIC_ADMIN_BUF_SIZE 2048
+
+struct enic;
+
+/* Wrapper for received admin messages queued for deferred processing.
+ * The admin CQ poll work handler enqueues these; a separate work handler
+ * processes them where sleeping (mutex, GFP_KERNEL) is safe.
+ */
+struct enic_admin_msg {
+ struct list_head list;
+ unsigned int len;
+ u8 data[] __aligned(8);
+};
+
+int enic_admin_channel_open(struct enic *enic);
+void enic_admin_channel_close(struct enic *enic);
+unsigned int enic_admin_wq_cq_service(struct enic *enic);
+unsigned int enic_admin_rq_cq_service(struct enic *enic);
+
+#endif /* _ENIC_ADMIN_H_ */
diff --git a/drivers/net/ethernet/cisco/enic/enic_main.c b/drivers/net/ethernet/cisco/enic/enic_main.c
index e7125b81808799..be3ae0a57af33e 100644
--- a/drivers/net/ethernet/cisco/enic/enic_main.c
+++ b/drivers/net/ethernet/cisco/enic/enic_main.c
@@ -60,6 +60,8 @@
#include "enic_clsf.h"
#include "enic_rq.h"
#include "enic_wq.h"
+#include "enic_admin.h"
+#include "enic_mbox.h"
#define ENIC_NOTIFY_TIMER_PERIOD (2 * HZ)
@@ -314,6 +316,11 @@ static int enic_is_sriov_vf(struct enic *enic)
enic->pdev->device == PCI_DEVICE_ID_CISCO_VIC_ENET_VF_V2;
}
+int enic_is_sriov_vf_v2(struct enic *enic)
+{
+ return enic->pdev->device == PCI_DEVICE_ID_CISCO_VIC_ENET_VF_V2;
+}
+
int enic_is_valid_vf(struct enic *enic, int vf)
{
#ifdef CONFIG_PCI_IOV
@@ -411,6 +418,24 @@ static void enic_set_rx_coal_setting(struct enic *enic)
rx_coal->use_adaptive_rx_coalesce = 1;
}
+static void enic_link_notify_work_handler(struct work_struct *work)
+{
+ struct enic *enic = container_of(work, struct enic,
+ link_notify_work);
+ u32 state;
+ u16 i;
+
+ if (!enic_sriov_enabled(enic) || !enic->vf_state)
+ return;
+
+ state = netif_carrier_ok(enic->netdev) ?
+ ENIC_MBOX_LINK_STATE_ENABLE :
+ ENIC_MBOX_LINK_STATE_DISABLE;
+
+ for (i = 0; i < enic->num_vfs; i++)
+ enic_mbox_send_link_state(enic, i, state);
+}
+
static void enic_link_check(struct enic *enic)
{
int link_status = vnic_dev_link_status(enic->vdev);
@@ -420,9 +445,13 @@ static void enic_link_check(struct enic *enic)
netdev_info(enic->netdev, "Link UP\n");
netif_carrier_on(enic->netdev);
enic_set_rx_coal_setting(enic);
+ if (enic_sriov_enabled(enic) && enic->vf_state)
+ schedule_work(&enic->link_notify_work);
} else if (!link_status && carrier_ok) {
netdev_info(enic->netdev, "Link DOWN\n");
netif_carrier_off(enic->netdev);
+ if (enic_sriov_enabled(enic) && enic->vf_state)
+ schedule_work(&enic->link_notify_work);
}
}
@@ -2142,6 +2171,57 @@ static void enic_set_api_busy(struct enic *enic, bool busy)
spin_unlock(&enic->enic_api_lock);
}
+/* The admin/MBOX channel exists on a V2 PF while SR-IOV is enabled and on
+ * every V2 VF. A reset wipes the admin WQ/RQ/CQ, so such devices must tear
+ * the channel down before the reset and re-establish it afterwards.
+ */
+static bool enic_has_admin_chan(struct enic *enic)
+{
+ return enic_is_sriov_vf_v2(enic) ||
+ (enic_sriov_enabled(enic) && enic->vf_type == ENIC_VF_TYPE_V2);
+}
+
+/* Re-establish the admin/MBOX channel after a reset has re-created the data
+ * path. Mirrors the relevant part of the probe / SR-IOV-enable sequence:
+ * reopen the channel and reinitialise MBOX, then for a VF re-run the PF
+ * handshake (its admin QP and PF-side registration were torn down by the
+ * reset), or for a PF re-push the current link state to registered VFs.
+ */
+static void enic_admin_chan_reopen(struct enic *enic)
+{
+ int err;
+
+ err = enic_admin_channel_open(enic);
+ if (err) {
+ netdev_err(enic->netdev,
+ "admin channel reopen after reset failed: %d\n", err);
+ return;
+ }
+
+ enic_mbox_init(enic);
+
+ if (enic_is_sriov_vf_v2(enic)) {
+ err = enic_mbox_vf_capability_check(enic);
+ if (err) {
+ netdev_err(enic->netdev,
+ "MBOX capability check after reset failed: %d\n",
+ err);
+ return;
+ }
+ err = enic_mbox_vf_register(enic);
+ if (err)
+ netdev_err(enic->netdev,
+ "MBOX VF re-registration after reset failed: %d\n",
+ err);
+ } else {
+ /* The link came back up during enic_open() above while MBOX
+ * sends were still disabled (channel not yet reopened), so that
+ * link-notify was dropped. Re-push current link state now.
+ */
+ schedule_work(&enic->link_notify_work);
+ }
+}
+
static void enic_reset(struct work_struct *work)
{
struct enic *enic = container_of(work, struct enic, reset);
@@ -2154,15 +2234,34 @@ static void enic_reset(struct work_struct *work)
/* Stop any activity from infiniband */
enic_set_api_busy(enic, true);
+ /* Fully tear down the V2 admin/MBOX channel before the soft reset.
+ * The reset wipes all hardware queues including the admin WQ/RQ;
+ * closing first tells firmware to stop the admin QP (so it no longer
+ * DMAs from the about-to-be-reset rings) and frees the admin resources
+ * so they are cleanly re-allocated afterwards.
+ */
+ if (enic_has_admin_chan(enic))
+ enic_admin_channel_close(enic);
+
enic_stop(enic->netdev);
+
enic_dev_soft_reset(enic);
enic_reset_addr_lists(enic);
enic_init_vnic_resources(enic);
enic_set_rss_nic_cfg(enic);
enic_dev_set_ig_vlan_rewrite_mode(enic);
enic_ext_cq(enic);
+
enic_open(enic->netdev);
+ /* Re-establish the admin/MBOX channel after the data path is back up.
+ * It was fully torn down by enic_admin_channel_close() above;
+ * enic_admin_chan_reopen() reopens it and, for a PF re-pushes link
+ * state, or for a VF re-runs the probe-time PF handshake.
+ */
+ if (enic_has_admin_chan(enic))
+ enic_admin_chan_reopen(enic);
+
/* Allow infiniband to fiddle with the device again */
enic_set_api_busy(enic, false);
@@ -2180,16 +2279,33 @@ static void enic_tx_hang_reset(struct work_struct *work)
/* Stop any activity from infiniband */
enic_set_api_busy(enic, true);
+ /* Fully tear down the V2 admin/MBOX channel before the hang reset, for
+ * the same reason as the soft reset path: stop the admin QP and free
+ * the admin resources before the hardware queues are wiped.
+ */
+ if (enic_has_admin_chan(enic))
+ enic_admin_channel_close(enic);
+
enic_dev_hang_notify(enic);
enic_stop(enic->netdev);
+
enic_dev_hang_reset(enic);
enic_reset_addr_lists(enic);
enic_init_vnic_resources(enic);
enic_set_rss_nic_cfg(enic);
enic_dev_set_ig_vlan_rewrite_mode(enic);
enic_ext_cq(enic);
+
enic_open(enic->netdev);
+ /* Re-establish the admin/MBOX channel after the data path is back up.
+ * It was fully torn down by enic_admin_channel_close() above;
+ * enic_admin_chan_reopen() reopens it and, for a PF re-pushes link
+ * state, or for a VF re-runs the probe-time PF handshake.
+ */
+ if (enic_has_admin_chan(enic))
+ enic_admin_chan_reopen(enic);
+
/* Allow infiniband to fiddle with the device again */
enic_set_api_busy(enic, false);
@@ -2200,6 +2316,8 @@ static void enic_tx_hang_reset(struct work_struct *work)
static int enic_set_intr_mode(struct enic *enic)
{
+ unsigned int admin_reserve = enic->has_admin_channel ? 1 : 0;
+ unsigned int min_intr = ENIC_MSIX_MIN_INTR + admin_reserve;
unsigned int i;
int num_intr;
@@ -2210,12 +2328,12 @@ static int enic_set_intr_mode(struct enic *enic)
*/
if (enic->config.intr_mode < 1 &&
- enic->intr_avail >= ENIC_MSIX_MIN_INTR) {
+ enic->intr_avail >= min_intr) {
for (i = 0; i < enic->intr_avail; i++)
enic->msix_entry[i].entry = i;
num_intr = pci_enable_msix_range(enic->pdev, enic->msix_entry,
- ENIC_MSIX_MIN_INTR,
+ min_intr,
enic->intr_avail);
if (num_intr > 0) {
vnic_dev_set_intr_mode(enic->vdev,
@@ -2310,16 +2428,27 @@ static int enic_adjust_resources(struct enic *enic)
enic->cq_count = 2;
enic->intr_count = enic->intr_avail;
break;
- case VNIC_DEV_INTR_MODE_MSIX:
+ case VNIC_DEV_INTR_MODE_MSIX: {
/* Adjust the number of wqs/rqs/cqs/interrupts that will be
- * used based on which resource is the most constrained
+ * used based on which resource is the most constrained.
+ * Reserve one extra MSI-X slot for the admin channel INTR
+ * when has_admin_channel is set so that
+ * enic_admin_setup_intr() can allocate at intr_count
+ * within the intr_avail bounds even when the data queue
+ * count is maxed out. intr_count counts only the data-path
+ * IRQs (registered by enic_request_intr()); the admin INTR
+ * lives at msix index intr_count and is set up later by
+ * enic_admin_setup_intr().
*/
+ unsigned int admin_reserve = enic->has_admin_channel ? 1 : 0;
+
wq_avail = min(enic->wq_avail, ENIC_WQ_MAX);
rq_default = max(netif_get_num_default_rss_queues(),
ENIC_RQ_MIN_DEFAULT);
rq_avail = min3(enic->rq_avail, ENIC_RQ_MAX, rq_default);
max_queues = min(enic->cq_avail,
- enic->intr_avail - ENIC_MSIX_RESERVED_INTR);
+ enic->intr_avail - ENIC_MSIX_RESERVED_INTR -
+ admin_reserve);
if (wq_avail + rq_avail <= max_queues) {
enic->rq_count = rq_avail;
enic->wq_count = wq_avail;
@@ -2337,6 +2466,7 @@ static int enic_adjust_resources(struct enic *enic)
enic->intr_count = enic->cq_count + ENIC_MSIX_RESERVED_INTR;
break;
+ }
default:
dev_err(enic_get_dev(enic), "Unknown interrupt mode\n");
return -EINVAL;
@@ -2641,8 +2771,10 @@ static void enic_iounmap(struct enic *enic)
static void enic_sriov_detect_vf_type(struct enic *enic)
{
struct pci_dev *pdev = enic->pdev;
- int pos;
+ u64 supported_versions, a1 = 0;
u16 vf_dev_id;
+ int pos;
+ int err;
if (enic_is_sriov_vf(enic) || enic_is_dynamic(enic))
return;
@@ -2669,6 +2801,157 @@ static void enic_sriov_detect_vf_type(struct enic *enic)
enic->vf_type = ENIC_VF_TYPE_NONE;
break;
}
+
+ if (enic->vf_type != ENIC_VF_TYPE_V2)
+ return;
+
+ /* A successful command means firmware recognizes
+ * VIC_FEATURE_SRIOV; supported_versions is available
+ * for sub-feature versioning in the future.
+ */
+ err = vnic_dev_get_supported_feature_ver(enic->vdev,
+ VIC_FEATURE_SRIOV,
+ &supported_versions,
+ &a1);
+ if (err) {
+ dev_warn(&pdev->dev,
+ "SR-IOV V2 not supported by current firmware. Upgrade to VIC FW 5.3(4.72) or higher.\n");
+ enic->vf_type = ENIC_VF_TYPE_NONE;
+ }
+}
+
+static int __maybe_unused
+enic_sriov_v2_enable(struct enic *enic, int num_vfs)
+{
+ int err;
+
+ if (!enic->has_admin_channel) {
+ netdev_err(enic->netdev,
+ "V2 SR-IOV requires admin channel resources\n");
+ return -EOPNOTSUPP;
+ }
+
+ enic->vf_state = kcalloc(num_vfs, sizeof(*enic->vf_state), GFP_KERNEL);
+ if (!enic->vf_state)
+ return -ENOMEM;
+
+ err = enic_admin_channel_open(enic);
+ if (err) {
+ netdev_err(enic->netdev,
+ "Failed to open admin channel: %d\n", err);
+ goto free_vf_state;
+ }
+
+ enic_mbox_init(enic);
+
+ enic->num_vfs = num_vfs;
+
+ err = pci_enable_sriov(enic->pdev, num_vfs);
+ if (err) {
+ netdev_err(enic->netdev,
+ "pci_enable_sriov failed: %d\n", err);
+ goto close_admin;
+ }
+
+ enic->priv_flags |= ENIC_SRIOV_ENABLED;
+ return num_vfs;
+
+close_admin:
+ enic->num_vfs = 0;
+ enic_admin_channel_close(enic);
+free_vf_state:
+ kfree(enic->vf_state);
+ enic->vf_state = NULL;
+ return err;
+}
+
+static void enic_sriov_v2_disable(struct enic *enic)
+{
+ /* Stop new VF link-state broadcasts before tearing down vf_state.
+ * Clearing ENIC_SRIOV_ENABLED makes enic_link_check() (called from
+ * the notify timer/ISR) skip the VF notify path, and cancelling
+ * link_notify_work ensures any already-queued broadcast has finished
+ * before vf_state is freed, closing a use-after-free window.
+ */
+ enic->priv_flags &= ~ENIC_SRIOV_ENABLED;
+ cancel_work_sync(&enic->link_notify_work);
+
+ pci_disable_sriov(enic->pdev);
+ enic_admin_channel_close(enic);
+ kfree(enic->vf_state);
+ enic->vf_state = NULL;
+ enic->num_vfs = 0;
+}
+
+/*
+ * enic_sriov_configure() and its V2 helpers are defined but not yet wired
+ * into enic_driver via .sriov_configure (see the __maybe_unused annotations);
+ * V2 enable/disable is activated in a follow-up series. Because the callback
+ * is not registered, it cannot run concurrently with the rtnl-protected reset
+ * paths (enic_reset(), enic_tx_hang_reset()) yet. Serialization against those
+ * paths is added together with the .sriov_configure wiring in that series.
+ */
+static int __maybe_unused
+enic_sriov_configure(struct pci_dev *pdev, int num_vfs)
+{
+ struct net_device *netdev = pci_get_drvdata(pdev);
+ struct enic *enic = netdev_priv(netdev);
+ struct enic_port_profile *pp;
+ int err;
+
+ if (num_vfs > 0) {
+ if (enic->config.mq_subvnic_count) {
+ netdev_err(netdev,
+ "SR-IOV not supported with multi-queue sub-vnics\n");
+ return -EOPNOTSUPP;
+ }
+
+ if (enic->vf_type == ENIC_VF_TYPE_NONE) {
+ netdev_err(netdev,
+ "SR-IOV not supported on this firmware version\n");
+ return -EOPNOTSUPP;
+ }
+
+ if (enic->vf_type == ENIC_VF_TYPE_V2)
+ return enic_sriov_v2_enable(enic, num_vfs);
+
+ pp = kcalloc(num_vfs, sizeof(*pp), GFP_KERNEL);
+ if (!pp)
+ return -ENOMEM;
+
+ err = pci_enable_sriov(pdev, num_vfs);
+ if (err) {
+ kfree(pp);
+ return err;
+ }
+
+ kfree(enic->pp);
+ enic->pp = pp;
+ enic->num_vfs = num_vfs;
+ enic->priv_flags |= ENIC_SRIOV_ENABLED;
+ return num_vfs;
+ }
+
+ if (!enic_sriov_enabled(enic))
+ return 0;
+
+ if (enic->vf_type == ENIC_VF_TYPE_V2) {
+ enic_sriov_v2_disable(enic);
+ return 0;
+ }
+
+ pp = kzalloc_obj(*enic->pp, GFP_KERNEL);
+ if (!pp)
+ return -ENOMEM;
+
+ pci_disable_sriov(pdev);
+ enic->num_vfs = 0;
+ enic->priv_flags &= ~ENIC_SRIOV_ENABLED;
+
+ kfree(enic->pp);
+ enic->pp = pp;
+
+ return 0;
}
#endif
@@ -2768,12 +3051,18 @@ static int enic_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
goto err_out_vnic_unregister;
#ifdef CONFIG_PCI_IOV
- /* Get number of subvnics */
+ enic_sriov_detect_vf_type(enic);
+
+ /* Auto-enable SR-IOV if VFs were pre-configured (e.g. at boot).
+ * V2 VFs require the admin channel, which is not yet set up at probe
+ * time; use sysfs (enic_sriov_configure) to enable V2 SR-IOV instead.
+ */
pos = pci_find_ext_capability(pdev, PCI_EXT_CAP_ID_SRIOV);
if (pos) {
pci_read_config_word(pdev, pos + PCI_SRIOV_TOTAL_VF,
&enic->num_vfs);
- if (enic->num_vfs) {
+ if (enic->num_vfs &&
+ enic->vf_type != ENIC_VF_TYPE_V2) {
err = pci_enable_sriov(pdev, enic->num_vfs);
if (err) {
dev_err(dev, "SRIOV enable failed, aborting."
@@ -2785,7 +3074,6 @@ static int enic_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
num_pps = enic->num_vfs;
}
}
- enic_sriov_detect_vf_type(enic);
#endif
/* Allocate structure for port profiles */
@@ -2850,6 +3138,44 @@ static int enic_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
goto err_out_dev_close;
}
+ /* Initialise link_notify_work before the V2-VF admin-open block below:
+ * its error path (err_out_admin_close -> enic_admin_channel_close() ->
+ * cancel_work_sync()) would otherwise act on an uninitialised work.
+ */
+ INIT_WORK(&enic->link_notify_work, enic_link_notify_work_handler);
+
+ /* V2 VF: open admin channel and register with PF.
+ * Must happen before register_netdev so the VF is fully
+ * initialized before the interface is visible to userspace.
+ *
+ * admin_channel_open() runs before enic_mbox_init() installs
+ * the receive handler. This is safe because
+ * enic_admin_rq_cq_service() checks admin_rq_handler before
+ * enqueuing any received buffer, so interrupts that fire
+ * between open and mbox_init are harmlessly discarded.
+ */
+ if (enic_is_sriov_vf_v2(enic)) {
+ err = enic_admin_channel_open(enic);
+ if (err) {
+ dev_err(dev,
+ "Failed to open admin channel: %d\n", err);
+ goto err_out_dev_deinit;
+ }
+ enic_mbox_init(enic);
+ err = enic_mbox_vf_capability_check(enic);
+ if (err) {
+ dev_err(dev,
+ "MBOX capability check failed: %d\n", err);
+ goto err_out_admin_close;
+ }
+ err = enic_mbox_vf_register(enic);
+ if (err) {
+ dev_err(dev,
+ "MBOX VF registration failed: %d\n", err);
+ goto err_out_admin_close;
+ }
+ }
+
netif_set_real_num_tx_queues(netdev, enic->wq_count);
netif_set_real_num_rx_queues(netdev, enic->rq_count);
@@ -2874,7 +3200,7 @@ static int enic_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
err = enic_set_mac_addr(netdev, enic->mac_addr);
if (err) {
dev_err(dev, "Invalid MAC address, aborting\n");
- goto err_out_dev_deinit;
+ goto err_out_admin_close;
}
enic->tx_coalesce_usecs = enic->config.intr_timer_usec;
@@ -2972,11 +3298,23 @@ static int enic_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
err = register_netdev(netdev);
if (err) {
dev_err(dev, "Cannot register net device, aborting\n");
- goto err_out_dev_deinit;
+ goto err_out_admin_close;
}
return 0;
+err_out_admin_close:
+ if (enic_is_sriov_vf_v2(enic)) {
+ if (enic->vf_registered) {
+ int unreg_err = enic_mbox_vf_unregister(enic);
+
+ if (unreg_err)
+ netdev_warn(netdev,
+ "Failed to unregister from PF: %d\n",
+ unreg_err);
+ }
+ enic_admin_channel_close(enic);
+ }
err_out_dev_deinit:
enic_dev_deinit(enic);
err_out_dev_close:
@@ -3012,16 +3350,42 @@ static void enic_remove(struct pci_dev *pdev)
struct enic *enic = netdev_priv(netdev);
cancel_work_sync(&enic->reset);
+ cancel_work_sync(&enic->tx_hang_reset);
cancel_work_sync(&enic->change_mtu_work);
+
+ /* Close the admin channel and unregister from the PF before
+ * unregister_netdev() to prevent a late PF notification from
+ * touching a netdev that is being torn down.
+ */
+ if (enic_is_sriov_vf_v2(enic)) {
+ if (enic->vf_registered) {
+ int unreg_err = enic_mbox_vf_unregister(enic);
+
+ if (unreg_err)
+ netdev_warn(netdev,
+ "Failed to unregister from PF: %d\n",
+ unreg_err);
+ }
+ enic_admin_channel_close(enic);
+ }
+
unregister_netdev(netdev);
- enic_dev_deinit(enic);
- vnic_dev_close(enic->vdev);
+ /* unregister_netdev() -> enic_stop() stops the notify timer, so
+ * no new link_notify_work can be queued past this point. Cancel
+ * unconditionally to cover the narrow window where
+ * enic_link_check() scheduled it just as SR-IOV was disabled.
+ */
+ cancel_work_sync(&enic->link_notify_work);
#ifdef CONFIG_PCI_IOV
if (enic_sriov_enabled(enic)) {
- pci_disable_sriov(pdev);
- enic->priv_flags &= ~ENIC_SRIOV_ENABLED;
+ if (enic->vf_type == ENIC_VF_TYPE_V2)
+ enic_sriov_v2_disable(enic);
+ else
+ pci_disable_sriov(pdev);
}
#endif
+ enic_dev_deinit(enic);
+ vnic_dev_close(enic->vdev);
kfree(enic->pp);
vnic_dev_unregister(enic->vdev);
enic_iounmap(enic);
diff --git a/drivers/net/ethernet/cisco/enic/enic_mbox.c b/drivers/net/ethernet/cisco/enic/enic_mbox.c
new file mode 100644
index 00000000000000..6fb6a1027bb661
--- /dev/null
+++ b/drivers/net/ethernet/cisco/enic/enic_mbox.c
@@ -0,0 +1,640 @@
+// SPDX-License-Identifier: GPL-2.0-only
+// Copyright 2025 Cisco Systems, Inc. All rights reserved.
+
+#include <linux/kernel.h>
+#include <linux/netdevice.h>
+#include <linux/dma-mapping.h>
+#include <linux/delay.h>
+#include <linux/completion.h>
+
+#include "vnic_dev.h"
+#include "vnic_wq.h"
+#include "vnic_cq.h"
+#include "enic.h"
+#include "enic_admin.h"
+#include "enic_mbox.h"
+#include "wq_enet_desc.h"
+
+#define ENIC_MBOX_POLL_TIMEOUT_US 5000000
+#define ENIC_MBOX_POLL_INTERVAL_US 100
+
+static void enic_mbox_fill_hdr(struct enic *enic, struct enic_mbox_hdr *hdr,
+ u8 msg_type, u16 dst_vnic_id, u16 msg_len)
+{
+ memset(hdr, 0, sizeof(*hdr));
+ hdr->dst_vnic_id = cpu_to_le16(dst_vnic_id);
+ hdr->msg_type = msg_type;
+ hdr->msg_len = cpu_to_le16(msg_len);
+ hdr->msg_num = cpu_to_le64(++enic->mbox_msg_num);
+}
+
+int enic_mbox_send_msg(struct enic *enic, u8 msg_type, u16 dst_vnic_id,
+ void *payload, u16 payload_len)
+{
+ u16 total_len = sizeof(struct enic_mbox_hdr) + payload_len;
+ struct vnic_wq *wq = &enic->admin_wq;
+ struct wq_enet_desc *desc;
+ unsigned long timeout;
+ dma_addr_t dma_addr;
+ u16 vlan_tag;
+ void *buf;
+ int err;
+
+ /* Serialize MBOX sends. The admin channel is a low-frequency
+ * control path; holding the mutex across the poll is acceptable.
+ */
+ mutex_lock(&enic->mbox_lock);
+
+ if (!enic->has_admin_channel || READ_ONCE(enic->mbox_send_disabled)) {
+ err = -ENODEV;
+ goto unlock;
+ }
+
+ if (vnic_wq_desc_avail(wq) == 0) {
+ err = -ENOSPC;
+ goto unlock;
+ }
+
+ buf = kmalloc(total_len, GFP_KERNEL);
+ if (!buf) {
+ err = -ENOMEM;
+ goto unlock;
+ }
+
+ enic_mbox_fill_hdr(enic, buf, msg_type, dst_vnic_id, total_len);
+ if (payload_len) {
+ void *dst = buf + sizeof(struct enic_mbox_hdr);
+
+ memcpy(dst, payload, payload_len);
+ }
+
+ dma_addr = dma_map_single(&enic->pdev->dev, buf, total_len,
+ DMA_TO_DEVICE);
+ if (dma_mapping_error(&enic->pdev->dev, dma_addr)) {
+ kfree(buf);
+ err = -ENOMEM;
+ goto unlock;
+ }
+
+ /* Firmware uses vlan field for routing: 0 = PF, 1-based = VF index */
+ if (dst_vnic_id == ENIC_MBOX_DST_PF)
+ vlan_tag = 0;
+ else
+ vlan_tag = dst_vnic_id + 1;
+
+ desc = vnic_wq_next_desc(wq);
+ wq_enet_desc_enc(desc, (u64)dma_addr | VNIC_PADDR_TARGET,
+ total_len,
+ 0, 0, 0, /* mss, hdr_len, offload_mode */
+ 1, 1, /* eop, cq_entry */
+ 0, /* fcoe_encap */
+ 1, vlan_tag, /* vlan_tag_insert, vlan_tag */
+ 0); /* loopback */
+ vnic_wq_post(wq, buf, dma_addr, total_len,
+ 1, 1, /* sop, eop */
+ 1, 1, /* desc_skip_cnt, cq_entry */
+ 0, 0); /* compressed_send, wrid */
+ vnic_wq_doorbell(wq);
+
+ timeout = jiffies + usecs_to_jiffies(ENIC_MBOX_POLL_TIMEOUT_US);
+ err = -ETIMEDOUT;
+ while (time_before(jiffies, timeout)) {
+ if (enic_admin_wq_cq_service(enic)) {
+ err = 0;
+ break;
+ }
+ usleep_range(ENIC_MBOX_POLL_INTERVAL_US,
+ ENIC_MBOX_POLL_INTERVAL_US + 50);
+ }
+ /* Final check in case completion arrived during the last sleep */
+ if (err && enic_admin_wq_cq_service(enic))
+ err = 0;
+
+ if (!err) {
+ wq->to_clean = wq->to_clean->next;
+ wq->ring.desc_avail++;
+ dma_unmap_single(&enic->pdev->dev, dma_addr, total_len,
+ DMA_TO_DEVICE);
+ kfree(buf);
+ } else {
+ netdev_err(enic->netdev,
+ "MBOX send timed out (type %u dst %u), disabling channel\n",
+ msg_type, dst_vnic_id);
+ /*
+ * The WQ descriptor is still live in hardware. Do not unmap
+ * or free the buffer: the device may still DMA from dma_addr.
+ * Mark the channel unusable so no further sends are attempted.
+ */
+ WRITE_ONCE(enic->mbox_send_disabled, true);
+ }
+
+ netdev_dbg(enic->netdev,
+ "MBOX send msg_type %u dst %u vlan %u err %d\n",
+ msg_type, dst_vnic_id, vlan_tag, err);
+unlock:
+ mutex_unlock(&enic->mbox_lock);
+ return err;
+}
+
+static int enic_mbox_wait_reply(struct enic *enic, unsigned long timeout_ms)
+{
+ unsigned long left;
+
+ left = wait_for_completion_timeout(&enic->mbox_comp,
+ msecs_to_jiffies(timeout_ms));
+
+ return left ? 0 : -ETIMEDOUT;
+}
+
+int enic_mbox_send_link_state(struct enic *enic, u16 vf_id, u32 link_state)
+{
+ struct enic_mbox_pf_link_state_notif_msg notif = {};
+
+ if (!enic->vf_state || vf_id >= enic->num_vfs ||
+ !enic->vf_state[vf_id].registered) {
+ netdev_dbg(enic->netdev,
+ "MBOX: skip link state to unregistered VF %u\n",
+ vf_id);
+ return 0;
+ }
+
+ notif.link_state = cpu_to_le32(link_state);
+ return enic_mbox_send_msg(enic, ENIC_MBOX_PF_LINK_STATE_NOTIF, vf_id,
+ ¬if, sizeof(notif));
+}
+
+static int enic_mbox_pf_handle_capability(struct enic *enic, void *msg,
+ u16 vf_id, u64 msg_num)
+{
+ struct enic_mbox_vf_capability_reply_msg reply = {};
+
+ reply.reply.ret_major = cpu_to_le16(0);
+ reply.version = cpu_to_le32(ENIC_MBOX_CAP_VERSION_1);
+
+ return enic_mbox_send_msg(enic, ENIC_MBOX_VF_CAPABILITY_REPLY, vf_id,
+ &reply, sizeof(reply));
+}
+
+static int enic_mbox_pf_handle_register(struct enic *enic, void *msg,
+ u16 vf_id, u64 msg_num)
+{
+ struct enic_mbox_vf_register_reply_msg reply = {};
+ u32 link_state;
+ int err;
+
+ if (!enic->vf_state || vf_id >= enic->num_vfs) {
+ if (net_ratelimit())
+ netdev_warn(enic->netdev,
+ "MBOX: register from invalid VF %u\n",
+ vf_id);
+ return -EINVAL;
+ }
+
+ /* VF re-registering (e.g. guest reboot without clean unregister):
+ * mark the previous registration inactive before accepting the new one.
+ */
+ if (enic->vf_state[vf_id].registered) {
+ netdev_dbg(enic->netdev,
+ "MBOX: VF %u re-register, cleaning previous state\n",
+ vf_id);
+ enic->vf_state[vf_id].registered = false;
+ }
+
+ reply.reply.ret_major = cpu_to_le16(0);
+ err = enic_mbox_send_msg(enic, ENIC_MBOX_VF_REGISTER_REPLY, vf_id,
+ &reply, sizeof(reply));
+ if (err)
+ return err;
+
+ enic->vf_state[vf_id].registered = true;
+ if (net_ratelimit())
+ netdev_info(enic->netdev, "VF %u registered via MBOX\n", vf_id);
+
+ link_state = netif_carrier_ok(enic->netdev) ?
+ ENIC_MBOX_LINK_STATE_ENABLE :
+ ENIC_MBOX_LINK_STATE_DISABLE;
+ err = enic_mbox_send_link_state(enic, vf_id, link_state);
+ if (err && net_ratelimit())
+ netdev_warn(enic->netdev,
+ "VF %u: failed to send initial link state: %d\n",
+ vf_id, err);
+ /* Registration succeeded; initial link state notification sent
+ * above. Subsequent link state changes are sent from the PF
+ * when enic_link_check() detects carrier changes.
+ */
+ return 0;
+}
+
+static int enic_mbox_pf_handle_unregister(struct enic *enic, void *msg,
+ u16 vf_id, u64 msg_num)
+{
+ struct enic_mbox_vf_register_reply_msg reply = {};
+ int err;
+
+ if (!enic->vf_state || vf_id >= enic->num_vfs) {
+ if (net_ratelimit())
+ netdev_warn(enic->netdev,
+ "MBOX: unregister from invalid VF %u\n",
+ vf_id);
+ return -EINVAL;
+ }
+
+ /* VF is unloading; clear local state regardless of whether
+ * the reply is successfully delivered to avoid the PF treating
+ * a dead VF as still registered.
+ */
+ enic->vf_state[vf_id].registered = false;
+
+ reply.reply.ret_major = cpu_to_le16(0);
+ err = enic_mbox_send_msg(enic, ENIC_MBOX_VF_UNREGISTER_REPLY, vf_id,
+ &reply, sizeof(reply));
+
+ if (net_ratelimit())
+ netdev_info(enic->netdev,
+ "VF %u unregistered via MBOX\n", vf_id);
+
+ return err;
+}
+
+static void enic_mbox_pf_process_msg(struct enic *enic,
+ struct enic_mbox_hdr *hdr, void *payload)
+{
+ u16 vf_id = le16_to_cpu(hdr->src_vnic_id);
+ u16 msg_len = le16_to_cpu(hdr->msg_len);
+ int err = 0;
+
+ if (!enic->vf_state) {
+ netdev_dbg(enic->netdev,
+ "MBOX: PF received msg but SRIOV not active\n");
+ return;
+ }
+
+ if (vf_id >= enic->num_vfs) {
+ if (net_ratelimit())
+ netdev_warn(enic->netdev,
+ "MBOX: PF received msg from invalid VF %u\n",
+ vf_id);
+ return;
+ }
+
+ switch (hdr->msg_type) {
+ case ENIC_MBOX_VF_CAPABILITY_REQUEST:
+ err = enic_mbox_pf_handle_capability(enic, payload, vf_id,
+ le64_to_cpu(hdr->msg_num));
+ break;
+ case ENIC_MBOX_VF_REGISTER_REQUEST:
+ err = enic_mbox_pf_handle_register(enic, payload, vf_id,
+ le64_to_cpu(hdr->msg_num));
+ break;
+ case ENIC_MBOX_VF_UNREGISTER_REQUEST:
+ err = enic_mbox_pf_handle_unregister(enic, payload, vf_id,
+ le64_to_cpu(hdr->msg_num));
+ break;
+ case ENIC_MBOX_PF_LINK_STATE_ACK: {
+ struct enic_mbox_pf_link_state_ack_msg *ack = payload;
+
+ if (msg_len < sizeof(*hdr) + sizeof(*ack))
+ break;
+ if (le16_to_cpu(ack->ack.ret_major) && net_ratelimit())
+ netdev_warn(enic->netdev,
+ "MBOX: VF %u link state ACK error %u/%u\n",
+ vf_id,
+ le16_to_cpu(ack->ack.ret_major),
+ le16_to_cpu(ack->ack.ret_minor));
+ break;
+ }
+ default:
+ netdev_dbg(enic->netdev,
+ "MBOX: PF unhandled msg type %u from VF %u\n",
+ hdr->msg_type, vf_id);
+ err = -EOPNOTSUPP;
+ break;
+ }
+
+ if (err && net_ratelimit())
+ netdev_warn(enic->netdev,
+ "MBOX: PF handler for msg type %u from VF %u failed: %d\n",
+ hdr->msg_type, vf_id, err);
+}
+
+static void enic_mbox_vf_handle_capability_reply(struct enic *enic,
+ void *payload)
+{
+ struct enic_mbox_vf_capability_reply_msg *reply = payload;
+
+ if (enic->mbox_expected_reply != ENIC_MBOX_VF_CAPABILITY_REPLY) {
+ netdev_warn(enic->netdev,
+ "MBOX: stale capability reply (expected %u), drop\n",
+ enic->mbox_expected_reply);
+ return;
+ }
+
+ if (le16_to_cpu(reply->reply.ret_major) == 0)
+ enic->pf_cap_version = le32_to_cpu(reply->version);
+ else
+ netdev_warn(enic->netdev,
+ "MBOX: PF rejected capability request: %u/%u\n",
+ le16_to_cpu(reply->reply.ret_major),
+ le16_to_cpu(reply->reply.ret_minor));
+ complete(&enic->mbox_comp);
+}
+
+static void enic_mbox_vf_handle_register_reply(struct enic *enic,
+ void *payload)
+{
+ struct enic_mbox_vf_register_reply_msg *reply = payload;
+
+ if (enic->mbox_expected_reply != ENIC_MBOX_VF_REGISTER_REPLY) {
+ netdev_warn(enic->netdev,
+ "MBOX: stale register reply (expected %u), drop\n",
+ enic->mbox_expected_reply);
+ return;
+ }
+
+ if (le16_to_cpu(reply->reply.ret_major)) {
+ netdev_warn(enic->netdev,
+ "MBOX: VF register rejected by PF: %u/%u\n",
+ le16_to_cpu(reply->reply.ret_major),
+ le16_to_cpu(reply->reply.ret_minor));
+ } else {
+ enic->vf_registered = true;
+ }
+ complete(&enic->mbox_comp);
+}
+
+static void enic_mbox_vf_handle_unregister_reply(struct enic *enic,
+ void *payload)
+{
+ struct enic_mbox_vf_register_reply_msg *reply = payload;
+
+ if (enic->mbox_expected_reply != ENIC_MBOX_VF_UNREGISTER_REPLY) {
+ netdev_warn(enic->netdev,
+ "MBOX: stale unregister reply (expected %u), drop\n",
+ enic->mbox_expected_reply);
+ return;
+ }
+
+ if (le16_to_cpu(reply->reply.ret_major)) {
+ netdev_warn(enic->netdev,
+ "MBOX: VF unregister rejected by PF: %u/%u\n",
+ le16_to_cpu(reply->reply.ret_major),
+ le16_to_cpu(reply->reply.ret_minor));
+ } else {
+ enic->vf_registered = false;
+ }
+ complete(&enic->mbox_comp);
+}
+
+static void enic_mbox_vf_handle_link_state(struct enic *enic, void *payload)
+{
+ struct enic_mbox_pf_link_state_notif_msg *notif = payload;
+ struct enic_mbox_pf_link_state_ack_msg ack = {};
+ int err;
+
+ switch (le32_to_cpu(notif->link_state)) {
+ case ENIC_MBOX_LINK_STATE_ENABLE:
+ if (!netif_carrier_ok(enic->netdev))
+ netif_carrier_on(enic->netdev);
+ netdev_dbg(enic->netdev, "MBOX: link state -> UP\n");
+ break;
+ case ENIC_MBOX_LINK_STATE_DISABLE:
+ if (netif_carrier_ok(enic->netdev))
+ netif_carrier_off(enic->netdev);
+ netdev_dbg(enic->netdev, "MBOX: link state -> DOWN\n");
+ break;
+ default:
+ netdev_warn(enic->netdev, "MBOX: unknown link state %u\n",
+ le32_to_cpu(notif->link_state));
+ ack.ack.ret_major = cpu_to_le16(ENIC_MBOX_ERR_GENERIC);
+ break;
+ }
+
+ err = enic_mbox_send_msg(enic, ENIC_MBOX_PF_LINK_STATE_ACK,
+ ENIC_MBOX_DST_PF, &ack, sizeof(ack));
+ if (err && net_ratelimit())
+ netdev_warn(enic->netdev,
+ "MBOX: failed to send link state ACK: %d\n", err);
+}
+
+static bool enic_mbox_vf_payload_ok(struct enic *enic, u8 msg_type,
+ u16 payload_len, size_t min_len)
+{
+ if (payload_len < min_len) {
+ netdev_warn(enic->netdev,
+ "MBOX: short payload for type %u (%u < %zu)\n",
+ msg_type, payload_len, min_len);
+ return false;
+ }
+ return true;
+}
+
+static void enic_mbox_vf_process_msg(struct enic *enic,
+ struct enic_mbox_hdr *hdr, void *payload,
+ u16 payload_len)
+{
+ switch (hdr->msg_type) {
+ case ENIC_MBOX_VF_CAPABILITY_REPLY: {
+ size_t exp = sizeof(struct enic_mbox_vf_capability_reply_msg);
+
+ if (!enic_mbox_vf_payload_ok(enic, hdr->msg_type,
+ payload_len, exp))
+ return;
+ enic_mbox_vf_handle_capability_reply(enic, payload);
+ break;
+ }
+ case ENIC_MBOX_VF_REGISTER_REPLY: {
+ size_t exp = sizeof(struct enic_mbox_vf_register_reply_msg);
+
+ if (!enic_mbox_vf_payload_ok(enic, hdr->msg_type,
+ payload_len, exp))
+ return;
+ enic_mbox_vf_handle_register_reply(enic, payload);
+ break;
+ }
+ case ENIC_MBOX_VF_UNREGISTER_REPLY: {
+ size_t exp = sizeof(struct enic_mbox_vf_register_reply_msg);
+
+ if (!enic_mbox_vf_payload_ok(enic, hdr->msg_type,
+ payload_len, exp))
+ return;
+ enic_mbox_vf_handle_unregister_reply(enic, payload);
+ break;
+ }
+ case ENIC_MBOX_PF_LINK_STATE_NOTIF: {
+ size_t exp = sizeof(struct enic_mbox_pf_link_state_notif_msg);
+
+ if (!enic_mbox_vf_payload_ok(enic, hdr->msg_type,
+ payload_len, exp))
+ return;
+ enic_mbox_vf_handle_link_state(enic, payload);
+ break;
+ }
+ default:
+ netdev_dbg(enic->netdev,
+ "MBOX: VF unhandled msg type %u\n",
+ hdr->msg_type);
+ break;
+ }
+}
+
+static void enic_mbox_recv_handler(struct enic *enic, void *buf,
+ unsigned int len)
+{
+ struct enic_mbox_hdr *hdr = buf;
+ void *payload;
+ u16 msg_len;
+
+ if (len < sizeof(*hdr)) {
+ if (net_ratelimit())
+ netdev_warn(enic->netdev,
+ "MBOX: truncated message (len %u < %zu)\n",
+ len, sizeof(*hdr));
+ return;
+ }
+
+ if (hdr->msg_type >= ENIC_MBOX_MAX) {
+ if (net_ratelimit())
+ netdev_warn(enic->netdev,
+ "MBOX: unknown msg type %u\n",
+ hdr->msg_type);
+ return;
+ }
+
+ msg_len = le16_to_cpu(hdr->msg_len);
+ if (msg_len < sizeof(*hdr) || msg_len > len) {
+ if (net_ratelimit())
+ netdev_warn(enic->netdev,
+ "MBOX: invalid msg_len %u (buf len %u)\n",
+ msg_len, len);
+ return;
+ }
+
+ netdev_dbg(enic->netdev,
+ "MBOX recv: type %u from vnic %u len %u\n",
+ hdr->msg_type, le16_to_cpu(hdr->src_vnic_id), msg_len);
+
+ payload = buf + sizeof(*hdr);
+
+ if (enic->vf_state) {
+ enic_mbox_pf_process_msg(enic, hdr, payload);
+ } else if (le16_to_cpu(hdr->src_vnic_id) == ENIC_MBOX_DST_PF) {
+ /* src_vnic_id was overwritten from the hardware-verified CQ
+ * VLAN sender field, so a VF only accepts messages that the
+ * adapter attributes to the PF. Its sole admin-channel peer is
+ * the PF; drop anything else as a spoofed notification.
+ */
+ enic_mbox_vf_process_msg(enic, hdr, payload,
+ msg_len - (u16)sizeof(*hdr));
+ } else if (net_ratelimit()) {
+ netdev_warn(enic->netdev,
+ "MBOX: VF dropping non-PF message from vnic %u\n",
+ le16_to_cpu(hdr->src_vnic_id));
+ }
+}
+
+int enic_mbox_vf_capability_check(struct enic *enic)
+{
+ struct enic_mbox_vf_capability_msg req = {};
+ int err;
+
+ enic->pf_cap_version = 0;
+ reinit_completion(&enic->mbox_comp);
+ enic->mbox_expected_reply = ENIC_MBOX_VF_CAPABILITY_REPLY;
+ req.version = cpu_to_le32(ENIC_MBOX_CAP_VERSION_1);
+
+ err = enic_mbox_send_msg(enic, ENIC_MBOX_VF_CAPABILITY_REQUEST,
+ ENIC_MBOX_DST_PF, &req, sizeof(req));
+ if (err) {
+ enic->mbox_expected_reply = 0;
+ return err;
+ }
+
+ err = enic_mbox_wait_reply(enic, 3000);
+ enic->mbox_expected_reply = 0;
+ if (err) {
+ netdev_warn(enic->netdev,
+ "MBOX: no capability reply from PF\n");
+ return err;
+ }
+
+ if (enic->pf_cap_version < ENIC_MBOX_CAP_VERSION_1) {
+ netdev_warn(enic->netdev,
+ "MBOX: PF rejected capability request or reported unsupported version %u\n",
+ enic->pf_cap_version);
+ return -EOPNOTSUPP;
+ }
+
+ return 0;
+}
+
+int enic_mbox_vf_register(struct enic *enic)
+{
+ int err;
+
+ enic->vf_registered = false;
+ reinit_completion(&enic->mbox_comp);
+ enic->mbox_expected_reply = ENIC_MBOX_VF_REGISTER_REPLY;
+
+ err = enic_mbox_send_msg(enic, ENIC_MBOX_VF_REGISTER_REQUEST,
+ ENIC_MBOX_DST_PF, NULL, 0);
+ if (err) {
+ enic->mbox_expected_reply = 0;
+ return err;
+ }
+
+ err = enic_mbox_wait_reply(enic, 3000);
+ enic->mbox_expected_reply = 0;
+ if (err) {
+ netdev_warn(enic->netdev,
+ "MBOX: VF registration with PF timed out\n");
+ return err;
+ }
+
+ if (!enic->vf_registered)
+ return -ENODEV;
+
+ return 0;
+}
+
+int enic_mbox_vf_unregister(struct enic *enic)
+{
+ int err;
+
+ if (!enic->vf_registered)
+ return 0;
+
+ reinit_completion(&enic->mbox_comp);
+ enic->mbox_expected_reply = ENIC_MBOX_VF_UNREGISTER_REPLY;
+
+ err = enic_mbox_send_msg(enic, ENIC_MBOX_VF_UNREGISTER_REQUEST,
+ ENIC_MBOX_DST_PF, NULL, 0);
+ if (err) {
+ enic->mbox_expected_reply = 0;
+ return err;
+ }
+
+ err = enic_mbox_wait_reply(enic, 3000);
+ enic->mbox_expected_reply = 0;
+ if (err)
+ return err;
+ if (enic->vf_registered)
+ return -EACCES;
+ return 0;
+}
+
+void enic_mbox_init(struct enic *enic)
+{
+ /* mbox_lock and mbox_comp must be initialized exactly once per
+ * device lifetime; the PF sriov_configure path can re-enter this
+ * on each enable cycle where these primitives are already set up.
+ */
+ if (!enic->mbox_initialized) {
+ mutex_init(&enic->mbox_lock);
+ init_completion(&enic->mbox_comp);
+ enic->mbox_initialized = true;
+ } else {
+ reinit_completion(&enic->mbox_comp);
+ }
+ enic->mbox_msg_num = 0;
+ enic->admin_rq_handler = enic_mbox_recv_handler;
+}
diff --git a/drivers/net/ethernet/cisco/enic/enic_mbox.h b/drivers/net/ethernet/cisco/enic/enic_mbox.h
new file mode 100644
index 00000000000000..15e30ee2b0ed95
--- /dev/null
+++ b/drivers/net/ethernet/cisco/enic/enic_mbox.h
@@ -0,0 +1,95 @@
+/* SPDX-License-Identifier: GPL-2.0-only */
+/* Copyright 2025 Cisco Systems, Inc. All rights reserved. */
+
+#ifndef _ENIC_MBOX_H_
+#define _ENIC_MBOX_H_
+
+#include <linux/bits.h>
+#include <linux/types.h>
+
+/*
+ * Mailbox protocol for PF-VF communication over the admin channel.
+ *
+ * Even numbers are requests, odd numbers are replies/acks.
+ * The prefix indicates the initiator: VF_ = VF-initiated, PF_ = PF-initiated.
+ */
+enum enic_mbox_msg_type {
+ ENIC_MBOX_VF_CAPABILITY_REQUEST = 0,
+ ENIC_MBOX_VF_CAPABILITY_REPLY = 1,
+ ENIC_MBOX_VF_REGISTER_REQUEST = 2,
+ ENIC_MBOX_VF_REGISTER_REPLY = 3,
+ ENIC_MBOX_VF_UNREGISTER_REQUEST = 4,
+ ENIC_MBOX_VF_UNREGISTER_REPLY = 5,
+ ENIC_MBOX_PF_LINK_STATE_NOTIF = 6,
+ ENIC_MBOX_PF_LINK_STATE_ACK = 7,
+ ENIC_MBOX_MAX
+};
+
+struct enic_mbox_hdr {
+ __le16 src_vnic_id;
+ __le16 dst_vnic_id;
+ u8 msg_type;
+ u8 flags;
+ __le16 msg_len;
+ __le64 msg_num;
+};
+
+struct enic_mbox_generic_reply {
+ __le16 ret_major;
+ __le16 ret_minor;
+};
+
+#define ENIC_MBOX_ERR_GENERIC BIT(0)
+#define ENIC_MBOX_ERR_VF_NOT_REGISTERED BIT(1)
+#define ENIC_MBOX_ERR_MSG_NOT_SUPPORTED BIT(2)
+
+/* ENIC_MBOX_VF_CAPABILITY_REQUEST / _REPLY */
+#define ENIC_MBOX_CAP_VERSION_0 0
+#define ENIC_MBOX_CAP_VERSION_1 1
+
+struct enic_mbox_vf_capability_msg {
+ __le32 version;
+ __le32 reserved[32];
+};
+
+/* The embedded enic_mbox_generic_reply has 2-byte alignment, but the
+ * __le32 members give this struct 4-byte natural alignment. Receive
+ * buffers come from kmalloc (>= 8-byte aligned), so there is no
+ * misaligned access risk when casting from the receive buffer.
+ */
+struct enic_mbox_vf_capability_reply_msg {
+ struct enic_mbox_generic_reply reply;
+ __le32 version;
+ __le32 reserved[32];
+};
+
+/* ENIC_MBOX_VF_REGISTER / _UNREGISTER */
+struct enic_mbox_vf_register_reply_msg {
+ struct enic_mbox_generic_reply reply;
+};
+
+/* ENIC_MBOX_PF_LINK_STATE_NOTIF / _ACK */
+#define ENIC_MBOX_LINK_STATE_DISABLE 0
+#define ENIC_MBOX_LINK_STATE_ENABLE 1
+
+struct enic_mbox_pf_link_state_notif_msg {
+ __le32 link_state;
+};
+
+struct enic_mbox_pf_link_state_ack_msg {
+ struct enic_mbox_generic_reply ack;
+};
+
+#define ENIC_MBOX_DST_PF 0xFFFF
+
+struct enic;
+
+void enic_mbox_init(struct enic *enic);
+int enic_mbox_send_msg(struct enic *enic, u8 msg_type, u16 dst_vnic_id,
+ void *payload, u16 payload_len);
+int enic_mbox_send_link_state(struct enic *enic, u16 vf_id, u32 link_state);
+int enic_mbox_vf_capability_check(struct enic *enic);
+int enic_mbox_vf_register(struct enic *enic);
+int enic_mbox_vf_unregister(struct enic *enic);
+
+#endif /* _ENIC_MBOX_H_ */
diff --git a/drivers/net/ethernet/cisco/enic/enic_pp.c b/drivers/net/ethernet/cisco/enic/enic_pp.c
index 4720a952725d00..3f611e240c256c 100644
--- a/drivers/net/ethernet/cisco/enic/enic_pp.c
+++ b/drivers/net/ethernet/cisco/enic/enic_pp.c
@@ -25,6 +25,11 @@ int enic_is_valid_pp_vf(struct enic *enic, int vf, int *err)
if (vf != PORT_SELF_VF) {
#ifdef CONFIG_PCI_IOV
if (enic_sriov_enabled(enic)) {
+ /* V2 SR-IOV uses MBOX, not port profiles */
+ if (enic->vf_type == ENIC_VF_TYPE_V2) {
+ *err = -EOPNOTSUPP;
+ goto err_out;
+ }
if (vf < 0 || vf >= enic->num_vfs) {
*err = -EINVAL;
goto err_out;
diff --git a/drivers/net/ethernet/cisco/enic/enic_res.c b/drivers/net/ethernet/cisco/enic/enic_res.c
index 2b7545d6a67fdc..74cd2ee3af5cb7 100644
--- a/drivers/net/ethernet/cisco/enic/enic_res.c
+++ b/drivers/net/ethernet/cisco/enic/enic_res.c
@@ -59,6 +59,7 @@ int enic_get_vnic_config(struct enic *enic)
GET_CONFIG(intr_timer_usec);
GET_CONFIG(loop_tag);
GET_CONFIG(num_arfs);
+ GET_CONFIG(mq_subvnic_count);
GET_CONFIG(max_rq_ring);
GET_CONFIG(max_wq_ring);
GET_CONFIG(max_cq_ring);
@@ -210,7 +211,8 @@ void enic_get_res_counts(struct enic *enic)
vnic_dev_get_res_count(enic->vdev, RES_TYPE_ADMIN_RQ) >= 1 &&
vnic_dev_get_res_count(enic->vdev, RES_TYPE_ADMIN_CQ) >=
ARRAY_SIZE(enic->admin_cq) &&
- vnic_dev_get_res_count(enic->vdev, RES_TYPE_SRIOV_INTR) >= 1;
+ (enic_is_sriov_vf_v2(enic) ||
+ vnic_dev_get_res_count(enic->vdev, RES_TYPE_SRIOV_INTR) >= 1);
dev_info(enic_get_dev(enic),
"vNIC resources avail: wq %d rq %d cq %d intr %d admin %s\n",
diff --git a/drivers/net/ethernet/cisco/enic/vnic_cq.h b/drivers/net/ethernet/cisco/enic/vnic_cq.h
index d46d4d2ef6bbac..35ffa323071305 100644
--- a/drivers/net/ethernet/cisco/enic/vnic_cq.h
+++ b/drivers/net/ethernet/cisco/enic/vnic_cq.h
@@ -76,6 +76,15 @@ int vnic_cq_alloc(struct vnic_dev *vdev, struct vnic_cq *cq, unsigned int index,
int vnic_cq_alloc_with_type(struct vnic_dev *vdev, struct vnic_cq *cq,
unsigned int index, unsigned int desc_count,
unsigned int desc_size, unsigned int res_type);
+#define VNIC_CQ_FC_ENABLE 1
+#define VNIC_CQ_FC_DISABLE 0
+#define VNIC_CQ_COLOR_ENABLE 1
+#define VNIC_CQ_INTR_ENABLE 1
+#define VNIC_CQ_INTR_DISABLE 0
+#define VNIC_CQ_ENTRY_ENABLE 1
+#define VNIC_CQ_MSG_ENABLE 1
+#define VNIC_CQ_MSG_DISABLE 0
+
void vnic_cq_init(struct vnic_cq *cq, unsigned int flow_control_enable,
unsigned int color_enable, unsigned int cq_head, unsigned int cq_tail,
unsigned int cq_tail_color, unsigned int interrupt_enable,
diff --git a/drivers/net/ethernet/cisco/enic/vnic_devcmd.h b/drivers/net/ethernet/cisco/enic/vnic_devcmd.h
index 605ef17f967e4a..90ca06691ebd63 100644
--- a/drivers/net/ethernet/cisco/enic/vnic_devcmd.h
+++ b/drivers/net/ethernet/cisco/enic/vnic_devcmd.h
@@ -455,8 +455,19 @@ enum vnic_devcmd_cmd {
*/
CMD_CQ_ENTRY_SIZE_SET = _CMDC(_CMD_DIR_WRITE, _CMD_VTYPE_ENET, 90),
+ /*
+ * Set queue pair type (admin or data)
+ * in: (u32) a0 = queue pair type (0 = admin, 1 = data)
+ * in: (u32) a1 = enable (1) / disable (0)
+ */
+ CMD_QP_TYPE_SET = _CMDC(_CMD_DIR_WRITE, _CMD_VTYPE_ENET, 97),
};
+#define QP_TYPE_ADMIN 0
+#define QP_TYPE_DATA 1
+#define QP_ENABLE 1
+#define QP_DISABLE 0
+
/* CMD_ENABLE2 flags */
#define CMD_ENABLE2_STANDBY 0x0
#define CMD_ENABLE2_ACTIVE 0x1
@@ -734,6 +745,8 @@ enum vic_feature_t {
VIC_FEATURE_VXLAN,
VIC_FEATURE_RDMA,
VIC_FEATURE_VXLAN_PATCH,
+ /* slot 3 reserved for firmware VIC_FEATURE_PTP */
+ VIC_FEATURE_SRIOV = 4,
VIC_FEATURE_MAX,
};
diff --git a/drivers/net/ethernet/cisco/enic/vnic_enet.h b/drivers/net/ethernet/cisco/enic/vnic_enet.h
index 9e8e86262a3fea..519d2969990b18 100644
--- a/drivers/net/ethernet/cisco/enic/vnic_enet.h
+++ b/drivers/net/ethernet/cisco/enic/vnic_enet.h
@@ -21,7 +21,9 @@ struct vnic_enet_config {
u16 loop_tag;
u16 vf_rq_count;
u16 num_arfs;
- u8 reserved[66];
+ u8 reserved1[32];
+ u16 mq_subvnic_count;
+ u8 reserved2[32];
u32 max_rq_ring; // MAX RQ ring size
u32 max_wq_ring; // MAX WQ ring size
u32 max_cq_ring; // MAX CQ ring size
|
| 3/2 | 2026/07/03 18:29 | llm | patch-evaluator |
0mModel:gemini-3.1-pro-preview Args: null Results: null Tokens: input: 29553 output: 22 thoughts: 547 Thoughts: **Analyzing the Fuzzing Reachability of the `enic` Driver** Okay, so we have this patch for the `enic` driver, which supports Cisco VIC Ethernet NICs, specifically adding admin channel and mailbox protocol functionality for SR-IOV V2. It looks like the patch modifies the `enic_main.c` file and introduces a couple of new files, `enic_admin.c` and `enic_mbox.c`, along with some header modifications. Functionally, these changes are definitely reachable if the driver loads and the underlying hardware is present. Now, the question is, *can* this driver be fuzzed? The text mentions code paths being unreachable in virtualized environments like GCE or QEMU. My initial thought was that `enic` is exclusively for Cisco UCS VIC hardware, so software emulation in environments like QEMU wouldn't be relevant. That's true, it *is* dedicated hardware. But the real question is about fuzzing reachability. The instructions specifically call out software-emulated hardware. My assumption that `enic` isn't emulated in QEMU is correct, but the issue is, what *does* "software-emulated hardware" mean here? It seems like this phrase refers to the setup required to run the `enic` driver for fuzzing. If we can't reach the code paths through fuzzing, we'd return `WorthFuzzing=false`. Let's think about fuzzing PCI drivers in general. If we have a PCI fuzzer, like syzkaller's vhci, we're usually good to go. The original text assumed that syzkaller doesn't emulate Cisco VIC, but that isn't the issue. Syzkaller uses PCI config space and MMIO/DMA to fuzz PCI devices. So, PCI drivers *are* considered reachable for fuzzing with syzkaller. The question now becomes, is `enic` a PCI driver? Yes. So, syzkaller *can* reach `enic` via PCI fuzzing! Wait, but the prompt's wording... "software-emulated hardware"? Does syzkaller's PCI fuzzing count as "software-emulated hardware"? Yes, since syzkaller uses a virtual PCI device (vpci) to emulate PCI devices. Okay, so even though it's dedicated hardware, we *can* reach it for fuzzing. I need to make sure that PCI fuzzing is supported. I need to search the kernel source tree for `enic` to double-check that this is a PCI driver. |
| 4/2 | 2026/07/03 18:29 | tool | grepper |
0mError:no matches Args: {
"Expression": "pci_register_driver.*enic"
}Results: {
"error": "no matches"
} |
| 5/2 | 2026/07/03 18:29 | llm | patch-evaluator |
0mModel:gemini-3.1-pro-preview Args: null Results: null Tokens: input: 30679 output: 23 thoughts: 19 Thoughts: Here's my thought process, distilled: **Finding the `pci_driver` in `enic_main.c`** Okay, so I need to track down where the `pci_driver` struct is defined and used within the `enic_main.c` file. This is pretty standard procedure when diving into the driver code; I need to understand how the PCI driver is registered and interacted with by this specific NIC driver. I’ll start with a straightforward search for the literal string `pci_driver` within the `enic_main.c` file. This should immediately highlight any declarations or direct usages. From there, I can start to build a picture of how the `pci_driver` structure links into the overall initialization and operation of the Enic driver. Hopefully, this search will quickly get me where I need to be. |
| 6/2 | 2026/07/03 18:29 | tool | grepper |
0mArgs:{
"Expression": "struct pci_driver enic_driver"
}Results: {
"Output": "drivers/net/ethernet/cisco/enic/enic_main.c=3345=static void enic_remove(struct pci_dev *pdev)\n--\ndrivers/net/ethernet/cisco/enic/enic_main.c-3397-\ndrivers/net/ethernet/cisco/enic/enic_main.c:3398:static struct pci_driver enic_driver = {\ndrivers/net/ethernet/cisco/enic/enic_main.c-3399-\t.name = DRV_NAME,\n"
} |
| 7/2 | 2026/07/03 18:29 | llm | patch-evaluator |
0mModel:gemini-3.1-pro-preview Args: null Results: null Tokens: input: 31047 output: 17 thoughts: 293 Thoughts: **Fuzzing the ENIC PCI Driver** Okay, so I'm looking at this code and, yep, it's definitely a PCI driver – that's the starting point. The question is, is this worth my time to fuzz? I see that this patch introduces an admin channel (`enic_admin.c`) and mailbox functionality (`enic_mbox.c`). Intruiging. Digging deeper, the admin channel uses a whole host of structures: `vnic_wq`, `vnic_rq`, `vnic_cq`, and `vnic_intr`. From the code, it looks like this admin channel is enabled under very specific conditions – specifically, when `enic_is_sriov_vf_v2(enic)` returns true. That function itself hinges on the PCI device ID matching `PCI_DEVICE_ID_CISCO_VIC_ENET_VF_V2` for the `enic->pdev->device` structure. Now, that is very promising! If I'm thinking right, syzkaller has the ability to emulate PCI device IDs, so I could absolutely craft a test environment to hit this code. Alright, let's nail down some specific functions to focus on. I'll need to look closely at `enic_admin_channel_open`, `enic_admin_rq_cq_service`, `enic_mbox_pf_process_msg`, `enic_mbox_vf_process_msg`, and `enic_mbox_recv_handler`. Those look like the main entry points for the new functionality. Next step: Configuration. What kernel configs do I need to enable this? Clearly, `CONFIG_ENIC` is required, but a quick scan also flagged `CONFIG_PCI_IOV`! That snippet in the patch really caught my eye. ```c #ifdef CONFIG_PCI_IOV enic_sriov_detect_vf_type(enic); ``` Let me confirm the configs in `drivers/net/ethernet/cisco/enic/Kconfig`. |
| 8/2 | 2026/07/03 18:29 | tool | grepper |
0mArgs:{
"Expression": "config ENIC"
}Results: {
"Output": "drivers/net/ethernet/cisco/enic/Kconfig-5-\ndrivers/net/ethernet/cisco/enic/Kconfig:6:config ENIC\ndrivers/net/ethernet/cisco/enic/Kconfig-7-\ttristate \"Cisco VIC Ethernet NIC Support\"\n"
} |
| 9/2 | 2026/07/03 18:29 | llm | patch-evaluator |
0mModel:gemini-3.1-pro-preview Args: null Results: null Tokens: input: 31873 output: 45 thoughts: 331 Thoughts: **Analyzing the Dependency of `CONFIG_PCI_IOV` for ENIC SR-IOV Functionality** Okay, let's break down the dependency of `CONFIG_PCI_IOV` on the ENIC driver's SR-IOV features. My initial thought was that enabling V2 Virtual Function (VF) features inherently requires SR-IOV support, which is reasonable. However, looking at `enic_is_sriov_vf_v2`, it appears this function merely checks the PCI device ID. Nothing complicated, just a device ID check. Now, this `enic_is_sriov_vf_v2` function is called unconditionally within `enic_probe`. But wait, there's a conditional block in `enic_probe` that I need to consider: ```c #ifdef CONFIG_PCI_IOV enic_sriov_detect_vf_type(enic); ... #endif ``` The key is that while `enic_is_sriov_vf_v2` *is* called unconditionally, the PF side's SR-IOV configuration functions (`enic_sriov_configure` and `enic_sriov_v2_enable`) are indeed guarded by `#ifdef CONFIG_PCI_IOV`. So, to clarify, it doesn't strictly require `CONFIG_PCI_IOV` to execute the VF side, as `enic_is_sriov_vf_v2` and the admin channel are always opened (at least that's what the code implies). The PF functions are separate. Therefore, to further analyze the relationship of these functions, I need to check `enic_main.c` for any other instances of `CONFIG_PCI_IOV`. This seems to be where the real story resides. |
| 10/2 | 2026/07/03 18:29 | tool | grepper |
0mArgs:{
"Expression": "#ifdef CONFIG_PCI_IOV",
"PathPrefix": "drivers/net/ethernet/cisco/enic/enic_main.c"
}Results: {
"Output": "drivers/net/ethernet/cisco/enic/enic_main.c=324=int enic_is_valid_vf(struct enic *enic, int vf)\ndrivers/net/ethernet/cisco/enic/enic_main.c-325-{\ndrivers/net/ethernet/cisco/enic/enic_main.c:326:#ifdef CONFIG_PCI_IOV\ndrivers/net/ethernet/cisco/enic/enic_main.c-327-\treturn vf \u003e= 0 \u0026\u0026 vf \u003c enic-\u003enum_vfs;\n--\ndrivers/net/ethernet/cisco/enic/enic_main.c=2761=static void enic_iounmap(struct enic *enic)\n--\ndrivers/net/ethernet/cisco/enic/enic_main.c-2769-\ndrivers/net/ethernet/cisco/enic/enic_main.c:2770:#ifdef CONFIG_PCI_IOV\ndrivers/net/ethernet/cisco/enic/enic_main.c-2771-static void enic_sriov_detect_vf_type(struct enic *enic)\n--\ndrivers/net/ethernet/cisco/enic/enic_main.c=2958=static int enic_probe(struct pci_dev *pdev, const struct pci_device_id *ent)\n--\ndrivers/net/ethernet/cisco/enic/enic_main.c-2965-\tint err;\ndrivers/net/ethernet/cisco/enic/enic_main.c:2966:#ifdef CONFIG_PCI_IOV\ndrivers/net/ethernet/cisco/enic/enic_main.c-2967-\tint pos = 0;\n--\ndrivers/net/ethernet/cisco/enic/enic_main.c-3052-\ndrivers/net/ethernet/cisco/enic/enic_main.c:3053:#ifdef CONFIG_PCI_IOV\ndrivers/net/ethernet/cisco/enic/enic_main.c-3054-\tenic_sriov_detect_vf_type(enic);\n--\ndrivers/net/ethernet/cisco/enic/enic_main.c-3324-err_out_disable_sriov_pp:\ndrivers/net/ethernet/cisco/enic/enic_main.c:3325:#ifdef CONFIG_PCI_IOV\ndrivers/net/ethernet/cisco/enic/enic_main.c-3326-\tif (enic_sriov_enabled(enic)) {\n--\ndrivers/net/ethernet/cisco/enic/enic_main.c=3345=static void enic_remove(struct pci_dev *pdev)\n--\ndrivers/net/ethernet/cisco/enic/enic_main.c-3378-\t\tcancel_work_sync(\u0026enic-\u003elink_notify_work);\ndrivers/net/ethernet/cisco/enic/enic_main.c:3379:#ifdef CONFIG_PCI_IOV\ndrivers/net/ethernet/cisco/enic/enic_main.c-3380-\t\tif (enic_sriov_enabled(enic)) {\n"
} |
| 11/2 | 2026/07/03 18:29 | llm | patch-evaluator |
0mModel:gemini-3.1-pro-preview Args: null Results: null Tokens: input: 33425 output: 46 thoughts: 161 Thoughts: **SR-IOV Configuration and ENIC Focus** Okay, so to get the Physical Function (PF) side of SR-IOV working, I know I'm going to need `CONFIG_PCI_IOV`. Let's just confirm that that's a valid config, yep, it is, `CONFIG_PCI_IOV`. Alright, the config I need to make sure is enabled is `ENIC`. Now, let's zero in on the key symbols that are probably related to this SR-IOV functionality within ENIC. Let me think, based on prior experience, I'm thinking about things that handle the administrative tasks, message processing, and data flow. Okay, let's see, I need to look at: * `enic_admin_channel_open` * `enic_admin_rq_cq_service` * `enic_mbox_recv_handler` * `enic_mbox_pf_process_msg` * `enic_mbox_vf_process_msg` * `enic_mbox_send_msg` Those seem like a good starting point. Let's start by checking `enic_admin_rq_cq_service` - I'll find it in `enic_admin.c`. |
| 12/2 | 2026/07/03 18:29 | tool | grepper |
0mArgs:{
"Expression": "enic_admin_rq_cq_service",
"PathPrefix": "drivers/net/ethernet/cisco/enic/enic_admin.c"
}Results: {
"Output": "drivers/net/ethernet/cisco/enic/enic_admin.c=130=static void enic_admin_msg_enqueue(struct enic *enic, void *buf,\n--\ndrivers/net/ethernet/cisco/enic/enic_admin.c-156-\ndrivers/net/ethernet/cisco/enic/enic_admin.c:157:unsigned int enic_admin_rq_cq_service(struct enic *enic)\ndrivers/net/ethernet/cisco/enic/enic_admin.c-158-{\n--\ndrivers/net/ethernet/cisco/enic/enic_admin.c=283=static void enic_admin_poll_work_handler(struct work_struct *work)\n--\ndrivers/net/ethernet/cisco/enic/enic_admin.c-290-\t * exactly what the hardware reported for this interrupt. Credits that\ndrivers/net/ethernet/cisco/enic/enic_admin.c:291:\t * accrue while enic_admin_rq_cq_service() runs are left for the next\ndrivers/net/ethernet/cisco/enic/enic_admin.c-292-\t * interrupt, which is harmless on this low-rate control path.\n--\ndrivers/net/ethernet/cisco/enic/enic_admin.c-295-\ndrivers/net/ethernet/cisco/enic/enic_admin.c:296:\trq_work = enic_admin_rq_cq_service(enic);\ndrivers/net/ethernet/cisco/enic/enic_admin.c-297-\n"
} |
| 13/2 | 2026/07/03 18:29 | llm | patch-evaluator |
0mModel:gemini-3.1-pro-preview Args: null Results: null Tokens: input: 34309 output: 44 thoughts: 103 Thoughts: **Analyzing the Admin Channel Receive Path** Okay, so I'm tracing the receive path for the admin channel, and it looks like `enic_admin_rq_cq_service` is the one that's actually handling the receive side. That makes sense, handling the receive requests and completion queues is exactly what I'd expect. Then, the enqueued messages get processed by `enic_admin_msg_work_handler`. Right, moving along, I see `enic_mbox_recv_handler` is the primary handler function parsing those messages. And finally, when it gets down to specific message types, `enic_mbox_pf_process_msg` and `enic_mbox_vf_process_msg` handle the different flavors, meaning physical function and virtual function, respectively. Let's dig into `enic_mbox.c` to see how those are implemented and get a better understanding of the message parsing logic. |
| 14/2 | 2026/07/03 18:30 | tool | grepper |
0mArgs:{
"Expression": "enic_mbox_recv_handler",
"PathPrefix": "drivers/net/ethernet/cisco/enic/enic_mbox.c"
}Results: {
"Output": "drivers/net/ethernet/cisco/enic/enic_mbox.c=431=static void enic_mbox_vf_process_msg(struct enic *enic,\n--\ndrivers/net/ethernet/cisco/enic/enic_mbox.c-479-\ndrivers/net/ethernet/cisco/enic/enic_mbox.c:480:static void enic_mbox_recv_handler(struct enic *enic, void *buf,\ndrivers/net/ethernet/cisco/enic/enic_mbox.c-481-\t\t\t\t unsigned int len)\n--\ndrivers/net/ethernet/cisco/enic/enic_mbox.c=625=void enic_mbox_init(struct enic *enic)\n--\ndrivers/net/ethernet/cisco/enic/enic_mbox.c-638-\tenic-\u003embox_msg_num = 0;\ndrivers/net/ethernet/cisco/enic/enic_mbox.c:639:\tenic-\u003eadmin_rq_handler = enic_mbox_recv_handler;\ndrivers/net/ethernet/cisco/enic/enic_mbox.c-640-}\n"
} |
| 15/2 | 2026/07/03 18:30 | llm | patch-evaluator |
0mModel:gemini-3.1-pro-preview Args: null Results: null Tokens: input: 34942 output: 41 thoughts: 145 Thoughts: **Focusing on ENIC Symbol Analysis** Okay, so I need to hone in on a specific set of symbols related to the ENIC driver. My primary targets for examination are: `enic_admin_rq_cq_service`, `enic_admin_msg_work_handler`, `enic_mbox_recv_handler`, `enic_mbox_pf_process_msg`, `enic_mbox_vf_process_msg`, and `enic_mbox_send_msg`. These clearly represent critical functions within the ENIC's control and message handling pathways, which, from experience, are often the key areas for deep diving in these sorts of analyses. Now, let's just do a quick sanity check to see if there are any other configuration variables I should be paying attention to besides the obvious ones. `CONFIG_ENIC` is, of course, the main one that enables the driver itself. Since this involves the PF, I know that `CONFIG_PCI_IOV` will also be necessary. Just to be thorough and ensure I haven't missed anything crucial, I think it's a good idea to go back and re-examine the `drivers/net/ethernet/cisco/enic/Kconfig` file. It's easy to overlook something in Kconfig sometimes. |
| 16/2 | 2026/07/03 18:30 | tool | read-file |
0mArgs:{
"File": "drivers/net/ethernet/cisco/enic/Kconfig",
"FirstLine": 1,
"LineCount": 100
}Results: {
"Contents": " 1:\t# SPDX-License-Identifier: GPL-2.0-only\n 2:\t#\n 3:\t# Cisco device configuration\n 4:\t#\n 5:\t\n 6:\tconfig ENIC\n 7:\t\ttristate \"Cisco VIC Ethernet NIC Support\"\n 8:\t\tdepends on PCI\n 9:\t\tselect PAGE_POOL\n 10:\t\thelp\n 11:\t\t This enables the support for the Cisco VIC Ethernet card.\n"
} |
| 17/2 | 2026/07/03 18:30 | llm | patch-evaluator |
0mModel:gemini-3.1-pro-preview Args: null Results: null Tokens: input: 35524 output: 46 thoughts: 380 Thoughts: **Analyzing ENIC Configuration and Message Handling** Okay, so I'm looking at the `ENIC` and `PCI_IOV` configurations here. My initial thought is to zero in on specific symbols to understand the flow. I started by considering `enic_admin_channel_open`, but quickly realized that, being called during probe/reset, it's not on the critical path. The real action happens in message handling. `enic_mbox_send_msg` is the obvious one for sending messages, and `enic_mbox_recv_handler` is responsible for receiving them. Then I see `enic_admin_rq_cq_service` within a poll work handler and `enic_admin_msg_work_handler` being called from the workqueue. These seem like good symbols to focus on. Let's get a list of the key function names: - `enic_admin_rq_cq_service` - `enic_admin_msg_work_handler` - `enic_mbox_recv_handler` - `enic_mbox_pf_process_msg` - `enic_mbox_vf_process_msg` - `enic_mbox_send_msg` - `enic_admin_channel_open` Alright, before diving too deep, it's worth noting where these functions reside. I see that `enic_admin_rq_cq_service`, `enic_admin_msg_work_handler`, and `enic_admin_channel_open` are in `enic_admin.c`. The other message handlers, `enic_mbox_recv_handler`, `enic_mbox_pf_process_msg`, `enic_mbox_vf_process_msg`, and `enic_mbox_send_msg`, are all in `enic_mbox.c`. Now, let me just confirm those names. |
| 18/2 | 2026/07/03 18:30 | tool | grepper |
0mArgs:{
"Expression": "enic_mbox_pf_process_msg",
"PathPrefix": "drivers/net/ethernet/cisco/enic/enic_mbox.c"
}Results: {
"Output": "drivers/net/ethernet/cisco/enic/enic_mbox.c=228=static int enic_mbox_pf_handle_unregister(struct enic *enic, void *msg,\n--\ndrivers/net/ethernet/cisco/enic/enic_mbox.c-258-\ndrivers/net/ethernet/cisco/enic/enic_mbox.c:259:static void enic_mbox_pf_process_msg(struct enic *enic,\ndrivers/net/ethernet/cisco/enic/enic_mbox.c-260-\t\t\t\t struct enic_mbox_hdr *hdr, void *payload)\n--\ndrivers/net/ethernet/cisco/enic/enic_mbox.c=480=static void enic_mbox_recv_handler(struct enic *enic, void *buf,\n--\ndrivers/net/ethernet/cisco/enic/enic_mbox.c-518-\tif (enic-\u003evf_state) {\ndrivers/net/ethernet/cisco/enic/enic_mbox.c:519:\t\tenic_mbox_pf_process_msg(enic, hdr, payload);\ndrivers/net/ethernet/cisco/enic/enic_mbox.c-520-\t} else if (le16_to_cpu(hdr-\u003esrc_vnic_id) == ENIC_MBOX_DST_PF) {\n"
} |
| 19/2 | 2026/07/03 18:30 | llm | patch-evaluator |
0mModel:gemini-3.1-pro-preview Args: null Results: null Tokens: input: 36697 output: 46 thoughts: 15 Thoughts: Okay, here's my attempt at summarizing the thought process, as if it were my own, assuming I'm an expert in this field: **Internal Confirmation and Validation** Alright, let's see... *enic_mbox_pf_process_msg*. Yes, that's definitely a function I'm familiar with. Good, it exists. That's a solid starting point. No need to go chasing phantoms. This confirmation is crucial before I start diving into troubleshooting or further analysis. So far, so good. |
| 20/2 | 2026/07/03 18:30 | tool | grepper |
0mArgs:{
"Expression": "enic_mbox_vf_process_msg",
"PathPrefix": "drivers/net/ethernet/cisco/enic/enic_mbox.c"
}Results: {
"Output": "drivers/net/ethernet/cisco/enic/enic_mbox.c=419=static bool enic_mbox_vf_payload_ok(struct enic *enic, u8 msg_type,\n--\ndrivers/net/ethernet/cisco/enic/enic_mbox.c-430-\ndrivers/net/ethernet/cisco/enic/enic_mbox.c:431:static void enic_mbox_vf_process_msg(struct enic *enic,\ndrivers/net/ethernet/cisco/enic/enic_mbox.c-432-\t\t\t\t struct enic_mbox_hdr *hdr, void *payload,\n--\ndrivers/net/ethernet/cisco/enic/enic_mbox.c=480=static void enic_mbox_recv_handler(struct enic *enic, void *buf,\n--\ndrivers/net/ethernet/cisco/enic/enic_mbox.c-525-\t\t */\ndrivers/net/ethernet/cisco/enic/enic_mbox.c:526:\t\tenic_mbox_vf_process_msg(enic, hdr, payload,\ndrivers/net/ethernet/cisco/enic/enic_mbox.c-527-\t\t\t\t\t msg_len - (u16)sizeof(*hdr));\n"
} |
| 21/2 | 2026/07/03 18:30 | llm | patch-evaluator |
0mModel:gemini-3.1-pro-preview Args: null Results: null Tokens: input: 37186 output: 46 thoughts: 15 Thoughts: Okay, here's my interpretation of that thought process, tailored for an expert audience, and written in the first person: **Confirming the Existence of a Critical Function** Alright, that's good. *enic_mbox_vf_process_msg*... yep, that function is definitely in play. My experience with these virtual function (VF) mailboxes tells me that's a key function in handling messages. It's the point where the VF's communication with the physical function (PF) is likely dissected and acted upon. Seeing that confirmed immediately tells me the code path I'm analyzing isn't missing a critical element. Knowing it's there allows me to focus on how it's being used and its surrounding logic, rather than wondering if the fundamental structure is flawed from the get-go. This is a crucial first step in my assessment. |
| 22/2 | 2026/07/03 18:30 | tool | grepper |
0mArgs:{
"Expression": "enic_admin_msg_work_handler",
"PathPrefix": "drivers/net/ethernet/cisco/enic/enic_admin.c"
}Results: {
"Output": "drivers/net/ethernet/cisco/enic/enic_admin.c=255=static irqreturn_t enic_admin_isr_msix(int irq, void *data)\n--\ndrivers/net/ethernet/cisco/enic/enic_admin.c-263-\ndrivers/net/ethernet/cisco/enic/enic_admin.c:264:static void enic_admin_msg_work_handler(struct work_struct *work)\ndrivers/net/ethernet/cisco/enic/enic_admin.c-265-{\n--\ndrivers/net/ethernet/cisco/enic/enic_admin.c=508=int enic_admin_channel_open(struct enic *enic)\n--\ndrivers/net/ethernet/cisco/enic/enic_admin.c-531-\tINIT_LIST_HEAD(\u0026enic-\u003eadmin_msg_list);\ndrivers/net/ethernet/cisco/enic/enic_admin.c:532:\tINIT_WORK(\u0026enic-\u003eadmin_msg_work, enic_admin_msg_work_handler);\ndrivers/net/ethernet/cisco/enic/enic_admin.c-533-\tINIT_WORK(\u0026enic-\u003eadmin_poll_work, enic_admin_poll_work_handler);\n"
} |
| 23/2 | 2026/07/03 18:30 | llm | patch-evaluator |
0mModel:gemini-3.1-pro-preview Args: null Results: null Tokens: input: 37753 output: 46 thoughts: 31 Thoughts: Okay, here's my take on those thoughts, tailored for an expert audience: **Analyzing the ENIC Administrative Message Handling** Right, so `enic_admin_msg_work_handler` is definitely a known entity. Good. The focus now shifts to how those administrative requests are actually processed. My immediate thought is to delve into `enic_admin_rq_cq_service`. This is likely where the actual command queue and completion queue interactions are happening, the core plumbing that links the administrative messages to the underlying hardware queues. That's the logical next step in tracing this flow. I need to understand how the request/completion queue service interacts with this handler, the context switching, locking... all the low-level details that really matter for performance and stability. Let's see what's going on there. |
| 24/2 | 2026/07/03 18:30 | tool | grepper |
0mArgs:{
"Expression": "enic_admin_rq_cq_service",
"PathPrefix": "drivers/net/ethernet/cisco/enic/enic_admin.c"
}Results: {
"Output": "drivers/net/ethernet/cisco/enic/enic_admin.c=130=static void enic_admin_msg_enqueue(struct enic *enic, void *buf,\n--\ndrivers/net/ethernet/cisco/enic/enic_admin.c-156-\ndrivers/net/ethernet/cisco/enic/enic_admin.c:157:unsigned int enic_admin_rq_cq_service(struct enic *enic)\ndrivers/net/ethernet/cisco/enic/enic_admin.c-158-{\n--\ndrivers/net/ethernet/cisco/enic/enic_admin.c=283=static void enic_admin_poll_work_handler(struct work_struct *work)\n--\ndrivers/net/ethernet/cisco/enic/enic_admin.c-290-\t * exactly what the hardware reported for this interrupt. Credits that\ndrivers/net/ethernet/cisco/enic/enic_admin.c:291:\t * accrue while enic_admin_rq_cq_service() runs are left for the next\ndrivers/net/ethernet/cisco/enic/enic_admin.c-292-\t * interrupt, which is harmless on this low-rate control path.\n--\ndrivers/net/ethernet/cisco/enic/enic_admin.c-295-\ndrivers/net/ethernet/cisco/enic/enic_admin.c:296:\trq_work = enic_admin_rq_cq_service(enic);\ndrivers/net/ethernet/cisco/enic/enic_admin.c-297-\n"
} |
| 25/2 | 2026/07/03 18:30 | llm | patch-evaluator |
0mModel:gemini-3.1-pro-preview Args: null Results: null Tokens: input: 38401 output: 44 thoughts: 29 Thoughts: Okay, here's my take on those thoughts, framed as my own mental process, given my expertise: **Checking on the `enic` Service** Alright, confirmed. The `enic_admin_rq_cq_service` is present. That's good; it's the foundation of the administration and completion queue handling within the `enic` (likely Ethernet Network Interface Controller) subsystem. Now, where do we go from here? Let's quickly pivot and see how these messages are getting sent. My immediate next check would be to scrutinize the `enic_mbox_send_msg` function. Understanding how those mailbox messages are constructed and transmitted will provide the insights into how the NIC is being instructed and how it’s reporting status back. This is where the rubber meets the road, where the management commands are packaged and delivered to the hardware. |
| 26/2 | 2026/07/03 18:30 | tool | grepper |
0mArgs:{
"Expression": "enic_mbox_send_msg",
"PathPrefix": "drivers/net/ethernet/cisco/enic/enic_mbox.c"
}Results: {
"Output": "drivers/net/ethernet/cisco/enic/enic_mbox.c=21=static void enic_mbox_fill_hdr(struct enic *enic, struct enic_mbox_hdr *hdr,\n--\ndrivers/net/ethernet/cisco/enic/enic_mbox.c-30-\ndrivers/net/ethernet/cisco/enic/enic_mbox.c:31:int enic_mbox_send_msg(struct enic *enic, u8 msg_type, u16 dst_vnic_id,\ndrivers/net/ethernet/cisco/enic/enic_mbox.c-32-\t\t void *payload, u16 payload_len)\n--\ndrivers/net/ethernet/cisco/enic/enic_mbox.c=149=int enic_mbox_send_link_state(struct enic *enic, u16 vf_id, u32 link_state)\n--\ndrivers/net/ethernet/cisco/enic/enic_mbox.c-161-\tnotif.link_state = cpu_to_le32(link_state);\ndrivers/net/ethernet/cisco/enic/enic_mbox.c:162:\treturn enic_mbox_send_msg(enic, ENIC_MBOX_PF_LINK_STATE_NOTIF, vf_id,\ndrivers/net/ethernet/cisco/enic/enic_mbox.c-163-\t\t\t\t \u0026notif, sizeof(notif));\n--\ndrivers/net/ethernet/cisco/enic/enic_mbox.c=166=static int enic_mbox_pf_handle_capability(struct enic *enic, void *msg,\n--\ndrivers/net/ethernet/cisco/enic/enic_mbox.c-173-\ndrivers/net/ethernet/cisco/enic/enic_mbox.c:174:\treturn enic_mbox_send_msg(enic, ENIC_MBOX_VF_CAPABILITY_REPLY, vf_id,\ndrivers/net/ethernet/cisco/enic/enic_mbox.c-175-\t\t\t\t \u0026reply, sizeof(reply));\n--\ndrivers/net/ethernet/cisco/enic/enic_mbox.c=178=static int enic_mbox_pf_handle_register(struct enic *enic, void *msg,\n--\ndrivers/net/ethernet/cisco/enic/enic_mbox.c-203-\treply.reply.ret_major = cpu_to_le16(0);\ndrivers/net/ethernet/cisco/enic/enic_mbox.c:204:\terr = enic_mbox_send_msg(enic, ENIC_MBOX_VF_REGISTER_REPLY, vf_id,\ndrivers/net/ethernet/cisco/enic/enic_mbox.c-205-\t\t\t\t \u0026reply, sizeof(reply));\n--\ndrivers/net/ethernet/cisco/enic/enic_mbox.c=228=static int enic_mbox_pf_handle_unregister(struct enic *enic, void *msg,\n--\ndrivers/net/ethernet/cisco/enic/enic_mbox.c-248-\treply.reply.ret_major = cpu_to_le16(0);\ndrivers/net/ethernet/cisco/enic/enic_mbox.c:249:\terr = enic_mbox_send_msg(enic, ENIC_MBOX_VF_UNREGISTER_REPLY, vf_id,\ndrivers/net/ethernet/cisco/enic/enic_mbox.c-250-\t\t\t\t \u0026reply, sizeof(reply));\n--\ndrivers/net/ethernet/cisco/enic/enic_mbox.c=388=static void enic_mbox_vf_handle_link_state(struct enic *enic, void *payload)\n--\ndrivers/net/ethernet/cisco/enic/enic_mbox.c-411-\ndrivers/net/ethernet/cisco/enic/enic_mbox.c:412:\terr = enic_mbox_send_msg(enic, ENIC_MBOX_PF_LINK_STATE_ACK,\ndrivers/net/ethernet/cisco/enic/enic_mbox.c-413-\t\t\t\t ENIC_MBOX_DST_PF, \u0026ack, sizeof(ack));\n--\ndrivers/net/ethernet/cisco/enic/enic_mbox.c=535=int enic_mbox_vf_capability_check(struct enic *enic)\n--\ndrivers/net/ethernet/cisco/enic/enic_mbox.c-544-\ndrivers/net/ethernet/cisco/enic/enic_mbox.c:545:\terr = enic_mbox_send_msg(enic, ENIC_MBOX_VF_CAPABILITY_REQUEST,\ndrivers/net/ethernet/cisco/enic/enic_mbox.c-546-\t\t\t\t ENIC_MBOX_DST_PF, \u0026req, sizeof(req));\n--\ndrivers/net/ethernet/cisco/enic/enic_mbox.c=570=int enic_mbox_vf_register(struct enic *enic)\n--\ndrivers/net/ethernet/cisco/enic/enic_mbox.c-577-\ndrivers/net/ethernet/cisco/enic/enic_mbox.c:578:\terr = enic_mbox_send_msg(enic, ENIC_MBOX_VF_REGISTER_REQUEST,\ndrivers/net/ethernet/cisco/enic/enic_mbox.c-579-\t\t\t\t ENIC_MBOX_DST_PF, NULL, 0);\n--\ndrivers/net/ethernet/cisco/enic/enic_mbox.c=599=int enic_mbox_vf_unregister(struct enic *enic)\n--\ndrivers/net/ethernet/cisco/enic/enic_mbox.c-608-\ndrivers/net/ethernet/cisco/enic/enic_mbox.c:609:\terr = enic_mbox_send_msg(enic, ENIC_MBOX_VF_UNREGISTER_REQUEST,\ndrivers/net/ethernet/cisco/enic/enic_mbox.c-610-\t\t\t\t ENIC_MBOX_DST_PF, NULL, 0);\n"
} |
| 27/2 | 2026/07/03 18:30 | llm | patch-evaluator |
0mModel:gemini-3.1-pro-preview Args: null Results: null Tokens: input: 40166 output: 46 thoughts: 29 Thoughts: Okay, here's my take on those thoughts, framed as an expert's internal monologue: **Checking the Code Flow** Right, `enic_mbox_send_msg`... yup, that's definitely a function in the enic driver, no surprises there. Now, where does that get used? What's the typical path through the code? Let's trace it back. Okay, the next obvious place to look would be `enic_admin_wq_cq_service`. I'll want to review that function to see how messages are queued and processed. Understanding the work queue and completion queue interaction will give me the context I need to assess its behavior. |
| 28/2 | 2026/07/03 18:30 | tool | grepper |
0mArgs:{
"Expression": "enic_admin_wq_cq_service",
"PathPrefix": "drivers/net/ethernet/cisco/enic/enic_admin.c"
}Results: {
"Output": "drivers/net/ethernet/cisco/enic/enic_admin.c=100=static unsigned int enic_admin_cq_color(void *cq_desc, unsigned int desc_size)\n--\ndrivers/net/ethernet/cisco/enic/enic_admin.c-106-\ndrivers/net/ethernet/cisco/enic/enic_admin.c:107:unsigned int enic_admin_wq_cq_service(struct enic *enic)\ndrivers/net/ethernet/cisco/enic/enic_admin.c-108-{\n"
} |
| 29/2 | 2026/07/03 18:30 | llm | patch-evaluator |
0mModel:gemini-3.1-pro-preview Args: null Results: null Tokens: input: 40533 output: 228 thoughts: 297 Thoughts: **My Assessment of the `enic` Driver Patch for SR-IOV V2 Support** Okay, so I've confirmed that the `enic_admin_wq_cq_service` function exists. That's a good starting point. Now, to zero in on the key areas introduced by this patch for SR-IOV V2 support, I need to focus my attention on these symbols: `enic_admin_rq_cq_service`, `enic_admin_wq_cq_service`, `enic_admin_msg_work_handler`, `enic_mbox_recv_handler`, `enic_mbox_pf_process_msg`, `enic_mbox_vf_process_msg`, and `enic_mbox_send_msg`. These clearly represent the core message processing and queue services. The patch, as I understand it, introduces a brand new admin channel and mailbox protocol specifically for SR-IOV V2 within the Cisco VIC Ethernet NIC driver, `enic`. This is a significant architectural change. I know that the new `enic_admin.c` and `enic_mbox.c` files are where all the magic happens: setting up, sending, and receiving mailbox messages over the admin channel. This is likely accessible via PCI fuzzing, and it is a key area for fuzzing. Syzkaller can emulate the PCI device, and thus trigger the driver's probe and interrupt handlers. My fuzzing efforts should concentrate on the message processing and the queue service routines. This is where I'm likely to find vulnerabilities or unexpected behaviors. I need to make sure I have the right configurations, though. Let's make sure that I don't need anything else. `ENIC` will be the base driver configuration. That's required. And, as expected, `PCI_IOV` is the key to enabling the SR-IOV features that are at the heart of this patch. Yes, that makes sense. So, `ENIC` and `PCI_IOV` it is. I'm ready to proceed with a more detailed analysis, and I'll now call `set-results`. |
| 30/2 | 2026/07/03 18:30 | tool | set-results |
0mArgs:{
"EnableConfigs": [
"ENIC",
"PCI_IOV"
],
"FocusSymbols": [
"enic_admin_rq_cq_service",
"enic_admin_wq_cq_service",
"enic_admin_msg_work_handler",
"enic_mbox_recv_handler",
"enic_mbox_pf_process_msg",
"enic_mbox_vf_process_msg",
"enic_mbox_send_msg"
],
"Reasoning": "The patch introduces a new admin channel and mailbox protocol for SR-IOV V2 support in the Cisco VIC Ethernet NIC driver (`enic`). The changes include new files `enic_admin.c` and `enic_mbox.c` which handle the setup, sending, and receiving of mailbox messages over the admin channel. This is reachable via PCI fuzzing, as syzkaller can emulate the PCI device and trigger the driver's probe and interrupt handlers. Fuzzing should focus on the message processing and queue service routines.",
"WorthFuzzing": true
}Results: {
"EnableConfigs": [
"ENIC",
"PCI_IOV"
],
"FocusSymbols": [
"enic_admin_rq_cq_service",
"enic_admin_wq_cq_service",
"enic_admin_msg_work_handler",
"enic_mbox_recv_handler",
"enic_mbox_pf_process_msg",
"enic_mbox_vf_process_msg",
"enic_mbox_send_msg"
],
"Reasoning": "The patch introduces a new admin channel and mailbox protocol for SR-IOV V2 support in the Cisco VIC Ethernet NIC driver (`enic`). The changes include new files `enic_admin.c` and `enic_mbox.c` which handle the setup, sending, and receiving of mailbox messages over the admin channel. This is reachable via PCI fuzzing, as syzkaller can emulate the PCI device and trigger the driver's probe and interrupt handlers. Fuzzing should focus on the message processing and queue service routines.",
"WorthFuzzing": true
} |
| Total Calls | Total Tokens | Avg Tokens | Total Duration (Seconds) | Avg Duration (Seconds) |
|---|
| Total Calls | Total Duration (Seconds) | Avg Duration (Seconds) |
|---|