net/enic: fix crash caused by changing MTU

Changing MTU after the device start causes a segfault in the Rx
handler. The MTU handler (enic_set_mtu) performs the following steps.
1. Stop NIC Rx
2. Change Rx handler '(struct rte_eth_dev)->rx_pkt_burst' to
   the dummy handler and sleep a while to quiesce
3. Re-allocate/initialize Rx structures
4. Change Rx handler back to the real handler
   (e.g. enic_noscatter_recv_pkts)

enic_set_mtu does not update the recently introduced fast-path pointer
'(struct rte_eth_fp_ops)->rx_pkt_burst'. Since rte_eth_rx_burst only
uses the fast-path pointer, it keeps invoking the real Rx handler, not
the dummy one set by (2). And, (3) causes a segfault in the real Rx
handler (e.g. dereferencing freed structures).

Fix the segfault by updating the fast-path pointer as well.

Fixes: c87d435a4d79 ("ethdev: copy fast-path API into separate structure")

Signed-off-by: Hyong Youb Kim <hyonkim@cisco.com>
Reviewed-by: John Daley <johndale@cisco.com>

diff --git a/drivers/net/enic/enic_main.c b/drivers/net/enic/enic_main.c
index 5cc6d9f..7f84b5f 100644 (file)
--- a/drivers/net/enic/enic_main.c
+++ b/drivers/net/enic/enic_main.c
@@ -1665,6 +1665,7 @@ int enic_set_mtu(struct enic *enic, uint16_t new_mtu)
 
        /* replace Rx function with a no-op to avoid getting stale pkts */
        eth_dev->rx_pkt_burst = enic_dummy_recv_pkts;
+       rte_eth_fp_ops[enic->port_id].rx_pkt_burst = eth_dev->rx_pkt_burst;
        rte_mb();
 
        /* Allow time for threads to exit the real Rx function. */
@@ -1699,6 +1700,7 @@ int enic_set_mtu(struct enic *enic, uint16_t new_mtu)
        /* put back the real receive function */
        rte_mb();
        enic_pick_rx_handler(eth_dev);
+       rte_eth_fp_ops[enic->port_id].rx_pkt_burst = eth_dev->rx_pkt_burst;
        rte_mb();
 
        /* restart Rx traffic */