From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <dev-bounces@dpdk.org>
Received: from dpdk.org (dpdk.org [92.243.14.124])
	by dpdk.space (Postfix) with ESMTP id B4B5DA0679
	for <public@inbox.dpdk.org>; Sat,  6 Apr 2019 02:35:23 +0200 (CEST)
Received: from [92.243.14.124] (localhost [127.0.0.1])
	by dpdk.org (Postfix) with ESMTP id 9A6022B99;
	Sat,  6 Apr 2019 02:35:20 +0200 (CEST)
Received: from mellanox.co.il (mail-il-dmz.mellanox.com [193.47.165.129])
 by dpdk.org (Postfix) with ESMTP id 9508E11A4
 for <dev@dpdk.org>; Sat,  6 Apr 2019 02:35:18 +0200 (CEST)
Received: from Internal Mail-Server by MTLPINE1 (envelope-from
 yskoh@mellanox.com)
 with ESMTPS (AES256-SHA encrypted); 6 Apr 2019 03:35:17 +0300
Received: from scfae-sc-2.mti.labs.mlnx (scfae-sc-2.mti.labs.mlnx
 [10.101.0.96])
 by labmailer.mlnx (8.13.8/8.13.8) with ESMTP id x360ZEUi031125;
 Sat, 6 Apr 2019 03:35:15 +0300
From: Yongseok Koh <yskoh@mellanox.com>
To: radu.nicolau@intel.com, akhil.goyal@nxp.com
Cc: dev@dpdk.org, sergio.gonzalez.monroy@intel.com, aviadye@mellanox.com,
 stable@dpdk.org
Date: Fri,  5 Apr 2019 17:35:12 -0700
Message-Id: <20190406003512.1291-1-yskoh@mellanox.com>
X-Mailer: git-send-email 2.11.0
Subject: [dpdk-dev] [PATCH] examples/ipsec-secgw: fix coherency of ESP
	sequence number
X-BeenThere: dev@dpdk.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DPDK patches and discussions <dev.dpdk.org>
List-Unsubscribe: <https://mails.dpdk.org/options/dev>,
 <mailto:dev-request@dpdk.org?subject=unsubscribe>
List-Archive: <http://mails.dpdk.org/archives/dev/>
List-Post: <mailto:dev@dpdk.org>
List-Help: <mailto:dev-request@dpdk.org?subject=help>
List-Subscribe: <https://mails.dpdk.org/listinfo/dev>,
 <mailto:dev-request@dpdk.org?subject=subscribe>
Errors-To: dev-bounces@dpdk.org
Sender: "dev" <dev-bounces@dpdk.org>
Content-Type: text/plain; charset="UTF-8"
Message-ID: <20190406003512.28xmXI0yJoeufjCZKYRdvYatBhtDBp0MaejJe_fivJg@z>

Outbound ESP sequence number should be incremented atomically and refeenced
indirectly. Otherwise, concurrent access by multiple threads will break
coherency.

Fixes: d299106e8e31 ("examples/ipsec-secgw: add IPsec sample application")
Fixes: 906257e965b7 ("examples/ipsec-secgw: support IPv6")
Fixes: cef50fc6f1e2 ("examples/ipsec-secgw: change CBC IV generation")
Fixes: 2a41fb7c6525 ("examples/ipsec-secgw: convert IV to big endian")
Fixes: ec17993a145a ("examples/ipsec-secgw: support security offload")
Cc: sergio.gonzalez.monroy@intel.com
Cc: aviadye@mellanox.com
Cc: akhil.goyal@nxp.com
Cc: stable@dpdk.org

Signed-off-by: Yongseok Koh <yskoh@mellanox.com>
---
 examples/ipsec-secgw/esp.c   | 13 +++++++------
 examples/ipsec-secgw/ipsec.h |  2 +-
 examples/ipsec-secgw/sa.c    |  2 +-
 3 files changed, 9 insertions(+), 8 deletions(-)

diff --git a/examples/ipsec-secgw/esp.c b/examples/ipsec-secgw/esp.c
index faa84ddd13..6f616f3f69 100644
--- a/examples/ipsec-secgw/esp.c
+++ b/examples/ipsec-secgw/esp.c
@@ -222,6 +222,7 @@ esp_outbound(struct rte_mbuf *m, struct ipsec_sa *sa,
 	struct rte_crypto_sym_op *sym_cop;
 	int32_t i;
 	uint16_t pad_payload_len, pad_len, ip_hdr_len;
+	uint64_t sa_seq;
 
 	RTE_ASSERT(m != NULL);
 	RTE_ASSERT(sa != NULL);
@@ -316,14 +317,14 @@ esp_outbound(struct rte_mbuf *m, struct ipsec_sa *sa,
 		}
 	}
 
-	sa->seq++;
 	esp->spi = rte_cpu_to_be_32(sa->spi);
-	esp->seq = rte_cpu_to_be_32((uint32_t)sa->seq);
+	sa_seq = rte_atomic64_add_return(&sa->seq, 1);
+	esp->seq = rte_cpu_to_be_32((uint32_t)sa_seq);
 
 	/* set iv */
 	uint64_t *iv = (uint64_t *)(esp + 1);
 	if (sa->aead_algo == RTE_CRYPTO_AEAD_AES_GCM) {
-		*iv = rte_cpu_to_be_64(sa->seq);
+		*iv = rte_cpu_to_be_64(sa_seq);
 	} else {
 		switch (sa->cipher_algo) {
 		case RTE_CRYPTO_CIPHER_NULL:
@@ -332,7 +333,7 @@ esp_outbound(struct rte_mbuf *m, struct ipsec_sa *sa,
 			memset(iv, 0, sa->iv_len);
 			break;
 		case RTE_CRYPTO_CIPHER_AES_CTR:
-			*iv = rte_cpu_to_be_64(sa->seq);
+			*iv = rte_cpu_to_be_64(sa_seq);
 			break;
 		default:
 			RTE_LOG(ERR, IPSEC_ESP,
@@ -373,7 +374,7 @@ esp_outbound(struct rte_mbuf *m, struct ipsec_sa *sa,
 
 		struct cnt_blk *icb = get_cnt_blk(m);
 		icb->salt = sa->salt;
-		icb->iv = rte_cpu_to_be_64(sa->seq);
+		icb->iv = rte_cpu_to_be_64(sa_seq);
 		icb->cnt = rte_cpu_to_be_32(1);
 
 		aad = get_aad(m);
@@ -414,7 +415,7 @@ esp_outbound(struct rte_mbuf *m, struct ipsec_sa *sa,
 
 		struct cnt_blk *icb = get_cnt_blk(m);
 		icb->salt = sa->salt;
-		icb->iv = rte_cpu_to_be_64(sa->seq);
+		icb->iv = rte_cpu_to_be_64(sa_seq);
 		icb->cnt = rte_cpu_to_be_32(1);
 
 		switch (sa->auth_algo) {
diff --git a/examples/ipsec-secgw/ipsec.h b/examples/ipsec-secgw/ipsec.h
index 99f49d65f8..742d09aa36 100644
--- a/examples/ipsec-secgw/ipsec.h
+++ b/examples/ipsec-secgw/ipsec.h
@@ -87,7 +87,7 @@ struct ipsec_sa {
 	struct rte_ipsec_session ips; /* one session per sa for now */
 	uint32_t spi;
 	uint32_t cdev_id_qp;
-	uint64_t seq;
+	rte_atomic64_t seq;
 	uint32_t salt;
 	union {
 		struct rte_cryptodev_sym_session *crypto_session;
diff --git a/examples/ipsec-secgw/sa.c b/examples/ipsec-secgw/sa.c
index a7298a30c2..adf6ac3f9a 100644
--- a/examples/ipsec-secgw/sa.c
+++ b/examples/ipsec-secgw/sa.c
@@ -795,7 +795,7 @@ sa_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[],
 			return -EINVAL;
 		}
 		*sa = entries[i];
-		sa->seq = 0;
+		rte_atomic64_set(&sa->seq, -1);
 
 		if (sa->type == RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL ||
 			sa->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO) {
-- 
2.11.0