* [PATCH 1/2] net/cnxk: add lock for security session ops
@ 2025-06-20 5:09 Rahul Bhansali
2025-06-20 5:09 ` [PATCH 2/2] common/cnxk: add null pointer checks Rahul Bhansali
0 siblings, 1 reply; 3+ messages in thread
From: Rahul Bhansali @ 2025-06-20 5:09 UTC (permalink / raw)
To: dev, Nithin Dabilpuram, Kiran Kumar K, Sunil Kumar Kori,
Satha Rao, Harman Kalra
Cc: jerinj, Rahul Bhansali
Add lock on security session update, write and read to
prevent corruption.
Signed-off-by: Rahul Bhansali <rbhansali@marvell.com>
---
drivers/net/cnxk/cn10k_ethdev_sec.c | 65 +++++++++++++++++++++++------
drivers/net/cnxk/cnxk_ethdev_sec.c | 60 ++++++++++++++++++++++++--
2 files changed, 109 insertions(+), 16 deletions(-)
diff --git a/drivers/net/cnxk/cn10k_ethdev_sec.c b/drivers/net/cnxk/cn10k_ethdev_sec.c
index 0dc5c22444..110630596e 100644
--- a/drivers/net/cnxk/cn10k_ethdev_sec.c
+++ b/drivers/net/cnxk/cn10k_ethdev_sec.c
@@ -786,7 +786,6 @@ cn10k_eth_sec_session_create(void *device,
inbound = !!(ipsec->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS);
inl_dev = !!dev->inb.inl_dev;
- memset(eth_sec, 0, sizeof(struct cnxk_eth_sec_sess));
sess_priv.u64 = 0;
lock = inbound ? &dev->inb.lock : &dev->outb.lock;
@@ -796,6 +795,8 @@ cn10k_eth_sec_session_create(void *device,
if (inbound && inl_dev)
roc_nix_inl_dev_lock();
+ memset(eth_sec, 0, sizeof(struct cnxk_eth_sec_sess));
+
if (inbound) {
struct roc_ot_ipsec_inb_sa *inb_sa, *inb_sa_dptr;
struct cn10k_inb_priv_data *inb_priv;
@@ -1007,7 +1008,7 @@ cn10k_eth_sec_session_create(void *device,
roc_nix_inl_dev_unlock();
rte_spinlock_unlock(lock);
- plt_nix_dbg("Created %s session with spi=%u, sa_idx=%u inl_dev=%u",
+ plt_nix_dbg("Created %s session with spi=0x%x, sa_idx=0x%x inl_dev=%u",
inbound ? "inbound" : "outbound", eth_sec->spi,
eth_sec->sa_idx, eth_sec->inl_dev);
/*
@@ -1089,7 +1090,7 @@ cn10k_eth_sec_session_destroy(void *device, struct rte_security_session *sess)
rte_spinlock_unlock(lock);
- plt_nix_dbg("Destroyed %s session with spi=%u, sa_idx=%u, inl_dev=%u",
+ plt_nix_dbg("Destroyed %s session with spi=0x%x, sa_idx=0x%x, inl_dev=%u",
eth_sec->inb ? "inbound" : "outbound", eth_sec->spi,
eth_sec->sa_idx, eth_sec->inl_dev);
@@ -1112,7 +1113,8 @@ cn10k_eth_sec_session_update(void *device, struct rte_security_session *sess,
struct cn10k_sec_sess_priv sess_priv;
struct rte_crypto_sym_xform *crypto;
struct cnxk_eth_sec_sess *eth_sec;
- bool inbound;
+ bool inbound, inl_dev;
+ rte_spinlock_t *lock;
int rc;
if (conf->action_type != RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL ||
@@ -1127,6 +1129,14 @@ cn10k_eth_sec_session_update(void *device, struct rte_security_session *sess,
if (!eth_sec)
return -ENOENT;
+ inl_dev = !!dev->inb.inl_dev;
+ lock = inbound ? &dev->inb.lock : &dev->outb.lock;
+ rte_spinlock_lock(lock);
+
+ /* Acquire lock on inline dev for inbound */
+ if (inbound && inl_dev)
+ roc_nix_inl_dev_lock();
+
eth_sec->spi = conf->ipsec.spi;
if (inbound) {
@@ -1140,7 +1150,7 @@ cn10k_eth_sec_session_update(void *device, struct rte_security_session *sess,
rc = cnxk_ot_ipsec_inb_sa_fill(inb_sa_dptr, ipsec, crypto);
if (rc)
- return -EINVAL;
+ goto err;
/* Use cookie for original data */
inb_sa_dptr->w1.s.cookie = inb_sa->w1.s.cookie;
@@ -1158,7 +1168,7 @@ cn10k_eth_sec_session_update(void *device, struct rte_security_session *sess,
eth_sec->inb,
sizeof(struct roc_ot_ipsec_inb_sa));
if (rc)
- return -EINVAL;
+ goto err;
/* Save userdata in inb private area */
inb_priv->userdata = conf->userdata;
@@ -1175,7 +1185,7 @@ cn10k_eth_sec_session_update(void *device, struct rte_security_session *sess,
rc = cnxk_ot_ipsec_outb_sa_fill(outb_sa_dptr, ipsec, crypto);
if (rc)
- return -EINVAL;
+ goto err;
/* Save rlen info */
cnxk_ipsec_outb_rlens_get(rlens, ipsec, crypto);
@@ -1204,24 +1214,40 @@ cn10k_eth_sec_session_update(void *device, struct rte_security_session *sess,
eth_sec->inb,
sizeof(struct roc_ot_ipsec_outb_sa));
if (rc)
- return -EINVAL;
+ goto err;
/* Save userdata */
outb_priv->userdata = conf->userdata;
sess->fast_mdata = sess_priv.u64;
}
+ if (inbound && inl_dev)
+ roc_nix_inl_dev_unlock();
+ rte_spinlock_unlock(lock);
+
+ plt_nix_dbg("Updated %s session with spi=0x%x, sa_idx=0x%x inl_dev=%u",
+ inbound ? "inbound" : "outbound", eth_sec->spi, eth_sec->sa_idx,
+ eth_sec->inl_dev);
return 0;
+
+err:
+ if (inbound && inl_dev)
+ roc_nix_inl_dev_unlock();
+ rte_spinlock_unlock(lock);
+
+ return rc;
}
static int
cn10k_eth_sec_session_stats_get(void *device, struct rte_security_session *sess,
- struct rte_security_stats *stats)
+ struct rte_security_stats *stats)
{
struct rte_eth_dev *eth_dev = (struct rte_eth_dev *)device;
struct cnxk_eth_dev *dev = cnxk_eth_pmd_priv(eth_dev);
struct cnxk_macsec_sess *macsec_sess;
struct cnxk_eth_sec_sess *eth_sec;
+ rte_spinlock_t *lock;
+ bool inl_dev, inb;
int rc;
eth_sec = cnxk_eth_sec_sess_get_by_sess(dev, sess);
@@ -1232,10 +1258,18 @@ cn10k_eth_sec_session_stats_get(void *device, struct rte_security_session *sess,
return -EINVAL;
}
- rc = roc_nix_inl_sa_sync(&dev->nix, eth_sec->sa, eth_sec->inb,
- ROC_NIX_INL_SA_OP_FLUSH);
+ inl_dev = !!dev->inb.inl_dev;
+ inb = eth_sec->inb;
+ lock = inb ? &dev->inb.lock : &dev->outb.lock;
+ rte_spinlock_lock(lock);
+
+ /* Acquire lock on inline dev for inbound */
+ if (inb && inl_dev)
+ roc_nix_inl_dev_lock();
+
+ rc = roc_nix_inl_sa_sync(&dev->nix, eth_sec->sa, eth_sec->inb, ROC_NIX_INL_SA_OP_FLUSH);
if (rc)
- return -EINVAL;
+ goto err;
stats->protocol = RTE_SECURITY_PROTOCOL_IPSEC;
@@ -1251,7 +1285,12 @@ cn10k_eth_sec_session_stats_get(void *device, struct rte_security_session *sess,
((struct roc_ot_ipsec_outb_sa *)eth_sec->sa)->ctx.mib_octs;
}
- return 0;
+err:
+ if (inb && inl_dev)
+ roc_nix_inl_dev_unlock();
+ rte_spinlock_unlock(lock);
+
+ return rc;
}
static void
diff --git a/drivers/net/cnxk/cnxk_ethdev_sec.c b/drivers/net/cnxk/cnxk_ethdev_sec.c
index 614997bd3d..ac6ee79f78 100644
--- a/drivers/net/cnxk/cnxk_ethdev_sec.c
+++ b/drivers/net/cnxk/cnxk_ethdev_sec.c
@@ -354,8 +354,25 @@ rte_pmd_cnxk_sa_flush(uint16_t portid, union rte_pmd_cnxk_ipsec_hw_sa *sess, boo
{
struct rte_eth_dev *eth_dev = &rte_eth_devices[portid];
struct cnxk_eth_dev *dev = cnxk_eth_pmd_priv(eth_dev);
+ rte_spinlock_t *lock;
+ bool inl_dev;
+ int rc;
+
+ inl_dev = !!dev->inb.inl_dev;
+ lock = inb ? &dev->inb.lock : &dev->outb.lock;
+ rte_spinlock_lock(lock);
+
+ /* Acquire lock on inline dev for inbound */
+ if (inb && inl_dev)
+ roc_nix_inl_dev_lock();
+
+ rc = roc_nix_inl_sa_sync(&dev->nix, sess, inb, ROC_NIX_INL_SA_OP_FLUSH);
+
+ if (inb && inl_dev)
+ roc_nix_inl_dev_unlock();
+ rte_spinlock_unlock(lock);
- return roc_nix_inl_sa_sync(&dev->nix, sess, inb, ROC_NIX_INL_SA_OP_FLUSH);
+ return rc;
}
RTE_EXPORT_EXPERIMENTAL_SYMBOL(rte_pmd_cnxk_hw_sa_read, 22.07)
@@ -366,6 +383,8 @@ rte_pmd_cnxk_hw_sa_read(uint16_t portid, void *sess, union rte_pmd_cnxk_ipsec_hw
struct rte_eth_dev *eth_dev = &rte_eth_devices[portid];
struct cnxk_eth_dev *dev = cnxk_eth_pmd_priv(eth_dev);
struct cnxk_eth_sec_sess *eth_sec;
+ rte_spinlock_t *lock;
+ bool inl_dev;
void *sa;
int rc;
@@ -375,13 +394,31 @@ rte_pmd_cnxk_hw_sa_read(uint16_t portid, void *sess, union rte_pmd_cnxk_ipsec_hw
else
sa = sess;
+ inl_dev = !!dev->inb.inl_dev;
+ lock = inb ? &dev->inb.lock : &dev->outb.lock;
+ rte_spinlock_lock(lock);
+
+ /* Acquire lock on inline dev for inbound */
+ if (inb && inl_dev)
+ roc_nix_inl_dev_lock();
+
rc = roc_nix_inl_sa_sync(&dev->nix, sa, inb, ROC_NIX_INL_SA_OP_FLUSH);
if (rc)
- return -EINVAL;
+ goto err;
+
+ if (inb && inl_dev)
+ roc_nix_inl_dev_unlock();
+ rte_spinlock_unlock(lock);
memcpy(data, sa, len);
return 0;
+err:
+ if (inb && inl_dev)
+ roc_nix_inl_dev_unlock();
+ rte_spinlock_unlock(lock);
+
+ return rc;
}
RTE_EXPORT_EXPERIMENTAL_SYMBOL(rte_pmd_cnxk_hw_sa_write, 22.07)
@@ -393,7 +430,10 @@ rte_pmd_cnxk_hw_sa_write(uint16_t portid, void *sess, union rte_pmd_cnxk_ipsec_h
struct cnxk_eth_dev *dev = cnxk_eth_pmd_priv(eth_dev);
struct cnxk_eth_sec_sess *eth_sec;
struct roc_nix_inl_dev_q *q;
+ rte_spinlock_t *lock;
+ bool inl_dev;
void *sa;
+ int rc;
eth_sec = cnxk_eth_sec_sess_get_by_sess(dev, sess);
if (eth_sec)
@@ -405,7 +445,21 @@ rte_pmd_cnxk_hw_sa_write(uint16_t portid, void *sess, union rte_pmd_cnxk_ipsec_h
if (q && cnxk_nix_inl_fc_check(q->fc_addr, &q->fc_addr_sw, q->nb_desc, 1))
return -EAGAIN;
- return roc_nix_inl_ctx_write(&dev->nix, data, sa, inb, len);
+ inl_dev = !!dev->inb.inl_dev;
+ lock = inb ? &dev->inb.lock : &dev->outb.lock;
+ rte_spinlock_lock(lock);
+
+ /* Acquire lock on inline dev for inbound */
+ if (inb && inl_dev)
+ roc_nix_inl_dev_lock();
+
+ rc = roc_nix_inl_ctx_write(&dev->nix, data, sa, inb, len);
+
+ if (inb && inl_dev)
+ roc_nix_inl_dev_unlock();
+ rte_spinlock_unlock(lock);
+
+ return rc;
}
RTE_EXPORT_EXPERIMENTAL_SYMBOL(rte_pmd_cnxk_inl_ipsec_res, 23.11)
--
2.25.1
^ permalink raw reply [flat|nested] 3+ messages in thread
* [PATCH 2/2] common/cnxk: add null pointer checks
2025-06-20 5:09 [PATCH 1/2] net/cnxk: add lock for security session ops Rahul Bhansali
@ 2025-06-20 5:09 ` Rahul Bhansali
2025-06-20 10:53 ` Jerin Jacob
0 siblings, 1 reply; 3+ messages in thread
From: Rahul Bhansali @ 2025-06-20 5:09 UTC (permalink / raw)
To: dev, Nithin Dabilpuram, Kiran Kumar K, Sunil Kumar Kori,
Satha Rao, Harman Kalra
Cc: jerinj, Rahul Bhansali
Adds null pointer check before executing CPT instruction.
Signed-off-by: Rahul Bhansali <rbhansali@marvell.com>
---
drivers/common/cnxk/roc_nix_inl.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/drivers/common/cnxk/roc_nix_inl.c b/drivers/common/cnxk/roc_nix_inl.c
index bee8e25c7c..c7637ddbdc 100644
--- a/drivers/common/cnxk/roc_nix_inl.c
+++ b/drivers/common/cnxk/roc_nix_inl.c
@@ -1312,7 +1312,7 @@ static int
nix_inl_legacy_inb_init(struct roc_nix *roc_nix)
{
struct nix *nix = roc_nix_to_nix_priv(roc_nix);
- struct roc_cpt_inline_ipsec_inb_cfg cfg;
+ struct roc_cpt_inline_ipsec_inb_cfg cfg = {0};
struct idev_cfg *idev = idev_get_cfg();
uint16_t bpids[ROC_NIX_MAX_BPID_CNT];
struct roc_cpt *roc_cpt;
@@ -2219,7 +2219,7 @@ roc_nix_inl_sa_sync(struct roc_nix *roc_nix, void *sa, bool inb,
if (idev)
inl_dev = idev->nix_inl_dev;
- if (!inl_dev && roc_nix == NULL)
+ if ((!inl_dev && roc_nix == NULL) || sa == NULL)
return -EINVAL;
if (roc_nix) {
@@ -2299,7 +2299,7 @@ roc_nix_inl_ctx_write(struct roc_nix *roc_nix, void *sa_dptr, void *sa_cptr,
if (idev)
inl_dev = idev->nix_inl_dev;
- if (!inl_dev && roc_nix == NULL)
+ if ((!inl_dev && roc_nix == NULL) || sa_dptr == NULL || sa_cptr == NULL)
return -EINVAL;
if (roc_nix) {
--
2.25.1
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH 2/2] common/cnxk: add null pointer checks
2025-06-20 5:09 ` [PATCH 2/2] common/cnxk: add null pointer checks Rahul Bhansali
@ 2025-06-20 10:53 ` Jerin Jacob
0 siblings, 0 replies; 3+ messages in thread
From: Jerin Jacob @ 2025-06-20 10:53 UTC (permalink / raw)
To: Rahul Bhansali
Cc: dev, Nithin Dabilpuram, Kiran Kumar K, Sunil Kumar Kori,
Satha Rao, Harman Kalra, jerinj
On Fri, Jun 20, 2025 at 10:57 AM Rahul Bhansali <rbhansali@marvell.com> wrote:
>
> Adds null pointer check before executing CPT instruction.
>
> Signed-off-by: Rahul Bhansali <rbhansali@marvell.com>
Add Fixes tag and start the commit with common/cnxk: fix ...
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2025-06-20 10:54 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2025-06-20 5:09 [PATCH 1/2] net/cnxk: add lock for security session ops Rahul Bhansali
2025-06-20 5:09 ` [PATCH 2/2] common/cnxk: add null pointer checks Rahul Bhansali
2025-06-20 10:53 ` Jerin Jacob
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).