From: Kevin Traynor
To: Rahul Bhansali
Cc: dpdk stable
Subject: patch 'net/cnxk: fix lock for security session operations' has been queued to stable release 24.11.3
Date: Fri, 18 Jul 2025 20:31:46 +0100
Message-ID: <20250718193247.1008129-172-ktraynor@redhat.com>
In-Reply-To: <20250718193247.1008129-1-ktraynor@redhat.com>
References: <20250718193247.1008129-1-ktraynor@redhat.com>

Hi,

FYI, your patch has been queued to stable release 24.11.3

Note it hasn't been pushed to http://dpdk.org/browse/dpdk-stable yet.
It will be pushed if I get no objections before 07/23/25. So please
shout if anyone has objections.

Also note that after the patch there's a diff of the upstream commit vs the
patch applied to the branch. This will indicate if there was any rebasing
needed to apply to the stable branch. If there were code changes for rebasing
(ie: not only metadata diffs), please double check that the rebase was
correctly done.

Queued patches are on a temporary branch at:
https://github.com/kevintraynor/dpdk-stable

This queued commit can be viewed at:
https://github.com/kevintraynor/dpdk-stable/commit/2c7e1dabd495e0c2233f387ba7f3a9bb2615334b

Thanks.

Kevin

---
>From 2c7e1dabd495e0c2233f387ba7f3a9bb2615334b Mon Sep 17 00:00:00 2001
From: Rahul Bhansali Date: Mon, 23 Jun 2025 10:19:06 +0530 Subject: [PATCH] net/cnxk: fix lock for security session operations [ upstream commit 9bebc33703df999a405ed7103dc45230d0f1fbda ] Add fixes to have lock on security session update, write and read to prevent corruption. Fixes: a72e15611303 ("net/cnxk: add PMD API for IPsec SA base and flush") Fixes: 8efa348e8160 ("net/cnxk: support custom SA index") Signed-off-by: Rahul Bhansali --- drivers/net/cnxk/cn10k_ethdev_sec.c | 65 +++++++++++++++++++++++------ drivers/net/cnxk/cnxk_ethdev_sec.c | 60 ++++++++++++++++++++++++-- 2 files changed, 109 insertions(+), 16 deletions(-) diff --git a/drivers/net/cnxk/cn10k_ethdev_sec.c b/drivers/net/cnxk/cn10k_ethdev_sec.c index 6acab8afa0..35b1665a10 100644 --- a/drivers/net/cnxk/cn10k_ethdev_sec.c +++ b/drivers/net/cnxk/cn10k_ethdev_sec.c @@ -801,5 +801,4 @@ cn10k_eth_sec_session_create(void *device, } - memset(eth_sec, 0, sizeof(struct cnxk_eth_sec_sess)); sess_priv.u64 = 0; @@ -811,4 +810,6 @@ cn10k_eth_sec_session_create(void *device, roc_nix_inl_dev_lock(); + memset(eth_sec, 0, sizeof(struct cnxk_eth_sec_sess)); + if (inbound) { struct roc_ot_ipsec_inb_sa *inb_sa, *inb_sa_dptr; @@ -1016,5 +1017,5 @@ cn10k_eth_sec_session_create(void *device, rte_spinlock_unlock(lock); - plt_nix_dbg("Created %s session with spi=%u, sa_idx=%u inl_dev=%u", + plt_nix_dbg("Created %s session with spi=0x%x, sa_idx=0x%x inl_dev=%u", inbound ? "inbound" : "outbound", eth_sec->spi, eth_sec->sa_idx, eth_sec->inl_dev); @@ -1098,5 +1099,5 @@ cn10k_eth_sec_session_destroy(void *device, struct rte_security_session *sess) rte_spinlock_unlock(lock); - plt_nix_dbg("Destroyed %s session with spi=%u, sa_idx=%u, inl_dev=%u", + plt_nix_dbg("Destroyed %s session with spi=0x%x, sa_idx=0x%x, inl_dev=%u", eth_sec->inb ? "inbound" : "outbound", eth_sec->spi, eth_sec->sa_idx, eth_sec->inl_dev); 
@@ -1121,5 +1122,6 @@ cn10k_eth_sec_session_update(void *device, struct rte_security_session *sess, struct rte_crypto_sym_xform *crypto; struct cnxk_eth_sec_sess *eth_sec; - bool inbound; + bool inbound, inl_dev; + rte_spinlock_t *lock; int rc; @@ -1136,4 +1138,12 @@ cn10k_eth_sec_session_update(void *device, struct rte_security_session *sess, return -ENOENT; + inl_dev = !!dev->inb.inl_dev; + lock = inbound ? &dev->inb.lock : &dev->outb.lock; + rte_spinlock_lock(lock); + + /* Acquire lock on inline dev for inbound */ + if (inbound && inl_dev) + roc_nix_inl_dev_lock(); + eth_sec->spi = conf->ipsec.spi; @@ -1150,5 +1160,5 @@ cn10k_eth_sec_session_update(void *device, struct rte_security_session *sess, true); if (rc) - return -EINVAL; + goto err; /* Use cookie for original data */ inb_sa_dptr->w1.s.cookie = inb_sa->w1.s.cookie; @@ -1168,5 +1178,5 @@ cn10k_eth_sec_session_update(void *device, struct rte_security_session *sess, sizeof(struct roc_ot_ipsec_inb_sa)); if (rc) - return -EINVAL; + goto err; /* Save userdata in inb private area */ @@ -1185,5 +1195,5 @@ cn10k_eth_sec_session_update(void *device, struct rte_security_session *sess, rc = cnxk_ot_ipsec_outb_sa_fill(outb_sa_dptr, ipsec, crypto); if (rc) - return -EINVAL; + goto err; /* Save rlen info */ @@ -1214,5 +1224,5 @@ cn10k_eth_sec_session_update(void *device, struct rte_security_session *sess, sizeof(struct roc_ot_ipsec_outb_sa)); if (rc) - return -EINVAL; + goto err; /* Save userdata */ 
@@ -1221,10 +1231,24 @@ cn10k_eth_sec_session_update(void *device, struct rte_security_session *sess, } + if (inbound && inl_dev) + roc_nix_inl_dev_unlock(); + rte_spinlock_unlock(lock); + + plt_nix_dbg("Updated %s session with spi=0x%x, sa_idx=0x%x inl_dev=%u", + inbound ? "inbound" : "outbound", eth_sec->spi, eth_sec->sa_idx, + eth_sec->inl_dev); return 0; + +err: + if (inbound && inl_dev) + roc_nix_inl_dev_unlock(); + rte_spinlock_unlock(lock); + + return rc; } static int cn10k_eth_sec_session_stats_get(void *device, struct rte_security_session *sess, - struct rte_security_stats *stats) + struct rte_security_stats *stats) { struct rte_eth_dev *eth_dev = (struct rte_eth_dev *)device; @@ -1232,4 +1256,6 @@ cn10k_eth_sec_session_stats_get(void *device, struct rte_security_session *sess, struct cnxk_macsec_sess *macsec_sess; struct cnxk_eth_sec_sess *eth_sec; + rte_spinlock_t *lock; + bool inl_dev, inb; int rc; @@ -1242,8 +1268,16 @@ cn10k_eth_sec_session_stats_get(void *device, struct rte_security_session *sess, } - rc = roc_nix_inl_sa_sync(&dev->nix, eth_sec->sa, eth_sec->inb, - ROC_NIX_INL_SA_OP_FLUSH); + inl_dev = !!dev->inb.inl_dev; + inb = eth_sec->inb; + lock = inb ? &dev->inb.lock : &dev->outb.lock; + rte_spinlock_lock(lock); + + /* Acquire lock on inline dev for inbound */ + if (inb && inl_dev) + roc_nix_inl_dev_lock(); + + rc = roc_nix_inl_sa_sync(&dev->nix, eth_sec->sa, eth_sec->inb, ROC_NIX_INL_SA_OP_FLUSH); if (rc) - return -EINVAL; + goto err; rte_delay_ms(1); @@ -1262,5 +1296,10 @@ cn10k_eth_sec_session_stats_get(void *device, struct rte_security_session *sess, } - return 0; +err: + if (inb && inl_dev) + roc_nix_inl_dev_unlock(); + rte_spinlock_unlock(lock); + + return rc; } diff --git a/drivers/net/cnxk/cnxk_ethdev_sec.c b/drivers/net/cnxk/cnxk_ethdev_sec.c index ef75e5f0f1..063e86a236 100644 --- a/drivers/net/cnxk/cnxk_ethdev_sec.c +++ b/drivers/net/cnxk/cnxk_ethdev_sec.c 
@@ -344,6 +344,23 @@ rte_pmd_cnxk_sa_flush(uint16_t portid, union rte_pmd_cnxk_ipsec_hw_sa *sess, boo struct rte_eth_dev *eth_dev = &rte_eth_devices[portid]; struct cnxk_eth_dev *dev = cnxk_eth_pmd_priv(eth_dev); + rte_spinlock_t *lock; + bool inl_dev; + int rc; - return roc_nix_inl_sa_sync(&dev->nix, sess, inb, ROC_NIX_INL_SA_OP_FLUSH); + inl_dev = !!dev->inb.inl_dev; + lock = inb ? &dev->inb.lock : &dev->outb.lock; + rte_spinlock_lock(lock); + + /* Acquire lock on inline dev for inbound */ + if (inb && inl_dev) + roc_nix_inl_dev_lock(); + + rc = roc_nix_inl_sa_sync(&dev->nix, sess, inb, ROC_NIX_INL_SA_OP_FLUSH); + + if (inb && inl_dev) + roc_nix_inl_dev_unlock(); + rte_spinlock_unlock(lock); + + return rc; } @@ -355,4 +372,6 @@ rte_pmd_cnxk_hw_sa_read(uint16_t portid, void *sess, union rte_pmd_cnxk_ipsec_hw struct cnxk_eth_dev *dev = cnxk_eth_pmd_priv(eth_dev); struct cnxk_eth_sec_sess *eth_sec; + rte_spinlock_t *lock; + bool inl_dev; void *sa; int rc; @@ -364,11 +383,29 @@ rte_pmd_cnxk_hw_sa_read(uint16_t portid, void *sess, union rte_pmd_cnxk_ipsec_hw sa = sess; + inl_dev = !!dev->inb.inl_dev; + lock = inb ? &dev->inb.lock : &dev->outb.lock; + rte_spinlock_lock(lock); + + /* Acquire lock on inline dev for inbound */ + if (inb && inl_dev) + roc_nix_inl_dev_lock(); + rc = roc_nix_inl_sa_sync(&dev->nix, sa, inb, ROC_NIX_INL_SA_OP_FLUSH); if (rc) - return -EINVAL; + goto err; + + if (inb && inl_dev) + roc_nix_inl_dev_unlock(); + rte_spinlock_unlock(lock); memcpy(data, sa, len); return 0; +err: + if (inb && inl_dev) + roc_nix_inl_dev_unlock(); + rte_spinlock_unlock(lock); + + return rc; } @@ -381,5 +418,8 @@ rte_pmd_cnxk_hw_sa_write(uint16_t portid, void *sess, union rte_pmd_cnxk_ipsec_h struct cnxk_eth_sec_sess *eth_sec; struct roc_nix_inl_dev_q *q; + rte_spinlock_t *lock; + bool inl_dev; void *sa; + int rc; eth_sec = cnxk_eth_sec_sess_get_by_sess(dev, sess); 
@@ -393,5 +433,19 @@ rte_pmd_cnxk_hw_sa_write(uint16_t portid, void *sess, union rte_pmd_cnxk_ipsec_h return -EAGAIN; - return roc_nix_inl_ctx_write(&dev->nix, data, sa, inb, len); + inl_dev = !!dev->inb.inl_dev; + lock = inb ? &dev->inb.lock : &dev->outb.lock; + rte_spinlock_lock(lock); + + /* Acquire lock on inline dev for inbound */ + if (inb && inl_dev) + roc_nix_inl_dev_lock(); + + rc = roc_nix_inl_ctx_write(&dev->nix, data, sa, inb, len); + + if (inb && inl_dev) + roc_nix_inl_dev_unlock(); + rte_spinlock_unlock(lock); + + return rc; } -- 2.50.0 --- Diff of the applied patch vs upstream commit (please double-check if non-empty: --- --- - 2025-07-18 20:29:17.007989215 +0100 +++ 0172-net-cnxk-fix-lock-for-security-session-operations.patch 2025-07-18 20:29:11.191908131 +0100 @@ -1 +1 @@ -From 9bebc33703df999a405ed7103dc45230d0f1fbda Mon Sep 17 00:00:00 2001 +From 2c7e1dabd495e0c2233f387ba7f3a9bb2615334b Mon Sep 17 00:00:00 2001 @@ -5,0 +6,2 @@ +[ upstream commit 9bebc33703df999a405ed7103dc45230d0f1fbda ] + @@ -11 +12,0 @@ -Cc: stable@dpdk.org @@ -20 +21 @@ -index 0dc5c22444..110630596e 100644 +index 6acab8afa0..35b1665a10 100644 @@ -23,2 +24,2 @@ -@@ -787,5 +787,4 @@ cn10k_eth_sec_session_create(void *device, - inl_dev = !!dev->inb.inl_dev; +@@ -801,5 +801,4 @@ cn10k_eth_sec_session_create(void *device, + } @@ -29 +30 @@ -@@ -797,4 +796,6 @@ cn10k_eth_sec_session_create(void *device, +@@ -811,4 +810,6 @@ cn10k_eth_sec_session_create(void *device, @@ -36 +37 @@ -@@ -1008,5 +1009,5 @@ cn10k_eth_sec_session_create(void *device, +@@ -1016,5 +1017,5 @@ cn10k_eth_sec_session_create(void *device, @@ -43 +44 @@ -@@ -1090,5 +1091,5 @@ cn10k_eth_sec_session_destroy(void *device, struct rte_security_session *sess) +@@ -1098,5 +1099,5 @@ cn10k_eth_sec_session_destroy(void *device, struct rte_security_session *sess) 
@@ -50 +51 @@ -@@ -1113,5 +1114,6 @@ cn10k_eth_sec_session_update(void *device, struct rte_security_session *sess, +@@ -1121,5 +1122,6 @@ cn10k_eth_sec_session_update(void *device, struct rte_security_session *sess, @@ -58 +59 @@ -@@ -1128,4 +1130,12 @@ cn10k_eth_sec_session_update(void *device, struct rte_security_session *sess, +@@ -1136,4 +1138,12 @@ cn10k_eth_sec_session_update(void *device, struct rte_security_session *sess, @@ -71,2 +72,2 @@ -@@ -1141,5 +1151,5 @@ cn10k_eth_sec_session_update(void *device, struct rte_security_session *sess, - rc = cnxk_ot_ipsec_inb_sa_fill(inb_sa_dptr, ipsec, crypto); +@@ -1150,5 +1160,5 @@ cn10k_eth_sec_session_update(void *device, struct rte_security_session *sess, + true); @@ -78 +79 @@ -@@ -1159,5 +1169,5 @@ cn10k_eth_sec_session_update(void *device, struct rte_security_session *sess, +@@ -1168,5 +1178,5 @@ cn10k_eth_sec_session_update(void *device, struct rte_security_session *sess, @@ -85 +86 @@ -@@ -1176,5 +1186,5 @@ cn10k_eth_sec_session_update(void *device, struct rte_security_session *sess, +@@ -1185,5 +1195,5 @@ cn10k_eth_sec_session_update(void *device, struct rte_security_session *sess, @@ -92 +93 @@ -@@ -1205,5 +1215,5 @@ cn10k_eth_sec_session_update(void *device, struct rte_security_session *sess, +@@ -1214,5 +1224,5 @@ cn10k_eth_sec_session_update(void *device, struct rte_security_session *sess, @@ -99 +100 @@ -@@ -1212,10 +1222,24 @@ cn10k_eth_sec_session_update(void *device, struct rte_security_session *sess, +@@ -1221,10 +1231,24 @@ cn10k_eth_sec_session_update(void *device, struct rte_security_session *sess, @@ -125 +126 @@ -@@ -1223,4 +1247,6 @@ cn10k_eth_sec_session_stats_get(void *device, struct rte_security_session *sess, +@@ -1232,4 +1256,6 @@ cn10k_eth_sec_session_stats_get(void *device, struct rte_security_session *sess, 
@@ -132 +133 @@ -@@ -1233,8 +1259,16 @@ cn10k_eth_sec_session_stats_get(void *device, struct rte_security_session *sess, +@@ -1242,8 +1268,16 @@ cn10k_eth_sec_session_stats_get(void *device, struct rte_security_session *sess, @@ -149,0 +151 @@ + rte_delay_ms(1); @@ -151,2 +153 @@ - stats->protocol = RTE_SECURITY_PROTOCOL_IPSEC; -@@ -1252,5 +1286,10 @@ cn10k_eth_sec_session_stats_get(void *device, struct rte_security_session *sess, +@@ -1262,5 +1296,10 @@ cn10k_eth_sec_session_stats_get(void *device, struct rte_security_session *sess, @@ -165 +166 @@ -index 614997bd3d..ac6ee79f78 100644 +index ef75e5f0f1..063e86a236 100644 @@ -168 +169 @@ -@@ -355,6 +355,23 @@ rte_pmd_cnxk_sa_flush(uint16_t portid, union rte_pmd_cnxk_ipsec_hw_sa *sess, boo +@@ -344,6 +344,23 @@ rte_pmd_cnxk_sa_flush(uint16_t portid, union rte_pmd_cnxk_ipsec_hw_sa *sess, boo @@ -193 +194 @@ -@@ -367,4 +384,6 @@ rte_pmd_cnxk_hw_sa_read(uint16_t portid, void *sess, union rte_pmd_cnxk_ipsec_hw +@@ -355,4 +372,6 @@ rte_pmd_cnxk_hw_sa_read(uint16_t portid, void *sess, union rte_pmd_cnxk_ipsec_hw @@ -200 +201 @@ -@@ -376,11 +395,29 @@ rte_pmd_cnxk_hw_sa_read(uint16_t portid, void *sess, union rte_pmd_cnxk_ipsec_hw +@@ -364,11 +383,29 @@ rte_pmd_cnxk_hw_sa_read(uint16_t portid, void *sess, union rte_pmd_cnxk_ipsec_hw @@ -231 +232 @@ -@@ -394,5 +431,8 @@ rte_pmd_cnxk_hw_sa_write(uint16_t portid, void *sess, union rte_pmd_cnxk_ipsec_h +@@ -381,5 +418,8 @@ rte_pmd_cnxk_hw_sa_write(uint16_t portid, void *sess, union rte_pmd_cnxk_ipsec_h @@ -240 +241 @@ -@@ -406,5 +446,19 @@ rte_pmd_cnxk_hw_sa_write(uint16_t portid, void *sess, union rte_pmd_cnxk_ipsec_h +@@ -393,5 +433,19 @@ rte_pmd_cnxk_hw_sa_write(uint16_t portid, void *sess, union rte_pmd_cnxk_ipsec_h
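Review bot: In cn10k_eth_sec_session_create and cn10k_eth_sec_session_destroy (hunks at -1016 and -1098 of cn10k_ethdev_sec.c), the plt_nix_dbg format strings change spi and sa_idx from %u to 0x%x, which has nothing to do with locking and is not mentioned in the commit message. For a stable backport, either drop the log-format change or add a line to the message describing it, so the patch contains only what the "Fixes:" tags justify.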
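Review bot: In cn10k_eth_sec_session_update, the four failure paths that previously did "return -EINVAL;" now "goto err;", and the err label ends with "return rc;", so callers receive the raw return value of the failing helper instead of -EINVAL. If the changed error code is intended, the commit message should say so; otherwise set rc = -EINVAL before each jump (or once at the label) so the function's visible behaviour stays the same on a stable branch.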
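Review bot: In cn10k_eth_sec_session_stats_get (hunk at -1242), rte_delay_ms(1) now runs with the port spinlock held, and for inbound sessions with the inline device lock held as well, because the unlock only happens at the err label at the end of the function. Any thread contending for dev->inb.lock or dev->outb.lock will busy-wait for at least that millisecond on every stats query; consider releasing the locks before the delay and re-taking them for the counter reads, or document why the delay must be inside the critical section. The label is also reached on the success path (the old "return 0;" was removed), so a neutral name such as "unlock" would describe it better than "err".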
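Review bot: In rte_pmd_cnxk_hw_sa_read (hunk at -364 of cnxk_ethdev_sec.c), the success path calls roc_nix_inl_dev_unlock() and rte_spinlock_unlock(lock) before "memcpy(data, sa, len);", so the actual read of the SA happens outside the lock. A concurrent rte_pmd_cnxk_hw_sa_write or session update on the same direction can modify sa while it is being copied, which is the corruption the commit message says it prevents. Moving the memcpy above the unlock would close that window and let the success and error paths share a single unlock sequence.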
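Review bot: In rte_pmd_cnxk_hw_sa_write (hunks at -381 and -393), "eth_sec = cnxk_eth_sec_sess_get_by_sess(dev, sess);" and the early "return -EAGAIN;" both run before rte_spinlock_lock(lock), so the session lookup is outside the critical section this patch adds. If a session destroy on the same port can run concurrently, the looked-up session may no longer be valid by the time roc_nix_inl_ctx_write() is called under the lock. Taking the lock before the lookup, and unlocking on the early-return paths, would make the check and the write atomic with respect to other holders of the lock.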
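Review bot: The sequence "lock = inb ? &dev->inb.lock : &dev->outb.lock; rte_spinlock_lock(lock); if (inb && inl_dev) roc_nix_inl_dev_lock();" and its mirror-image unlock are now open-coded in rte_pmd_cnxk_sa_flush, rte_pmd_cnxk_hw_sa_read, rte_pmd_cnxk_hw_sa_write, cn10k_eth_sec_session_update and cn10k_eth_sec_session_stats_get. A pair of static inline helpers would keep the lock order (port spinlock first, inline device lock second, released in reverse) defined in one place and make it harder for a later change to one copy to introduce a lock-order inversion.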