[PATCH 22.11 v2] net/cnxk: fix lock for security session ops

Rahul Bhansali rbhansali at marvell.com
Tue Jul 8 09:15:12 CEST 2025


[ upstream commit 9bebc33703df999a405ed7103dc45230d0f1fbda ]

Add fixes to have lock on security session update, write and read to
prevent corruption.

Fixes: 8efa348e8160 ("net/cnxk: support custom SA index")

Signed-off-by: Rahul Bhansali <rbhansali at marvell.com>
---
Changes in v2: fix compilation failure.

 drivers/net/cnxk/cn10k_ethdev_sec.c | 109 +++++++++++++++++++++++-----
 1 file changed, 92 insertions(+), 17 deletions(-)

diff --git a/drivers/net/cnxk/cn10k_ethdev_sec.c b/drivers/net/cnxk/cn10k_ethdev_sec.c
index ed5c335787..c264f0a1cd 100644
--- a/drivers/net/cnxk/cn10k_ethdev_sec.c
+++ b/drivers/net/cnxk/cn10k_ethdev_sec.c
@@ -636,7 +636,6 @@ cn10k_eth_sec_session_create(void *device,
 		return -EEXIST;
 	}

-	memset(eth_sec, 0, sizeof(struct cnxk_eth_sec_sess));
 	sess_priv.u64 = 0;

 	lock = inbound ? &dev->inb.lock : &dev->outb.lock;
@@ -646,6 +645,8 @@ cn10k_eth_sec_session_create(void *device,
 	if (inbound && inl_dev)
 		roc_nix_inl_dev_lock();

+	memset(eth_sec, 0, sizeof(struct cnxk_eth_sec_sess));
+
 	if (inbound) {
 		struct roc_ot_ipsec_inb_sa *inb_sa, *inb_sa_dptr;
 		struct cn10k_inb_priv_data *inb_priv;
@@ -831,7 +832,7 @@ cn10k_eth_sec_session_create(void *device,
 		roc_nix_inl_dev_unlock();
 	rte_spinlock_unlock(lock);

-	plt_nix_dbg("Created %s session with spi=%u, sa_idx=%u inl_dev=%u",
+	plt_nix_dbg("Created %s session with spi=0x%x, sa_idx=0x%x inl_dev=%u",
 		    inbound ? "inbound" : "outbound", eth_sec->spi,
 		    eth_sec->sa_idx, eth_sec->inl_dev);
 	/*
@@ -897,7 +898,7 @@ cn10k_eth_sec_session_destroy(void *device, struct rte_security_session *sess)

 	rte_spinlock_unlock(lock);

-	plt_nix_dbg("Destroyed %s session with spi=%u, sa_idx=%u, inl_dev=%u",
+	plt_nix_dbg("Destroyed %s session with spi=0x%x, sa_idx=0x%x, inl_dev=%u",
 		    eth_sec->inb ? "inbound" : "outbound", eth_sec->spi,
 		    eth_sec->sa_idx, eth_sec->inl_dev);

@@ -920,7 +921,8 @@ cn10k_eth_sec_session_update(void *device, struct rte_security_session *sess,
 	struct rte_security_ipsec_xform *ipsec;
 	struct rte_crypto_sym_xform *crypto;
 	struct cnxk_eth_sec_sess *eth_sec;
-	bool inbound;
+	bool inbound, inl_dev;
+	rte_spinlock_t *lock;
 	int rc;

 	if (conf->action_type != RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL ||
@@ -935,6 +937,14 @@ cn10k_eth_sec_session_update(void *device, struct rte_security_session *sess,
 	if (!eth_sec)
 		return -ENOENT;

+	inl_dev = !!dev->inb.inl_dev;
+	lock = inbound ? &dev->inb.lock : &dev->outb.lock;
+	rte_spinlock_lock(lock);
+
+	/* Acquire lock on inline dev for inbound */
+	if (inbound && inl_dev)
+		roc_nix_inl_dev_lock();
+
 	eth_sec->spi = conf->ipsec.spi;

 	if (inbound) {
@@ -944,13 +954,13 @@ cn10k_eth_sec_session_update(void *device, struct rte_security_session *sess,
 		rc = cnxk_ot_ipsec_inb_sa_fill(inb_sa_dptr, ipsec, crypto,
 					       true);
 		if (rc)
-			return -EINVAL;
+			goto err;

 		rc = roc_nix_inl_ctx_write(&dev->nix, inb_sa_dptr, eth_sec->sa,
 					   eth_sec->inb,
 					   sizeof(struct roc_ot_ipsec_inb_sa));
 		if (rc)
-			return -EINVAL;
+			goto err;
 	} else {
 		struct roc_ot_ipsec_outb_sa *outb_sa_dptr;

@@ -959,15 +969,29 @@ cn10k_eth_sec_session_update(void *device, struct rte_security_session *sess,

 		rc = cnxk_ot_ipsec_outb_sa_fill(outb_sa_dptr, ipsec, crypto);
 		if (rc)
-			return -EINVAL;
+			goto err;
 		rc = roc_nix_inl_ctx_write(&dev->nix, outb_sa_dptr, eth_sec->sa,
 					   eth_sec->inb,
 					   sizeof(struct roc_ot_ipsec_outb_sa));
 		if (rc)
-			return -EINVAL;
+			goto err;
 	}

+	if (inbound && inl_dev)
+		roc_nix_inl_dev_unlock();
+	rte_spinlock_unlock(lock);
+
+	plt_nix_dbg("Updated %s session with spi=0x%x, sa_idx=0x%x inl_dev=%u",
+		    inbound ? "inbound" : "outbound", eth_sec->spi, eth_sec->sa_idx,
+		    eth_sec->inl_dev);
 	return 0;
+
+err:
+	if (inbound && inl_dev)
+		roc_nix_inl_dev_unlock();
+	rte_spinlock_unlock(lock);
+
+	return rc;
 }

 int
@@ -977,20 +1001,42 @@ rte_pmd_cnxk_hw_sa_read(void *device, struct rte_security_session *sess,
 	struct rte_eth_dev *eth_dev = (struct rte_eth_dev *)device;
 	struct cnxk_eth_dev *dev = cnxk_eth_pmd_priv(eth_dev);
 	struct cnxk_eth_sec_sess *eth_sec;
+	rte_spinlock_t *lock;
+	bool inl_dev, inb;
 	int rc;

 	eth_sec = cnxk_eth_sec_sess_get_by_sess(dev, sess);
 	if (eth_sec == NULL)
 		return -EINVAL;

+	inl_dev = !!dev->inb.inl_dev;
+	inb = eth_sec->inb;
+	lock = inb ? &dev->inb.lock : &dev->outb.lock;
+	rte_spinlock_lock(lock);
+
+	/* Acquire lock on inline dev for inbound */
+	if (inb && inl_dev)
+		roc_nix_inl_dev_lock();
+
 	rc = roc_nix_inl_sa_sync(&dev->nix, eth_sec->sa, eth_sec->inb,
 			    ROC_NIX_INL_SA_OP_FLUSH);
 	if (rc)
-		return -EINVAL;
+		goto err;
+
+	if (inb && inl_dev)
+		roc_nix_inl_dev_unlock();
+	rte_spinlock_unlock(lock);
+
 	rte_delay_ms(1);
 	memcpy(data, eth_sec->sa, len);

 	return 0;
+err:
+	if (inb && inl_dev)
+		roc_nix_inl_dev_unlock();
+	rte_spinlock_unlock(lock);
+
+	return rc;
 }

 int
@@ -1000,36 +1046,60 @@ rte_pmd_cnxk_hw_sa_write(void *device, struct rte_security_session *sess,
 	struct rte_eth_dev *eth_dev = (struct rte_eth_dev *)device;
 	struct cnxk_eth_dev *dev = cnxk_eth_pmd_priv(eth_dev);
 	struct cnxk_eth_sec_sess *eth_sec;
+	rte_spinlock_t *lock;
+	bool inl_dev, inb;
 	int rc = -EINVAL;

 	eth_sec = cnxk_eth_sec_sess_get_by_sess(dev, sess);
 	if (eth_sec == NULL)
 		return rc;
+
+	inl_dev = !!dev->inb.inl_dev;
+	inb = eth_sec->inb;
+	lock = inb ? &dev->inb.lock : &dev->outb.lock;
+	rte_spinlock_lock(lock);
+
+	/* Acquire lock on inline dev for inbound */
+	if (inb && inl_dev)
+		roc_nix_inl_dev_lock();
+
 	rc = roc_nix_inl_ctx_write(&dev->nix, data, eth_sec->sa, eth_sec->inb,
 				   len);
-	if (rc)
-		return rc;

-	return 0;
+	if (inb && inl_dev)
+		roc_nix_inl_dev_unlock();
+	rte_spinlock_unlock(lock);
+
+	return rc;
 }

 static int
 cn10k_eth_sec_session_stats_get(void *device, struct rte_security_session *sess,
-			    struct rte_security_stats *stats)
+				struct rte_security_stats *stats)
 {
 	struct rte_eth_dev *eth_dev = (struct rte_eth_dev *)device;
 	struct cnxk_eth_dev *dev = cnxk_eth_pmd_priv(eth_dev);
 	struct cnxk_eth_sec_sess *eth_sec;
+	rte_spinlock_t *lock;
+	bool inl_dev, inb;
 	int rc;

 	eth_sec = cnxk_eth_sec_sess_get_by_sess(dev, sess);
 	if (eth_sec == NULL)
 		return -EINVAL;

-	rc = roc_nix_inl_sa_sync(&dev->nix, eth_sec->sa, eth_sec->inb,
-			    ROC_NIX_INL_SA_OP_FLUSH);
+	inl_dev = !!dev->inb.inl_dev;
+	inb = eth_sec->inb;
+	lock = inb ? &dev->inb.lock : &dev->outb.lock;
+	rte_spinlock_lock(lock);
+
+	/* Acquire lock on inline dev for inbound */
+	if (inb && inl_dev)
+		roc_nix_inl_dev_lock();
+
+	rc = roc_nix_inl_sa_sync(&dev->nix, eth_sec->sa, eth_sec->inb, ROC_NIX_INL_SA_OP_FLUSH);
 	if (rc)
-		return -EINVAL;
+		goto err;
 	rte_delay_ms(1);

 	stats->protocol = RTE_SECURITY_PROTOCOL_IPSEC;
@@ -1046,7 +1116,12 @@ cn10k_eth_sec_session_stats_get(void *device, struct rte_security_session *sess,
 			((struct roc_ot_ipsec_outb_sa *)eth_sec->sa)->ctx.mib_octs;
 	}

-	return 0;
+err:
+	if (inb && inl_dev)
+		roc_nix_inl_dev_unlock();
+	rte_spinlock_unlock(lock);
+
+	return rc;
 }

 void
--
2.25.1



More information about the stable mailing list