patch 'net/cnxk: fix lock for security session operations' has been queued to stable release 24.11.3

Kevin Traynor ktraynor at redhat.com
Fri Jul 18 21:31:46 CEST 2025


Hi,

FYI, your patch has been queued to stable release 24.11.3

Note it hasn't been pushed to http://dpdk.org/browse/dpdk-stable yet.
It will be pushed if I get no objections before 07/23/25. So please
shout if anyone has objections.

Also note that after the patch there's a diff of the upstream commit vs the
patch applied to the branch. This will indicate if there was any rebasing
needed to apply to the stable branch. If there were code changes for rebasing
(ie: not only metadata diffs), please double check that the rebase was
correctly done.

Queued patches are on a temporary branch at:
https://github.com/kevintraynor/dpdk-stable

This queued commit can be viewed at:
https://github.com/kevintraynor/dpdk-stable/commit/2c7e1dabd495e0c2233f387ba7f3a9bb2615334b

Thanks.

Kevin

---
>From 2c7e1dabd495e0c2233f387ba7f3a9bb2615334b Mon Sep 17 00:00:00 2001
From: Rahul Bhansali <rbhansali at marvell.com>
Date: Mon, 23 Jun 2025 10:19:06 +0530
Subject: [PATCH] net/cnxk: fix lock for security session operations

[ upstream commit 9bebc33703df999a405ed7103dc45230d0f1fbda ]

Add fixes to have lock on security session update, write and read to
prevent corruption.

Fixes: a72e15611303 ("net/cnxk: add PMD API for IPsec SA base and flush")
Fixes: 8efa348e8160 ("net/cnxk: support custom SA index")

Signed-off-by: Rahul Bhansali <rbhansali at marvell.com>
---
 drivers/net/cnxk/cn10k_ethdev_sec.c | 65 +++++++++++++++++++++++------
 drivers/net/cnxk/cnxk_ethdev_sec.c  | 60 ++++++++++++++++++++++++--
 2 files changed, 109 insertions(+), 16 deletions(-)

diff --git a/drivers/net/cnxk/cn10k_ethdev_sec.c b/drivers/net/cnxk/cn10k_ethdev_sec.c
index 6acab8afa0..35b1665a10 100644
--- a/drivers/net/cnxk/cn10k_ethdev_sec.c
+++ b/drivers/net/cnxk/cn10k_ethdev_sec.c
@@ -801,5 +801,4 @@ cn10k_eth_sec_session_create(void *device,
 	}
 
-	memset(eth_sec, 0, sizeof(struct cnxk_eth_sec_sess));
 	sess_priv.u64 = 0;
 
@@ -811,4 +810,6 @@ cn10k_eth_sec_session_create(void *device,
 		roc_nix_inl_dev_lock();
 
+	memset(eth_sec, 0, sizeof(struct cnxk_eth_sec_sess));
+
 	if (inbound) {
 		struct roc_ot_ipsec_inb_sa *inb_sa, *inb_sa_dptr;
@@ -1016,5 +1017,5 @@ cn10k_eth_sec_session_create(void *device,
 	rte_spinlock_unlock(lock);
 
-	plt_nix_dbg("Created %s session with spi=%u, sa_idx=%u inl_dev=%u",
+	plt_nix_dbg("Created %s session with spi=0x%x, sa_idx=0x%x inl_dev=%u",
 		    inbound ? "inbound" : "outbound", eth_sec->spi,
 		    eth_sec->sa_idx, eth_sec->inl_dev);
@@ -1098,5 +1099,5 @@ cn10k_eth_sec_session_destroy(void *device, struct rte_security_session *sess)
 	rte_spinlock_unlock(lock);
 
-	plt_nix_dbg("Destroyed %s session with spi=%u, sa_idx=%u, inl_dev=%u",
+	plt_nix_dbg("Destroyed %s session with spi=0x%x, sa_idx=0x%x, inl_dev=%u",
 		    eth_sec->inb ? "inbound" : "outbound", eth_sec->spi,
 		    eth_sec->sa_idx, eth_sec->inl_dev);
@@ -1121,5 +1122,6 @@ cn10k_eth_sec_session_update(void *device, struct rte_security_session *sess,
 	struct rte_crypto_sym_xform *crypto;
 	struct cnxk_eth_sec_sess *eth_sec;
-	bool inbound;
+	bool inbound, inl_dev;
+	rte_spinlock_t *lock;
 	int rc;
 
@@ -1136,4 +1138,12 @@ cn10k_eth_sec_session_update(void *device, struct rte_security_session *sess,
 		return -ENOENT;
 
+	inl_dev = !!dev->inb.inl_dev;
+	lock = inbound ? &dev->inb.lock : &dev->outb.lock;
+	rte_spinlock_lock(lock);
+
+	/* Acquire lock on inline dev for inbound */
+	if (inbound && inl_dev)
+		roc_nix_inl_dev_lock();
+
 	eth_sec->spi = conf->ipsec.spi;
 
@@ -1150,5 +1160,5 @@ cn10k_eth_sec_session_update(void *device, struct rte_security_session *sess,
 					       true);
 		if (rc)
-			return -EINVAL;
+			goto err;
 		/* Use cookie for original data */
 		inb_sa_dptr->w1.s.cookie = inb_sa->w1.s.cookie;
@@ -1168,5 +1178,5 @@ cn10k_eth_sec_session_update(void *device, struct rte_security_session *sess,
 					   sizeof(struct roc_ot_ipsec_inb_sa));
 		if (rc)
-			return -EINVAL;
+			goto err;
 
 		/* Save userdata in inb private area */
@@ -1185,5 +1195,5 @@ cn10k_eth_sec_session_update(void *device, struct rte_security_session *sess,
 		rc = cnxk_ot_ipsec_outb_sa_fill(outb_sa_dptr, ipsec, crypto);
 		if (rc)
-			return -EINVAL;
+			goto err;
 
 		/* Save rlen info */
@@ -1214,5 +1224,5 @@ cn10k_eth_sec_session_update(void *device, struct rte_security_session *sess,
 					   sizeof(struct roc_ot_ipsec_outb_sa));
 		if (rc)
-			return -EINVAL;
+			goto err;
 
 		/* Save userdata */
@@ -1221,10 +1231,24 @@ cn10k_eth_sec_session_update(void *device, struct rte_security_session *sess,
 	}
 
+	if (inbound && inl_dev)
+		roc_nix_inl_dev_unlock();
+	rte_spinlock_unlock(lock);
+
+	plt_nix_dbg("Updated %s session with spi=0x%x, sa_idx=0x%x inl_dev=%u",
+		    inbound ? "inbound" : "outbound", eth_sec->spi, eth_sec->sa_idx,
+		    eth_sec->inl_dev);
 	return 0;
+
+err:
+	if (inbound && inl_dev)
+		roc_nix_inl_dev_unlock();
+	rte_spinlock_unlock(lock);
+
+	return rc;
 }
 
 static int
 cn10k_eth_sec_session_stats_get(void *device, struct rte_security_session *sess,
-			    struct rte_security_stats *stats)
+				struct rte_security_stats *stats)
 {
 	struct rte_eth_dev *eth_dev = (struct rte_eth_dev *)device;
@@ -1232,4 +1256,6 @@ cn10k_eth_sec_session_stats_get(void *device, struct rte_security_session *sess,
 	struct cnxk_macsec_sess *macsec_sess;
 	struct cnxk_eth_sec_sess *eth_sec;
+	rte_spinlock_t *lock;
+	bool inl_dev, inb;
 	int rc;
 
@@ -1242,8 +1268,16 @@ cn10k_eth_sec_session_stats_get(void *device, struct rte_security_session *sess,
 	}
 
-	rc = roc_nix_inl_sa_sync(&dev->nix, eth_sec->sa, eth_sec->inb,
-			    ROC_NIX_INL_SA_OP_FLUSH);
+	inl_dev = !!dev->inb.inl_dev;
+	inb = eth_sec->inb;
+	lock = inb ? &dev->inb.lock : &dev->outb.lock;
+	rte_spinlock_lock(lock);
+
+	/* Acquire lock on inline dev for inbound */
+	if (inb && inl_dev)
+		roc_nix_inl_dev_lock();
+
+	rc = roc_nix_inl_sa_sync(&dev->nix, eth_sec->sa, eth_sec->inb, ROC_NIX_INL_SA_OP_FLUSH);
 	if (rc)
-		return -EINVAL;
+		goto err;
 	rte_delay_ms(1);
 
@@ -1262,5 +1296,10 @@ cn10k_eth_sec_session_stats_get(void *device, struct rte_security_session *sess,
 	}
 
-	return 0;
+err:
+	if (inb && inl_dev)
+		roc_nix_inl_dev_unlock();
+	rte_spinlock_unlock(lock);
+
+	return rc;
 }
 
diff --git a/drivers/net/cnxk/cnxk_ethdev_sec.c b/drivers/net/cnxk/cnxk_ethdev_sec.c
index ef75e5f0f1..063e86a236 100644
--- a/drivers/net/cnxk/cnxk_ethdev_sec.c
+++ b/drivers/net/cnxk/cnxk_ethdev_sec.c
@@ -344,6 +344,23 @@ rte_pmd_cnxk_sa_flush(uint16_t portid, union rte_pmd_cnxk_ipsec_hw_sa *sess, boo
 	struct rte_eth_dev *eth_dev = &rte_eth_devices[portid];
 	struct cnxk_eth_dev *dev = cnxk_eth_pmd_priv(eth_dev);
+	rte_spinlock_t *lock;
+	bool inl_dev;
+	int rc;
 
-	return roc_nix_inl_sa_sync(&dev->nix, sess, inb, ROC_NIX_INL_SA_OP_FLUSH);
+	inl_dev = !!dev->inb.inl_dev;
+	lock = inb ? &dev->inb.lock : &dev->outb.lock;
+	rte_spinlock_lock(lock);
+
+	/* Acquire lock on inline dev for inbound */
+	if (inb && inl_dev)
+		roc_nix_inl_dev_lock();
+
+	rc = roc_nix_inl_sa_sync(&dev->nix, sess, inb, ROC_NIX_INL_SA_OP_FLUSH);
+
+	if (inb && inl_dev)
+		roc_nix_inl_dev_unlock();
+	rte_spinlock_unlock(lock);
+
+	return rc;
 }
 
@@ -355,4 +372,6 @@ rte_pmd_cnxk_hw_sa_read(uint16_t portid, void *sess, union rte_pmd_cnxk_ipsec_hw
 	struct cnxk_eth_dev *dev = cnxk_eth_pmd_priv(eth_dev);
 	struct cnxk_eth_sec_sess *eth_sec;
+	rte_spinlock_t *lock;
+	bool inl_dev;
 	void *sa;
 	int rc;
@@ -364,11 +383,29 @@ rte_pmd_cnxk_hw_sa_read(uint16_t portid, void *sess, union rte_pmd_cnxk_ipsec_hw
 		sa = sess;
 
+	inl_dev = !!dev->inb.inl_dev;
+	lock = inb ? &dev->inb.lock : &dev->outb.lock;
+	rte_spinlock_lock(lock);
+
+	/* Acquire lock on inline dev for inbound */
+	if (inb && inl_dev)
+		roc_nix_inl_dev_lock();
+
 	rc = roc_nix_inl_sa_sync(&dev->nix, sa, inb, ROC_NIX_INL_SA_OP_FLUSH);
 	if (rc)
-		return -EINVAL;
+		goto err;
+
+	if (inb && inl_dev)
+		roc_nix_inl_dev_unlock();
+	rte_spinlock_unlock(lock);
 
 	memcpy(data, sa, len);
 
 	return 0;
+err:
+	if (inb && inl_dev)
+		roc_nix_inl_dev_unlock();
+	rte_spinlock_unlock(lock);
+
+	return rc;
 }
 
@@ -381,5 +418,8 @@ rte_pmd_cnxk_hw_sa_write(uint16_t portid, void *sess, union rte_pmd_cnxk_ipsec_h
 	struct cnxk_eth_sec_sess *eth_sec;
 	struct roc_nix_inl_dev_q *q;
+	rte_spinlock_t *lock;
+	bool inl_dev;
 	void *sa;
+	int rc;
 
 	eth_sec = cnxk_eth_sec_sess_get_by_sess(dev, sess);
@@ -393,5 +433,19 @@ rte_pmd_cnxk_hw_sa_write(uint16_t portid, void *sess, union rte_pmd_cnxk_ipsec_h
 		return -EAGAIN;
 
-	return roc_nix_inl_ctx_write(&dev->nix, data, sa, inb, len);
+	inl_dev = !!dev->inb.inl_dev;
+	lock = inb ? &dev->inb.lock : &dev->outb.lock;
+	rte_spinlock_lock(lock);
+
+	/* Acquire lock on inline dev for inbound */
+	if (inb && inl_dev)
+		roc_nix_inl_dev_lock();
+
+	rc = roc_nix_inl_ctx_write(&dev->nix, data, sa, inb, len);
+
+	if (inb && inl_dev)
+		roc_nix_inl_dev_unlock();
+	rte_spinlock_unlock(lock);
+
+	return rc;
 }
 
-- 
2.50.0

---
  Diff of the applied patch vs upstream commit (please double-check if non-empty:
---
--- -	2025-07-18 20:29:17.007989215 +0100
+++ 0172-net-cnxk-fix-lock-for-security-session-operations.patch	2025-07-18 20:29:11.191908131 +0100
@@ -1 +1 @@
-From 9bebc33703df999a405ed7103dc45230d0f1fbda Mon Sep 17 00:00:00 2001
+From 2c7e1dabd495e0c2233f387ba7f3a9bb2615334b Mon Sep 17 00:00:00 2001
@@ -5,0 +6,2 @@
+[ upstream commit 9bebc33703df999a405ed7103dc45230d0f1fbda ]
+
@@ -11 +12,0 @@
-Cc: stable at dpdk.org
@@ -20 +21 @@
-index 0dc5c22444..110630596e 100644
+index 6acab8afa0..35b1665a10 100644
@@ -23,2 +24,2 @@
-@@ -787,5 +787,4 @@ cn10k_eth_sec_session_create(void *device,
- 	inl_dev = !!dev->inb.inl_dev;
+@@ -801,5 +801,4 @@ cn10k_eth_sec_session_create(void *device,
+ 	}
@@ -29 +30 @@
-@@ -797,4 +796,6 @@ cn10k_eth_sec_session_create(void *device,
+@@ -811,4 +810,6 @@ cn10k_eth_sec_session_create(void *device,
@@ -36 +37 @@
-@@ -1008,5 +1009,5 @@ cn10k_eth_sec_session_create(void *device,
+@@ -1016,5 +1017,5 @@ cn10k_eth_sec_session_create(void *device,
@@ -43 +44 @@
-@@ -1090,5 +1091,5 @@ cn10k_eth_sec_session_destroy(void *device, struct rte_security_session *sess)
+@@ -1098,5 +1099,5 @@ cn10k_eth_sec_session_destroy(void *device, struct rte_security_session *sess)
@@ -50 +51 @@
-@@ -1113,5 +1114,6 @@ cn10k_eth_sec_session_update(void *device, struct rte_security_session *sess,
+@@ -1121,5 +1122,6 @@ cn10k_eth_sec_session_update(void *device, struct rte_security_session *sess,
@@ -58 +59 @@
-@@ -1128,4 +1130,12 @@ cn10k_eth_sec_session_update(void *device, struct rte_security_session *sess,
+@@ -1136,4 +1138,12 @@ cn10k_eth_sec_session_update(void *device, struct rte_security_session *sess,
@@ -71,2 +72,2 @@
-@@ -1141,5 +1151,5 @@ cn10k_eth_sec_session_update(void *device, struct rte_security_session *sess,
- 		rc = cnxk_ot_ipsec_inb_sa_fill(inb_sa_dptr, ipsec, crypto);
+@@ -1150,5 +1160,5 @@ cn10k_eth_sec_session_update(void *device, struct rte_security_session *sess,
+ 					       true);
@@ -78 +79 @@
-@@ -1159,5 +1169,5 @@ cn10k_eth_sec_session_update(void *device, struct rte_security_session *sess,
+@@ -1168,5 +1178,5 @@ cn10k_eth_sec_session_update(void *device, struct rte_security_session *sess,
@@ -85 +86 @@
-@@ -1176,5 +1186,5 @@ cn10k_eth_sec_session_update(void *device, struct rte_security_session *sess,
+@@ -1185,5 +1195,5 @@ cn10k_eth_sec_session_update(void *device, struct rte_security_session *sess,
@@ -92 +93 @@
-@@ -1205,5 +1215,5 @@ cn10k_eth_sec_session_update(void *device, struct rte_security_session *sess,
+@@ -1214,5 +1224,5 @@ cn10k_eth_sec_session_update(void *device, struct rte_security_session *sess,
@@ -99 +100 @@
-@@ -1212,10 +1222,24 @@ cn10k_eth_sec_session_update(void *device, struct rte_security_session *sess,
+@@ -1221,10 +1231,24 @@ cn10k_eth_sec_session_update(void *device, struct rte_security_session *sess,
@@ -125 +126 @@
-@@ -1223,4 +1247,6 @@ cn10k_eth_sec_session_stats_get(void *device, struct rte_security_session *sess,
+@@ -1232,4 +1256,6 @@ cn10k_eth_sec_session_stats_get(void *device, struct rte_security_session *sess,
@@ -132 +133 @@
-@@ -1233,8 +1259,16 @@ cn10k_eth_sec_session_stats_get(void *device, struct rte_security_session *sess,
+@@ -1242,8 +1268,16 @@ cn10k_eth_sec_session_stats_get(void *device, struct rte_security_session *sess,
@@ -149,0 +151 @@
+ 	rte_delay_ms(1);
@@ -151,2 +153 @@
- 	stats->protocol = RTE_SECURITY_PROTOCOL_IPSEC;
-@@ -1252,5 +1286,10 @@ cn10k_eth_sec_session_stats_get(void *device, struct rte_security_session *sess,
+@@ -1262,5 +1296,10 @@ cn10k_eth_sec_session_stats_get(void *device, struct rte_security_session *sess,
@@ -165 +166 @@
-index 614997bd3d..ac6ee79f78 100644
+index ef75e5f0f1..063e86a236 100644
@@ -168 +169 @@
-@@ -355,6 +355,23 @@ rte_pmd_cnxk_sa_flush(uint16_t portid, union rte_pmd_cnxk_ipsec_hw_sa *sess, boo
+@@ -344,6 +344,23 @@ rte_pmd_cnxk_sa_flush(uint16_t portid, union rte_pmd_cnxk_ipsec_hw_sa *sess, boo
@@ -193 +194 @@
-@@ -367,4 +384,6 @@ rte_pmd_cnxk_hw_sa_read(uint16_t portid, void *sess, union rte_pmd_cnxk_ipsec_hw
+@@ -355,4 +372,6 @@ rte_pmd_cnxk_hw_sa_read(uint16_t portid, void *sess, union rte_pmd_cnxk_ipsec_hw
@@ -200 +201 @@
-@@ -376,11 +395,29 @@ rte_pmd_cnxk_hw_sa_read(uint16_t portid, void *sess, union rte_pmd_cnxk_ipsec_hw
+@@ -364,11 +383,29 @@ rte_pmd_cnxk_hw_sa_read(uint16_t portid, void *sess, union rte_pmd_cnxk_ipsec_hw
@@ -231 +232 @@
-@@ -394,5 +431,8 @@ rte_pmd_cnxk_hw_sa_write(uint16_t portid, void *sess, union rte_pmd_cnxk_ipsec_h
+@@ -381,5 +418,8 @@ rte_pmd_cnxk_hw_sa_write(uint16_t portid, void *sess, union rte_pmd_cnxk_ipsec_h
@@ -240 +241 @@
-@@ -406,5 +446,19 @@ rte_pmd_cnxk_hw_sa_write(uint16_t portid, void *sess, union rte_pmd_cnxk_ipsec_h
+@@ -393,5 +433,19 @@ rte_pmd_cnxk_hw_sa_write(uint16_t portid, void *sess, union rte_pmd_cnxk_ipsec_h



More information about the stable mailing list