patch 'net/ixgbe: fix pointer handling in IPsec' has been queued to stable release 25.11.1

Kevin Traynor ktraynor at redhat.com
Thu Feb 26 14:10:09 CET 2026


Hi,

FYI, your patch has been queued to stable release 25.11.1

Note it hasn't been pushed to http://dpdk.org/browse/dpdk-stable yet.
It will be pushed if I get no objections before 03/02/26. So please
shout if anyone has objections.

Also note that after the patch there's a diff of the upstream commit vs the
patch applied to the branch. This will indicate if there was any rebasing
needed to apply to the stable branch. If there were code changes for rebasing
(ie: not only metadata diffs), please double check that the rebase was
correctly done.

Queued patches are on a temporary branch at:
https://github.com/kevintraynor/dpdk-stable

This queued commit can be viewed at:
https://github.com/kevintraynor/dpdk-stable/commit/b83f2367fe2dbb0b5d359c86e678f5e81af501ec

Thanks.

Kevin

---
>From b83f2367fe2dbb0b5d359c86e678f5e81af501ec Mon Sep 17 00:00:00 2001
From: Anatoly Burakov <anatoly.burakov at intel.com>
Date: Fri, 13 Feb 2026 09:10:07 +0000
Subject: [PATCH] net/ixgbe: fix pointer handling in IPsec

[ upstream commit f82b3ed6abeb7a450e5bff0be76a38ee7f92f101 ]

The original IPsec "add SA from flow" function expected a void* pointer
to the security session as its first argument. However, the calling code
did not pass that; instead, it passed `rte_flow_action_security`, which is
a *container* for the security session pointer.

Fix it by passing correct pointer type, as well as make typing more
explicit to let compiler catch such bugs in the future.

Fixes: 9a0752f498d2 ("net/ixgbe: enable inline IPsec")

Signed-off-by: Anatoly Burakov <anatoly.burakov at intel.com>
Acked-by: Radu Nicolau <radu.nicolau at intel.com>
---
 drivers/net/intel/ixgbe/ixgbe_flow.c  | 24 ++++++++++++++++++++++--
 drivers/net/intel/ixgbe/ixgbe_ipsec.c | 18 ++++++------------
 drivers/net/intel/ixgbe/ixgbe_ipsec.h | 16 +++++++++++++---
 3 files changed, 41 insertions(+), 17 deletions(-)

diff --git a/drivers/net/intel/ixgbe/ixgbe_flow.c b/drivers/net/intel/ixgbe/ixgbe_flow.c
index 90a24806d2..6a7edc6377 100644
--- a/drivers/net/intel/ixgbe/ixgbe_flow.c
+++ b/drivers/net/intel/ixgbe/ixgbe_flow.c
@@ -222,4 +222,7 @@ cons_parse_ntuple_filter(const struct rte_flow_attr *attr,
 	if (act->type == RTE_FLOW_ACTION_TYPE_SECURITY) {
 		const void *conf = act->conf;
+		const struct rte_flow_action_security *sec_act;
+		struct rte_security_session *session;
+		struct ip_spec spec;
 
 		if (conf == NULL) {
@@ -260,6 +263,23 @@ cons_parse_ntuple_filter(const struct rte_flow_attr *attr,
 
 		filter->proto = IPPROTO_ESP;
-		return ixgbe_crypto_add_ingress_sa_from_flow(conf, item->spec,
-					item->type == RTE_FLOW_ITEM_TYPE_IPV6);
+		sec_act = (const struct rte_flow_action_security *)conf;
+		spec.is_ipv6 = item->type == RTE_FLOW_ITEM_TYPE_IPV6;
+		if (spec.is_ipv6) {
+			const struct rte_flow_item_ipv6 *ipv6 = item->spec;
+			spec.spec.ipv6 = *ipv6;
+		} else {
+			const struct rte_flow_item_ipv4 *ipv4 = item->spec;
+			spec.spec.ipv4 = *ipv4;
+		}
+
+		/*
+		 * we get pointer to security session from security action,
+		 * which is const. however, we do need to act on the session, so
+		 * either we do some kind of pointer based lookup to get session
+		 * pointer internally (which quickly gets unwieldy for lots of
+		 * flows case), or we simply cast away constness.
+		 */
+		session = RTE_CAST_PTR(struct rte_security_session *, sec_act->security_session);
+		return ixgbe_crypto_add_ingress_sa_from_flow(session, &spec);
 	}
 #endif
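Review bot: The struct copies `spec.spec.ipv6 = *ipv6;` and `spec.spec.ipv4 = *ipv4;` dereference `item->spec` unconditionally, whereas the removed call only forwarded the pointer and the callee read it solely when `ic_session->op == IXGBE_OP_AUTHENTICATED_DECRYPTION`. No NULL check of `item->spec` is visible in this hunk (the body of cons_parse_ntuple_filter continues outside it), so a flow rule with a security action and an IP item without a spec may now fault in the parser. The same holds for `sec_act->security_session`, which is passed on and dereferenced by the callee in ixgbe_ipsec.c without a visible check. Both values come from the application's flow rule, so I would reject them up front with `if (item->spec == NULL || sec_act->security_session == NULL)` followed by the function's usual error return.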
diff --git a/drivers/net/intel/ixgbe/ixgbe_ipsec.c b/drivers/net/intel/ixgbe/ixgbe_ipsec.c
index df0964a51d..fe9a96c54d 100644
--- a/drivers/net/intel/ixgbe/ixgbe_ipsec.c
+++ b/drivers/net/intel/ixgbe/ixgbe_ipsec.c
@@ -665,18 +665,12 @@ ixgbe_crypto_enable_ipsec(struct rte_eth_dev *dev)
 
 int
-ixgbe_crypto_add_ingress_sa_from_flow(const void *sess,
-				      const void *ip_spec,
-				      uint8_t is_ipv6)
+ixgbe_crypto_add_ingress_sa_from_flow(struct rte_security_session *sess,
+		const struct ip_spec *spec)
 {
-	/**
-	 * FIXME Updating the session priv data when the session is const.
-	 * Typecasting done here is wrong and the implementation need to be corrected.
-	 */
-	struct ixgbe_crypto_session *ic_session = (void *)(uintptr_t)
-			((const struct rte_security_session *)sess)->driver_priv_data;
+	struct ixgbe_crypto_session *ic_session = SECURITY_GET_SESS_PRIV(sess);
 
 	if (ic_session->op == IXGBE_OP_AUTHENTICATED_DECRYPTION) {
-		if (is_ipv6) {
-			const struct rte_flow_item_ipv6 *ipv6 = ip_spec;
+		if (spec->is_ipv6) {
+			const struct rte_flow_item_ipv6 *ipv6 = &spec->spec.ipv6;
 			ic_session->src_ip.type = IPv6;
 			ic_session->dst_ip.type = IPv6;
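Review bot: With the FIXME removed, ixgbe_crypto_add_ingress_sa_from_flow has no comment stating its contract, and the now non-const `sess` is dereferenced through `SECURITY_GET_SESS_PRIV(sess)` and `ic_session->op` on the first two lines of the body with no check. I would add a short comment above the definition, for example `/* sess must be a non-NULL ixgbe session; its private data is updated with the addresses from spec. */`, so that callers know the session is modified and that validating it is their job. The function body continues past the end of this hunk.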
@@ -686,5 +680,5 @@ ixgbe_crypto_add_ingress_sa_from_flow(const void *sess,
 				   &ipv6->hdr.dst_addr, 16);
 		} else {
-			const struct rte_flow_item_ipv4 *ipv4 = ip_spec;
+			const struct rte_flow_item_ipv4 *ipv4 = &spec->spec.ipv4;
 			ic_session->src_ip.type = IPv4;
 			ic_session->dst_ip.type = IPv4;
diff --git a/drivers/net/intel/ixgbe/ixgbe_ipsec.h b/drivers/net/intel/ixgbe/ixgbe_ipsec.h
index be39199be1..e7c7186264 100644
--- a/drivers/net/intel/ixgbe/ixgbe_ipsec.h
+++ b/drivers/net/intel/ixgbe/ixgbe_ipsec.h
@@ -7,4 +7,7 @@
 
 #include <rte_security.h>
+#include <rte_security_driver.h>
+
+#include <rte_flow.h>
 
 #define IPSRXIDX_RX_EN                                    0x00000001
@@ -110,7 +113,14 @@ struct ixgbe_ipsec {
 int ixgbe_ipsec_ctx_create(struct rte_eth_dev *dev);
 int ixgbe_crypto_enable_ipsec(struct rte_eth_dev *dev);
-int ixgbe_crypto_add_ingress_sa_from_flow(const void *sess,
-					  const void *ip_spec,
-					  uint8_t is_ipv6);
+
+struct ip_spec {
+	bool is_ipv6;
+	union {
+		struct rte_flow_item_ipv4 ipv4;
+		struct rte_flow_item_ipv6 ipv6;
+	} spec;
+};
+int ixgbe_crypto_add_ingress_sa_from_flow(struct rte_security_session *sess,
+		const struct ip_spec *ip_spec);
 
 
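Review bot: `struct ip_spec` is declared in a driver header without the `ixgbe_` prefix that the other declarations in this hunk carry, and the prototype names its parameter `ip_spec` while the definition in ixgbe_ipsec.c uses `spec`. A generic tag like this could collide with a name from another header, so I would rename it to `struct ixgbe_ip_spec` and use `spec` as the parameter name in both places. A one-line comment on the struct saying that `is_ipv6` selects the valid union member would also help, since reading the wrong member yields address bytes from the other layout.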
-- 
2.53.0

---
  Diff of the applied patch vs upstream commit (please double-check if non-empty):
---
--- -	2026-02-26 10:16:52.018516166 +0000
+++ 0127-net-ixgbe-fix-pointer-handling-in-IPsec.patch	2026-02-26 10:16:47.184460256 +0000
@@ -1 +1 @@
-From f82b3ed6abeb7a450e5bff0be76a38ee7f92f101 Mon Sep 17 00:00:00 2001
+From b83f2367fe2dbb0b5d359c86e678f5e81af501ec Mon Sep 17 00:00:00 2001
@@ -5,0 +6,2 @@
+[ upstream commit f82b3ed6abeb7a450e5bff0be76a38ee7f92f101 ]
+
@@ -15 +16,0 @@
-Cc: stable at dpdk.org


