patch 'net/ixgbe: fix non-shared data in IPsec session' has been queued to stable release 24.11.7
luca.boccassi at gmail.com
luca.boccassi at gmail.com
Thu Jun 11 15:19:52 CEST 2026
Hi,
FYI, your patch has been queued to stable release 24.11.7
Note it hasn't been pushed to http://dpdk.org/browse/dpdk-stable yet.
It will be pushed if I get no objections before 06/13/26. So please
shout if anyone has objections.
Also note that after the patch there's a diff of the upstream commit vs the
patch applied to the branch. This will indicate if there was any rebasing
needed to apply to the stable branch. If there were code changes for rebasing
(ie: not only metadata diffs), please double check that the rebase was
correctly done.
Queued patches are on a temporary branch at:
https://github.com/bluca/dpdk-stable
This queued commit can be viewed at:
https://github.com/bluca/dpdk-stable/commit/5aa2d070c887adf93fc05fa643ed860c9be176e2
Thanks.
Luca Boccassi
---
>From 5aa2d070c887adf93fc05fa643ed860c9be176e2 Mon Sep 17 00:00:00 2001
From: Anatoly Burakov <anatoly.burakov at intel.com>
Date: Thu, 30 Apr 2026 12:14:32 +0100
Subject: [PATCH] net/ixgbe: fix non-shared data in IPsec session
[ upstream commit 98cc2abfb25092b32b38dd15bf90655f7ca1549f ]
Currently, ixgbe IPsec session private data stores an ethdev pointer.
That pointer is process local, but the session private data is shared,
so a secondary process can read an invalid pointer value.
Fix this by storing ethdev data pointer in session private data instead,
and using it for session/device binding checks and dev_private lookups
when adding SAs.
Fixes: 9a0752f498d2 ("net/ixgbe: enable inline IPsec")
Signed-off-by: Anatoly Burakov <anatoly.burakov at intel.com>
Acked-by: Bruce Richardson <bruce.richardson at intel.com>
---
drivers/net/ixgbe/ixgbe_ipsec.c | 10 +++++-----
drivers/net/ixgbe/ixgbe_ipsec.h | 3 ++-
2 files changed, 7 insertions(+), 6 deletions(-)
diff --git a/drivers/net/ixgbe/ixgbe_ipsec.c b/drivers/net/ixgbe/ixgbe_ipsec.c
index 778004cbe4..f051f2ce43 100644
--- a/drivers/net/ixgbe/ixgbe_ipsec.c
+++ b/drivers/net/ixgbe/ixgbe_ipsec.c
@@ -88,10 +88,10 @@ ixgbe_crypto_clear_ipsec_tables(struct rte_eth_dev *dev)
static int
ixgbe_crypto_add_sa(struct ixgbe_crypto_session *ic_session)
{
- struct rte_eth_dev *dev = ic_session->dev;
- struct ixgbe_hw *hw = IXGBE_DEV_PRIVATE_TO_HW(dev->data->dev_private);
+ struct rte_eth_dev_data *dev_data = ic_session->dev_data;
+ struct ixgbe_hw *hw = IXGBE_DEV_PRIVATE_TO_HW(dev_data->dev_private);
struct ixgbe_ipsec *priv = IXGBE_DEV_PRIVATE_TO_IPSEC(
- dev->data->dev_private);
+ dev_data->dev_private);
uint32_t reg_val;
int sa_index = -1;
@@ -405,7 +405,7 @@ ixgbe_crypto_create_session(void *device,
memcpy(&ic_session->salt,
&aead_xform->key.data[aead_xform->key.length], 4);
ic_session->spi = conf->ipsec.spi;
- ic_session->dev = eth_dev;
+ ic_session->dev_data = eth_dev->data;
if (ic_session->op == IXGBE_OP_AUTHENTICATED_ENCRYPTION) {
if (ixgbe_crypto_add_sa(ic_session)) {
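Review bot: The salt copy `memcpy(&ic_session->salt, &aead_xform->key.data[aead_xform->key.length], 4)` reads four bytes starting at index `key.length`, and nothing visible in this hunk documents or enforces that the caller's buffer extends that far. The function starts above the hunk, so a check or comment may already exist there. If not, I would state the contract next to the copy, e.g. `/* caller must place the 4-byte salt directly after key.length bytes of key */`, since the driver cannot see the real buffer size from the xform. The new `ic_session->dev_data = eth_dev->data;` assignment matches the struct change and looks correct.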
@@ -430,7 +430,7 @@ ixgbe_crypto_remove_session(void *device,
struct rte_eth_dev *eth_dev = device;
struct ixgbe_crypto_session *ic_session = SECURITY_GET_SESS_PRIV(session);
- if (eth_dev != ic_session->dev) {
+ if (eth_dev->data != ic_session->dev_data) {
PMD_DRV_LOG(ERR, "Session not bound to this device");
return -ENODEV;
}
diff --git a/drivers/net/ixgbe/ixgbe_ipsec.h b/drivers/net/ixgbe/ixgbe_ipsec.h
index be39199be1..f70b8821ec 100644
--- a/drivers/net/ixgbe/ixgbe_ipsec.h
+++ b/drivers/net/ixgbe/ixgbe_ipsec.h
@@ -5,6 +5,7 @@
#ifndef IXGBE_IPSEC_H_
#define IXGBE_IPSEC_H_
+#include <ethdev_driver.h>
#include <rte_security.h>
#define IPSRXIDX_RX_EN 0x00000001
@@ -69,7 +70,7 @@ struct __rte_cache_aligned ixgbe_crypto_session {
uint32_t spi;
struct ipaddr src_ip;
struct ipaddr dst_ip;
- struct rte_eth_dev *dev;
+ struct rte_eth_dev_data *dev_data;
};
struct ixgbe_crypto_rx_ip_table {
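Review bot: The new `dev_data` member carries no comment explaining why it is a `struct rte_eth_dev_data *` rather than a device pointer, and that reason is exactly the bug being fixed. Per the commit message, the session private data is shared between processes while `struct rte_eth_dev *` is process local. A one-line comment on the field, e.g. `/* ethdev data, valid in every process; never store process-local pointers here */`, would keep the old form from being reintroduced. The struct begins above the hunk, so whether other members hold process-local pointers cannot be confirmed from the lines shown and is worth checking.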
--
2.47.3
---
Diff of the applied patch vs upstream commit (please double-check if non-empty):
---
--- - 2026-06-11 14:20:03.028709391 +0100
+++ 0043-net-ixgbe-fix-non-shared-data-in-IPsec-session.patch 2026-06-11 14:20:01.222746177 +0100
@@ -1 +1 @@
-From 98cc2abfb25092b32b38dd15bf90655f7ca1549f Mon Sep 17 00:00:00 2001
+From 5aa2d070c887adf93fc05fa643ed860c9be176e2 Mon Sep 17 00:00:00 2001
@@ -5,0 +6,2 @@
+[ upstream commit 98cc2abfb25092b32b38dd15bf90655f7ca1549f ]
+
@@ -15 +16,0 @@
-Cc: stable at dpdk.org
@@ -20,2 +21,2 @@
- drivers/net/intel/ixgbe/ixgbe_ipsec.c | 10 +++++-----
- drivers/net/intel/ixgbe/ixgbe_ipsec.h | 3 ++-
+ drivers/net/ixgbe/ixgbe_ipsec.c | 10 +++++-----
+ drivers/net/ixgbe/ixgbe_ipsec.h | 3 ++-
@@ -24,4 +25,4 @@
-diff --git a/drivers/net/intel/ixgbe/ixgbe_ipsec.c b/drivers/net/intel/ixgbe/ixgbe_ipsec.c
-index fe9a96c54d..88225bccc0 100644
---- a/drivers/net/intel/ixgbe/ixgbe_ipsec.c
-+++ b/drivers/net/intel/ixgbe/ixgbe_ipsec.c
+diff --git a/drivers/net/ixgbe/ixgbe_ipsec.c b/drivers/net/ixgbe/ixgbe_ipsec.c
+index 778004cbe4..f051f2ce43 100644
+--- a/drivers/net/ixgbe/ixgbe_ipsec.c
++++ b/drivers/net/ixgbe/ixgbe_ipsec.c
@@ -60,4 +61,4 @@
-diff --git a/drivers/net/intel/ixgbe/ixgbe_ipsec.h b/drivers/net/intel/ixgbe/ixgbe_ipsec.h
-index e7c7186264..356817c61b 100644
---- a/drivers/net/intel/ixgbe/ixgbe_ipsec.h
-+++ b/drivers/net/intel/ixgbe/ixgbe_ipsec.h
+diff --git a/drivers/net/ixgbe/ixgbe_ipsec.h b/drivers/net/ixgbe/ixgbe_ipsec.h
+index be39199be1..f70b8821ec 100644
+--- a/drivers/net/ixgbe/ixgbe_ipsec.h
++++ b/drivers/net/ixgbe/ixgbe_ipsec.h
@@ -70 +70,0 @@
- #include <rte_security_driver.h>
@@ -72 +72,2 @@
-@@ -72,7 +73,7 @@ struct __rte_cache_aligned ixgbe_crypto_session {
+ #define IPSRXIDX_RX_EN 0x00000001
+@@ -69,7 +70,7 @@ struct __rte_cache_aligned ixgbe_crypto_session {