diff mbox series

[01/34] net/cnxk: allow duplicate SPI in outbound IPsec

Message ID	20250131080530.3224977-1-ndabilpuram@marvell.com (mailing list archive)
State	Changes Requested
Delegated to:	Jerin Jacob
Headers	From: Nithin Dabilpuram <ndabilpuram@marvell.com> To: <jerinj@marvell.com>, Nithin Dabilpuram <ndabilpuram@marvell.com>, "Kiran Kumar K" <kirankumark@marvell.com>, Sunil Kumar Kori <skori@marvell.com>, Satha Rao <skoteshwar@marvell.com>, Harman Kalra <hkalra@marvell.com> CC: <dev@dpdk.org> Subject: [PATCH 01/34] net/cnxk: allow duplicate SPI in outbound IPsec Date: Fri, 31 Jan 2025 13:34:56 +0530 Message-ID: <20250131080530.3224977-1-ndabilpuram@marvell.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Content-Type: text/plain Precedence: list Errors-To: dev-bounces@dpdk.org
Series	[01/34] net/cnxk: allow duplicate SPI in outbound IPsec \| [01/34] net/cnxk: allow duplicate SPI in outbound IPsec [02/34] common/cnxk: remove unused param in SA init [03/34] net/cnxk: remove unnecessary delay on stats read [04/34] common/cnxk: move CTX defines to common [05/34] common/cnxk: add cn20k CPT result struct [06/34] common/cnxk: enable IE with cn9k and cn10k only [07/34] common/cnxk: make special handling only for 9k [08/34] common/cnxk: add CPT cn20k device enumeration [09/34] common/cnxk: add CPT LMT defines [10/34] common/cnxk: add 20k defines for IPsec [11/34] common/cnxk: update default eng group for cn20k [12/34] common/cnxk: support for cn20k IPsec session [13/34] common/cnxk: add cn20k meta pkt structs [14/34] common/cnxk: support for inline IPsec for cn20k [15/34] common/cnxk: support inline SA context invalidate [16/34] common/cnxk: update feature flags for cn20k [17/34] common/cnxk: add mbox define for inline profile support [18/34] common/cnxk: support for inline inbound queue [19/34] common/cnxk: add NIX inline reassembly profile config [20/34] common/cnxk: add API to fetch inline profile ID [21/34] common/cnxk: add NPC action2 support [22/34] common/cnxk: support for NPC inline rule for cn20k [23/34] net/cnxk: support for cn20k inline IPsec session [24/34] common/cnxk: update CPT RXC time config mbox for cn20k [25/34] net/cnxk: store pool buffer size in lookup memory [26/34] net/cnxk: inline IPsec Rx support for cn20k [27/34] event/cnxk: inline IPsec Rx support for cn20k [28/34] common/cnxk: enable allmulti mode on rpm/cgx VF [29/34] net/cnxk: fix of NIX send header L3 type [30/34] common/cnxk: fix inbound IPsec sa setup [31/34] common/cnxk: add stats reset for inline device [32/34] common/cnxk: change the error log to a debug log [33/34] net/cnxk: update MC address list configure API [34/34] common/cnxk: move interrupt handling to platform-specific

Checks

Context	Check	Description
ci/checkpatch	success	coding style OK
ci/loongarch-compilation	warning	apply patch failure
ci/iol-testing	warning	apply patch failure

Commit Message

Nithin Dabilpuram Jan. 31, 2025, 8:04 a.m. UTC

Since outbound IPsec is not really dependent on SPI,
allow duplicate SPI in outbound inline IPsec sessions.

Signed-off-by: Nithin Dabilpuram <ndabilpuram@marvell.com>
---

Depends-on: series-34428 ("[v4,1/2] common/cnxk: support NPC flow on cn20k")

 drivers/net/cnxk/cn10k_ethdev_sec.c | 14 +++++++-------
 drivers/net/cnxk/cn9k_ethdev_sec.c  | 14 +++++++-------
 drivers/net/cnxk/cnxk_ethdev.h      |  4 ++--
 drivers/net/cnxk/cnxk_ethdev_sec.c  |  8 ++++++--
 4 files changed, 22 insertions(+), 18 deletions(-)

diff mbox series

Patch

diff --git a/drivers/net/cnxk/cn10k_ethdev_sec.c b/drivers/net/cnxk/cn10k_ethdev_sec.c
index 6acab8afa0..41dfba36d3 100644
--- a/drivers/net/cnxk/cn10k_ethdev_sec.c
+++ b/drivers/net/cnxk/cn10k_ethdev_sec.c
@@ -793,13 +793,6 @@  cn10k_eth_sec_session_create(void *device,
 	inbound = !!(ipsec->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS);
 	inl_dev = !!dev->inb.inl_dev;
 
-	/* Search if a session already exits */
-	if (cnxk_eth_sec_sess_get_by_spi(dev, ipsec->spi, inbound)) {
-		plt_err("%s SA with SPI %u already in use",
-			inbound ? "Inbound" : "Outbound", ipsec->spi);
-		return -EEXIST;
-	}
-
 	memset(eth_sec, 0, sizeof(struct cnxk_eth_sec_sess));
 	sess_priv.u64 = 0;
 
@@ -821,6 +814,13 @@  cn10k_eth_sec_session_create(void *device,
 
 		spi_mask = roc_nix_inl_inb_spi_range(nix, inl_dev, NULL, NULL);
 
+		/* Search if a session already exits */
+		if (cnxk_eth_sec_sess_get_by_sa_idx(dev, ipsec->spi & spi_mask, true)) {
+			plt_err("Inbound SA with SPI/SA index %u already in use", ipsec->spi);
+			rc = -EEXIST;
+			goto err;
+		}
+
 		/* Get Inbound SA from NIX_RX_IPSEC_SA_BASE */
 		sa = roc_nix_inl_inb_sa_get(nix, inl_dev, ipsec->spi);
 		if (!sa && dev->inb.inl_dev) {
diff --git a/drivers/net/cnxk/cn9k_ethdev_sec.c b/drivers/net/cnxk/cn9k_ethdev_sec.c
index 390853c728..5e13dc862e 100644
--- a/drivers/net/cnxk/cn9k_ethdev_sec.c
+++ b/drivers/net/cnxk/cn9k_ethdev_sec.c
@@ -604,13 +604,6 @@  cn9k_eth_sec_session_create(void *device,
 	crypto = conf->crypto_xform;
 	inbound = !!(ipsec->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS);
 
-	/* Search if a session already exists */
-	if (cnxk_eth_sec_sess_get_by_spi(dev, ipsec->spi, inbound)) {
-		plt_err("%s SA with SPI %u already in use",
-			inbound ? "Inbound" : "Outbound", ipsec->spi);
-		return -EEXIST;
-	}
-
 	lock = inbound ? &dev->inb.lock : &dev->outb.lock;
 	rte_spinlock_lock(lock);
 
@@ -633,6 +626,13 @@  cn9k_eth_sec_session_create(void *device,
 
 		spi_mask = roc_nix_inl_inb_spi_range(nix, false, NULL, NULL);
 
+		/* Search if a session already exits */
+		if (cnxk_eth_sec_sess_get_by_sa_idx(dev, ipsec->spi & spi_mask, true)) {
+			plt_err("Inbound SA with SPI/SA index %u already in use", ipsec->spi);
+			rc = -EEXIST;
+			goto err;
+		}
+
 		/* Get Inbound SA from NIX_RX_IPSEC_SA_BASE. Assume no inline
 		 * device always for CN9K.
 		 */
diff --git a/drivers/net/cnxk/cnxk_ethdev.h b/drivers/net/cnxk/cnxk_ethdev.h
index 350adc1161..eae5336a9b 100644
--- a/drivers/net/cnxk/cnxk_ethdev.h
+++ b/drivers/net/cnxk/cnxk_ethdev.h
@@ -729,8 +729,8 @@  typedef void (*cnxk_ethdev_rx_offload_cb_t)(uint16_t port_id, uint64_t flags);
 __rte_internal
 void cnxk_ethdev_rx_offload_cb_register(cnxk_ethdev_rx_offload_cb_t cb);
 
-struct cnxk_eth_sec_sess *cnxk_eth_sec_sess_get_by_spi(struct cnxk_eth_dev *dev,
-						       uint32_t spi, bool inb);
+struct cnxk_eth_sec_sess *cnxk_eth_sec_sess_get_by_sa_idx(struct cnxk_eth_dev *dev,
+							  uint32_t sa_idx, bool inb);
 struct cnxk_eth_sec_sess *
 cnxk_eth_sec_sess_get_by_sess(struct cnxk_eth_dev *dev,
 			      struct rte_security_session *sess);
diff --git a/drivers/net/cnxk/cnxk_ethdev_sec.c b/drivers/net/cnxk/cnxk_ethdev_sec.c
index ef75e5f0f1..2c649c985a 100644
--- a/drivers/net/cnxk/cnxk_ethdev_sec.c
+++ b/drivers/net/cnxk/cnxk_ethdev_sec.c
@@ -231,6 +231,10 @@  cnxk_eth_outb_sa_idx_get(struct cnxk_eth_dev *dev, uint32_t *idx_p,
 		if (spi > dev->outb.max_sa)
 			return -ENOTSUP;
 		idx = spi;
+		if (!plt_bitmap_get(dev->outb.sa_bmap, idx)) {
+			plt_err("Outbound SA index %u already in use", idx);
+			return -EEXIST;
+		}
 	} else {
 		/* Scan bitmap to get the free sa index */
 		rc = plt_bitmap_scan(dev->outb.sa_bmap, &pos, &slab);
@@ -265,14 +269,14 @@  cnxk_eth_outb_sa_idx_put(struct cnxk_eth_dev *dev, uint32_t idx)
 }
 
 struct cnxk_eth_sec_sess *
-cnxk_eth_sec_sess_get_by_spi(struct cnxk_eth_dev *dev, uint32_t spi, bool inb)
+cnxk_eth_sec_sess_get_by_sa_idx(struct cnxk_eth_dev *dev, uint32_t sa_idx, bool inb)
 {
 	struct cnxk_eth_sec_sess_list *list;
 	struct cnxk_eth_sec_sess *eth_sec;
 
 	list = inb ? &dev->inb.list : &dev->outb.list;
 	TAILQ_FOREACH(eth_sec, list, entry) {
-		if (eth_sec->spi == spi)
+		if (eth_sec->sa_idx == sa_idx)
 			return eth_sec;
 	}