net/octeontx2: clear SA valid during session destroy

SA table entry would be reserved for inline inbound operations. Clear valid bit of the SA so that CPT would treat SA entry as invalid. Also, move setting of valid bit to the end in case of session_create() to eliminate possibility of hardware seeing partial data. Signed-off-by: Anoob Joseph <anoobj@marvell.com> Acked-by: Akhil Goyal <gakhil@marvell.com>
2021-07-13 15:57:08 +05:30 · 2021-07-13 15:57:08 +05:30 · ee9b17ea58
commit ee9b17ea58
parent 87e1160c2c
2 changed files with 24 additions and 5 deletions
--- a/drivers/crypto/octeontx2/otx2_ipsec_fp.h
+++ b/drivers/crypto/octeontx2/otx2_ipsec_fp.h
@ -364,7 +364,6 @@ ipsec_fp_sa_ctl_set(struct rte_security_ipsec_xform *ipsec,
 		ctl->esn_en = 1;

 	ctl->spi = rte_cpu_to_be_32(ipsec->spi);
-	ctl->valid = 1;

 	return 0;
 }
--- a/drivers/net/octeontx2/otx2_ethdev_sec.c
+++ b/drivers/net/octeontx2/otx2_ethdev_sec.c
@ -455,6 +455,9 @@ eth_sec_ipsec_out_sess_create(struct rte_eth_dev *eth_dev,
 			goto cpt_put;
 	}

+	rte_io_wmb();
+	ctl->valid = 1;
+
 	return 0;
 cpt_put:
 	otx2_sec_idev_tx_cpt_qp_put(sess->qp);
@ -595,6 +598,9 @@ eth_sec_ipsec_in_sess_create(struct rte_eth_dev *eth_dev,
 		sa->esn_hi = 0;
 	}

+	rte_io_wmb();
+	ctl->valid = 1;
+
 	rte_spinlock_unlock(&dev->ipsec_tbl_lock);
 	return 0;

@ -682,10 +688,12 @@ otx2_eth_sec_free_anti_replay(struct otx2_ipsec_fp_in_sa *sa)
 }

 static int
-otx2_eth_sec_session_destroy(void *device __rte_unused,
+otx2_eth_sec_session_destroy(void *device,
 			     struct rte_security_session *sess)
 {
+	struct otx2_eth_dev *dev = otx2_eth_pmd_priv(device);
 	struct otx2_sec_session_ipsec_ip *sess_ip;
+	struct otx2_ipsec_fp_in_sa *sa;
 	struct otx2_sec_session *priv;
 	struct rte_mempool *sess_mp;
 	int ret;
@ -696,9 +704,21 @@ otx2_eth_sec_session_destroy(void *device __rte_unused,

 	sess_ip = &priv->ipsec.ip;

-	/* Release the anti replay window */
-	if (priv->ipsec.dir == RTE_SECURITY_IPSEC_SA_DIR_INGRESS)
-		otx2_eth_sec_free_anti_replay(sess_ip->in_sa);
+	if (priv->ipsec.dir == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) {
+		rte_spinlock_lock(&dev->ipsec_tbl_lock);
+		sa = sess_ip->in_sa;
+
+		/* Release the anti replay window */
+		otx2_eth_sec_free_anti_replay(sa);
+
+		/* Clear SA table entry */
+		if (sa != NULL) {
+			sa->ctl.valid = 0;
+			rte_io_wmb();
+		}
+
+		rte_spinlock_unlock(&dev->ipsec_tbl_lock);
+	}

 	/* Release CPT LF used for this session */
 	if (sess_ip->qp != NULL) {