[PATCH v5 05/12] net/ixgbe: fix wrong pointer handling in IPsec

Thu, 12 Feb 2026 04:54:28 -0800 

The original IPsec "add SA from flow" function expected a void* pointer to
security session as its first argument. However, the actual code was not
passing that, instead it passed `rte_flow_action_security` which was a
*container* for security session pointer.

Fix it by passing correct pointer type, as well as make typing more
explicit to let compiler catch such bugs in the future.

Fixes: 9a0752f498d2 ("net/ixgbe: enable inline IPsec")
Cc: [email protected]
Cc: [email protected]

Signed-off-by: Anatoly Burakov <[email protected]>
---
 drivers/net/intel/ixgbe/ixgbe_flow.c  | 14 ++++++++++++--
 drivers/net/intel/ixgbe/ixgbe_ipsec.c | 19 +++++++------------
 drivers/net/intel/ixgbe/ixgbe_ipsec.h | 16 +++++++++++++---
 3 files changed, 32 insertions(+), 17 deletions(-)

diff --git a/drivers/net/intel/ixgbe/ixgbe_flow.c 
b/drivers/net/intel/ixgbe/ixgbe_flow.c
index 90a24806d2..461fcf0857 100644
--- a/drivers/net/intel/ixgbe/ixgbe_flow.c
+++ b/drivers/net/intel/ixgbe/ixgbe_flow.c
@@ -221,6 +221,8 @@ cons_parse_ntuple_filter(const struct rte_flow_attr *attr,
        act = next_no_void_action(actions, NULL);
        if (act->type == RTE_FLOW_ACTION_TYPE_SECURITY) {
                const void *conf = act->conf;
+               const struct rte_flow_action_security *sec_act;
+               struct ip_spec spec;
 
                if (conf == NULL) {
                        rte_flow_error_set(error, EINVAL,
@@ -259,8 +261,16 @@ cons_parse_ntuple_filter(const struct rte_flow_attr *attr,
                }
 
                filter->proto = IPPROTO_ESP;
-               return ixgbe_crypto_add_ingress_sa_from_flow(conf, item->spec,
-                                       item->type == RTE_FLOW_ITEM_TYPE_IPV6);
+               sec_act = (const struct rte_flow_action_security *)conf;
+               spec.is_ipv6 = item->type == RTE_FLOW_ITEM_TYPE_IPV6;
+               if (spec.is_ipv6) {
+                       const struct rte_flow_item_ipv6 *ipv6 = item->spec;
+                       spec.spec.ipv6 = *ipv6;
+               } else {
+                       const struct rte_flow_item_ipv4 *ipv4 = item->spec;
+                       spec.spec.ipv4 = *ipv4;
+               }
+               return 
ixgbe_crypto_add_ingress_sa_from_flow(sec_act->security_session, &spec);
        }
 #endif
 
diff --git a/drivers/net/intel/ixgbe/ixgbe_ipsec.c 
b/drivers/net/intel/ixgbe/ixgbe_ipsec.c
index df0964a51d..f76ce5b3ee 100644
--- a/drivers/net/intel/ixgbe/ixgbe_ipsec.c
+++ b/drivers/net/intel/ixgbe/ixgbe_ipsec.c
@@ -664,20 +664,15 @@ ixgbe_crypto_enable_ipsec(struct rte_eth_dev *dev)
 }
 
 int
-ixgbe_crypto_add_ingress_sa_from_flow(const void *sess,
-                                     const void *ip_spec,
-                                     uint8_t is_ipv6)
+ixgbe_crypto_add_ingress_sa_from_flow(struct rte_security_session *sess,
+               const struct ip_spec *spec)
 {
-       /**
-        * FIXME Updating the session priv data when the session is const.
-        * Typecasting done here is wrong and the implementation need to be 
corrected.
-        */
-       struct ixgbe_crypto_session *ic_session = (void *)(uintptr_t)
-                       ((const struct rte_security_session 
*)sess)->driver_priv_data;
+       struct ixgbe_crypto_session *ic_session =
+                       RTE_CAST_PTR(struct ixgbe_crypto_session *, 
sess->driver_priv_data);
 
        if (ic_session->op == IXGBE_OP_AUTHENTICATED_DECRYPTION) {
-               if (is_ipv6) {
-                       const struct rte_flow_item_ipv6 *ipv6 = ip_spec;
+               if (spec->is_ipv6) {
+                       const struct rte_flow_item_ipv6 *ipv6 = 
&spec->spec.ipv6;
                        ic_session->src_ip.type = IPv6;
                        ic_session->dst_ip.type = IPv6;
                        rte_memcpy(ic_session->src_ip.ipv6,
@@ -685,7 +680,7 @@ ixgbe_crypto_add_ingress_sa_from_flow(const void *sess,
                        rte_memcpy(ic_session->dst_ip.ipv6,
                                   &ipv6->hdr.dst_addr, 16);
                } else {
-                       const struct rte_flow_item_ipv4 *ipv4 = ip_spec;
+                       const struct rte_flow_item_ipv4 *ipv4 = 
&spec->spec.ipv4;
                        ic_session->src_ip.type = IPv4;
                        ic_session->dst_ip.type = IPv4;
                        ic_session->src_ip.ipv4 = ipv4->hdr.src_addr;
diff --git a/drivers/net/intel/ixgbe/ixgbe_ipsec.h 
b/drivers/net/intel/ixgbe/ixgbe_ipsec.h
index be39199be1..e7c7186264 100644
--- a/drivers/net/intel/ixgbe/ixgbe_ipsec.h
+++ b/drivers/net/intel/ixgbe/ixgbe_ipsec.h
@@ -6,6 +6,9 @@
 #define IXGBE_IPSEC_H_
 
 #include <rte_security.h>
+#include <rte_security_driver.h>
+
+#include <rte_flow.h>
 
 #define IPSRXIDX_RX_EN                                    0x00000001
 #define IPSRXIDX_TABLE_IP                                 0x00000002
@@ -109,9 +112,16 @@ struct ixgbe_ipsec {
 
 int ixgbe_ipsec_ctx_create(struct rte_eth_dev *dev);
 int ixgbe_crypto_enable_ipsec(struct rte_eth_dev *dev);
-int ixgbe_crypto_add_ingress_sa_from_flow(const void *sess,
-                                         const void *ip_spec,
-                                         uint8_t is_ipv6);
+
+struct ip_spec {
+       bool is_ipv6;
+       union {
+               struct rte_flow_item_ipv4 ipv4;
+               struct rte_flow_item_ipv6 ipv6;
+       } spec;
+};
+int ixgbe_crypto_add_ingress_sa_from_flow(struct rte_security_session *sess,
+               const struct ip_spec *ip_spec);
 
 
 
-- 
2.47.3

Reply via email to