DPDK-dev Archive on lore.kernel.org
 help / color / mirror / Atom feed
* Re: [PATCH v2] eal: silence -Wconstant-logical-operand in RTE_IS_POWER_OF_2
From: Thomas Monjalon @ 2026-05-27  8:41 UTC (permalink / raw)
  To: Stephen Hemminger
  Cc: dev, stable, Bruce Richardson, Jack Bond-Preston, Pablo de Lara,
	Gavin Hu, Honnappa Nagarahalli
In-Reply-To: <20260519135046.367128-1-stephen@networkplumber.org>

19/05/2026 15:49, Stephen Hemminger:
> Newer GCC warns when a non-boolean constant is an operand of &&, which
> trips whenever RTE_IS_POWER_OF_2 is used in a static_assert with a
> power-of-two literal. Make the zero check explicit.
> 
> Fixes: 7c872b96983a ("hash: validate hash bucket entries while compiling")
> Cc: stable@dpdk.org
> 
> Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
> Acked-by: Bruce Richardson <bruce.richardson@intel.com>
> Acked-by: Jack Bond-Preston <jack.bond-preston@foss.arm.com>
> ---
> v2 - use suggestion to make both sides comparisons

Applied, thanks.




^ permalink raw reply

* Re: [PATCH v5] mempool: improve cache behaviour and performance
From: Bruce Richardson @ 2026-05-27  8:48 UTC (permalink / raw)
  To: Morten Brørup
  Cc: dev, Andrew Rybchenko, Jingjing Wu, Praveen Shetty,
	Hemant Agrawal, Sachin Saxena
In-Reply-To: <98CBD80474FA8B44BF855DF32C47DC35F6589F@smartserver.smartshare.dk>

On Tue, May 26, 2026 at 07:45:24PM +0200, Morten Brørup wrote:
> > From: Morten Brørup [mailto:mb@smartsharesystems.com]
> > Sent: Tuesday, 26 May 2026 12.37
> > 
> > > From: Bruce Richardson [mailto:bruce.richardson@intel.com]
> > > Sent: Tuesday, 26 May 2026 11.40
> > >
> 
> [...]
> 
> > > [In all this, I am making the assumption that burst size is well less
> > > than
> > > cache size. Also, similar logic would be applicable for the inverse
> > > scenario, e.g. flush to empty (and fill burst) and fill to 75%]
> > 
> > I'm not so sure about this assumption.
> > With a cache size of 512 and a bursts of 64, the cache only holds 8
> > bursts.
> > 50% is 4 bursts, and 25% is only 2 bursts.
> > 
> > Using a replenish/drain level in the middle requires 5 bursts in either
> > direction to pass the edge (and trigger replenish/flush).
> > Using a replenish/drain level 25% from the edge requires only 3 bursts
> > in the wrong direction to pass the edge (and trigger replenish/flush).
> > Much higher probability with random get/put.
> > 
> > >
> > > Now, all said, I tend to agree that we want to leave space for a
> > decent
> > > size burst after a fill. That is why I think that filling to 75% is
> > > reasonable. After an alloc that triggers a fill, I don't want the
> > cache
> > > less than 50% full, but not completely full so there is room for a
> > free
> > > without a flush, and similarly for a free that triggers a flush, the
> > > cache
> > > should not be empty, but also should not be more than half full.
> > >
> > > One suggestion - we could always add a simple tunable that specifies
> > > the
> > > margin, or reserved entries for alloc and free. We can then guide in
> > > the
> > > docs that the value should be e.g. "zero for apps where alloc and
> > free
> > > take
> > > place on different cores. 20%-50% of cache is recommended where alloc
> > > and
> > > free take place on the same core"
> > 
> > Yes, a simple tunable is a really good idea.
> > 
> > At this point, I think we should optimize for use case #1, and go for
> > the 50% fill level.
> > Then we can add a tunable to optimize for use case #2 later. I will try
> > to come up with a draft for such a follow-up patch within the next few
> > days.
> 
> Adding a tunable is not so simple...
> The choice of mempool cache algorithm (drain/replenish to 50% vs. drain/replenish completely) should be passed via the "flags" parameter in rte_mempool_create(), but rte_pktmbuf_pool_create() is missing the "flags" parameter.
> We can add it at the next ABI breaking release.
> WDYT?
> 
I don't want this just a binary flag with two settings, I think it should
be an actual numeric value. Can we not use function versioning to add the
new parameter to all functions needing it, without worrying about ABI
breakage.

/Bruce

^ permalink raw reply

* [PATCH 1/2] test/crypto: validate ML crypto keys
From: Gowrishankar Muthukrishnan @ 2026-05-27  8:52 UTC (permalink / raw)
  To: dev, Akhil Goyal, Fan Zhang, Gowrishankar Muthukrishnan; +Cc: stable

Validate ML-KEM and ML-DSA keys.

Fixes: 76a5877072c ("test/crypto: add ML-KEM and ML-DSA cases")
Cc: stable@dpdk.org

Signed-off-by: Gowrishankar Muthukrishnan <gmuthukrishn@marvell.com>
---
 app/test/test_cryptodev_asym.c                | 48 ++++++++-----------
 app/test/test_cryptodev_ml_dsa_test_vectors.h |  8 ++++
 app/test/test_cryptodev_ml_kem_test_vectors.h |  8 ++++
 3 files changed, 36 insertions(+), 28 deletions(-)

diff --git a/app/test/test_cryptodev_asym.c b/app/test/test_cryptodev_asym.c
index bf1a1fc417..73a8198e53 100644
--- a/app/test/test_cryptodev_asym.c
+++ b/app/test/test_cryptodev_asym.c
@@ -3949,19 +3949,15 @@ mlkem_keygen(const void *test_data)
 		rte_crypto_ml_kem_pubkey_size[vector->type],
 		"Incorrect Encapsulation key length\n");
 
-	/* If the seed is all zero, keys are deterministic */
-	if (memcmp(vector->d.data, (uint8_t [32]) {0},
-			vector->d.length) == 0) {
-		TEST_ASSERT_BUFFERS_ARE_EQUAL(vector->dk.data,
-			self->result_op->asym->mlkem.keygen.dk.data,
-			self->result_op->asym->mlkem.keygen.dk.length,
-			"Incorrect Decapsulation key\n");
-		TEST_ASSERT_BUFFERS_ARE_EQUAL(vector->ek.data,
-			self->result_op->asym->mlkem.keygen.ek.data,
-			self->result_op->asym->mlkem.keygen.ek.length,
-			"Incorrect Encapsulation key\n");
-		RTE_LOG(DEBUG, USER1, "Deterministic keygen test passed\n");
-	}
+	TEST_ASSERT_BUFFERS_ARE_EQUAL(vector->dk.data,
+		self->result_op->asym->mlkem.keygen.dk.data,
+		self->result_op->asym->mlkem.keygen.dk.length,
+		"Incorrect Decapsulation key\n");
+	TEST_ASSERT_BUFFERS_ARE_EQUAL(vector->ek.data,
+		self->result_op->asym->mlkem.keygen.ek.data,
+		self->result_op->asym->mlkem.keygen.ek.length,
+		"Incorrect Encapsulation key\n");
+	RTE_LOG(DEBUG, USER1, "Deterministic keygen test passed\n");
 
 	rte_cryptodev_asym_session_free(dev_id, self->sess);
 	return TEST_SUCCESS;
@@ -4071,7 +4067,7 @@ mlkem_encap(const void *test_data)
 	self->op->asym->mlkem.decap.sk.data = sk;
 	self->op->asym->mlkem.decap.sk.length = 32;
 
-	TEST_ASSERT_SUCCESS(send_one(),
+	TEST_ASSERT_SUCCESS(send_one_no_status_check(),
 		"Failed to process crypto op (ML-KEM Decap)");
 
 	debug_hexdump(stdout, "Shared secret from negative test",
@@ -4149,7 +4145,7 @@ mlkem_decap(const void *test_data)
 	self->op->asym->mlkem.decap.sk.data = sk;
 	self->op->asym->mlkem.decap.sk.length = 32;
 
-	TEST_ASSERT_SUCCESS(send_one(),
+	TEST_ASSERT_SUCCESS(send_one_no_status_check(),
 		"Failed to process crypto op (ML-KEM Decap)");
 
 	debug_hexdump(stdout, "Shared secret from negative test",
@@ -4214,19 +4210,15 @@ mldsa_keygen(const void *test_data)
 		rte_crypto_ml_dsa_pubkey_size[vector->type],
 		"Incorrect Public key length\n");
 
-	/* If the seed is all zero, keys are deterministic */
-	if (memcmp(vector->seed.data, (uint8_t [32]) {0},
-			vector->seed.length) == 0) {
-		TEST_ASSERT_BUFFERS_ARE_EQUAL(vector->privkey.data,
-			self->result_op->asym->mldsa.keygen.privkey.data,
-			self->result_op->asym->mldsa.keygen.privkey.length,
-			"Incorrect Private key\n");
-		TEST_ASSERT_BUFFERS_ARE_EQUAL(vector->pubkey.data,
-			self->result_op->asym->mldsa.keygen.pubkey.data,
-			self->result_op->asym->mldsa.keygen.pubkey.length,
-			"Incorrect Public key\n");
-		RTE_LOG(DEBUG, USER1, "Deterministic keygen test passed\n");
-	}
+	TEST_ASSERT_BUFFERS_ARE_EQUAL(vector->privkey.data,
+		self->result_op->asym->mldsa.keygen.privkey.data,
+		self->result_op->asym->mldsa.keygen.privkey.length,
+		"Incorrect Private key\n");
+	TEST_ASSERT_BUFFERS_ARE_EQUAL(vector->pubkey.data,
+		self->result_op->asym->mldsa.keygen.pubkey.data,
+		self->result_op->asym->mldsa.keygen.pubkey.length,
+		"Incorrect Public key\n");
+	RTE_LOG(DEBUG, USER1, "Deterministic keygen test passed\n");
 
 	rte_cryptodev_asym_session_free(dev_id, self->sess);
 	return TEST_SUCCESS;
diff --git a/app/test/test_cryptodev_ml_dsa_test_vectors.h b/app/test/test_cryptodev_ml_dsa_test_vectors.h
index f2453b9f34..675a6fad04 100644
--- a/app/test/test_cryptodev_ml_dsa_test_vectors.h
+++ b/app/test/test_cryptodev_ml_dsa_test_vectors.h
@@ -1653,6 +1653,14 @@ struct crypto_testsuite_mldsa_params mldsa_keygen_test_vectors[] = {
 			.data = mldsa_44_seed,
 			.length = sizeof(mldsa_44_seed),
 		},
+		.privkey = {
+			.data = mldsa_44_privkey,
+			.length = sizeof(mldsa_44_privkey),
+		},
+		.pubkey = {
+			.data = mldsa_44_pubkey,
+			.length = sizeof(mldsa_44_pubkey),
+		},
 	},
 	{
 		.name = "mldsa_44_keygen (deterministic)",
diff --git a/app/test/test_cryptodev_ml_kem_test_vectors.h b/app/test/test_cryptodev_ml_kem_test_vectors.h
index 8294acc29e..a1d727b969 100644
--- a/app/test/test_cryptodev_ml_kem_test_vectors.h
+++ b/app/test/test_cryptodev_ml_kem_test_vectors.h
@@ -785,6 +785,14 @@ struct crypto_testsuite_mlkem_params mlkem_keygen_test_vectors[] = {
 			.data = mlkem_512_z,
 			.length = sizeof(mlkem_512_z),
 		},
+		.dk = {
+			.data = mlkem_512_dk,
+			.length = sizeof(mlkem_512_dk),
+		},
+		.ek = {
+			.data = mlkem_512_ek,
+			.length = sizeof(mlkem_512_ek),
+		}
 	},
 	{
 		.name = "mlkem_512_keygen (deterministic)",
-- 
2.37.1


^ permalink raw reply related

* [PATCH 2/2] test/crypto: fix prehash in MLDSA session
From: Gowrishankar Muthukrishnan @ 2026-05-27  8:52 UTC (permalink / raw)
  To: dev, Akhil Goyal, Fan Zhang, Gowrishankar Muthukrishnan; +Cc: stable
In-Reply-To: <20260527085257.1933-1-gmuthukrishn@marvell.com>

Set prehash flag in MLDSA session as per test parameter.

Fixes: 76a5877072c ("test/crypto: add ML-KEM and ML-DSA cases")
Cc: stable@dpdk.org

Signed-off-by: Gowrishankar Muthukrishnan <gmuthukrishn@marvell.com>
---
 app/test/test_cryptodev_asym.c | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/app/test/test_cryptodev_asym.c b/app/test/test_cryptodev_asym.c
index 73a8198e53..90af49e485 100644
--- a/app/test/test_cryptodev_asym.c
+++ b/app/test/test_cryptodev_asym.c
@@ -4236,6 +4236,7 @@ mldsa_sign(const void *test_data)
 
 	xform.mldsa.type = vector->type;
 	xform.mldsa.sign_deterministic = vector->sign_deterministic;
+	xform.mldsa.sign_prehash = !!vector->hash;
 	xform.xform_type = RTE_CRYPTO_ASYM_XFORM_ML_DSA;
 
 	rte_cryptodev_info_get(dev_id, &dev_info);
@@ -4310,6 +4311,7 @@ mldsa_sign(const void *test_data)
 	self->op->asym->mldsa.sigver.pubkey.length = vector->pubkey.length;
 	self->op->asym->mldsa.sigver.sign.data = sign;
 	self->op->asym->mldsa.sigver.sign.length = sign_len;
+	self->op->asym->mldsa.sigver.hash = vector->hash;
 
 	TEST_ASSERT_SUCCESS(send_one(),
 		"Failed to process crypto op (ML-DSA Verify)");
@@ -4332,6 +4334,7 @@ mldsa_sign(const void *test_data)
 	self->op->asym->mldsa.sigver.pubkey.length = vector->pubkey.length;
 	self->op->asym->mldsa.sigver.sign.data = sign;
 	self->op->asym->mldsa.sigver.sign.length = sign_len;
+	self->op->asym->mldsa.sigver.hash = vector->hash;
 
 	TEST_ASSERT_SUCCESS(send_one_no_status_check(),
 		"Failed to process crypto op (ML-DSA Verify)");
@@ -4352,12 +4355,26 @@ mldsa_verify(const void *test_data)
 	const struct crypto_testsuite_mldsa_params *vector = test_data;
 	const uint8_t dev_id = params->valid_devs[0];
 	struct rte_crypto_asym_xform xform = {0};
+	struct rte_cryptodev_info dev_info;
 	uint8_t sign[TEST_DATA_SIZE] = {0};
 	size_t sign_len;
 
 	xform.mldsa.type = vector->type;
 	xform.mldsa.sign_deterministic = vector->sign_deterministic;
+	xform.mldsa.sign_prehash = !!vector->hash;
 	xform.xform_type = RTE_CRYPTO_ASYM_XFORM_ML_DSA;
+
+	rte_cryptodev_info_get(dev_id, &dev_info);
+
+	/* Check if prehash is supported */
+	if (vector->hash) {
+		if (!(dev_info.feature_flags & RTE_CRYPTODEV_FF_MLDSA_SIGN_PREHASH)) {
+			RTE_LOG(DEBUG, USER1,
+				"Device doesn't support prehash in ML-DSA verify. Test skipped\n");
+			return TEST_SKIPPED;
+		}
+	}
+
 	if (rte_cryptodev_asym_session_create(dev_id, &xform,
 			params->session_mpool, &self->sess) < 0) {
 		RTE_LOG(ERR, USER1, "line %u FAILED: Session creation failed",
@@ -4379,6 +4396,7 @@ mldsa_verify(const void *test_data)
 	self->op->asym->mldsa.sigver.pubkey.length = vector->pubkey.length;
 	self->op->asym->mldsa.sigver.sign.data = vector->sign.data;
 	self->op->asym->mldsa.sigver.sign.length = vector->sign.length;
+	self->op->asym->mldsa.sigver.hash = vector->hash;
 
 	TEST_ASSERT_SUCCESS(send_one(),
 		"Failed to process crypto op (ML-DSA Verify)");
@@ -4403,6 +4421,7 @@ mldsa_verify(const void *test_data)
 	self->op->asym->mldsa.sigver.pubkey.length = vector->pubkey.length;
 	self->op->asym->mldsa.sigver.sign.data = sign;
 	self->op->asym->mldsa.sigver.sign.length = sign_len;
+	self->op->asym->mldsa.sigver.hash = vector->hash;
 
 	TEST_ASSERT_SUCCESS(send_one_no_status_check(),
 		"Failed to process crypto op (ML-DSA Verify)");
-- 
2.37.1


^ permalink raw reply related

* [v2 1/2] test/crypto: validate ML crypto keys
From: Gowrishankar Muthukrishnan @ 2026-05-27  9:13 UTC (permalink / raw)
  To: dev, Akhil Goyal, Fan Zhang, Gowrishankar Muthukrishnan; +Cc: stable
In-Reply-To: <20260527085257.1933-1-gmuthukrishn@marvell.com>

Validate ML-KEM and ML-DSA keys.

Fixes: 76a5877072c0 ("test/crypto: add ML-KEM and ML-DSA cases")
Cc: stable@dpdk.org

Signed-off-by: Gowrishankar Muthukrishnan <gmuthukrishn@marvell.com>
---
v2:
 - corrected Fixes tag.
---
 app/test/test_cryptodev_asym.c                | 48 ++++++++-----------
 app/test/test_cryptodev_ml_dsa_test_vectors.h |  8 ++++
 app/test/test_cryptodev_ml_kem_test_vectors.h |  8 ++++
 3 files changed, 36 insertions(+), 28 deletions(-)

diff --git a/app/test/test_cryptodev_asym.c b/app/test/test_cryptodev_asym.c
index bf1a1fc417..73a8198e53 100644
--- a/app/test/test_cryptodev_asym.c
+++ b/app/test/test_cryptodev_asym.c
@@ -3949,19 +3949,15 @@ mlkem_keygen(const void *test_data)
 		rte_crypto_ml_kem_pubkey_size[vector->type],
 		"Incorrect Encapsulation key length\n");
 
-	/* If the seed is all zero, keys are deterministic */
-	if (memcmp(vector->d.data, (uint8_t [32]) {0},
-			vector->d.length) == 0) {
-		TEST_ASSERT_BUFFERS_ARE_EQUAL(vector->dk.data,
-			self->result_op->asym->mlkem.keygen.dk.data,
-			self->result_op->asym->mlkem.keygen.dk.length,
-			"Incorrect Decapsulation key\n");
-		TEST_ASSERT_BUFFERS_ARE_EQUAL(vector->ek.data,
-			self->result_op->asym->mlkem.keygen.ek.data,
-			self->result_op->asym->mlkem.keygen.ek.length,
-			"Incorrect Encapsulation key\n");
-		RTE_LOG(DEBUG, USER1, "Deterministic keygen test passed\n");
-	}
+	TEST_ASSERT_BUFFERS_ARE_EQUAL(vector->dk.data,
+		self->result_op->asym->mlkem.keygen.dk.data,
+		self->result_op->asym->mlkem.keygen.dk.length,
+		"Incorrect Decapsulation key\n");
+	TEST_ASSERT_BUFFERS_ARE_EQUAL(vector->ek.data,
+		self->result_op->asym->mlkem.keygen.ek.data,
+		self->result_op->asym->mlkem.keygen.ek.length,
+		"Incorrect Encapsulation key\n");
+	RTE_LOG(DEBUG, USER1, "Deterministic keygen test passed\n");
 
 	rte_cryptodev_asym_session_free(dev_id, self->sess);
 	return TEST_SUCCESS;
@@ -4071,7 +4067,7 @@ mlkem_encap(const void *test_data)
 	self->op->asym->mlkem.decap.sk.data = sk;
 	self->op->asym->mlkem.decap.sk.length = 32;
 
-	TEST_ASSERT_SUCCESS(send_one(),
+	TEST_ASSERT_SUCCESS(send_one_no_status_check(),
 		"Failed to process crypto op (ML-KEM Decap)");
 
 	debug_hexdump(stdout, "Shared secret from negative test",
@@ -4149,7 +4145,7 @@ mlkem_decap(const void *test_data)
 	self->op->asym->mlkem.decap.sk.data = sk;
 	self->op->asym->mlkem.decap.sk.length = 32;
 
-	TEST_ASSERT_SUCCESS(send_one(),
+	TEST_ASSERT_SUCCESS(send_one_no_status_check(),
 		"Failed to process crypto op (ML-KEM Decap)");
 
 	debug_hexdump(stdout, "Shared secret from negative test",
@@ -4214,19 +4210,15 @@ mldsa_keygen(const void *test_data)
 		rte_crypto_ml_dsa_pubkey_size[vector->type],
 		"Incorrect Public key length\n");
 
-	/* If the seed is all zero, keys are deterministic */
-	if (memcmp(vector->seed.data, (uint8_t [32]) {0},
-			vector->seed.length) == 0) {
-		TEST_ASSERT_BUFFERS_ARE_EQUAL(vector->privkey.data,
-			self->result_op->asym->mldsa.keygen.privkey.data,
-			self->result_op->asym->mldsa.keygen.privkey.length,
-			"Incorrect Private key\n");
-		TEST_ASSERT_BUFFERS_ARE_EQUAL(vector->pubkey.data,
-			self->result_op->asym->mldsa.keygen.pubkey.data,
-			self->result_op->asym->mldsa.keygen.pubkey.length,
-			"Incorrect Public key\n");
-		RTE_LOG(DEBUG, USER1, "Deterministic keygen test passed\n");
-	}
+	TEST_ASSERT_BUFFERS_ARE_EQUAL(vector->privkey.data,
+		self->result_op->asym->mldsa.keygen.privkey.data,
+		self->result_op->asym->mldsa.keygen.privkey.length,
+		"Incorrect Private key\n");
+	TEST_ASSERT_BUFFERS_ARE_EQUAL(vector->pubkey.data,
+		self->result_op->asym->mldsa.keygen.pubkey.data,
+		self->result_op->asym->mldsa.keygen.pubkey.length,
+		"Incorrect Public key\n");
+	RTE_LOG(DEBUG, USER1, "Deterministic keygen test passed\n");
 
 	rte_cryptodev_asym_session_free(dev_id, self->sess);
 	return TEST_SUCCESS;
diff --git a/app/test/test_cryptodev_ml_dsa_test_vectors.h b/app/test/test_cryptodev_ml_dsa_test_vectors.h
index f2453b9f34..675a6fad04 100644
--- a/app/test/test_cryptodev_ml_dsa_test_vectors.h
+++ b/app/test/test_cryptodev_ml_dsa_test_vectors.h
@@ -1653,6 +1653,14 @@ struct crypto_testsuite_mldsa_params mldsa_keygen_test_vectors[] = {
 			.data = mldsa_44_seed,
 			.length = sizeof(mldsa_44_seed),
 		},
+		.privkey = {
+			.data = mldsa_44_privkey,
+			.length = sizeof(mldsa_44_privkey),
+		},
+		.pubkey = {
+			.data = mldsa_44_pubkey,
+			.length = sizeof(mldsa_44_pubkey),
+		},
 	},
 	{
 		.name = "mldsa_44_keygen (deterministic)",
diff --git a/app/test/test_cryptodev_ml_kem_test_vectors.h b/app/test/test_cryptodev_ml_kem_test_vectors.h
index 8294acc29e..a1d727b969 100644
--- a/app/test/test_cryptodev_ml_kem_test_vectors.h
+++ b/app/test/test_cryptodev_ml_kem_test_vectors.h
@@ -785,6 +785,14 @@ struct crypto_testsuite_mlkem_params mlkem_keygen_test_vectors[] = {
 			.data = mlkem_512_z,
 			.length = sizeof(mlkem_512_z),
 		},
+		.dk = {
+			.data = mlkem_512_dk,
+			.length = sizeof(mlkem_512_dk),
+		},
+		.ek = {
+			.data = mlkem_512_ek,
+			.length = sizeof(mlkem_512_ek),
+		}
 	},
 	{
 		.name = "mlkem_512_keygen (deterministic)",
-- 
2.37.1


^ permalink raw reply related

* [v2 2/2] test/crypto: fix prehash in MLDSA session
From: Gowrishankar Muthukrishnan @ 2026-05-27  9:14 UTC (permalink / raw)
  To: dev, Akhil Goyal, Fan Zhang, Gowrishankar Muthukrishnan; +Cc: stable
In-Reply-To: <20260527091405.2105-1-gmuthukrishn@marvell.com>

Set prehash flag in MLDSA session as per test parameter.

Fixes: 76a5877072c0 ("test/crypto: add ML-KEM and ML-DSA cases")
Cc: stable@dpdk.org

Signed-off-by: Gowrishankar Muthukrishnan <gmuthukrishn@marvell.com>
---
v2:
 - Corrected Fixes tag.
---
 app/test/test_cryptodev_asym.c | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/app/test/test_cryptodev_asym.c b/app/test/test_cryptodev_asym.c
index 73a8198e53..90af49e485 100644
--- a/app/test/test_cryptodev_asym.c
+++ b/app/test/test_cryptodev_asym.c
@@ -4236,6 +4236,7 @@ mldsa_sign(const void *test_data)
 
 	xform.mldsa.type = vector->type;
 	xform.mldsa.sign_deterministic = vector->sign_deterministic;
+	xform.mldsa.sign_prehash = !!vector->hash;
 	xform.xform_type = RTE_CRYPTO_ASYM_XFORM_ML_DSA;
 
 	rte_cryptodev_info_get(dev_id, &dev_info);
@@ -4310,6 +4311,7 @@ mldsa_sign(const void *test_data)
 	self->op->asym->mldsa.sigver.pubkey.length = vector->pubkey.length;
 	self->op->asym->mldsa.sigver.sign.data = sign;
 	self->op->asym->mldsa.sigver.sign.length = sign_len;
+	self->op->asym->mldsa.sigver.hash = vector->hash;
 
 	TEST_ASSERT_SUCCESS(send_one(),
 		"Failed to process crypto op (ML-DSA Verify)");
@@ -4332,6 +4334,7 @@ mldsa_sign(const void *test_data)
 	self->op->asym->mldsa.sigver.pubkey.length = vector->pubkey.length;
 	self->op->asym->mldsa.sigver.sign.data = sign;
 	self->op->asym->mldsa.sigver.sign.length = sign_len;
+	self->op->asym->mldsa.sigver.hash = vector->hash;
 
 	TEST_ASSERT_SUCCESS(send_one_no_status_check(),
 		"Failed to process crypto op (ML-DSA Verify)");
@@ -4352,12 +4355,26 @@ mldsa_verify(const void *test_data)
 	const struct crypto_testsuite_mldsa_params *vector = test_data;
 	const uint8_t dev_id = params->valid_devs[0];
 	struct rte_crypto_asym_xform xform = {0};
+	struct rte_cryptodev_info dev_info;
 	uint8_t sign[TEST_DATA_SIZE] = {0};
 	size_t sign_len;
 
 	xform.mldsa.type = vector->type;
 	xform.mldsa.sign_deterministic = vector->sign_deterministic;
+	xform.mldsa.sign_prehash = !!vector->hash;
 	xform.xform_type = RTE_CRYPTO_ASYM_XFORM_ML_DSA;
+
+	rte_cryptodev_info_get(dev_id, &dev_info);
+
+	/* Check if prehash is supported */
+	if (vector->hash) {
+		if (!(dev_info.feature_flags & RTE_CRYPTODEV_FF_MLDSA_SIGN_PREHASH)) {
+			RTE_LOG(DEBUG, USER1,
+				"Device doesn't support prehash in ML-DSA verify. Test skipped\n");
+			return TEST_SKIPPED;
+		}
+	}
+
 	if (rte_cryptodev_asym_session_create(dev_id, &xform,
 			params->session_mpool, &self->sess) < 0) {
 		RTE_LOG(ERR, USER1, "line %u FAILED: Session creation failed",
@@ -4379,6 +4396,7 @@ mldsa_verify(const void *test_data)
 	self->op->asym->mldsa.sigver.pubkey.length = vector->pubkey.length;
 	self->op->asym->mldsa.sigver.sign.data = vector->sign.data;
 	self->op->asym->mldsa.sigver.sign.length = vector->sign.length;
+	self->op->asym->mldsa.sigver.hash = vector->hash;
 
 	TEST_ASSERT_SUCCESS(send_one(),
 		"Failed to process crypto op (ML-DSA Verify)");
@@ -4403,6 +4421,7 @@ mldsa_verify(const void *test_data)
 	self->op->asym->mldsa.sigver.pubkey.length = vector->pubkey.length;
 	self->op->asym->mldsa.sigver.sign.data = sign;
 	self->op->asym->mldsa.sigver.sign.length = sign_len;
+	self->op->asym->mldsa.sigver.hash = vector->hash;
 
 	TEST_ASSERT_SUCCESS(send_one_no_status_check(),
 		"Failed to process crypto op (ML-DSA Verify)");
-- 
2.37.1


^ permalink raw reply related

* RE: [PATCH v2] app/test-pmd: add generic PROG action parser support
From: Ajmera, Megha @ 2026-05-27  9:20 UTC (permalink / raw)
  To: Stephen Hemminger
  Cc: Richardson, Bruce, Dumitrescu, Cristian, Shetty, Praveen,
	Singh, Aman Deep, dev@dpdk.org
In-Reply-To: <20260526122218.1c29d917@phoenix.local>

> 
> This looks like a third attempt to parse text into rte_flow.
> Not sure how this fits in and why it would be useful?

Thanks for the feedback.
I wanted to clarify the intent of this patch. The backend support for the PROG action already exists in the PMD. This patch is focused on adding the corresponding frontend (testpmd) parser support so that users can configure and exercise this functionality via CLI.
The motivation here is to enable configuration of programmable actions that are already supported in the backend but cannot currently be invoked through testpmd. With this addition, new actions that are exposed through PROG can be configured using the flow command interface.

Regards,
Megha

^ permalink raw reply

* RE: [PATCH v5] mempool: improve cache behaviour and performance
From: Morten Brørup @ 2026-05-27  9:22 UTC (permalink / raw)
  To: Bruce Richardson
  Cc: dev, Andrew Rybchenko, Jingjing Wu, Praveen Shetty,
	Hemant Agrawal, Sachin Saxena
In-Reply-To: <ahavyHwTzyPPDkQ4@bricha3-mobl1.ger.corp.intel.com>

> From: Bruce Richardson [mailto:bruce.richardson@intel.com]
> Sent: Wednesday, 27 May 2026 10.48
> 
> On Tue, May 26, 2026 at 07:45:24PM +0200, Morten Brørup wrote:
> > > From: Morten Brørup [mailto:mb@smartsharesystems.com]
> > > Sent: Tuesday, 26 May 2026 12.37
> > >
> > > > From: Bruce Richardson [mailto:bruce.richardson@intel.com]
> > > > Sent: Tuesday, 26 May 2026 11.40
> > > >
> >
> > [...]
> >
> > > > [In all this, I am making the assumption that burst size is well
> less
> > > > than
> > > > cache size. Also, similar logic would be applicable for the
> inverse
> > > > scenario, e.g. flush to empty (and fill burst) and fill to 75%]
> > >
> > > I'm not so sure about this assumption.
> > > With a cache size of 512 and a bursts of 64, the cache only holds 8
> > > bursts.
> > > 50% is 4 bursts, and 25% is only 2 bursts.
> > >
> > > Using a replenish/drain level in the middle requires 5 bursts in
> either
> > > direction to pass the edge (and trigger replenish/flush).
> > > Using a replenish/drain level 25% from the edge requires only 3
> bursts
> > > in the wrong direction to pass the edge (and trigger
> replenish/flush).
> > > Much higher probability with random get/put.
> > >
> > > >
> > > > Now, all said, I tend to agree that we want to leave space for a
> > > decent
> > > > size burst after a fill. That is why I think that filling to 75%
> is
> > > > reasonable. After an alloc that triggers a fill, I don't want the
> > > cache
> > > > less than 50% full, but not completely full so there is room for
> a
> > > free
> > > > without a flush, and similarly for a free that triggers a flush,
> the
> > > > cache
> > > > should not be empty, but also should not be more than half full.
> > > >
> > > > One suggestion - we could always add a simple tunable that
> specifies
> > > > the
> > > > margin, or reserved entries for alloc and free. We can then guide
> in
> > > > the
> > > > docs that the value should be e.g. "zero for apps where alloc and
> > > free
> > > > take
> > > > place on different cores. 20%-50% of cache is recommended where
> alloc
> > > > and
> > > > free take place on the same core"
> > >
> > > Yes, a simple tunable is a really good idea.
> > >
> > > At this point, I think we should optimize for use case #1, and go
> for
> > > the 50% fill level.
> > > Then we can add a tunable to optimize for use case #2 later. I will
> try
> > > to come up with a draft for such a follow-up patch within the next
> few
> > > days.
> >
> > Adding a tunable is not so simple...
> > The choice of mempool cache algorithm (drain/replenish to 50% vs.
> drain/replenish completely) should be passed via the "flags" parameter
> in rte_mempool_create(), but rte_pktmbuf_pool_create() is missing the
> "flags" parameter.
> > We can add it at the next ABI breaking release.
> > WDYT?
> >
> I don't want this just a binary flag with two settings, I think it
> should be an actual numeric value.

If it was plain and simple to support a numeric value, I'd do it.
But the two algorithms differ too much.
If needed, the flag can be used as an enum to support more algorithms in the future.

My WIP (not even build tested), where you can see the different algorithms steered by the cache->flags field, looks like this:

static __rte_always_inline void
rte_mempool_do_generic_put(struct rte_mempool *mp, void * const *obj_table,
			   unsigned int n, struct rte_mempool_cache *cache)
{
	void **cache_objs;

	/* No cache provided? */
	if (unlikely(cache == NULL))
		goto driver_enqueue;

	/* Increment stats now, adding in mempool always succeeds. */
	RTE_MEMPOOL_CACHE_STAT_ADD(cache, put_bulk, 1);
	RTE_MEMPOOL_CACHE_STAT_ADD(cache, put_objs, n);

	__rte_assume(cache->size <= RTE_MEMPOOL_CACHE_MAX_SIZE);
	__rte_assume(cache->len <= RTE_MEMPOOL_CACHE_MAX_SIZE);
	__rte_assume(cache->len <= cache->size);
	if (likely(cache->len + n <= cache->size)) {
		/* Sufficient room in the cache for the objects. */
		cache_objs = &cache->objs[cache->len];
		cache->len += n;

        /* Add the objects to the cache. */
        rte_memcpy(cache_objs, obj_table, sizeof(void *) * n);

        return;
	}

    /* Insufficient room in the cache for the objects. */

    if (cache->flags & RTE_MEMPOOL_F_CACHE_ACCESS_ONE_WAY) {
        /* The algorithm is optimized for put or get operations only. */
        /* The request itself exceeds the cache bounce buffer limit? */
        __rte_assume(cache->size <= RTE_MEMPOOL_CACHE_MAX_SIZE);
        if (n > cache->size)
            goto driver_enqueue_stats_incremented;

        /* Fill the cache completely by adding the first part of the objects. */
        cache_objs = &cache->objs[cache->len];
        rte_memcpy(cache_objs, obj_table, sizeof(void *) * (cache->size - cache->len));
        obj_table += cache->size - cache->len;

        /* Flush the entire cache to the backend. */
        rte_mempool_ops_enqueue_bulk(mp, &cache->objs[0], cache->size);

        /* Add the remaining objects to the cache. */
        cache->len = n - (cache->size - cache->len);
        rte_memcpy(&cache->objs[0], obj_table, sizeof(void *) * cache->len);
    } else {
        /* The algorithm is optimized for a balanced mix of put and get operations. */
        /* The request itself exceeds the cache bounce buffer limit? */
        __rte_assume(cache->size / 2 <= RTE_MEMPOOL_CACHE_MAX_SIZE / 2);
        if (n > cache->size / 2)
            goto driver_enqueue_stats_incremented;

        /*
         * Flush part of the cache to the backend to make room for the objects;
         * flush (size / 2) objects from the bottom of the cache, where
         * objects are less hot, and move down the remaining objects, which
         * are more hot, from the upper half of the cache.
         */
        __rte_assume(cache->len > cache->size / 2);
        rte_mempool_ops_enqueue_bulk(mp, &cache->objs[0], cache->size / 2);
        rte_memcpy(&cache->objs[0], &cache->objs[cache->size / 2],
                sizeof(void *) * (cache->len - cache->size / 2));
        cache_objs = &cache->objs[cache->len - cache->size / 2];
        cache->len = cache->len - cache->size / 2 + n;

        /* Add the objects to the cache. */
        rte_memcpy(cache_objs, obj_table, sizeof(void *) * n);
    }

    return;

driver_enqueue:

	/* increment stat now, adding in mempool always success */
	RTE_MEMPOOL_STAT_ADD(mp, put_bulk, 1);
	RTE_MEMPOOL_STAT_ADD(mp, put_objs, n);

driver_enqueue_stats_incremented:

	/* push objects to the backend */
	rte_mempool_ops_enqueue_bulk(mp, obj_table, n);
}



> Can we not use function versioning to add the
> new parameter to all functions needing it, without worrying about ABI
> breakage.

The public structures will also change, so I don't think so.

> 
> /Bruce

^ permalink raw reply

* Re: [PATCH V2 00/15] power: unify and improve lcore ID verification
From: lihuisong (C) @ 2026-05-27  9:54 UTC (permalink / raw)
  To: Stephen Hemminger
  Cc: anatoly.burakov, sivaprasad.tummala, dev, thomas, fengchengwen,
	yangxingui, zhanjie9
In-Reply-To: <20260526121813.0e15163e@phoenix.local>


On 5/27/2026 3:18 AM, Stephen Hemminger wrote:
> On Tue, 19 May 2026 21:09:47 +0800
> "lihuisong (C)" <lihuisong@huawei.com> wrote:
>
>> Thanks for giving me this AI review feedback.
>> Some of them are still acceptable. will fix it in next version.
>>
>> Is this summary from AI generated for each patche series?
>> May ask where you obtained this information about AI review?
> There is automated review from CI which is done after CI tests runs pass.
> But it is using older version of AGENTS.md and missing tool skills support.
> I use Claude AI project with current version of AGENTS.md.
> It gives the best reviews since it is willing to go look at the existing code.
> Other methods just look at the patch itself.
Got it. Thanks for your AI review.

^ permalink raw reply

* Re: [RFC v2 2/3] lib: add fastmem library
From: Mattias Rönnblom @ 2026-05-27 10:12 UTC (permalink / raw)
  To: Stephen Hemminger
  Cc: dev, Morten Brørup, Konstantin Ananyev,
	Mattias Rönnblom, Yogaraj Baskaravel
In-Reply-To: <20260526062312.33f76fcc@phoenix.local>

On 5/26/26 15:23, Stephen Hemminger wrote:
> On Tue, 26 May 2026 10:57:42 +0200
> Mattias Rönnblom <hofors@lysator.liu.se> wrote:
> 
>> +__rte_experimental
>> +void *
>> +rte_fastmem_alloc(size_t size, size_t align, unsigned int flags)
>> +	__rte_alloc_size(1) __rte_alloc_align(2);
> 
> Should also add attribute __rte_malloc which tells compiler
> that pointer returned cannot alias other memory
> 
> And add __rte_dealloc(rte_fastmem_free, 1)
> which tells compiler that the returned pointer should only go
> back to fastmem (not free, rte_free, etc).

Done. Only works for the single-object ops (not bulk) though.

I've had a look at how to extend fastmem to support larger allocations 
(without suggesting this is the way to go).

Seems to me that implementation should be something like
a) slab allocator for small objects.
b) a cache-less per-socket page run allocator for mid-sized objects.
c) per-object memzones for large objects.

If one would implement that, you would essentially have a plug-in 
replacement for rte_malloc.h (maybe minus some debug and some more 
esoteric DPDK heap features).

Should fastmem be an outright replacement, or something that at least 
initially lives alongside the regular heap, maybe with a run- or 
compile-time option to make rte_malloc.h functions delegate to fastmem? 
This is unclear to me at this point. I fear the more ambitious, cleaner 
and more risky DPDK heap replacement path will go they way my attempts 
to replace rte_memcpy or rte_timer went.

I would agree with anyone saying that we should have only one heap-like 
API for memory allocations. rte_malloc.h obviously needs to stay, for 
backward compatibility reason, if nothing else. I would like to add bulk 
alloc/free, and allow for smaller alignments than 64, since slabs can do 
that efficiently (DPDK heap per-object header is 128 bytes!). One could 
either go about that by extending rte_malloc.h or deprecating that API 
and starting anew. In the latter case, one could do many more minor 
tweaks, like removing the type pointers (only a nuance), remove the 
validate function, change and extend the stats interface, etc.


^ permalink raw reply

* Re: [RFC v2 2/3] lib: add fastmem library
From: Bruce Richardson @ 2026-05-27 10:18 UTC (permalink / raw)
  To: Mattias Rönnblom
  Cc: Stephen Hemminger, dev, Morten Brørup, Konstantin Ananyev,
	Mattias Rönnblom, Yogaraj Baskaravel
In-Reply-To: <b3982582-3023-4f2c-9c62-10d4af20d4e2@lysator.liu.se>

On Wed, May 27, 2026 at 12:12:19PM +0200, Mattias Rönnblom wrote:
> On 5/26/26 15:23, Stephen Hemminger wrote:
> > On Tue, 26 May 2026 10:57:42 +0200
> > Mattias Rönnblom <hofors@lysator.liu.se> wrote:
> > 
> > > +__rte_experimental
> > > +void *
> > > +rte_fastmem_alloc(size_t size, size_t align, unsigned int flags)
> > > +	__rte_alloc_size(1) __rte_alloc_align(2);
> > 
> > Should also add attribute __rte_malloc which tells compiler
> > that pointer returned cannot alias other memory
> > 
> > And add __rte_dealloc(rte_fastmem_free, 1)
> > which tells compiler that the returned pointer should only go
> > back to fastmem (not free, rte_free, etc).
> 
> Done. Only works for the single-object ops (not bulk) though.
> 
> I've had a look at how to extend fastmem to support larger allocations
> (without suggesting this is the way to go).
> 
> Seems to me that implementation should be something like
> a) slab allocator for small objects.
> b) a cache-less per-socket page run allocator for mid-sized objects.
> c) per-object memzones for large objects.
> 
> If one would implement that, you would essentially have a plug-in
> replacement for rte_malloc.h (maybe minus some debug and some more esoteric
> DPDK heap features).
> 
> Should fastmem be an outright replacement, or something that at least
> initially lives alongside the regular heap, maybe with a run- or
> compile-time option to make rte_malloc.h functions delegate to fastmem? This
> is unclear to me at this point. I fear the more ambitious, cleaner and more
> risky DPDK heap replacement path will go they way my attempts to replace
> rte_memcpy or rte_timer went.
> 
> I would agree with anyone saying that we should have only one heap-like API
> for memory allocations. rte_malloc.h obviously needs to stay, for backward
> compatibility reason, if nothing else. I would like to add bulk alloc/free,
> and allow for smaller alignments than 64, since slabs can do that
> efficiently (DPDK heap per-object header is 128 bytes!). One could either go
> about that by extending rte_malloc.h or deprecating that API and starting
> anew. In the latter case, one could do many more minor tweaks, like removing
> the type pointers (only a nuance), remove the validate function, change and
> extend the stats interface, etc.
> 
+1 for replacing rte_malloc. For a replacement, I'd tend towards aiming for
compatibilty over trying to fix too many little things at once. While
changing a couple of things is ok, I'd rather not force applications to
make too many updates to their code when moving from one DPDK version to
another.

/Bruce

^ permalink raw reply

* [PATCH] ethdev: promote flow metadata APIs to stable
From: Dariusz Sosnowski @ 2026-05-27 10:32 UTC (permalink / raw)
  To: Ori Kam, Thomas Monjalon, Andrew Rybchenko; +Cc: dev

Following experimental symbols related to flow metadata
were added in v19.11:

- rte_flow_dynf_metadata_register
- rte_flow_dynf_metadata_offs
- rte_flow_dynf_metadata_mask

Type of rte_flow_dynf_metadata_offs was changed from int to int32_t
in v20.05 release.
There were no changes to these symbols since then.

This patch promotes these symbols and removes __rte_experimental
from the following inline functions:

- rte_flow_dynf_metadata_avail
- rte_flow_dynf_metadata_get
- rte_flow_dynf_metadata_set

All these symbols and functions will be used by netdev-doca
backend in Open vSwitch [1].
Stabilizing these symbols is required by current OVS policy
to remove the need for ALLOW_EXPERIMENTAL_API [2].

[1]: https://patchwork.ozlabs.org/project/openvswitch/list/?series=504726&state=%2A&archive=both
[2]: https://mail.openvswitch.org/pipermail/ovs-dev/2026-May/432066.html

Signed-off-by: Dariusz Sosnowski <dsosnowski@nvidia.com>
---
 lib/ethdev/rte_flow.c | 6 +++---
 lib/ethdev/rte_flow.h | 4 ----
 2 files changed, 3 insertions(+), 7 deletions(-)

diff --git a/lib/ethdev/rte_flow.c b/lib/ethdev/rte_flow.c
index 7a51b667cf..ec0fe08355 100644
--- a/lib/ethdev/rte_flow.c
+++ b/lib/ethdev/rte_flow.c
@@ -23,11 +23,11 @@
 #define FLOW_LOG RTE_ETHDEV_LOG_LINE
 
 /* Mbuf dynamic field name for metadata. */
-RTE_EXPORT_EXPERIMENTAL_SYMBOL(rte_flow_dynf_metadata_offs, 19.11)
+RTE_EXPORT_SYMBOL(rte_flow_dynf_metadata_offs)
 int32_t rte_flow_dynf_metadata_offs = -1;
 
 /* Mbuf dynamic field flag bit number for metadata. */
-RTE_EXPORT_EXPERIMENTAL_SYMBOL(rte_flow_dynf_metadata_mask, 19.11)
+RTE_EXPORT_SYMBOL(rte_flow_dynf_metadata_mask)
 uint64_t rte_flow_dynf_metadata_mask;
 
 /**
@@ -281,7 +281,7 @@ static const struct rte_flow_desc_data rte_flow_desc_action[] = {
 	MK_FLOW_ACTION(JUMP_TO_TABLE_INDEX, sizeof(struct rte_flow_action_jump_to_table_index)),
 };
 
-RTE_EXPORT_EXPERIMENTAL_SYMBOL(rte_flow_dynf_metadata_register, 19.11)
+RTE_EXPORT_SYMBOL(rte_flow_dynf_metadata_register)
 int
 rte_flow_dynf_metadata_register(void)
 {
diff --git a/lib/ethdev/rte_flow.h b/lib/ethdev/rte_flow.h
index ba3bcc89a3..0c6d42c0d8 100644
--- a/lib/ethdev/rte_flow.h
+++ b/lib/ethdev/rte_flow.h
@@ -4253,14 +4253,12 @@ extern uint64_t rte_flow_dynf_metadata_mask;
 #define RTE_MBUF_DYNFLAG_RX_METADATA (rte_flow_dynf_metadata_mask)
 #define RTE_MBUF_DYNFLAG_TX_METADATA (rte_flow_dynf_metadata_mask)
 
-__rte_experimental
 static inline uint32_t
 rte_flow_dynf_metadata_get(struct rte_mbuf *m)
 {
 	return *RTE_FLOW_DYNF_METADATA(m);
 }
 
-__rte_experimental
 static inline void
 rte_flow_dynf_metadata_set(struct rte_mbuf *m, uint32_t v)
 {
@@ -4590,7 +4588,6 @@ rte_flow_dev_dump(uint16_t port_id, struct rte_flow *flow,
  * @return
  *   True if registered, false otherwise.
  */
-__rte_experimental
 static inline int
 rte_flow_dynf_metadata_avail(void)
 {
@@ -4607,7 +4604,6 @@ rte_flow_dynf_metadata_avail(void)
  * @return
  *   0 on success, a negative errno value otherwise and rte_errno is set.
  */
-__rte_experimental
 int
 rte_flow_dynf_metadata_register(void);
 
-- 
2.47.3


^ permalink raw reply related

* [PATCH] net/mlx5: promote private API to stable
From: Dariusz Sosnowski @ 2026-05-27 10:33 UTC (permalink / raw)
  To: Viacheslav Ovsiienko, Bing Zhao, Ori Kam, Suanming Mou,
	Matan Azrad; +Cc: dev

Following experimental functions are exposed by mlx5 PMD
since 25.11 release:

- rte_pmd_mlx5_driver_event_cb_register
- rte_pmd_mlx5_driver_event_cb_unregister
- rte_pmd_mlx5_enable_steering
- rte_pmd_mlx5_disable_steering

First two are used to register callbacks for driver events
(when Rx/Tx queues are created or destroyed).
Other two are used to enable/disable flow steering in mlx5 PMD.
No changes were made and no changes are planned to these symbols.

These are currently used by NVIDIA DOCA SDK since version 3.3,
which started depending on upstream DPDK releases [1].
Purpose of their use is to:

- expose HW identifiers of Rx/Tx mlx5 queues managed by DPDK and
- allow flow steering to happen outside of DPDK.

Also, some of these symbols will be used by netdev-doca backend
in Open vSwitch [2].
Whenever a DOCA netdev would be added/removed in Open vSwitch,
it will have to disable/enable steering for mlx5 driver.
Stabilizing these symbols is required by current OVS policy
to remove the need for ALLOW_EXPERIMENTAL_API [3].

This patch promotes aforementioned symbols to stable.

[1]: https://docs.nvidia.com/doca/sdk/customer-affecting-changes/index.html
[2]: https://patchwork.ozlabs.org/project/openvswitch/list/?series=504726&state=%2A&archive=both
[3]: https://mail.openvswitch.org/pipermail/ovs-dev/2026-May/432066.html

Signed-off-by: Dariusz Sosnowski <dsosnowski@nvidia.com>
---
 drivers/net/mlx5/mlx5_driver_event.c | 4 ++--
 drivers/net/mlx5/mlx5_flow.c         | 4 ++--
 drivers/net/mlx5/rte_pmd_mlx5.h      | 4 ----
 3 files changed, 4 insertions(+), 8 deletions(-)

diff --git a/drivers/net/mlx5/mlx5_driver_event.c b/drivers/net/mlx5/mlx5_driver_event.c
index 1dc8029ee5..89e49331c8 100644
--- a/drivers/net/mlx5/mlx5_driver_event.c
+++ b/drivers/net/mlx5/mlx5_driver_event.c
@@ -236,7 +236,7 @@ notify_existing_devices(rte_pmd_mlx5_driver_event_callback_t cb, void *opaque)
 		notify_existing_queues(port_id, cb, opaque);
 }
 
-RTE_EXPORT_EXPERIMENTAL_SYMBOL(rte_pmd_mlx5_driver_event_cb_register, 25.11)
+RTE_EXPORT_SYMBOL(rte_pmd_mlx5_driver_event_cb_register)
 int
 rte_pmd_mlx5_driver_event_cb_register(rte_pmd_mlx5_driver_event_callback_t cb, void *opaque)
 {
@@ -264,7 +264,7 @@ rte_pmd_mlx5_driver_event_cb_register(rte_pmd_mlx5_driver_event_callback_t cb, v
 	return 0;
 }
 
-RTE_EXPORT_EXPERIMENTAL_SYMBOL(rte_pmd_mlx5_driver_event_cb_unregister, 25.11)
+RTE_EXPORT_SYMBOL(rte_pmd_mlx5_driver_event_cb_unregister)
 int
 rte_pmd_mlx5_driver_event_cb_unregister(rte_pmd_mlx5_driver_event_callback_t cb)
 {
diff --git a/drivers/net/mlx5/mlx5_flow.c b/drivers/net/mlx5/mlx5_flow.c
index 915ea29a5a..a95dd9dc94 100644
--- a/drivers/net/mlx5/mlx5_flow.c
+++ b/drivers/net/mlx5/mlx5_flow.c
@@ -12506,7 +12506,7 @@ flow_disable_steering_run_on_related(struct rte_eth_dev *dev,
 	}
 }
 
-RTE_EXPORT_EXPERIMENTAL_SYMBOL(rte_pmd_mlx5_disable_steering, 25.11)
+RTE_EXPORT_SYMBOL(rte_pmd_mlx5_disable_steering)
 void
 rte_pmd_mlx5_disable_steering(void)
 {
@@ -12532,7 +12532,7 @@ rte_pmd_mlx5_disable_steering(void)
 	mlx5_steering_disabled = true;
 }
 
-RTE_EXPORT_EXPERIMENTAL_SYMBOL(rte_pmd_mlx5_enable_steering, 25.11)
+RTE_EXPORT_SYMBOL(rte_pmd_mlx5_enable_steering)
 int
 rte_pmd_mlx5_enable_steering(void)
 {
diff --git a/drivers/net/mlx5/rte_pmd_mlx5.h b/drivers/net/mlx5/rte_pmd_mlx5.h
index 7acfdae97d..8f355070e1 100644
--- a/drivers/net/mlx5/rte_pmd_mlx5.h
+++ b/drivers/net/mlx5/rte_pmd_mlx5.h
@@ -546,7 +546,6 @@ int rte_pmd_mlx5_external_sq_disable(uint16_t port_id, uint32_t sq_num);
  *   - (-EEXIST) if @p cb was already registered.
  *   - (-ENOMEM) if failed to allocate memory for callback entry.
  */
-__rte_experimental
 int
 rte_pmd_mlx5_driver_event_cb_register(rte_pmd_mlx5_driver_event_callback_t cb, void *opaque);
 
@@ -567,7 +566,6 @@ rte_pmd_mlx5_driver_event_cb_register(rte_pmd_mlx5_driver_event_callback_t cb, v
  *   - 0 if callback was successfully unregistered or if no such callback was registered.
  *   - (-EINVAL) if @p cb is NULL.
  */
-__rte_experimental
 int
 rte_pmd_mlx5_driver_event_cb_unregister(rte_pmd_mlx5_driver_event_callback_t cb);
 
@@ -605,7 +603,6 @@ rte_pmd_mlx5_driver_event_cb_unregister(rte_pmd_mlx5_driver_event_callback_t cb)
  * with other functions from ethdev API used to configure any of the mlx5 ports.
  * It is the responsibility of the application to enforce this.
  */
-__rte_experimental
 void
 rte_pmd_mlx5_disable_steering(void);
 
@@ -623,7 +620,6 @@ rte_pmd_mlx5_disable_steering(void);
  *   - 0 - Flow steering was successfully enabled or it flow steering was never disabled.
  *   - (-EBUSY) - There are mlx5 ports probed and re-enabling steering cannot be done safely.
  */
-__rte_experimental
 int
 rte_pmd_mlx5_enable_steering(void);
 
-- 
2.47.3


^ permalink raw reply related

* [v1] crypto/openssl: update to OpenSSL 3.0 minimum version
From: Emma Finn @ 2026-05-27 11:02 UTC (permalink / raw)
  To: Kai Ji; +Cc: dev, Emma Finn

Update the OpenSSL PMD to require OpenSSL 3.0.0 as the minimum
supported version, removing all compatibility code for earlier
versions (1.0.1, 1.1.0, 1.1.1).

Signed-off-by: Emma Finn <emma.finn@intel.com>
---
 doc/guides/cryptodevs/openssl.rst            |   4 +-
 doc/guides/rel_notes/release_26_07.rst       |   5 +
 drivers/crypto/openssl/compat.h              | 203 ------
 drivers/crypto/openssl/openssl_pmd_private.h |  30 -
 drivers/crypto/openssl/rte_openssl_pmd.c     | 648 +------------------
 drivers/crypto/openssl/rte_openssl_pmd_ops.c | 206 ------
 6 files changed, 19 insertions(+), 1077 deletions(-)

diff --git a/doc/guides/cryptodevs/openssl.rst b/doc/guides/cryptodevs/openssl.rst
index 9d94668a9a..b4e2a014e2 100644
--- a/doc/guides/cryptodevs/openssl.rst
+++ b/doc/guides/cryptodevs/openssl.rst
@@ -74,9 +74,9 @@ To compile the OpenSSL PMD the openssl library must be installed. It will
 then be picked up by the Meson/Ninja build system.
 
 To ensure that you have the latest security fixes it is recommended that you
-use version 1.1.1g or newer.
+use the latest stable version of OpenSSL 3.x.
 
-* 1.1.1g, 2020-Apr-21. https://www.openssl.org/source/
+* OpenSSL 3.0.0 or newer: https://www.openssl.org/source/
 
 Initialization
 --------------
diff --git a/doc/guides/rel_notes/release_26_07.rst b/doc/guides/rel_notes/release_26_07.rst
index 58d782f77e..cf2776b606 100644
--- a/doc/guides/rel_notes/release_26_07.rst
+++ b/doc/guides/rel_notes/release_26_07.rst
@@ -90,6 +90,11 @@ Removed Items
    Also, make sure to start the actual text at the margin.
    =======================================================
 
+* **crypto/openssl: Removed support for OpenSSL 1.x versions from the OpenSSL crypto PMD.
+
+  The OpenSSL crypto PMD now requires OpenSSL 3.0 as the minimum version,
+  and all compatibility code for OpenSSL 1.0.1, 1.1.0, and 1.1.1 versions has been removed.
+
 
 API Changes
 -----------
diff --git a/drivers/crypto/openssl/compat.h b/drivers/crypto/openssl/compat.h
index e1814fea8c..14104dbf2e 100644
--- a/drivers/crypto/openssl/compat.h
+++ b/drivers/crypto/openssl/compat.h
@@ -5,7 +5,6 @@
 #ifndef __RTA_COMPAT_H__
 #define __RTA_COMPAT_H__
 
-#if OPENSSL_VERSION_NUMBER >= 0x30000000L
 static __rte_always_inline void
 free_hmac_ctx(EVP_MAC_CTX *ctx)
 {
@@ -17,120 +16,7 @@ free_cmac_ctx(EVP_MAC_CTX *ctx)
 {
 	EVP_MAC_CTX_free(ctx);
 }
-#else
-static __rte_always_inline void
-free_hmac_ctx(HMAC_CTX *ctx)
-{
-	HMAC_CTX_free(ctx);
-}
-
-static __rte_always_inline void
-free_cmac_ctx(CMAC_CTX *ctx)
-{
-	CMAC_CTX_free(ctx);
-}
-#endif
-
-#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
-
-static __rte_always_inline int
-set_rsa_params(RSA *rsa, BIGNUM *p, BIGNUM *q)
-{
-	rsa->p = p;
-	rsa->q = q;
-	return 0;
-}
-
-static __rte_always_inline int
-set_rsa_crt_params(RSA *rsa, BIGNUM *dmp1, BIGNUM *dmq1, BIGNUM *iqmp)
-{
-	rsa->dmp1 = dmp1;
-	rsa->dmq1 = dmq1;
-	rsa->iqmp = iqmp;
-	return 0;
-}
-
-static __rte_always_inline int
-set_rsa_keys(RSA *rsa, BIGNUM *n, BIGNUM *e, BIGNUM *d)
-{
-	rsa->n = n;
-	rsa->e = e;
-	rsa->d = d;
-	return 0;
-}
-
-static __rte_always_inline int
-set_dh_params(DH *dh, BIGNUM *p, BIGNUM *g)
-{
-	dh->p = p;
-	dh->q = NULL;
-	dh->g = g;
-	return 0;
-}
-
-static __rte_always_inline int
-set_dh_priv_key(DH *dh, BIGNUM *priv_key)
-{
-	dh->priv_key = priv_key;
-	return 0;
-}
-
-static __rte_always_inline int
-set_dsa_params(DSA *dsa, BIGNUM *p, BIGNUM *q, BIGNUM *g)
-{
-	dsa->p = p;
-	dsa->q = q;
-	dsa->g = g;
-	return 0;
-}
-
-static __rte_always_inline void
-get_dh_pub_key(DH *dh, const BIGNUM **pub_key)
-{
-	*pub_key = dh->pub_key;
-}
-
-static __rte_always_inline void
-get_dh_priv_key(DH *dh, const BIGNUM **priv_key)
-{
-	*priv_key = dh->priv_key;
-}
-
-static __rte_always_inline void
-set_dsa_sign(DSA_SIG *sign, BIGNUM *r, BIGNUM *s)
-{
-	sign->r = r;
-	sign->s = s;
-}
-
-static __rte_always_inline void
-get_dsa_sign(DSA_SIG *sign, const BIGNUM **r, const BIGNUM **s)
-{
-	*r = sign->r;
-	*s = sign->s;
-}
-
-static __rte_always_inline int
-set_dsa_keys(DSA *dsa, BIGNUM *pub, BIGNUM *priv)
-{
-	dsa->pub_key = pub;
-	dsa->priv_key = priv;
-	return 0;
-}
-
-static __rte_always_inline void
-set_dsa_pub_key(DSA *dsa, BIGNUM *pub)
-{
-	dsa->pub_key = pub;
-}
-
-static __rte_always_inline void
-get_dsa_priv_key(DSA *dsa, BIGNUM **priv_key)
-{
-	*priv_key = dsa->priv_key;
-}
 
-#elif (OPENSSL_VERSION_NUMBER >= 0x30000000L)
 static __rte_always_inline void
 set_dsa_sign(DSA_SIG *sign, BIGNUM *r, BIGNUM *s)
 {
@@ -142,94 +28,5 @@ get_dsa_sign(DSA_SIG *sign, const BIGNUM **r, const BIGNUM **s)
 {
 	DSA_SIG_get0(sign, r, s);
 }
-#else
-
-static __rte_always_inline int
-set_rsa_params(RSA *rsa, BIGNUM *p, BIGNUM *q)
-{
-	return !(RSA_set0_factors(rsa, p, q));
-}
-
-static __rte_always_inline int
-set_rsa_crt_params(RSA *rsa, BIGNUM *dmp1, BIGNUM *dmq1, BIGNUM *iqmp)
-{
-	return !(RSA_set0_crt_params(rsa, dmp1, dmq1, iqmp));
-}
-
-/* n, e must be non-null, d can be NULL */
-
-static __rte_always_inline  int
-set_rsa_keys(RSA *rsa, BIGNUM *n, BIGNUM *e, BIGNUM *d)
-{
-	return !(RSA_set0_key(rsa, n, e, d));
-}
-
-static __rte_always_inline int
-set_dh_params(DH *dh, BIGNUM *p, BIGNUM *g)
-{
-	return !(DH_set0_pqg(dh, p, NULL, g));
-}
-
-static __rte_always_inline int
-set_dh_priv_key(DH *dh, BIGNUM *priv_key)
-{
-	return !(DH_set0_key(dh, NULL, priv_key));
-}
-
-static __rte_always_inline void
-get_dh_pub_key(DH *dh_key, const BIGNUM **pub_key)
-{
-	DH_get0_key(dh_key, pub_key, NULL);
-}
-
-static __rte_always_inline void
-get_dh_priv_key(DH *dh_key, const BIGNUM **priv_key)
-{
-	DH_get0_key(dh_key, NULL, priv_key);
-}
-
-static __rte_always_inline int
-set_dsa_params(DSA *dsa, BIGNUM *p, BIGNUM *q, BIGNUM *g)
-{
-	return !(DSA_set0_pqg(dsa, p, q, g));
-}
-
-static __rte_always_inline void
-set_dsa_priv_key(DSA *dsa, BIGNUM *priv_key)
-{
-	DSA_set0_key(dsa, NULL, priv_key);
-}
-
-static __rte_always_inline void
-set_dsa_sign(DSA_SIG *sign, BIGNUM *r, BIGNUM *s)
-{
-	DSA_SIG_set0(sign, r, s);
-}
-
-static __rte_always_inline void
-get_dsa_sign(DSA_SIG *sign, const BIGNUM **r, const BIGNUM **s)
-{
-	DSA_SIG_get0(sign, r, s);
-}
-
-static __rte_always_inline int
-set_dsa_keys(DSA *dsa, BIGNUM *pub, BIGNUM *priv)
-{
-	return !(DSA_set0_key(dsa, pub, priv));
-}
-
-static __rte_always_inline void
-set_dsa_pub_key(DSA *dsa, BIGNUM *pub_key)
-{
-	DSA_set0_key(dsa, pub_key, NULL);
-}
-
-static __rte_always_inline void
-get_dsa_priv_key(DSA *dsa, const BIGNUM **priv_key)
-{
-	DSA_get0_key(dsa, NULL, priv_key);
-}
-
-#endif /* version < 10100000 */
 
 #endif /* __RTA_COMPAT_H__ */
diff --git a/drivers/crypto/openssl/openssl_pmd_private.h b/drivers/crypto/openssl/openssl_pmd_private.h
index d5a751600a..ab40012d61 100644
--- a/drivers/crypto/openssl/openssl_pmd_private.h
+++ b/drivers/crypto/openssl/openssl_pmd_private.h
@@ -13,10 +13,8 @@
 #include <openssl/dh.h>
 #include <openssl/dsa.h>
 #include <openssl/ec.h>
-#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
 #include <openssl/provider.h>
 #include <openssl/core_names.h>
-#endif
 
 #define CRYPTODEV_NAME_OPENSSL_PMD	crypto_openssl
 /**< Open SSL Crypto PMD device name */
@@ -84,13 +82,8 @@ struct evp_ctx_pair {
 	EVP_CIPHER_CTX *cipher;
 	union {
 		EVP_MD_CTX *auth;
-#if OPENSSL_VERSION_NUMBER >= 0x30000000L
 		EVP_MAC_CTX *hmac;
 		EVP_MAC_CTX *cmac;
-#else
-		HMAC_CTX *hmac;
-		CMAC_CTX *cmac;
-#endif
 	};
 };
 
@@ -153,24 +146,13 @@ struct __rte_cache_aligned openssl_session {
 				/**< pointer to EVP key */
 				const EVP_MD *evp_algo;
 				/**< pointer to EVP algorithm function */
-# if OPENSSL_VERSION_NUMBER >= 0x30000000L
 				EVP_MAC_CTX * ctx;
-# else
-				HMAC_CTX *ctx;
-# endif
 				/**< pointer to EVP context structure */
 			} hmac;
 
 			struct {
-# if OPENSSL_VERSION_NUMBER >= 0x30000000L
 				EVP_MAC_CTX * ctx;
 				/**< pointer to EVP context structure */
-# else
-				const EVP_CIPHER * evp_algo;
-				/**< pointer to EVP algorithm function */
-				CMAC_CTX *ctx;
-				/**< pointer to EVP context structure */
-# endif
 			} cmac;
 		};
 
@@ -198,9 +180,7 @@ struct __rte_cache_aligned openssl_asym_session {
 		struct rsa {
 			RSA *rsa;
 			uint32_t pad;
-#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
 			EVP_PKEY_CTX * ctx;
-#endif
 		} r;
 		struct exp {
 			BIGNUM *exp;
@@ -216,38 +196,28 @@ struct __rte_cache_aligned openssl_asym_session {
 			uint32_t key_op;
 			BIGNUM *p;
 			BIGNUM *g;
-#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
 			OSSL_PARAM_BLD * param_bld;
 			OSSL_PARAM_BLD *param_bld_peer;
-#endif
 		} dh;
 		struct {
 			DSA *dsa;
-#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
 			OSSL_PARAM_BLD * param_bld;
 			BIGNUM *p;
 			BIGNUM *g;
 			BIGNUM *q;
 			BIGNUM *priv_key;
-#endif
 		} s;
 		struct {
 			uint8_t curve_id;
-#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
 			EC_GROUP * group;
 			BIGNUM *priv_key;
-#endif
 		} ec;
 		struct {
-#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
 			OSSL_PARAM * params;
-#endif
 		} sm2;
 		struct {
 			uint8_t curve_id;
-#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
 			OSSL_PARAM * params;
-#endif
 		} eddsa;
 		struct {
 			uint8_t type;
diff --git a/drivers/crypto/openssl/rte_openssl_pmd.c b/drivers/crypto/openssl/rte_openssl_pmd.c
index c34efb8ad0..8748ef6195 100644
--- a/drivers/crypto/openssl/rte_openssl_pmd.c
+++ b/drivers/crypto/openssl/rte_openssl_pmd.c
@@ -19,35 +19,14 @@
 #include "openssl_pmd_private.h"
 #include "compat.h"
 
-#define DES_BLOCK_SIZE 8
-
-static uint8_t cryptodev_driver_id;
-
-#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
-static HMAC_CTX *HMAC_CTX_new(void)
-{
-	HMAC_CTX *ctx = OPENSSL_malloc(sizeof(*ctx));
-
-	if (ctx != NULL)
-		HMAC_CTX_init(ctx);
-	return ctx;
-}
-
-static void HMAC_CTX_free(HMAC_CTX *ctx)
-{
-	if (ctx != NULL) {
-		HMAC_CTX_cleanup(ctx);
-		OPENSSL_free(ctx);
-	}
-}
-#endif
-
-#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
-
 #include <openssl/provider.h>
 #include <openssl/core_names.h>
 #include <openssl/param_build.h>
 
+#define DES_BLOCK_SIZE 8
+
+static uint8_t cryptodev_driver_id;
+
 #define MAX_OSSL_ALGO_NAME_SIZE		16
 
 OSSL_PROVIDER *legacy;
@@ -104,7 +83,6 @@ digest_name_get(enum rte_crypto_auth_algorithm algo)
 		return NULL;
 	}
 }
-#endif
 
 static int cryptodev_openssl_remove(struct rte_vdev_device *vdev);
 
@@ -306,14 +284,12 @@ get_auth_algo(enum rte_crypto_auth_algorithm sessalgo,
 		case RTE_CRYPTO_AUTH_SHA3_512_HMAC:
 			*algo = EVP_sha3_512();
 			break;
-#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
 		case RTE_CRYPTO_AUTH_SHAKE_128:
 			*algo = EVP_shake128();
 			break;
 		case RTE_CRYPTO_AUTH_SHAKE_256:
 			*algo = EVP_shake256();
 			break;
-#endif
 		default:
 			res = -EINVAL;
 			break;
@@ -659,12 +635,10 @@ static int
 openssl_set_session_auth_parameters(struct openssl_session *sess,
 		const struct rte_crypto_sym_xform *xform)
 {
-# if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
 	char algo_name[MAX_OSSL_ALGO_NAME_SIZE];
 	OSSL_PARAM params[2];
 	const char *algo;
 	EVP_MAC *mac;
-# endif
 	/* Select auth generate/verify */
 	sess->auth.operation = xform->auth.op;
 	sess->auth.algo = xform->auth.algo;
@@ -708,10 +682,8 @@ openssl_set_session_auth_parameters(struct openssl_session *sess,
 	case RTE_CRYPTO_AUTH_SHA3_256:
 	case RTE_CRYPTO_AUTH_SHA3_384:
 	case RTE_CRYPTO_AUTH_SHA3_512:
-#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
 	case RTE_CRYPTO_AUTH_SHAKE_128:
 	case RTE_CRYPTO_AUTH_SHAKE_256:
-#endif
 		sess->auth.mode = OPENSSL_AUTH_AS_AUTH;
 		if (get_auth_algo(xform->auth.algo,
 				&sess->auth.auth.evp_algo) != 0)
@@ -720,7 +692,6 @@ openssl_set_session_auth_parameters(struct openssl_session *sess,
 		break;
 
 	case RTE_CRYPTO_AUTH_AES_CMAC:
-# if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
 		if (xform->auth.key.length == 16)
 			algo = SN_aes_128_cbc;
 		else if (xform->auth.key.length == 24)
@@ -745,22 +716,8 @@ openssl_set_session_auth_parameters(struct openssl_session *sess,
 				xform->auth.key.length,
 				params) != 1)
 			return -EINVAL;
-# else
-		sess->auth.mode = OPENSSL_AUTH_AS_CMAC;
-		sess->auth.cmac.ctx = CMAC_CTX_new();
-		if (get_cipher_algo(RTE_CRYPTO_CIPHER_AES_CBC,
-				    xform->auth.key.length,
-				    &sess->auth.cmac.evp_algo) != 0)
-			return -EINVAL;
-		if (CMAC_Init(sess->auth.cmac.ctx,
-			      xform->auth.key.data,
-			      xform->auth.key.length,
-			      sess->auth.cmac.evp_algo, NULL) != 1)
-			return -EINVAL;
-# endif
 		break;
 
-# if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
 	case RTE_CRYPTO_AUTH_MD5_HMAC:
 	case RTE_CRYPTO_AUTH_SHA1_HMAC:
 	case RTE_CRYPTO_AUTH_SHA224_HMAC:
@@ -794,30 +751,6 @@ openssl_set_session_auth_parameters(struct openssl_session *sess,
 				params) != 1)
 			return -EINVAL;
 		break;
-# else
-	case RTE_CRYPTO_AUTH_MD5_HMAC:
-	case RTE_CRYPTO_AUTH_SHA1_HMAC:
-	case RTE_CRYPTO_AUTH_SHA224_HMAC:
-	case RTE_CRYPTO_AUTH_SHA256_HMAC:
-	case RTE_CRYPTO_AUTH_SHA384_HMAC:
-	case RTE_CRYPTO_AUTH_SHA512_HMAC:
-	case RTE_CRYPTO_AUTH_SHA3_224_HMAC:
-	case RTE_CRYPTO_AUTH_SHA3_256_HMAC:
-	case RTE_CRYPTO_AUTH_SHA3_384_HMAC:
-	case RTE_CRYPTO_AUTH_SHA3_512_HMAC:
-		sess->auth.mode = OPENSSL_AUTH_AS_HMAC;
-		sess->auth.hmac.ctx = HMAC_CTX_new();
-		if (get_auth_algo(xform->auth.algo,
-				&sess->auth.hmac.evp_algo) != 0)
-			return -EINVAL;
-
-		if (HMAC_Init_ex(sess->auth.hmac.ctx,
-				xform->auth.key.data,
-				xform->auth.key.length,
-				sess->auth.hmac.evp_algo, NULL) != 1)
-			return -EINVAL;
-		break;
-# endif
 	default:
 		return -ENOTSUP;
 	}
@@ -1295,10 +1228,6 @@ process_openssl_auth_encryption_gcm(struct rte_mbuf *mbuf_src, int offset,
 		uint8_t *dst, uint8_t *tag, EVP_CIPHER_CTX *ctx)
 {
 	int len = 0;
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
-	int unused = 0;
-	uint8_t empty[] = {};
-#endif
 
 	if (EVP_EncryptInit_ex(ctx, NULL, NULL, NULL, iv) <= 0)
 		goto process_auth_encryption_gcm_err;
@@ -1312,12 +1241,6 @@ process_openssl_auth_encryption_gcm(struct rte_mbuf *mbuf_src, int offset,
 				srclen, ctx, 0))
 			goto process_auth_encryption_gcm_err;
 
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
-	/* Workaround open ssl bug in version less then 1.0.1f */
-	if (EVP_EncryptUpdate(ctx, empty, &unused, empty, 0) <= 0)
-		goto process_auth_encryption_gcm_err;
-#endif
-
 	if (EVP_EncryptFinal_ex(ctx, dst, &len) <= 0)
 		goto process_auth_encryption_gcm_err;
 
@@ -1379,10 +1302,6 @@ process_openssl_auth_decryption_gcm(struct rte_mbuf *mbuf_src, int offset,
 		uint8_t *dst, uint8_t *tag, EVP_CIPHER_CTX *ctx)
 {
 	int len = 0;
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
-	int unused = 0;
-	uint8_t empty[] = {};
-#endif
 
 	if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_TAG, 16, tag) <= 0)
 		goto process_auth_decryption_gcm_err;
@@ -1399,12 +1318,6 @@ process_openssl_auth_decryption_gcm(struct rte_mbuf *mbuf_src, int offset,
 				srclen, ctx, 0))
 			goto process_auth_decryption_gcm_err;
 
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
-	/* Workaround open ssl bug in version less then 1.0.1f */
-	if (EVP_DecryptUpdate(ctx, empty, &unused, empty, 0) <= 0)
-		goto process_auth_decryption_gcm_err;
-#endif
-
 	if (EVP_DecryptFinal_ex(ctx, dst, &len) <= 0)
 		return -EFAULT;
 
@@ -1500,17 +1413,11 @@ process_openssl_auth(struct rte_mbuf *mbuf_src, uint8_t *dst, int offset,
 process_auth_final:
 	/* SHAKE algorithms are XOFs and require EVP_DigestFinalXOF */
 	if (algo == EVP_shake128() || algo == EVP_shake256()) {
-#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
 		/* Set XOF output length before calling EVP_DigestFinalXOF */
 		if (EVP_MD_CTX_ctrl(ctx, EVP_MD_CTRL_XOF_LEN, digest_length, NULL) <= 0)
 			goto process_auth_err;
 		if (EVP_DigestFinalXOF(ctx, dst, digest_length) <= 0)
 			goto process_auth_err;
-#else
-		RTE_SET_USED(digest_length);
-		OPENSSL_LOG(ERR, "SHAKE algorithms require OpenSSL 3.0+");
-		goto process_auth_err;
-#endif
 	} else {
 		if (EVP_DigestFinal_ex(ctx, dst, (unsigned int *)&dstlen) <= 0)
 			goto process_auth_err;
@@ -1523,7 +1430,6 @@ process_openssl_auth(struct rte_mbuf *mbuf_src, uint8_t *dst, int offset,
 	return -EINVAL;
 }
 
-# if OPENSSL_VERSION_NUMBER >= 0x30000000L
 /** Process standard openssl auth algorithms with hmac/cmac */
 static int
 process_openssl_auth_mac(struct rte_mbuf *mbuf_src, uint8_t *dst, int offset,
@@ -1576,109 +1482,6 @@ process_openssl_auth_mac(struct rte_mbuf *mbuf_src, uint8_t *dst, int offset,
 	OPENSSL_LOG(ERR, "Process openssl auth failed");
 	return -EINVAL;
 }
-# else
-/** Process standard openssl auth algorithms with hmac */
-static int
-process_openssl_auth_hmac(struct rte_mbuf *mbuf_src, uint8_t *dst, int offset,
-		int srclen, HMAC_CTX *ctx)
-{
-	unsigned int dstlen;
-	struct rte_mbuf *m;
-	int l, n = srclen;
-	uint8_t *src;
-
-	for (m = mbuf_src; m != NULL && offset > rte_pktmbuf_data_len(m);
-			m = m->next)
-		offset -= rte_pktmbuf_data_len(m);
-
-	if (m == 0)
-		goto process_auth_err;
-
-	src = rte_pktmbuf_mtod_offset(m, uint8_t *, offset);
-
-	l = rte_pktmbuf_data_len(m) - offset;
-	if (srclen <= l) {
-		if (HMAC_Update(ctx, (unsigned char *)src, srclen) != 1)
-			goto process_auth_err;
-		goto process_auth_final;
-	}
-
-	if (HMAC_Update(ctx, (unsigned char *)src, l) != 1)
-		goto process_auth_err;
-
-	n -= l;
-
-	for (m = m->next; (m != NULL) && (n > 0); m = m->next) {
-		src = rte_pktmbuf_mtod(m, uint8_t *);
-		l = rte_pktmbuf_data_len(m) < n ? rte_pktmbuf_data_len(m) : n;
-		if (HMAC_Update(ctx, (unsigned char *)src, l) != 1)
-			goto process_auth_err;
-		n -= l;
-	}
-
-process_auth_final:
-	if (HMAC_Final(ctx, dst, &dstlen) != 1)
-		goto process_auth_err;
-
-	if (unlikely(HMAC_Init_ex(ctx, NULL, 0, NULL, NULL) != 1))
-		goto process_auth_err;
-
-	return 0;
-
-process_auth_err:
-	OPENSSL_LOG(ERR, "Process openssl auth failed");
-	return -EINVAL;
-}
-
-/** Process standard openssl auth algorithms with cmac */
-static int
-process_openssl_auth_cmac(struct rte_mbuf *mbuf_src, uint8_t *dst, int offset,
-		int srclen, CMAC_CTX *ctx)
-{
-	unsigned int dstlen;
-	struct rte_mbuf *m;
-	int l, n = srclen;
-	uint8_t *src;
-
-	for (m = mbuf_src; m != NULL && offset > rte_pktmbuf_data_len(m);
-			m = m->next)
-		offset -= rte_pktmbuf_data_len(m);
-
-	if (m == 0)
-		goto process_auth_err;
-
-	src = rte_pktmbuf_mtod_offset(m, uint8_t *, offset);
-
-	l = rte_pktmbuf_data_len(m) - offset;
-	if (srclen <= l) {
-		if (CMAC_Update(ctx, (unsigned char *)src, srclen) != 1)
-			goto process_auth_err;
-		goto process_auth_final;
-	}
-
-	if (CMAC_Update(ctx, (unsigned char *)src, l) != 1)
-		goto process_auth_err;
-
-	n -= l;
-
-	for (m = m->next; (m != NULL) && (n > 0); m = m->next) {
-		src = rte_pktmbuf_mtod(m, uint8_t *);
-		l = rte_pktmbuf_data_len(m) < n ? rte_pktmbuf_data_len(m) : n;
-		if (CMAC_Update(ctx, (unsigned char *)src, l) != 1)
-			goto process_auth_err;
-		n -= l;
-	}
-
-process_auth_final:
-	if (CMAC_Final(ctx, dst, (size_t *)&dstlen) != 1)
-		goto process_auth_err;
-	return 0;
-
-process_auth_err:
-	OPENSSL_LOG(ERR, "Process openssl cmac auth failed");
-	return -EINVAL;
-}
-# endif
 /*----------------------------------------------------------------------------*/
 
 static inline EVP_CIPHER_CTX *
@@ -1695,7 +1498,7 @@ get_local_cipher_ctx(struct openssl_session *sess, struct openssl_qp *qp)
 		/* EVP_CIPHER_CTX_dup() added in OSSL 3.2 */
 		*lctx = EVP_CIPHER_CTX_dup(sess->cipher.ctx);
 		return *lctx;
-#elif OPENSSL_VERSION_NUMBER >= 0x30000000L
+#else
 		if (sess->chain_order == OPENSSL_CHAIN_COMBINED) {
 			/* AESNI special-cased to use openssl_aesni_ctx_clone()
 			 * to allow for working around lack of
@@ -1706,10 +1509,10 @@ get_local_cipher_ctx(struct openssl_session *sess, struct openssl_qp *qp)
 				*lctx = NULL;
 			return *lctx;
 		}
-#endif
 
 		*lctx = EVP_CIPHER_CTX_new();
 		EVP_CIPHER_CTX_copy(*lctx, sess->cipher.ctx);
+#endif
 	}
 
 	return *lctx;
@@ -1737,11 +1540,7 @@ get_local_auth_ctx(struct openssl_session *sess, struct openssl_qp *qp)
 	return *lctx;
 }
 
-#if OPENSSL_VERSION_NUMBER >= 0x30000000L
 static inline EVP_MAC_CTX *
-#else
-static inline HMAC_CTX *
-#endif
 get_local_hmac_ctx(struct openssl_session *sess, struct openssl_qp *qp)
 {
 #if (OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_VERSION_NUMBER < 0x30003000L)
@@ -1759,31 +1558,16 @@ get_local_hmac_ctx(struct openssl_session *sess, struct openssl_qp *qp)
 	if (sess->ctx_copies_len == 0)
 		return sess->auth.hmac.ctx;
 
-#if OPENSSL_VERSION_NUMBER >= 0x30000000L
-	EVP_MAC_CTX **lctx =
-#else
-	HMAC_CTX **lctx =
-#endif
-		&sess->qp_ctx[qp->id].hmac;
+	EVP_MAC_CTX **lctx = &sess->qp_ctx[qp->id].hmac;
 
-	if (unlikely(*lctx == NULL)) {
-#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+	if (unlikely(*lctx == NULL))
 		*lctx = EVP_MAC_CTX_dup(sess->auth.hmac.ctx);
-#else
-		*lctx = HMAC_CTX_new();
-		HMAC_CTX_copy(*lctx, sess->auth.hmac.ctx);
-#endif
-	}
 
 	return *lctx;
 #endif
 }
 
-#if OPENSSL_VERSION_NUMBER >= 0x30000000L
 static inline EVP_MAC_CTX *
-#else
-static inline CMAC_CTX *
-#endif
 get_local_cmac_ctx(struct openssl_session *sess, struct openssl_qp *qp)
 {
 #if (OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_VERSION_NUMBER < 0x30003000L)
@@ -1801,21 +1585,10 @@ get_local_cmac_ctx(struct openssl_session *sess, struct openssl_qp *qp)
 	if (sess->ctx_copies_len == 0)
 		return sess->auth.cmac.ctx;
 
-#if OPENSSL_VERSION_NUMBER >= 0x30000000L
-	EVP_MAC_CTX **lctx =
-#else
-	CMAC_CTX **lctx =
-#endif
-		&sess->qp_ctx[qp->id].cmac;
+	EVP_MAC_CTX **lctx = &sess->qp_ctx[qp->id].cmac;
 
-	if (unlikely(*lctx == NULL)) {
-#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+	if (unlikely(*lctx == NULL))
 		*lctx = EVP_MAC_CTX_dup(sess->auth.cmac.ctx);
-#else
-		*lctx = CMAC_CTX_new();
-		CMAC_CTX_copy(*lctx, sess->auth.cmac.ctx);
-#endif
-	}
 
 	return *lctx;
 #endif
@@ -2055,13 +1828,8 @@ process_openssl_auth_op(struct openssl_qp *qp, struct rte_crypto_op *op,
 	uint8_t *dst;
 	int srclen, status;
 	EVP_MD_CTX *ctx_a;
-# if OPENSSL_VERSION_NUMBER >= 0x30000000L
 	EVP_MAC_CTX *ctx_h;
 	EVP_MAC_CTX *ctx_c;
-# else
-	HMAC_CTX *ctx_h;
-	CMAC_CTX *ctx_c;
-# endif
 
 	srclen = op->sym->auth.data.length;
 
@@ -2076,30 +1844,18 @@ process_openssl_auth_op(struct openssl_qp *qp, struct rte_crypto_op *op,
 		break;
 	case OPENSSL_AUTH_AS_HMAC:
 		ctx_h = get_local_hmac_ctx(sess, qp);
-# if OPENSSL_VERSION_NUMBER >= 0x30000000L
 		status = process_openssl_auth_mac(mbuf_src, dst,
 				op->sym->auth.data.offset, srclen,
 				ctx_h);
-# else
-		status = process_openssl_auth_hmac(mbuf_src, dst,
-				op->sym->auth.data.offset, srclen,
-				ctx_h);
-# endif
 #if (OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_VERSION_NUMBER < 0x30003000L)
 		EVP_MAC_CTX_free(ctx_h);
 #endif
 		break;
 	case OPENSSL_AUTH_AS_CMAC:
 		ctx_c = get_local_cmac_ctx(sess, qp);
-# if OPENSSL_VERSION_NUMBER >= 0x30000000L
 		status = process_openssl_auth_mac(mbuf_src, dst,
 				op->sym->auth.data.offset, srclen,
 				ctx_c);
-# else
-		status = process_openssl_auth_cmac(mbuf_src, dst,
-				op->sym->auth.data.offset, srclen,
-				ctx_c);
-# endif
 #if (OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_VERSION_NUMBER < 0x30003000L)
 		EVP_MAC_CTX_free(ctx_c);
 #endif
@@ -2130,7 +1886,6 @@ process_openssl_auth_op(struct openssl_qp *qp, struct rte_crypto_op *op,
 }
 
 /* process dsa sign operation */
-#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
 static int
 process_openssl_dsa_sign_op_evp(struct rte_crypto_op *cop,
 		struct openssl_asym_session *sess)
@@ -2296,92 +2051,8 @@ process_openssl_dsa_verify_op_evp(struct rte_crypto_op *cop,
 
 	return ret;
 }
-#else
-static int
-process_openssl_dsa_sign_op(struct rte_crypto_op *cop,
-		struct openssl_asym_session *sess)
-{
-	struct rte_crypto_dsa_op_param *op = &cop->asym->dsa;
-	DSA *dsa = sess->u.s.dsa;
-	DSA_SIG *sign = NULL;
-
-	sign = DSA_do_sign(op->message.data,
-			op->message.length,
-			dsa);
-
-	if (sign == NULL) {
-		OPENSSL_LOG(ERR, "%s:%d", __func__, __LINE__);
-		cop->status = RTE_CRYPTO_OP_STATUS_ERROR;
-	} else {
-		const BIGNUM *r = NULL, *s = NULL;
-		get_dsa_sign(sign, &r, &s);
-
-		op->r.length = BN_bn2bin(r, op->r.data);
-		op->s.length = BN_bn2bin(s, op->s.data);
-		cop->status = RTE_CRYPTO_OP_STATUS_SUCCESS;
-	}
-
-	DSA_SIG_free(sign);
-
-	return 0;
-}
-
-/* process dsa verify operation */
-static int
-process_openssl_dsa_verify_op(struct rte_crypto_op *cop,
-		struct openssl_asym_session *sess)
-{
-	struct rte_crypto_dsa_op_param *op = &cop->asym->dsa;
-	DSA *dsa = sess->u.s.dsa;
-	int ret;
-	DSA_SIG *sign = DSA_SIG_new();
-	BIGNUM *r = NULL, *s = NULL;
-	BIGNUM *pub_key = NULL;
-
-	if (sign == NULL) {
-		OPENSSL_LOG(ERR, " %s:%d", __func__, __LINE__);
-		cop->status = RTE_CRYPTO_OP_STATUS_NOT_PROCESSED;
-		return -1;
-	}
-
-	r = BN_bin2bn(op->r.data,
-			op->r.length,
-			r);
-	s = BN_bin2bn(op->s.data,
-			op->s.length,
-			s);
-	pub_key = BN_bin2bn(op->y.data,
-			op->y.length,
-			pub_key);
-	if (!r || !s || !pub_key) {
-		BN_free(r);
-		BN_free(s);
-		BN_free(pub_key);
-
-		cop->status = RTE_CRYPTO_OP_STATUS_NOT_PROCESSED;
-		return -1;
-	}
-	set_dsa_sign(sign, r, s);
-	set_dsa_pub_key(dsa, pub_key);
-
-	ret = DSA_do_verify(op->message.data,
-			op->message.length,
-			sign,
-			dsa);
-
-	if (ret != 1)
-		cop->status = RTE_CRYPTO_OP_STATUS_ERROR;
-	else
-		cop->status = RTE_CRYPTO_OP_STATUS_SUCCESS;
-
-	DSA_SIG_free(sign);
-
-	return 0;
-}
-#endif
 
 /* process dh operation */
-#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
 static int
 process_openssl_dh_op_evp(struct rte_crypto_op *cop,
 		struct openssl_asym_session *sess)
@@ -2555,141 +2226,6 @@ process_openssl_dh_op_evp(struct rte_crypto_op *cop,
 
 	return ret;
 }
-#else
-static int
-process_openssl_dh_op(struct rte_crypto_op *cop,
-		struct openssl_asym_session *sess)
-{
-	struct rte_crypto_dh_op_param *op = &cop->asym->dh;
-	struct rte_crypto_asym_op *asym_op = cop->asym;
-	DH *dh_key = sess->u.dh.dh_key;
-	BIGNUM *priv_key = NULL;
-	int ret = 0;
-
-	if (asym_op->dh.ke_type == RTE_CRYPTO_ASYM_KE_SHARED_SECRET_COMPUTE) {
-		/* compute shared secret using peer public key
-		 * and current private key
-		 * shared secret = peer_key ^ priv_key mod p
-		 */
-		BIGNUM *peer_key = NULL;
-
-		/* copy private key and peer key and compute shared secret */
-		peer_key = BN_bin2bn(op->pub_key.data,
-				op->pub_key.length,
-				peer_key);
-		if (peer_key == NULL) {
-			cop->status = RTE_CRYPTO_OP_STATUS_NOT_PROCESSED;
-			return -1;
-		}
-		priv_key = BN_bin2bn(op->priv_key.data,
-				op->priv_key.length,
-				priv_key);
-		if (priv_key == NULL) {
-			BN_free(peer_key);
-			cop->status = RTE_CRYPTO_OP_STATUS_NOT_PROCESSED;
-			return -1;
-		}
-		ret = set_dh_priv_key(dh_key, priv_key);
-		if (ret) {
-			OPENSSL_LOG(ERR, "Failed to set private key");
-			cop->status = RTE_CRYPTO_OP_STATUS_ERROR;
-			BN_free(peer_key);
-			BN_free(priv_key);
-			return 0;
-		}
-
-		ret = DH_compute_key(
-				op->shared_secret.data,
-				peer_key, dh_key);
-		if (ret < 0) {
-			cop->status = RTE_CRYPTO_OP_STATUS_ERROR;
-			BN_free(peer_key);
-			/* priv key is already loaded into dh,
-			 * let's not free that directly here.
-			 * DH_free() will auto free it later.
-			 */
-			return 0;
-		}
-		cop->status = RTE_CRYPTO_OP_STATUS_SUCCESS;
-		op->shared_secret.length = ret;
-		BN_free(peer_key);
-		return 0;
-	}
-
-	/*
-	 * other options are public and private key generations.
-	 *
-	 * if user provides private key,
-	 * then first set DH with user provided private key
-	 */
-	if (asym_op->dh.ke_type == RTE_CRYPTO_ASYM_KE_PUB_KEY_GENERATE &&
-			op->priv_key.length) {
-		/* generate public key using user-provided private key
-		 * pub_key = g ^ priv_key mod p
-		 */
-
-		/* load private key into DH */
-		priv_key = BN_bin2bn(op->priv_key.data,
-				op->priv_key.length,
-				priv_key);
-		if (priv_key == NULL) {
-			cop->status = RTE_CRYPTO_OP_STATUS_NOT_PROCESSED;
-			return -1;
-		}
-		ret = set_dh_priv_key(dh_key, priv_key);
-		if (ret) {
-			OPENSSL_LOG(ERR, "Failed to set private key");
-			cop->status = RTE_CRYPTO_OP_STATUS_ERROR;
-			BN_free(priv_key);
-			return 0;
-		}
-	}
-
-	/* generate public and private key pair.
-	 *
-	 * if private key already set, generates only public key.
-	 *
-	 * if private key is not already set, then set it to random value
-	 * and update internal private key.
-	 */
-	if (!DH_generate_key(dh_key)) {
-		cop->status = RTE_CRYPTO_OP_STATUS_ERROR;
-		return 0;
-	}
-
-	if (asym_op->dh.ke_type == RTE_CRYPTO_ASYM_KE_PUB_KEY_GENERATE) {
-		const BIGNUM *pub_key = NULL;
-
-		OPENSSL_LOG(DEBUG, "%s:%d update public key",
-				__func__, __LINE__);
-
-		/* get the generated keys */
-		get_dh_pub_key(dh_key, &pub_key);
-
-		/* output public key */
-		op->pub_key.length = BN_bn2bin(pub_key,
-				op->pub_key.data);
-	}
-
-	if (asym_op->dh.ke_type == RTE_CRYPTO_ASYM_KE_PRIV_KEY_GENERATE) {
-		const BIGNUM *priv_key = NULL;
-
-		OPENSSL_LOG(DEBUG, "%s:%d updated priv key",
-				__func__, __LINE__);
-
-		/* get the generated keys */
-		get_dh_priv_key(dh_key, &priv_key);
-
-		/* provide generated private key back to user */
-		op->priv_key.length = BN_bn2bin(priv_key,
-				op->priv_key.data);
-	}
-
-	cop->status = RTE_CRYPTO_OP_STATUS_SUCCESS;
-
-	return 0;
-}
-#endif
 
 /* process modinv operation */
 static int
@@ -2757,7 +2293,6 @@ process_openssl_modexp_op(struct rte_crypto_op *cop,
 }
 
 /* process rsa operations */
-#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
 static int
 process_openssl_rsa_op_evp(struct rte_crypto_op *cop,
 		struct openssl_asym_session *sess)
@@ -3333,133 +2868,7 @@ process_openssl_eddsa_op_evp(struct rte_crypto_op *cop,
 	return ret;
 }
 
-#else
-static int
-process_openssl_rsa_op(struct rte_crypto_op *cop,
-		struct openssl_asym_session *sess)
-{
-	int ret = 0;
-	struct rte_crypto_asym_op *op = cop->asym;
-	RSA *rsa = sess->u.r.rsa;
-	uint32_t pad = sess->u.r.pad;
-	uint8_t *tmp;
 
-	cop->status = RTE_CRYPTO_OP_STATUS_SUCCESS;
-
-	switch (pad) {
-	case RTE_CRYPTO_RSA_PADDING_PKCS1_5:
-		pad = RSA_PKCS1_PADDING;
-		break;
-	case RTE_CRYPTO_RSA_PADDING_NONE:
-		pad = RSA_NO_PADDING;
-		break;
-	default:
-		cop->status = RTE_CRYPTO_OP_STATUS_INVALID_ARGS;
-		OPENSSL_LOG(ERR,
-				"rsa pad type not supported %d", pad);
-		return 0;
-	}
-
-	switch (op->rsa.op_type) {
-	case RTE_CRYPTO_ASYM_OP_ENCRYPT:
-		ret = RSA_public_encrypt(op->rsa.message.length,
-				op->rsa.message.data,
-				op->rsa.cipher.data,
-				rsa,
-				pad);
-
-		if (ret > 0)
-			op->rsa.cipher.length = ret;
-		OPENSSL_LOG(DEBUG,
-				"length of encrypted text %d", ret);
-		break;
-
-	case RTE_CRYPTO_ASYM_OP_DECRYPT:
-		ret = RSA_private_decrypt(op->rsa.cipher.length,
-				op->rsa.cipher.data,
-				op->rsa.message.data,
-				rsa,
-				pad);
-		if (ret > 0)
-			op->rsa.message.length = ret;
-		break;
-
-	case RTE_CRYPTO_ASYM_OP_SIGN:
-		ret = RSA_private_encrypt(op->rsa.message.length,
-				op->rsa.message.data,
-				op->rsa.sign.data,
-				rsa,
-				pad);
-		if (ret > 0)
-			op->rsa.sign.length = ret;
-		break;
-
-	case RTE_CRYPTO_ASYM_OP_VERIFY:
-		tmp = rte_malloc(NULL, op->rsa.sign.length, 0);
-		if (tmp == NULL) {
-			OPENSSL_LOG(ERR, "Memory allocation failed");
-			cop->status = RTE_CRYPTO_OP_STATUS_ERROR;
-			break;
-		}
-		ret = RSA_public_decrypt(op->rsa.sign.length,
-				op->rsa.sign.data,
-				tmp,
-				rsa,
-				pad);
-
-		OPENSSL_LOG(DEBUG,
-				"Length of public_decrypt %d "
-				"length of message %zd",
-				ret, op->rsa.message.length);
-		if ((ret <= 0) || (CRYPTO_memcmp(tmp, op->rsa.message.data,
-				op->rsa.message.length))) {
-			OPENSSL_LOG(ERR, "RSA sign Verification failed");
-			cop->status = RTE_CRYPTO_OP_STATUS_ERROR;
-		}
-		rte_free(tmp);
-		break;
-
-	default:
-		/* allow ops with invalid args to be pushed to
-		 * completion queue
-		 */
-		cop->status = RTE_CRYPTO_OP_STATUS_INVALID_ARGS;
-		break;
-	}
-
-	if (ret < 0)
-		cop->status = RTE_CRYPTO_OP_STATUS_ERROR;
-
-	return 0;
-}
-
-static int
-process_openssl_ecfpm_op(struct rte_crypto_op *cop,
-		struct openssl_asym_session *sess)
-{
-	RTE_SET_USED(cop);
-	RTE_SET_USED(sess);
-	return -ENOTSUP;
-}
-
-static int
-process_openssl_sm2_op(struct rte_crypto_op *cop,
-		struct openssl_asym_session *sess)
-{
-	RTE_SET_USED(cop);
-	RTE_SET_USED(sess);
-	return -ENOTSUP;
-}
-
-static int
-process_openssl_eddsa_op(struct rte_crypto_op *cop,
-		struct openssl_asym_session *sess)
-{
-	RTE_SET_USED(cop);
-	RTE_SET_USED(sess);
-	return -ENOTSUP;
-}
-#endif
 
 #if (OPENSSL_VERSION_NUMBER >= 0x30500000L)
 static int
@@ -4085,14 +3494,12 @@ mldsa_sign_op_evp(struct rte_crypto_op *cop,
 	case RTE_CRYPTO_AUTH_SHA3_512:
 		check_md = EVP_sha3_512();
 		break;
-#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
 	case RTE_CRYPTO_AUTH_SHAKE_128:
 		check_md = EVP_shake128();
 		break;
 	case RTE_CRYPTO_AUTH_SHAKE_256:
 		check_md = EVP_shake256();
 		break;
-#endif
 	default:
 		break;
 	}
@@ -4328,11 +3735,7 @@ process_asym_op(struct openssl_qp *qp, struct rte_crypto_op *op,
 
 	switch (sess->xfrm_type) {
 	case RTE_CRYPTO_ASYM_XFORM_RSA:
-#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
 		retval = process_openssl_rsa_op_evp(op, sess);
-# else
-		retval = process_openssl_rsa_op(op, sess);
-#endif
 		break;
 	case RTE_CRYPTO_ASYM_XFORM_MODEX:
 		retval = process_openssl_modexp_op(op, sess);
@@ -4341,51 +3744,26 @@ process_asym_op(struct openssl_qp *qp, struct rte_crypto_op *op,
 		retval = process_openssl_modinv_op(op, sess);
 		break;
 	case RTE_CRYPTO_ASYM_XFORM_DH:
-#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
 		retval = process_openssl_dh_op_evp(op, sess);
-# else
-		retval = process_openssl_dh_op(op, sess);
-#endif
 		break;
 	case RTE_CRYPTO_ASYM_XFORM_DSA:
-#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
 		if (op->asym->dsa.op_type == RTE_CRYPTO_ASYM_OP_SIGN)
 			retval = process_openssl_dsa_sign_op_evp(op, sess);
 		else if (op->asym->dsa.op_type ==
 				RTE_CRYPTO_ASYM_OP_VERIFY)
 			retval =
 				process_openssl_dsa_verify_op_evp(op, sess);
-#else
-		if (op->asym->dsa.op_type == RTE_CRYPTO_ASYM_OP_SIGN)
-			retval = process_openssl_dsa_sign_op(op, sess);
-		else if (op->asym->dsa.op_type ==
-				RTE_CRYPTO_ASYM_OP_VERIFY)
-			retval =
-				process_openssl_dsa_verify_op(op, sess);
 		else
 			op->status = RTE_CRYPTO_OP_STATUS_INVALID_ARGS;
-#endif
 		break;
 	case RTE_CRYPTO_ASYM_XFORM_ECFPM:
-#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
 		retval = process_openssl_ecfpm_op_evp(op, sess);
-#else
-		retval = process_openssl_ecfpm_op(op, sess);
-#endif
 		break;
 	case RTE_CRYPTO_ASYM_XFORM_SM2:
-#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
 		retval = process_openssl_sm2_op_evp(op, sess);
-#else
-		retval = process_openssl_sm2_op(op, sess);
-#endif
 		break;
 	case RTE_CRYPTO_ASYM_XFORM_EDDSA:
-#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
 		retval = process_openssl_eddsa_op_evp(op, sess);
-#else
-		retval = process_openssl_eddsa_op(op, sess);
-#endif
 		break;
 	case RTE_CRYPTO_ASYM_XFORM_ML_KEM:
 #if (OPENSSL_VERSION_NUMBER >= 0x30500000L)
@@ -4590,13 +3968,12 @@ cryptodev_openssl_create(const char *name,
 
 	rte_cryptodev_pmd_probing_finish(dev);
 
-# if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
 	/* Load legacy provider
 	 * Some algorithms are no longer available in earlier version of openssl,
 	 * unless the legacy provider explicitly loaded. e.g. DES
 	 */
 	ossl_legacy_provider_load();
-# endif
+
 	return 0;
 
 init_error:
@@ -4645,9 +4022,8 @@ cryptodev_openssl_remove(struct rte_vdev_device *vdev)
 	if (cryptodev == NULL)
 		return -ENODEV;
 
-# if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
 	ossl_legacy_provider_unload();
-# endif
+
 	return rte_cryptodev_pmd_destroy(cryptodev);
 }
 
diff --git a/drivers/crypto/openssl/rte_openssl_pmd_ops.c b/drivers/crypto/openssl/rte_openssl_pmd_ops.c
index 4e5fb07bb2..d927cc5228 100644
--- a/drivers/crypto/openssl/rte_openssl_pmd_ops.c
+++ b/drivers/crypto/openssl/rte_openssl_pmd_ops.c
@@ -10,11 +10,9 @@
 
 #include "openssl_pmd_private.h"
 #include "compat.h"
-#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
 #include <openssl/provider.h>
 #include <openssl/core_names.h>
 #include <openssl/param_build.h>
-#endif
 
 static const struct rte_cryptodev_capabilities openssl_pmd_capabilities[] = {
 	{	/* MD5 HMAC */
@@ -457,7 +455,6 @@ static const struct rte_cryptodev_capabilities openssl_pmd_capabilities[] = {
 			}, }
 		}, }
 	},
-#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
 	{   /* SHAKE_128 */
 		.op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
 		{.sym = {
@@ -500,7 +497,6 @@ static const struct rte_cryptodev_capabilities openssl_pmd_capabilities[] = {
 			}, }
 		}, }
 	},
-#endif
 	{	/* AES CBC */
 		.op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
 		{.sym = {
@@ -1222,7 +1218,6 @@ static int openssl_set_asym_session_parameters(
 			goto err_rsa;
 
 		asym_session->u.r.pad = xform->rsa.padding.type;
-#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
 		OSSL_PARAM_BLD * param_bld = OSSL_PARAM_BLD_new();
 		if (!param_bld) {
 			OPENSSL_LOG(ERR, "failed to allocate resources");
@@ -1323,79 +1318,7 @@ static int openssl_set_asym_session_parameters(
 		OSSL_PARAM_BLD_free(param_bld);
 		OSSL_PARAM_free(params);
 		ret = 0;
-#else
-		RSA *rsa = RSA_new();
-		if (rsa == NULL)
-			goto err_rsa;
-
-		if (xform->rsa.d.length > 0) {
-			d = BN_bin2bn(
-			(const unsigned char *)xform->rsa.d.data,
-			xform->rsa.d.length,
-			d);
-			if (!d) {
-				RSA_free(rsa);
-				goto err_rsa;
-			}
-		}
-
-		if (xform->rsa.key_type == RTE_RSA_KEY_TYPE_QT) {
-			p = BN_bin2bn((const unsigned char *)
-					xform->rsa.qt.p.data,
-					xform->rsa.qt.p.length,
-					p);
-			q = BN_bin2bn((const unsigned char *)
-					xform->rsa.qt.q.data,
-					xform->rsa.qt.q.length,
-					q);
-			dmp1 = BN_bin2bn((const unsigned char *)
-					xform->rsa.qt.dP.data,
-					xform->rsa.qt.dP.length,
-					dmp1);
-			dmq1 = BN_bin2bn((const unsigned char *)
-					xform->rsa.qt.dQ.data,
-					xform->rsa.qt.dQ.length,
-					dmq1);
-			iqmp = BN_bin2bn((const unsigned char *)
-					xform->rsa.qt.qInv.data,
-					xform->rsa.qt.qInv.length,
-					iqmp);
 
-			if (!p || !q || !dmp1 || !dmq1 || !iqmp) {
-				RSA_free(rsa);
-				goto err_rsa;
-			}
-			ret = set_rsa_params(rsa, p, q);
-			if (ret) {
-				OPENSSL_LOG(ERR,
-					"failed to set rsa params");
-				RSA_free(rsa);
-				goto err_rsa;
-			}
-			ret = set_rsa_crt_params(rsa, dmp1, dmq1, iqmp);
-			if (ret) {
-				OPENSSL_LOG(ERR,
-					"failed to set crt params");
-				RSA_free(rsa);
-				/*
-				 * set already populated params to NULL
-				 * as its freed by call to RSA_free
-				 */
-				p = q = NULL;
-				goto err_rsa;
-			}
-		}
-
-		ret = set_rsa_keys(rsa, n, e, d);
-		if (ret) {
-			OPENSSL_LOG(ERR, "Failed to load rsa keys");
-			RSA_free(rsa);
-			return ret;
-		}
-		asym_session->u.r.rsa = rsa;
-		asym_session->xfrm_type = RTE_CRYPTO_ASYM_XFORM_RSA;
-		break;
-#endif
 err_rsa:
 		BN_clear_free(n);
 		BN_clear_free(e);
@@ -1469,7 +1392,6 @@ static int openssl_set_asym_session_parameters(
 	case RTE_CRYPTO_ASYM_XFORM_DH:
 	{
 		DH *dh = NULL;
-#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
 		BIGNUM **p = &asym_session->u.dh.p;
 		BIGNUM **g = &asym_session->u.dh.g;
 
@@ -1520,51 +1442,18 @@ static int openssl_set_asym_session_parameters(
 
 		asym_session->u.dh.param_bld = param_bld;
 		asym_session->u.dh.param_bld_peer = param_bld_peer;
-#else
-		BIGNUM *p = NULL;
-		BIGNUM *g = NULL;
-
-		p = BN_bin2bn((const unsigned char *)
-				xform->dh.p.data,
-				xform->dh.p.length,
-				p);
-		g = BN_bin2bn((const unsigned char *)
-				xform->dh.g.data,
-				xform->dh.g.length,
-				g);
-		if (!p || !g)
-			goto err_dh;
-
-		dh = DH_new();
-		if (dh == NULL) {
-			OPENSSL_LOG(ERR,
-				"failed to allocate resources");
-			goto err_dh;
-		}
-		ret = set_dh_params(dh, p, g);
-		if (ret) {
-			DH_free(dh);
-			goto err_dh;
-		}
-#endif
 		asym_session->u.dh.dh_key = dh;
 		asym_session->xfrm_type = RTE_CRYPTO_ASYM_XFORM_DH;
 		break;
 
 err_dh:
 		OPENSSL_LOG(ERR, " failed to set dh params");
-#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
 		BN_free(*p);
 		BN_free(*g);
-#else
-		BN_free(p);
-		BN_free(g);
-#endif
 		return -1;
 	}
 	case RTE_CRYPTO_ASYM_XFORM_DSA:
 	{
-#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
 		BIGNUM **p = &asym_session->u.s.p;
 		BIGNUM **g = &asym_session->u.s.g;
 		BIGNUM **q = &asym_session->u.s.q;
@@ -1615,85 +1504,16 @@ static int openssl_set_asym_session_parameters(
 		asym_session->u.s.param_bld = param_bld;
 
 		break;
-#else
-		BIGNUM *p = NULL, *g = NULL;
-		BIGNUM *q = NULL, *priv_key = NULL;
-		BIGNUM *pub_key = BN_new();
-		BN_zero(pub_key);
-
-		p = BN_bin2bn((const unsigned char *)
-				xform->dsa.p.data,
-				xform->dsa.p.length,
-				p);
-
-		g = BN_bin2bn((const unsigned char *)
-				xform->dsa.g.data,
-				xform->dsa.g.length,
-				g);
-
-		q = BN_bin2bn((const unsigned char *)
-				xform->dsa.q.data,
-				xform->dsa.q.length,
-				q);
-		if (!p || !q || !g)
-			goto err_dsa;
-
-		priv_key = BN_bin2bn((const unsigned char *)
-				xform->dsa.x.data,
-				xform->dsa.x.length,
-				priv_key);
-		if (priv_key == NULL)
-			goto err_dsa;
-
-		DSA *dsa = DSA_new();
-		if (dsa == NULL) {
-			OPENSSL_LOG(ERR,
-				" failed to allocate resources");
-			goto err_dsa;
-		}
-
-		ret = set_dsa_params(dsa, p, q, g);
-		if (ret) {
-			DSA_free(dsa);
-			OPENSSL_LOG(ERR, "Failed to dsa params");
-			goto err_dsa;
-		}
-
-		/*
-		 * openssl 1.1.0 mandate that public key can't be
-		 * NULL in very first call. so set a dummy pub key.
-		 * to keep consistency, lets follow same approach for
-		 * both versions
-		 */
-		/* just set dummy public for very 1st call */
-		ret = set_dsa_keys(dsa, pub_key, priv_key);
-		if (ret) {
-			DSA_free(dsa);
-			OPENSSL_LOG(ERR, "Failed to set keys");
-			goto err_dsa;
-		}
-		asym_session->u.s.dsa = dsa;
-		asym_session->xfrm_type = RTE_CRYPTO_ASYM_XFORM_DSA;
-		break;
-#endif
 err_dsa:
-#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
 		BN_free(*p);
 		BN_free(*q);
 		BN_free(*g);
 		BN_free(*priv_key);
-#else
-		BN_free(p);
-		BN_free(q);
-		BN_free(g);
-		BN_free(priv_key);
-#endif
 		BN_free(pub_key);
 		return -1;
 	}
 	case RTE_CRYPTO_ASYM_XFORM_ECFPM:
 	{
-#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
 		EC_GROUP *ecgrp = NULL;
 
 		asym_session->xfrm_type = xform->xform_type;
@@ -1727,14 +1547,9 @@ static int openssl_set_asym_session_parameters(
 		asym_session->u.ec.curve_id = xform->ec.curve_id;
 		asym_session->u.ec.group = ecgrp;
 		break;
-#else
-		OPENSSL_LOG(WARNING, "ECFPM unsupported for OpenSSL Version < 3.0");
-		return -ENOTSUP;
-#endif
 	}
 	case RTE_CRYPTO_ASYM_XFORM_SM2:
 	{
-#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
 #ifndef OPENSSL_NO_SM2
 		OSSL_PARAM_BLD *param_bld = NULL;
 		OSSL_PARAM *params = NULL;
@@ -1818,10 +1633,6 @@ static int openssl_set_asym_session_parameters(
 #else
 		OPENSSL_LOG(WARNING, "SM2 unsupported in current OpenSSL Version");
 		return -ENOTSUP;
-#endif
-#else
-		OPENSSL_LOG(WARNING, "SM2 unsupported for OpenSSL Version < 3.0");
-		return -ENOTSUP;
 #endif
 	}
 	case RTE_CRYPTO_ASYM_XFORM_EDDSA:
@@ -1983,12 +1794,7 @@ static void openssl_reset_asym_session(struct openssl_asym_session *sess)
 {
 	switch (sess->xfrm_type) {
 	case RTE_CRYPTO_ASYM_XFORM_RSA:
-#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
 		EVP_PKEY_CTX_free(sess->u.r.ctx);
-#else
-		if (sess->u.r.rsa)
-			RSA_free(sess->u.r.rsa);
-#endif
 		break;
 	case RTE_CRYPTO_ASYM_XFORM_MODEX:
 		if (sess->u.e.ctx) {
@@ -2003,35 +1809,23 @@ static void openssl_reset_asym_session(struct openssl_asym_session *sess)
 		}
 		break;
 	case RTE_CRYPTO_ASYM_XFORM_DH:
-#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
 		OSSL_PARAM_BLD_free(sess->u.dh.param_bld);
 		OSSL_PARAM_BLD_free(sess->u.dh.param_bld_peer);
 		sess->u.dh.param_bld = NULL;
 		sess->u.dh.param_bld_peer = NULL;
-#else
-		if (sess->u.dh.dh_key)
-			DH_free(sess->u.dh.dh_key);
-#endif
 		BN_clear_free(sess->u.dh.p);
 		BN_clear_free(sess->u.dh.g);
 		break;
 	case RTE_CRYPTO_ASYM_XFORM_DSA:
-#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
 		OSSL_PARAM_BLD_free(sess->u.s.param_bld);
 		sess->u.s.param_bld = NULL;
 		BN_clear_free(sess->u.s.p);
 		BN_clear_free(sess->u.s.q);
 		BN_clear_free(sess->u.s.g);
 		BN_clear_free(sess->u.s.priv_key);
-#else
-		if (sess->u.s.dsa)
-			DSA_free(sess->u.s.dsa);
-#endif
 		break;
 	case RTE_CRYPTO_ASYM_XFORM_SM2:
-#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
 		OSSL_PARAM_free(sess->u.sm2.params);
-#endif
 		break;
 	case RTE_CRYPTO_ASYM_XFORM_EDDSA:
 #if (OPENSSL_VERSION_NUMBER >= 0x30300000L)
-- 
2.43.0


^ permalink raw reply related

* RE: [PATCH v4 03/20] net/ngbe: add missing CDR config for YT PHY
From: Zaiyu Wang @ 2026-05-27 11:06 UTC (permalink / raw)
  To: 'Stephen Hemminger'; +Cc: dev
In-Reply-To: <20260517163740.52739478@phoenix.local>

> Semi-automated AI review feedback.
Thank you for the review. Based on the feedback, I have made the following adjustments:
> 
> # DPDK Patch Review - net/ngbe: add missing CDR config for YT PHY
> ## WARNINGS
> 
> ### 1. Missing error checks on PHY register writes
No code change.
In the long-term operation of the Wangxun Emerald Gigabit Ethernet controllers supported
by the ngbe driver, PHY register read/write failures are virtually never observed.
Consequently, ngbe_write_phy_reg_sds_ext_yt() effectively always returns 0.
We currently have no plan to add return value checks for PHY register access routines, and
we believe the existing approach is sufficiently robust in practice.
> ---
> 
> ## INFO
> 
> ### 1. Magic numbers in PHY register writes
No code change.
These values were provided by the PHY vendor (Motorcomm) and the bit definitions are not
documented in publicly available register description. 
Replacing them with macros such as YT_CONFIG_REG_XXX would merely introduce meaningless
names without improving understandability. Therefore we prefer to keep the raw vendor
values as they are.


^ permalink raw reply

* RE: [PATCH v4 07/20] net/txgbe: fix Tx desc free logic
From: Zaiyu Wang @ 2026-05-27 11:06 UTC (permalink / raw)
  To: 'Stephen Hemminger'; +Cc: dev
In-Reply-To: <20260517164444.7c0cb0e0@phoenix.local>

> Lots of AI feedback on this one.
> 
> 
> # Review of DPDK Patch: net/txgbe: fix Tx desc free logic
> 
> ## Errors
> 
> ### 1. Shared variable access without atomics (3 locations)
> 
> **Lines affected:**
> - `drivers/net/txgbe/txgbe_rxtx.c:101` (txgbe_tx_free_bufs)
> - `drivers/net/txgbe/txgbe_rxtx.c:655` (txgbe_xmit_cleanup)
> - `drivers/net/txgbe/txgbe_rxtx_vec_common.h:98` (txgbe_tx_free_bufs)
> 
> ```c
> volatile uint16_t head = (uint16_t)*txq->headwb_mem; ```
> 
> **Problem:** The code reads a hardware-updated value (`*txq->headwb_mem`)
> using a `volatile` qualifier. The `volatile` keyword does NOT provide atomicity or
> memory ordering guarantees between the hardware and CPU. On some
> architectures, reading a `uint16_t` from DMA-accessible memory without proper
> barriers or atomic operations can result in torn reads, stale cached values, or
> reordering issues.
> 
> **Fix:** Use atomic load with appropriate memory ordering:
> 
> ```c
> uint16_t head = rte_atomic_load_explicit(
>     (uint16_t *)txq->headwb_mem,
>     rte_memory_order_acquire);
> ```
> 
> The `acquire` ordering ensures that all descriptor writes by the hardware are visible
> to the CPU after reading the head pointer. This is critical for correctness in
> hardware write-back scenarios.
> 
> Note: The `headwb_mem` field type may need adjustment to be an `rte_atomic`
> type or cast appropriately.
> 
Fixed. All three reads from headwb_mem now use rte_atomic_load_explicit
with rte_memory_order_acquire, and the loaded value is declared const.
> ---
> 
> ### 2. Whitespace/indentation error in vec_common.h
> 
> **Line:** `drivers/net/txgbe/txgbe_rxtx_vec_common.h:97-98`
> 
> ```c
> 		tx_last_dd -= txq->nb_tx_desc;
> 
> 		volatile uint16_t head = (uint16_t)*txq->headwb_mem; ```
> 
> **Problem:** Inconsistent indentation. The `volatile uint16_t head` declaration is
> indented with tabs-only (correct), but it visually appears to be part of a removed
> block based on the diff context showing the previous line had different
> indentation.
> 
> **Fix:** Verify the indentation matches the surrounding code block. Based on the
> diff, this appears correct after the change, but confirm the tabs align with the
> function's indentation level.
Verified, the indentation is correct and matches the surrounding code.
> 
> ---
> 
> ## Warnings
> 
> ### 1. Logic change correctness verification needed
> 
> The patch adds three new early-return conditions checking if `head == tx_next_dd`.
> While this appears correct (hardware hasn't advanced past the point we want to
> free to), the logic for wrap-around cases should be verified:
> 
> ```c
> if (txq->tx_next_dd == head)
>     return 0;
> else if (txq->tx_next_dd > head && head > tx_last_dd)
>     return 0;
> else if (tx_last_dd > txq->tx_next_dd &&
>          (head > tx_last_dd || head < txq->tx_next_dd))
>     return 0;
> ```
> 
> **Concern:** The wrap-around logic assumes the ring wraps at `nb_tx_desc`. The
> condition `tx_last_dd > txq->tx_next_dd` handles the wrap case, but verify that:
> - `tx_last_dd` calculation correctly wraps (it does: `tx_last_dd -= txq->nb_tx_desc`)
> - The inequality checks are strict `>` not `>=` consistently
> 
> The existing code appears correct, but this is complex boundary logic that warrants
> testing, especially the second `else if` condition in wrap-around scenarios.
The logic has been carefully reviewed and tested. The extracted helper
function preserves the exact same conditions as the original code, so
no behavioural change is introduced.
> 
> ---
> 
> ### 2. Missing const qualifier on read-only atomic load result
> 
> **All three locations:** The `head` variable is read from hardware but never
> modified:
> 
> ```c
> volatile uint16_t head = (uint16_t)*txq->headwb_mem; ```
> 
> **Suggestion:** Once converted to atomic operations, declare as `const`:
> 
> ```c
> const uint16_t head = rte_atomic_load_explicit(...); ```
> 
> This documents that `head` is never modified after the initial read and prevents
> accidental writes.
Done, the loaded head value is now const.
> 
> ---
> 
> ## Info
> 
> ### 1. Consider helper function for repeated logic
> 
> The same boundary-check logic appears in three separate functions with only
> minor variations. Consider extracting it to a static inline helper:
> 
> ```c
> static inline bool
> txgbe_hw_head_in_range(uint16_t hw_head, uint16_t start,
>                        uint16_t end, uint16_t ring_size) {
>     if (start == hw_head)
>         return false;
> 
>     if (start > hw_head)
>         return hw_head <= end;
>     else /* wrap case */
>         return hw_head > end || hw_head < start; } ```
> 
> This would reduce code duplication and make the logic easier to test and maintain.
I have extracted the common boundary-check logic into a new static
inline helper, txgbe_tx_headwb_desc_done(), placed in txgbe_rxtx.h.
All three call sites now use this helper.
> 
> ---
> 
> ### 2. Comment explaining write-back head semantics
> 
> The commit message mentions "Tx head write-back mode" but the code lacks
> comments explaining the hardware behavior. Consider adding:
> 
> ```c
> /*
>  * In Amber-Lite NIC Tx head write-back mode, hardware periodically
>  * updates *headwb_mem with the index of the next descriptor to process.
>  * Descriptors before this head pointer are safe to free.
>  */
> const uint16_t head = rte_atomic_load_explicit(...); ```
Added a detailed comment for the helper function explaining the
hardware behavior and the (last, next] interval semantics.
> 
> ---
> 
> ## Summary
> 
> **Must fix (Errors):**
> 1. Replace `volatile` read with `rte_atomic_load_explicit()` with
> `rte_memory_order_acquire` ordering in all three locations
> 
> **Should fix (Warnings):**
> 1. Add `const` qualifier to the loaded `head` value after converting to atomics 2.
> Verify wrap-around boundary logic with testing (appears correct but is complex)
> 
> **Consider (Info):**
> 1. Extract repeated boundary-check logic to a helper function 2. Add comments
> documenting hardware write-back semantics
> 
> The core fix (adding the `head == tx_next_dd` check) appears correct and
> addresses the described bug. The primary issue is the use of `volatile` instead of
> proper atomic operations for accessing hardware-updated shared memory.
> 
> 


^ permalink raw reply

* RE: [PATCH v4 05/20] net/txgbe: fix inaccuracy in Tx rate limiting
From: Zaiyu Wang @ 2026-05-27 11:07 UTC (permalink / raw)
  To: 'Stephen Hemminger'; +Cc: dev
In-Reply-To: <20260517164018.7a58c68c@phoenix.local>

> AI feedback on this one. Looks ok as is but worth looking at.
Thank you for the review. Based on the feedback, I have made the following adjustments:
> # DPDK Patch Review: net/txgbe: fix inaccuracy in Tx rate limiting
> ### **Errors**
> 
> None found.
> 
> ### **Warnings**
> 
> **1. TDM_RL_ADJ write placement causes per-queue reconfiguration**
No code change
`txgbe_set_queue_rate_limit()` is directly exposed as the
`eth_dev_ops.set_queue_rate_limit`  to upper-layer applications. We cannot expect
applications to perform any additional setup before calling this interface, so the driver
must reconfig.
Writing the same value to this register multiple times is harmless. Therefore I prefer to
keep the current approach.

> **2. Magic number 21 lacks explanation**
> 
> The value 21 is documented in the commit message but not in the code. Future
> maintainers will not see the breakdown (7B preamble + 1B SFD + 1B EFD + 12B
> IPG).
> 
> **Suggested fix:** Add a comment or define:
> 
> ```c
> /* Ethernet framing overhead: 7B preamble + 1B SFD + 1B EFD + 12B IPG */
> #define TXGBE_TDM_RL_ADJ_OVERHEAD  21 wr32(hw, TXGBE_TDM_RL_ADJ,
> TXGBE_TDM_RL_ADJ_OVERHEAD); ```
> 
I have added a macro `TXGBE_FRAME_OVERHEAD`.

> **3. Missing release notes update**
> 
> This is a fix that changes hardware behavior and improves accuracy. Users may
> observe different TX rates after upgrading. The change should be documented in
> release notes to inform users of the accuracy improvement.
> 
> **Suggested fix:** Add an entry to `doc/guides/rel_notes/release_26_11.rst` (or
> current release):
> 
> ```rst
> * **net/txgbe: Improved TX rate limiting accuracy for Amber-lite NIC.**
> 
>   Fixed TX rate limiting accuracy for 64-byte packets from ~20% deviation
>   to within ~5% by correcting hardware framing overhead configuration.
> ```
> 
> ### **Info**
> 
> **1. Consider validating tx_rate is non-zero**
> 
> The code computes `factor_int = link_speed / tx_rate`. If `tx_rate` is somehow zero
> (due to caller error or invalid input), this would cause division by zero. The existing
> code may have validation elsewhere, but defensive programming would check
> this.
> 
> ```c
> if (tx_rate == 0) {
>     PMD_DRV_LOG(ERR, "TX rate cannot be zero");
>     return -EINVAL;
> }
> ```
No code change
In this function, `tx_rate == 0` is a valid input meaning "remove rate limiting and
restore unlimited mode". No additional check is needed.> 
> **2. Variable scope: factor_fra could be declared at initialization**
> 
> The variable `factor_fra` is declared but not initialized, then assigned in both
> branches of the conditional. C99 style would allow:
> 
> ```c
> u32 factor_fra = (frac * 16384) / 10000; if (factor_fra >= 8192)
>     factor_fra = 0;
> ```
> 
> This is stylistic only; the existing code is correct.
> 
No code change
Just leave it as is.


^ permalink raw reply

* RE: [PATCH v4 04/20] net/ngbe: fix VF promiscuous and allmulticast
From: Zaiyu Wang @ 2026-05-27 11:09 UTC (permalink / raw)
  To: 'Stephen Hemminger'; +Cc: dev
In-Reply-To: <20260517163901.744df0fc@phoenix.local>



> -----Original Message-----
> From: Stephen Hemminger <stephen@networkplumber.org>
> Sent: Monday, May 18, 2026 7:39 AM
> To: Zaiyu Wang <zaiyuwang@trustnetic.com>; Zaiyu Wang
> <zaiyuwang@trustnetic.com>
> Cc: dev@dpdk.org; stable@dpdk.org; Jiawen Wu <jiawenwu@trustnetic.com>;
> dev@dpdk.org; stable@dpdk.org; Jiawen Wu <jiawenwu@trustnetic.com>
> Subject: Re: [PATCH v4 04/20] net/ngbe: fix VF promiscuous and allmulticast
> 
> On Mon, 11 May 2026 18:35:46 +0800
> Zaiyu Wang <zaiyuwang@trustnetic.com> wrote:
> 
> > The configuration of allmulti and promiscuous modes conflicts
> > together. For instance, if we enable promiscuous mode, then enable and
> > disable allmulti, then the promiscuous mode is wrongly disabled.
> >
> > To resolve this, the following changes are made:
> > - do nothing when we set/unset allmulti if promiscuous mode is on
> > - restore the proper mode (none or allmulti) when we disable
> >   promiscuous mode
> >
> > Fixes: 7744e90805b5 ("net/ngbe: add promiscuous and allmulticast ops
> > for VF device")
> > Cc: stable@dpdk.org
> >
> > Signed-off-by: Zaiyu Wang <zaiyuwang@trustnetic.com>
> > ---
> 
> Worth mentioning, but IMHO this is case of AI being overly pedantic.
> Patch is OK as is.
Thanks.
 


^ permalink raw reply

* RE: [PATCH v4 09/20] net/txgbe: fix link flow control config for Sapphire
From: Zaiyu Wang @ 2026-05-27 11:11 UTC (permalink / raw)
  To: 'Stephen Hemminger'; +Cc: dev
In-Reply-To: <20260517164612.4d1c622b@phoenix.local>



> -----Original Message-----
> From: Stephen Hemminger <stephen@networkplumber.org>
> Sent: Monday, May 18, 2026 7:46 AM
> To: Zaiyu Wang <zaiyuwang@trustnetic.com>; Zaiyu Wang
> <zaiyuwang@trustnetic.com>
> Cc: dev@dpdk.org; stable@dpdk.org; Jiawen Wu <jiawenwu@trustnetic.com>;
> Ferruh Yigit <ferruh.yigit@amd.com>; dev@dpdk.org; stable@dpdk.org; Jiawen
> Wu <jiawenwu@trustnetic.com>; Ferruh Yigit <ferruh.yigit@amd.com>
> Subject: Re: [PATCH v4 09/20] net/txgbe: fix link flow control config for Sapphire
> 
> On Mon, 11 May 2026 18:35:51 +0800
> Zaiyu Wang <zaiyuwang@trustnetic.com> wrote:
> 
> > SP chips have a hardware bug preventing XON flow control support, so
> > the driver disables it.
> >
> > Fixes: 69ce8c8a4ce3 ("net/txgbe: support flow control")
> > Cc: stable@dpdk.org
> >
> > Signed-off-by: Zaiyu Wang <zaiyuwang@trustnetic.com>
> > ---
> 
> Comment vs code mismatch
> 
> 
> # Review of Patch 9/20: net/txgbe: fix link flow control config for Sapphire
> 
> ## Errors
> 
> None.
> 
> ## Warnings
> 
> ### W1: Conditional logic inverted (line 1042-1043)
Fixed.

 
> ### W2: Inconsistent capitalization in comment (line 1042)
Fixed.

 


^ permalink raw reply

* RE: [PATCH v4 18/20] net/txgbe: fix get EEPROM operation
From: Zaiyu Wang @ 2026-05-27 11:11 UTC (permalink / raw)
  To: 'Stephen Hemminger'; +Cc: dev
In-Reply-To: <20260517165434.5a4e3a72@phoenix.local>


> I agree with AI that u8, u16 should not be used except in base/ code.
> 
Fixed. 


^ permalink raw reply

* RE: [PATCH v4 20/20] net/txgbe: fix to enable Tx desc check
From: Zaiyu Wang @ 2026-05-27 11:14 UTC (permalink / raw)
  To: 'Stephen Hemminger'; +Cc: dev
In-Reply-To: <20260517165533.20cdb300@phoenix.local>


> Minor AI stuff here:
Thank you for the review. Based on the feedback, I have made the following adjustments:
> ## WARNINGS
> 
> ### 1. Bit manipulation should use RTE_BIT32() macro
Fixed.

> ### 2. Conditional compilation without corresponding documentation update
No code change
This patch does not change the intended behavior of Tx desc check. Due to hardware
limitation, IPsec and desc check cannot be enabled at the same time; the original design
was to enable desc check by default when IPsec is not in use. The previous code had a bug
that prevented this from working correctly, and this patch simply fixes that. Therefore a
separate document update is not needed.
> 
> ## INFO
> 
> ### 1. Potential logic optimization
No code change
I chose not to extract the bitmask into a separate variable to keep the change minimal and
the code concise.
> 
> ### 2. Parentheses around `using_ipsec` unnecessary
Fixed.
 


^ permalink raw reply

* Re: [RFC v2 2/3] lib: add fastmem library
From: Mattias Rönnblom @ 2026-05-27 11:17 UTC (permalink / raw)
  To: Bruce Richardson
  Cc: Stephen Hemminger, dev, Morten Brørup, Konstantin Ananyev,
	Mattias Rönnblom, Yogaraj Baskaravel
In-Reply-To: <ahbE6KvlgzG_XkSY@bricha3-mobl1.ger.corp.intel.com>

On 5/27/26 12:18, Bruce Richardson wrote:
> On Wed, May 27, 2026 at 12:12:19PM +0200, Mattias Rönnblom wrote:
>> On 5/26/26 15:23, Stephen Hemminger wrote:
>>> On Tue, 26 May 2026 10:57:42 +0200
>>> Mattias Rönnblom <hofors@lysator.liu.se> wrote:
>>>
>>>> +__rte_experimental
>>>> +void *
>>>> +rte_fastmem_alloc(size_t size, size_t align, unsigned int flags)
>>>> +	__rte_alloc_size(1) __rte_alloc_align(2);
>>>
>>> Should also add attribute __rte_malloc which tells compiler
>>> that pointer returned cannot alias other memory
>>>
>>> And add __rte_dealloc(rte_fastmem_free, 1)
>>> which tells compiler that the returned pointer should only go
>>> back to fastmem (not free, rte_free, etc).
>>
>> Done. Only works for the single-object ops (not bulk) though.
>>
>> I've had a look at how to extend fastmem to support larger allocations
>> (without suggesting this is the way to go).
>>
>> Seems to me that implementation should be something like
>> a) slab allocator for small objects.
>> b) a cache-less per-socket page run allocator for mid-sized objects.
>> c) per-object memzones for large objects.
>>
>> If one would implement that, you would essentially have a plug-in
>> replacement for rte_malloc.h (maybe minus some debug and some more esoteric
>> DPDK heap features).
>>
>> Should fastmem be an outright replacement, or something that at least
>> initially lives alongside the regular heap, maybe with a run- or
>> compile-time option to make rte_malloc.h functions delegate to fastmem? This
>> is unclear to me at this point. I fear the more ambitious, cleaner and more
>> risky DPDK heap replacement path will go they way my attempts to replace
>> rte_memcpy or rte_timer went.
>>
>> I would agree with anyone saying that we should have only one heap-like API
>> for memory allocations. rte_malloc.h obviously needs to stay, for backward
>> compatibility reason, if nothing else. I would like to add bulk alloc/free,
>> and allow for smaller alignments than 64, since slabs can do that
>> efficiently (DPDK heap per-object header is 128 bytes!). One could either go
>> about that by extending rte_malloc.h or deprecating that API and starting
>> anew. In the latter case, one could do many more minor tweaks, like removing
>> the type pointers (only a nuance), remove the validate function, change and
>> extend the stats interface, etc.
>>
> +1 for replacing rte_malloc. For a replacement, I'd tend towards aiming for
> compatibilty over trying to fix too many little things at once. While
> changing a couple of things is ok, I'd rather not force applications to
> make too many updates to their code when moving from one DPDK version to
> another.
> 

What one could attempt to do is to be fully backward compatible with 
rte_malloc.h (maybe minus some debug features that require per-object 
headers?) and then expose a new API which is functionally a superset of 
rte_malloc.h.

The new API would be something like a hybrid of rte_malloc.h, the 
mempool APIs, and the kind of API you find on an in-kernel memory 
manager (e.g., Solaris'), tuned for DPDK lcore use.

> /Bruce


^ permalink raw reply

* RE: [RFC v2 2/3] lib: add fastmem library
From: Morten Brørup @ 2026-05-27 11:17 UTC (permalink / raw)
  To: Bruce Richardson, Mattias Rönnblom
  Cc: Stephen Hemminger, dev, Konstantin Ananyev, Mattias Rönnblom,
	Yogaraj Baskaravel
In-Reply-To: <ahbE6KvlgzG_XkSY@bricha3-mobl1.ger.corp.intel.com>

> From: Bruce Richardson [mailto:bruce.richardson@intel.com]
> Sent: Wednesday, 27 May 2026 12.18
> 
> On Wed, May 27, 2026 at 12:12:19PM +0200, Mattias Rönnblom wrote:
> > On 5/26/26 15:23, Stephen Hemminger wrote:
> > > On Tue, 26 May 2026 10:57:42 +0200
> > > Mattias Rönnblom <hofors@lysator.liu.se> wrote:
> > >
> > > > +__rte_experimental
> > > > +void *
> > > > +rte_fastmem_alloc(size_t size, size_t align, unsigned int flags)
> > > > +	__rte_alloc_size(1) __rte_alloc_align(2);
> > >
> > > Should also add attribute __rte_malloc which tells compiler
> > > that pointer returned cannot alias other memory
> > >
> > > And add __rte_dealloc(rte_fastmem_free, 1)
> > > which tells compiler that the returned pointer should only go
> > > back to fastmem (not free, rte_free, etc).
> >
> > Done. Only works for the single-object ops (not bulk) though.
> >
> > I've had a look at how to extend fastmem to support larger
> allocations
> > (without suggesting this is the way to go).
> >
> > Seems to me that implementation should be something like
> > a) slab allocator for small objects.
> > b) a cache-less per-socket page run allocator for mid-sized objects.
> > c) per-object memzones for large objects.

All allocations through the library should somehow build on memzones.
If an application wants "normal" memory, it can use libc free()/malloc().

> >
> > If one would implement that, you would essentially have a plug-in
> > replacement for rte_malloc.h (maybe minus some debug and some more
> esoteric
> > DPDK heap features).
> >
> > Should fastmem be an outright replacement, or something that at least
> > initially lives alongside the regular heap, maybe with a run- or
> > compile-time option to make rte_malloc.h functions delegate to
> fastmem? This
> > is unclear to me at this point. I fear the more ambitious, cleaner
> and more
> > risky DPDK heap replacement path will go they way my attempts to
> replace
> > rte_memcpy or rte_timer went.
> >
> > I would agree with anyone saying that we should have only one heap-
> like API
> > for memory allocations. rte_malloc.h obviously needs to stay, for
> backward
> > compatibility reason, if nothing else. I would like to add bulk
> alloc/free,
> > and allow for smaller alignments than 64, since slabs can do that
> > efficiently (DPDK heap per-object header is 128 bytes!). One could
> either go
> > about that by extending rte_malloc.h or deprecating that API and
> starting
> > anew. In the latter case, one could do many more minor tweaks, like
> removing
> > the type pointers (only a nuance), remove the validate function,
> change and
> > extend the stats interface, etc.
> >
> +1 for replacing rte_malloc. For a replacement, I'd tend towards aiming
> for
> compatibilty over trying to fix too many little things at once. While
> changing a couple of things is ok, I'd rather not force applications to
> make too many updates to their code when moving from one DPDK version
> to
> another.
> 
> /Bruce

+1 for taking the path that begins with starting anew.
The new heap library can be designed specifically for the fast path, based on years of DPDK experience with what the fast path really needs.
It will allow much broader experimentation along the way.
We can easily get rid of all slow path legacy stuff in rte_malloc, like the "type" parameter.

I think we all agree that replacing rte_malloc should be the end game.
But IMO, it very important that the properties of rte_malloc do not impose any limits on the new heap library.

Someday, when the new library has sufficiently matured, we can discuss how it can replace the rte_malloc library.
Maybe some parts of rte_malloc are not replaceable, and need to be deprecated and removed.
Maybe we all have switched to using the new heap, and nobody is using rte_malloc anymore, so it can simply be removed. ;-)

Suggestion regarding naming:
The prefix could be "rte_mem_" instead of "rte_fastmem_" - it is shorter, and most libraries are "fast".
And then it could live in /lib/memory instead of /lib/fastmem.


^ permalink raw reply

* RE: [PATCH v4 17/20] net/txgbe: fix get module info operation
From: Zaiyu Wang @ 2026-05-27 11:18 UTC (permalink / raw)
  To: 'Stephen Hemminger'; +Cc: dev
In-Reply-To: <20260517165307.6249117a@phoenix.local>

> ## ERRORS
> 
> ### 1. Resource leak on error path after lock acquisition
The AI review suggested moving the module presence checks inside the lock, which I believe
is not necessary. The presence checks occur before acquiring the semaphore, so returning
early cannot leak the lock. All error paths after lock acquisition do properly go through
the ERROR_IO label and release the semaphore.

I've changed the pre-lock error from -EIO to - EINVAL to better distinguish "module not
present" from actual I/O failures.

> ---
> 
> ## WARNINGS
> 
> ### 1. Implicit comparison with zero
Fixed.

> ### 2. Mixed type usage: `u8` vs `uint8_t`
Fixed.
 
> ### 3. Unnecessary variable initialization
Fixed.

> ## INFO
> 
> ### 2. Error message clarity
> The error messages "I2C IO ERROR" and "SFF Module Type not recognized" are
> informative. Consider whether these should include additional context (e.g., the
> identifier value for unrecognized types) to aid debugging.
Added identifier value in error message.
 


^ permalink raw reply

* RE: [PATCH v4 16/20] net/txgbe: fix SFP module identification
From: Zaiyu Wang @ 2026-05-27 11:21 UTC (permalink / raw)
  To: 'Stephen Hemminger'; +Cc: dev
In-Reply-To: <20260517165225.6ba8b774@phoenix.local>

> ## Errors
> 
> ### 1. Resource leak in `txgbe_identify_sfp_module()` - multiple error paths
> missing unlock
No code change
The review is incorrect — all error paths after acquiring the lock do properly release it. There is no lock leak.

> ### 2. `txgbe_write_i2c_byte()` removes STOP condition - probable hardware
No code change
This change was ported from our out‑of‑tree Linux kernel driver. It was found that the previous write_i2c interface had problems, which caused ethtool -m to read some 40G optical module information incorrectly. Removing the intermediate STOP is intentional and fixes that issue.

> ### 3. Removed validation logic without replacement - SFP vendor checking
No code change
The old code was inherited from the Intel driver. The restriction has been removed intentionally: the driver now supports all optical modules that comply with the relevant standards, without limiting to a specific vendor.

> ## Warnings
> 
> ### 1. `txgbe_identify_qsfp_module()` GPIO config runs unconditionally
No code change.
The function txgbe_identify_qsfp_module is only called for the Amber‑Lite 40G NIC. Among the three NIC types supported by txgbe (Sapphire 10G, Amber‑Lite 25G, Amber‑Lite 40G), only the 40G variant uses QSFP; the other two use SFP. Based on the aml40 hardware design, we need to configure the GPIO before using I2C.

> ### 2. Missing error propagation - `txgbe_read_i2c_sff8636()` page select failure
> ignored
Fixed.

> ### 3. Implicit comparison on pointer
Fixed.
 
> ### 5. Function pointer assignments removed but functions still defined
Already verified.
 


^ permalink raw reply


This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox