diff --git a/SOURCES/0001-vhost-discard-too-small-descriptor-chains.patch b/SOURCES/0001-vhost-discard-too-small-descriptor-chains.patch
new file mode 100644
index 0000000..4631ff2
--- /dev/null
+++ b/SOURCES/0001-vhost-discard-too-small-descriptor-chains.patch
@@ -0,0 +1,98 @@
+From bec1c5fe59fd82a1d932aece65c919cd46325d89 Mon Sep 17 00:00:00 2001
+From: Maxime Coquelin <maxime.coquelin@redhat.com>
+Date: Thu, 16 Jun 2022 11:35:56 +0200
+Subject: [PATCH v2 1/2] vhost: discard too small descriptor chains
+
+This patch discards descriptor chains which are smaller
+than the Virtio-net header size, and ones that are equal.
+
+Indeed, such descriptor chains sizes mean there is no
+packet data.
+
+This patch also has the advantage of requesting the exact
+packets sizes for the mbufs.
+
+CVE-2022-2132
+Fixes: 62250c1d0978 ("vhost: extract split ring handling from Rx and Tx functions")
+Cc: stable@dpdk.org
+
+Signed-off-by: Maxime Coquelin <maxime.coquelin@redhat.com>
+---
+ lib/librte_vhost/virtio_net.c | 22 ++++++++++++++--------
+ 1 file changed, 14 insertions(+), 8 deletions(-)
+
+diff --git a/lib/librte_vhost/virtio_net.c b/lib/librte_vhost/virtio_net.c
+index ebeec8fd18..7da440de28 100644
+--- a/lib/librte_vhost/virtio_net.c
++++ b/lib/librte_vhost/virtio_net.c
+@@ -1112,10 +1112,10 @@ copy_desc_to_mbuf(struct virtio_net *dev, struct vhost_virtqueue *vq,
+ buf_iova = buf_vec[vec_idx].buf_iova;
+ buf_len = buf_vec[vec_idx].buf_len;
+
+- if (unlikely(buf_len < dev->vhost_hlen && nr_vec <= 1)) {
+- error = -1;
+- goto out;
+- }
++ /*
++ * The caller has checked the descriptors chain is larger than the
++ * header size.
++ */
+
+ if (virtio_net_with_host_offload(dev)) {
+ if (unlikely(buf_len < sizeof(struct virtio_net_hdr))) {
+@@ -1350,20 +1350,23 @@ virtio_dev_tx_split(struct virtio_net *dev, struct vhost_virtqueue *vq,
+ for (i = 0; i < count; i++) {
+ struct buf_vector buf_vec[BUF_VECTOR_MAX];
+ uint16_t head_idx;
+- uint32_t dummy_len;
++ uint32_t buf_len;
+ uint16_t nr_vec = 0;
+ int err;
+
+ if (unlikely(fill_vec_buf_split(dev, vq,
+ vq->last_avail_idx + i,
+ &nr_vec, buf_vec,
+- &head_idx, &dummy_len,
++ &head_idx, &buf_len,
+ VHOST_ACCESS_RO) < 0))
+ break;
+
+ if (likely(dev->dequeue_zero_copy == 0))
+ update_shadow_used_ring_split(vq, head_idx, 0);
+
++ if (unlikely(buf_len <= dev->vhost_hlen))
++ break;
++
+ pkts[i] = rte_pktmbuf_alloc(mbuf_pool);
+ if (unlikely(pkts[i] == NULL)) {
+ RTE_LOG(ERR, VHOST_DATA,
+@@ -1460,14 +1463,14 @@ virtio_dev_tx_packed(struct virtio_net *dev, struct vhost_virtqueue *vq,
+ for (i = 0; i < count; i++) {
+ struct buf_vector buf_vec[BUF_VECTOR_MAX];
+ uint16_t buf_id;
+- uint32_t dummy_len;
++ uint32_t buf_len;
+ uint16_t desc_count, nr_vec = 0;
+ int err;
+
+ if (unlikely(fill_vec_buf_packed(dev, vq,
+ vq->last_avail_idx, &desc_count,
+ buf_vec, &nr_vec,
+- &buf_id, &dummy_len,
++ &buf_id, &buf_len,
+ VHOST_ACCESS_RO) < 0))
+ break;
+
+@@ -1475,6 +1478,9 @@ virtio_dev_tx_packed(struct virtio_net *dev, struct vhost_virtqueue *vq,
+ update_shadow_used_ring_packed(vq, buf_id, 0,
+ desc_count);
+
++ if (unlikely(buf_len <= dev->vhost_hlen))
++ break;
++
+ pkts[i] = rte_pktmbuf_alloc(mbuf_pool);
+ if (unlikely(pkts[i] == NULL)) {
+ RTE_LOG(ERR, VHOST_DATA,
+--
+2.37.1
+
diff --git a/SOURCES/0002-vhost-fix-header-spanned-across-more-than-two-descri.patch b/SOURCES/0002-vhost-fix-header-spanned-across-more-than-two-descri.patch
new file mode 100644
index 0000000..fe2fea9
--- /dev/null
+++ b/SOURCES/0002-vhost-fix-header-spanned-across-more-than-two-descri.patch
@@ -0,0 +1,104 @@
+From 735c29eebe2a0757f19bf8b3ba67977e9320c24a Mon Sep 17 00:00:00 2001
+From: Maxime Coquelin <maxime.coquelin@redhat.com>
+Date: Thu, 16 Jun 2022 14:25:07 +0200
+Subject: [PATCH v2 2/2] vhost: fix header spanned across more than two
+ descriptors
+
+This patch aims at supporting the unlikely case where a
+Virtio-net header is spanned across more than two
+descriptors.
+
+CVE-2022-2132
+Fixes: fd68b4739d2c ("vhost: use buffer vectors in dequeue path")
+Cc: stable@dpdk.org
+
+Signed-off-by: Maxime Coquelin <maxime.coquelin@redhat.com>
+---
+ lib/librte_vhost/virtio_net.c | 45 +++++++++++------------------------
+ 1 file changed, 14 insertions(+), 31 deletions(-)
+
+diff --git a/lib/librte_vhost/virtio_net.c b/lib/librte_vhost/virtio_net.c
+index 7da440de28..bd664c88c1 100644
+--- a/lib/librte_vhost/virtio_net.c
++++ b/lib/librte_vhost/virtio_net.c
+@@ -1099,26 +1099,22 @@ copy_desc_to_mbuf(struct virtio_net *dev, struct vhost_virtqueue *vq,
+ uint32_t buf_avail, buf_offset;
+ uint64_t buf_addr, buf_iova, buf_len;
+ uint32_t mbuf_avail, mbuf_offset;
++ uint32_t hdr_remain = dev->vhost_hlen;
+ uint32_t cpy_len;
+ struct rte_mbuf *cur = m, *prev = m;
+ struct virtio_net_hdr tmp_hdr;
+ struct virtio_net_hdr *hdr = NULL;
+- /* A counter to avoid desc dead loop chain */
+- uint16_t vec_idx = 0;
++ uint16_t vec_idx;
+ struct batch_copy_elem *batch_copy = vq->batch_copy_elems;
+ int error = 0;
+
+- buf_addr = buf_vec[vec_idx].buf_addr;
+- buf_iova = buf_vec[vec_idx].buf_iova;
+- buf_len = buf_vec[vec_idx].buf_len;
+-
+ /*
+ * The caller has checked the descriptors chain is larger than the
+ * header size.
+ */
+
+ if (virtio_net_with_host_offload(dev)) {
+- if (unlikely(buf_len < sizeof(struct virtio_net_hdr))) {
++ if (unlikely(buf_vec[0].buf_len < sizeof(struct virtio_net_hdr))) {
+ /*
+ * No luck, the virtio-net header doesn't fit
+ * in a contiguous virtual area.
+@@ -1126,36 +1122,23 @@ copy_desc_to_mbuf(struct virtio_net *dev, struct vhost_virtqueue *vq,
+ copy_vnet_hdr_from_desc(&tmp_hdr, buf_vec);
+ hdr = &tmp_hdr;
+ } else {
+- hdr = (struct virtio_net_hdr *)((uintptr_t)buf_addr);
++ hdr = (struct virtio_net_hdr *)((uintptr_t)buf_vec[0].buf_addr);
+ }
+ }
+
+- /*
+- * A virtio driver normally uses at least 2 desc buffers
+- * for Tx: the first for storing the header, and others
+- * for storing the data.
+- */
+- if (unlikely(buf_len < dev->vhost_hlen)) {
+- buf_offset = dev->vhost_hlen - buf_len;
+- vec_idx++;
+- buf_addr = buf_vec[vec_idx].buf_addr;
+- buf_iova = buf_vec[vec_idx].buf_iova;
+- buf_len = buf_vec[vec_idx].buf_len;
+- buf_avail = buf_len - buf_offset;
+- } else if (buf_len == dev->vhost_hlen) {
+- if (unlikely(++vec_idx >= nr_vec))
+- goto out;
+- buf_addr = buf_vec[vec_idx].buf_addr;
+- buf_iova = buf_vec[vec_idx].buf_iova;
+- buf_len = buf_vec[vec_idx].buf_len;
++ for (vec_idx = 0; vec_idx < nr_vec; vec_idx++) {
++ if (buf_vec[vec_idx].buf_len > hdr_remain)
++ break;
+
+- buf_offset = 0;
+- buf_avail = buf_len;
+- } else {
+- buf_offset = dev->vhost_hlen;
+- buf_avail = buf_vec[vec_idx].buf_len - dev->vhost_hlen;
++ hdr_remain -= buf_vec[vec_idx].buf_len;
+ }
+
++ buf_addr = buf_vec[vec_idx].buf_addr;
++ buf_iova = buf_vec[vec_idx].buf_iova;
++ buf_len = buf_vec[vec_idx].buf_len;
++ buf_offset = hdr_remain;
++ buf_avail = buf_vec[vec_idx].buf_len - hdr_remain;
++
+ PRINT_PACKET(dev,
+ (uintptr_t)(buf_addr + buf_offset),
+ (uint32_t)buf_avail, 0);
+--
+2.37.1
+
diff --git a/SPECS/dpdk.spec b/SPECS/dpdk.spec
index df2ebc9..7504a7a 100644
--- a/SPECS/dpdk.spec
+++ b/SPECS/dpdk.spec
@@ -9,7 +9,7 @@
#% define shortcommit0 %(c=%{commit0}; echo ${c:0:7})
%define ver 18.11.8
-%define rel 1
+%define rel 2
%define srcname dpdk-stable
@@ -48,6 +48,10 @@ Patch1031: 0001-net-i40e-re-program-promiscuous-mode-on-VF-interface.patch
# Bug #1726579
Patch1040: 0001-vhost-add-device-op-when-notification-to-guest-is-se.patch
+# CVE-2022-2132
+Patch50: 0001-vhost-discard-too-small-descriptor-chains.patch
+Patch51: 0002-vhost-fix-header-spanned-across-more-than-two-descri.patch
+
Summary: Set of libraries and drivers for fast packet processing
#
@@ -287,6 +291,9 @@ sed -i -e 's:-%{machine_tmpl}-:-%{machine}-:g' %{buildroot}/%{_sysconfdir}/profi
%endif
%changelog
+* Wed Oct 26 2022 Timothy Redaelli <tredaelli@redhat.com> - 18.11.8-2
+- Backport fixes for CVE-2022-2132 (#2107166)
+
* Wed May 20 2020 Timothy Redaelli <tredaelli@redhat.com> - 18.11.8-1
- Updated to DPDK 18.11.8 (#1836829, #1837025)