From 2cf788bdd3586a3d3947cd8f2d98f7d328b95a67 Mon Sep 17 00:00:00 2001 From: Open vSwitch CI Date: Apr 28 2022 14:36:51 +0000 Subject: Import openvswitch2.13-2.13.0-180 from Fast DataPath --- diff --git a/SOURCES/openvswitch-2.13.0.patch b/SOURCES/openvswitch-2.13.0.patch index 90b45d1..24daaec 100644 --- a/SOURCES/openvswitch-2.13.0.patch +++ b/SOURCES/openvswitch-2.13.0.patch @@ -79457,7 +79457,7 @@ index 684fddc30b..e08f9c6d75 100644 } diff --git a/dpdk/lib/librte_vhost/vhost_user.c b/dpdk/lib/librte_vhost/vhost_user.c -index 0cfb8b792b..dc1e312d84 100644 +index 0cfb8b792b..e94fdc70e8 100644 --- a/dpdk/lib/librte_vhost/vhost_user.c +++ b/dpdk/lib/librte_vhost/vhost_user.c @@ -97,8 +97,15 @@ close_msg_fds(struct VhostUserMsg *msg) @@ -79756,7 +79756,17 @@ index 0cfb8b792b..dc1e312d84 100644 else rings_ok = vq->desc && vq->avail && vq->used; -@@ -1415,6 +1426,7 @@ vhost_user_get_inflight_fd(struct virtio_net **pdev, +@@ -1400,6 +1411,9 @@ vhost_user_get_inflight_fd(struct virtio_net **pdev, + int fd, i, j; + void *addr; + ++ if (validate_msg_fds(msg, 0) != 0) ++ return RTE_VHOST_MSG_RESULT_ERR; ++ + if (msg->size != sizeof(msg->payload.inflight)) { + RTE_LOG(ERR, VHOST_CONFIG, + "invalid get_inflight_fd message size is %d\n", +@@ -1415,6 +1429,7 @@ vhost_user_get_inflight_fd(struct virtio_net **pdev, "failed to alloc dev inflight area\n"); return RTE_VHOST_MSG_RESULT_ERR; } @@ -79764,7 +79774,7 @@ index 0cfb8b792b..dc1e312d84 100644 } num_queues = msg->payload.inflight.num_queues; -@@ -1440,6 +1452,16 @@ vhost_user_get_inflight_fd(struct virtio_net **pdev, +@@ -1440,6 +1455,16 @@ vhost_user_get_inflight_fd(struct virtio_net **pdev, } memset(addr, 0, mmap_size); 
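Review bot: The expected descriptor count passed to `validate_msg_fds()` is a bare literal in the vhost_user_get_inflight_fd hunk (`0`) and again in the vhost_user_set_inflight_fd hunk (`1`), with nothing at the call site saying why each request expects that number. A one-line comment above each call would make the contract reviewable, for example `/* GET_INFLIGHT_FD carries no descriptors from the master; reject the message if any are attached */` and the matching `/* SET_INFLIGHT_FD must carry exactly one descriptor: the inflight area */`. The body of `validate_msg_fds()` is not shown on this page, so whether it closes unexpected descriptors itself should be confirmed and stated in its own header comment. Both functions start and end outside their hunks.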
@@ -79781,7 +79791,17 @@ index 0cfb8b792b..dc1e312d84 100644 dev->inflight_info->addr = addr; dev->inflight_info->size = msg->payload.inflight.mmap_size = mmap_size; dev->inflight_info->fd = msg->fds[0] = fd; -@@ -1522,10 +1544,13 @@ vhost_user_set_inflight_fd(struct virtio_net **pdev, VhostUserMsg *msg, +@@ -1482,6 +1507,9 @@ vhost_user_set_inflight_fd(struct virtio_net **pdev, VhostUserMsg *msg, + void *addr; + int fd, i; + ++ if (validate_msg_fds(msg, 1) != 0) ++ return RTE_VHOST_MSG_RESULT_ERR; ++ + fd = msg->fds[0]; + if (msg->size != sizeof(msg->payload.inflight) || fd < 0) { + RTE_LOG(ERR, VHOST_CONFIG, +@@ -1522,10 +1550,13 @@ vhost_user_set_inflight_fd(struct virtio_net **pdev, VhostUserMsg *msg, "failed to alloc dev inflight area\n"); return RTE_VHOST_MSG_RESULT_ERR; } @@ -79796,7 +79816,7 @@ index 0cfb8b792b..dc1e312d84 100644 addr = mmap(0, mmap_size, PROT_READ | PROT_WRITE, MAP_SHARED, fd, mmap_offset); -@@ -1534,8 +1559,10 @@ vhost_user_set_inflight_fd(struct virtio_net **pdev, VhostUserMsg *msg, +@@ -1534,8 +1565,10 @@ vhost_user_set_inflight_fd(struct virtio_net **pdev, VhostUserMsg *msg, return RTE_VHOST_MSG_RESULT_ERR; } @@ -79808,7 +79828,7 @@ index 0cfb8b792b..dc1e312d84 100644 dev->inflight_info->fd = fd; dev->inflight_info->addr = addr; -@@ -1629,8 +1656,11 @@ vhost_check_queue_inflights_split(struct virtio_net *dev, +@@ -1629,8 +1662,11 @@ vhost_check_queue_inflights_split(struct virtio_net *dev, (1ULL << VHOST_USER_PROTOCOL_F_INFLIGHT_SHMFD))) return RTE_VHOST_MSG_RESULT_OK; @@ -79821,7 +79841,7 @@ index 0cfb8b792b..dc1e312d84 100644 if (!vq->inflight_split->version) { vq->inflight_split->version = INFLIGHT_VERSION; -@@ -1710,8 +1740,11 @@ vhost_check_queue_inflights_packed(struct virtio_net *dev, +@@ -1710,8 +1746,11 @@ vhost_check_queue_inflights_packed(struct virtio_net *dev, (1ULL << VHOST_USER_PROTOCOL_F_INFLIGHT_SHMFD))) return RTE_VHOST_MSG_RESULT_OK; 
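Review bot: A SET_INFLIGHT_FD message that carries exactly one descriptor but a wrong `msg->size` may still leak that descriptor. The new `validate_msg_fds(msg, 1)` guard in vhost_user_set_inflight_fd only rejects a wrong descriptor count. The size check that follows in the context (`msg->size != sizeof(msg->payload.inflight) || fd < 0`) is cut off by the hunk, so it is not visible whether that branch releases `fd` before returning. If it returns `RTE_VHOST_MSG_RESULT_ERR` directly and the caller does not clean up on error, adding `close_msg_fds(msg);` before that return would close the gap. The later error returns in this function (allocation and `mmap` failure, visible as context in the following hunks) deserve the same check.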
@@ -79834,7 +79854,7 @@ index 0cfb8b792b..dc1e312d84 100644 if (!vq->inflight_packed->version) { vq->inflight_packed->version = INFLIGHT_VERSION; -@@ -1811,8 +1844,12 @@ vhost_user_set_vring_kick(struct virtio_net **pdev, struct VhostUserMsg *msg, +@@ -1811,8 +1850,12 @@ vhost_user_set_vring_kick(struct virtio_net **pdev, struct VhostUserMsg *msg, /* Interpret ring addresses only when ring is started. */ dev = translate_ring_addresses(dev, file.index); @@ -79848,7 +79868,7 @@ index 0cfb8b792b..dc1e312d84 100644 *pdev = dev; -@@ -1857,6 +1894,7 @@ free_zmbufs(struct vhost_virtqueue *vq) +@@ -1857,6 +1900,7 @@ free_zmbufs(struct vhost_virtqueue *vq) drain_zmbuf_list(vq); rte_free(vq->zmbufs); @@ -79856,7 +79876,7 @@ index 0cfb8b792b..dc1e312d84 100644 } /* -@@ -2054,18 +2092,18 @@ vhost_user_set_log_base(struct virtio_net **pdev, struct VhostUserMsg *msg, +@@ -2054,18 +2098,18 @@ vhost_user_set_log_base(struct virtio_net **pdev, struct VhostUserMsg *msg, RTE_LOG(ERR, VHOST_CONFIG, "invalid log base msg size: %"PRId32" != %d\n", msg->size, (int)sizeof(VhostUserLog)); @@ -79880,7 +79900,7 @@ index 0cfb8b792b..dc1e312d84 100644 } RTE_LOG(INFO, VHOST_CONFIG, -@@ -2102,6 +2140,10 @@ vhost_user_set_log_base(struct virtio_net **pdev, struct VhostUserMsg *msg, +@@ -2102,6 +2146,10 @@ vhost_user_set_log_base(struct virtio_net **pdev, struct VhostUserMsg *msg, msg->fd_num = 0; return RTE_VHOST_MSG_RESULT_REPLY; @@ -79891,7 +79911,7 @@ index 0cfb8b792b..dc1e312d84 100644 } static int vhost_user_set_log_fd(struct virtio_net **pdev __rte_unused, -@@ -2229,6 +2271,13 @@ is_vring_iotlb_split(struct vhost_virtqueue *vq, struct vhost_iotlb_msg *imsg) +@@ -2229,6 +2277,13 @@ is_vring_iotlb_split(struct vhost_virtqueue *vq, struct vhost_iotlb_msg *imsg) if (ra->used_user_addr < end && (ra->used_user_addr + len) > start) return 1; 
@@ -79905,7 +79925,7 @@ index 0cfb8b792b..dc1e312d84 100644 return 0; } -@@ -2254,6 +2303,13 @@ is_vring_iotlb_packed(struct vhost_virtqueue *vq, struct vhost_iotlb_msg *imsg) +@@ -2254,6 +2309,13 @@ is_vring_iotlb_packed(struct vhost_virtqueue *vq, struct vhost_iotlb_msg *imsg) if (ra->used_user_addr < end && (ra->used_user_addr + len) > start) return 1; @@ -79919,7 +79939,7 @@ index 0cfb8b792b..dc1e312d84 100644 return 0; } -@@ -2440,8 +2496,13 @@ read_vhost_message(int sockfd, struct VhostUserMsg *msg) +@@ -2440,8 +2502,13 @@ read_vhost_message(int sockfd, struct VhostUserMsg *msg) ret = read_fd_message(sockfd, (char *)msg, VHOST_USER_HDR_SIZE, msg->fds, VHOST_MEMORY_MAX_NREGIONS, &msg->fd_num); @@ -79934,7 +79954,7 @@ index 0cfb8b792b..dc1e312d84 100644 if (msg->size) { if (msg->size > sizeof(msg->payload)) { -@@ -2508,7 +2569,7 @@ static int +@@ -2508,7 +2575,7 @@ static int vhost_user_check_and_alloc_queue_pair(struct virtio_net *dev, struct VhostUserMsg *msg) { @@ -79943,7 +79963,17 @@ index 0cfb8b792b..dc1e312d84 100644 switch (msg->request.master) { case VHOST_USER_SET_VRING_KICK: -@@ -2758,7 +2819,7 @@ vhost_user_msg_handler(int vid, int fd) +@@ -2524,6 +2591,9 @@ vhost_user_check_and_alloc_queue_pair(struct virtio_net *dev, + case VHOST_USER_SET_VRING_ADDR: + vring_idx = msg->payload.addr.index; + break; ++ case VHOST_USER_SET_INFLIGHT_FD: ++ vring_idx = msg->payload.inflight.num_queues - 1; ++ break; + default: + return 0; + } +@@ -2758,7 +2828,7 @@ vhost_user_msg_handler(int vid, int fd) return -1; } @@ -79952,7 +79982,7 @@ index 0cfb8b792b..dc1e312d84 100644 dev->flags |= VIRTIO_DEV_READY; if (!(dev->flags & VIRTIO_DEV_RUNNING)) { -@@ -2794,11 +2855,19 @@ static int process_slave_message_reply(struct virtio_net *dev, +@@ -2794,11 +2864,19 @@ static int process_slave_message_reply(struct virtio_net *dev, if ((msg->flags & VHOST_USER_NEED_REPLY) == 0) return 0; 
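Review bot: `vring_idx = msg->payload.inflight.num_queues - 1;` in the new `VHOST_USER_SET_INFLIGHT_FD` case validates only the highest queue index, and depends on wraparound to reject `num_queues == 0`. The declaration of `vring_idx` and the range check after the switch are outside this hunk, so confirm that a zero count ends up out of range there, and record the reliance with a comment such as `/* num_queues == 0 wraps to an out-of-range index and is rejected by the bound check below */`. The changelog says the patch should make sure virtqueues are allocated before the inflight information is set. Whether that holds for indices below `num_queues - 1` depends on the allocation helper, which is not shown. If it allocates only the single index passed in, the per-queue loop in vhost_user_set_inflight_fd needs a NULL check on each `dev->virtqueue[i]`.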
diff --git a/SPECS/openvswitch2.13.spec b/SPECS/openvswitch2.13.spec index 20706e3..c09e4af 100644 --- a/SPECS/openvswitch2.13.spec +++ b/SPECS/openvswitch2.13.spec @@ -59,7 +59,7 @@ Summary: Open vSwitch Group: System Environment/Daemons daemon/database/utilities URL: http://www.openvswitch.org/ Version: 2.13.0 -Release: 178%{?commit0:.%{date}git%{shortcommit0}}%{?commit1:dpdk%{shortcommit1}}%{?dist} +Release: 180%{?commit0:.%{date}git%{shortcommit0}}%{?commit1:dpdk%{shortcommit1}}%{?dist} # Nearly all of openvswitch is ASL 2.0. The bugtool is LGPLv2+, and the # lib/sflow*.[ch] files are SISSL @@ -715,6 +715,36 @@ exit 0 %endif %changelog +* Thu Apr 28 2022 Timothy Redaelli - 2.13.0-180 +- vhost: fix queue number check when setting inflight FD [RH git: 727183c8a9] + [ upstream commit 6442c329b9d2ded0f44b27d2016aaba8ba5844c5 ] + + In function vhost_user_set_inflight_fd, queue number in inflight + message is used to access virtqueue. However, queue number could + be larger than VHOST_MAX_VRING and cause write OOB as this number + will be used to write inflight info in virtqueue structure. This + patch checks the queue number to avoid the issue and also make + sure virtqueues are allocated before setting inflight information. + + Fixes: ad0a4ae491fe ("vhost: checkout resubmit inflight information") + Cc: stable@dpdk.org + + Reported-by: Wenxiang Qian + Signed-off-by: Chenbo Xia + Reviewed-by: Maxime Coquelin + + +* Thu Apr 28 2022 Timothy Redaelli - 2.13.0-179 +- vhost: fix FD leak with inflight messages [RH git: b953f26898] + [ upstream commit af74f7db384ed149fe42b21dbd7975f8a54ef227 ] + + Even if unlikely, a buggy vhost-user master might attach fds to inflight + messages. Add checks like for other types of vhost-user messages. + + Fixes: d87f1a1cb7b6 ("vhost: support inflight info sharing") + Cc: stable@dpdk.org + + * Wed Apr 27 2022 Open vSwitch CI - 2.13.0-178 - Merging upstream branch-2.13 [RH git: f370310000] Commit list: