From 386f277085a9de34c8a66527663af328740bd544 Mon Sep 17 00:00:00 2001 From: Open vSwitch CI Date: Apr 28 2022 15:45:21 +0000 Subject: Import openvswitch2.16-2.16.0-74 from Fast DataPath --- diff --git a/SOURCES/openvswitch-2.16.0.patch b/SOURCES/openvswitch-2.16.0.patch index a4e81cc..7e738f9 100644 --- a/SOURCES/openvswitch-2.16.0.patch +++ b/SOURCES/openvswitch-2.16.0.patch @@ -688,6 +688,40 @@ index 239d210b96..4d23dbc4ec 100644 openvswitch (2.16.0-1) unstable; urgency=low * New upstream version +diff --git a/dpdk/lib/librte_vhost/vhost_user.c b/dpdk/lib/librte_vhost/vhost_user.c +index 45c8ac09da..70d206dcf8 100644 +--- a/dpdk/lib/librte_vhost/vhost_user.c ++++ b/dpdk/lib/librte_vhost/vhost_user.c +@@ -1416,6 +1416,9 @@ vhost_user_get_inflight_fd(struct virtio_net **pdev, + int fd, i, j; + void *addr; + ++ if (validate_msg_fds(msg, 0) != 0) ++ return RTE_VHOST_MSG_RESULT_ERR; ++ + if (msg->size != sizeof(msg->payload.inflight)) { + VHOST_LOG_CONFIG(ERR, + "invalid get_inflight_fd message size is %d\n", +@@ -1509,6 +1512,9 @@ vhost_user_set_inflight_fd(struct virtio_net **pdev, VhostUserMsg *msg, + void *addr; + int fd, i; + ++ if (validate_msg_fds(msg, 1) != 0) ++ return RTE_VHOST_MSG_RESULT_ERR; ++ + fd = msg->fds[0]; + if (msg->size != sizeof(msg->payload.inflight) || fd < 0) { + VHOST_LOG_CONFIG(ERR, +@@ -2652,6 +2658,9 @@ vhost_user_check_and_alloc_queue_pair(struct virtio_net *dev, + case VHOST_USER_SET_VRING_ADDR: + vring_idx = msg->payload.addr.index; + break; ++ case VHOST_USER_SET_INFLIGHT_FD: ++ vring_idx = msg->payload.inflight.num_queues - 1; ++ break; + default: + return 0; + } diff --git a/include/linux/automake.mk b/include/linux/automake.mk index 8f063f482e..f857c7e088 100644 --- a/include/linux/automake.mk diff --git a/SPECS/openvswitch2.16.spec b/SPECS/openvswitch2.16.spec index bc763ac..e8f61aa 100644 --- a/SPECS/openvswitch2.16.spec +++ b/SPECS/openvswitch2.16.spec @@ -57,7 +57,7 @@ Summary: Open vSwitch Group: System Environment/Daemons daemon/database/utilities URL: http://www.openvswitch.org/ Version: 2.16.0 -Release: 72%{?dist} +Release: 74%{?dist} # Nearly all of openvswitch is ASL 2.0. The bugtool is LGPLv2+, and the # lib/sflow*.[ch] files are SISSL @@ -699,6 +699,37 @@ exit 0 %endif %changelog +* Thu Apr 28 2022 Timothy Redaelli - 2.16.0-74 +- vhost: fix queue number check when setting inflight FD [RH git: d084ce15a7] + [ upstream commit 6442c329b9d2ded0f44b27d2016aaba8ba5844c5 ] + + In function vhost_user_set_inflight_fd, queue number in inflight + message is used to access virtqueue. However, queue number could + be larger than VHOST_MAX_VRING and cause write OOB as this number + will be used to write inflight info in virtqueue structure. This + patch checks the queue number to avoid the issue and also make + sure virtqueues are allocated before setting inflight information. + + Fixes: ad0a4ae491fe ("vhost: checkout resubmit inflight information") + + Reported-by: Wenxiang Qian + Signed-off-by: Chenbo Xia + Reviewed-by: Maxime Coquelin + + +* Thu Apr 28 2022 Timothy Redaelli - 2.16.0-73 +- vhost: fix FD leak with inflight messages [RH git: fafbd8f642] + [ upstream commit af74f7db384ed149fe42b21dbd7975f8a54ef227 ] + + Even if unlikely, a buggy vhost-user master might attach fds to inflight + messages. Add checks like for other types of vhost-user messages. + + Fixes: d87f1a1cb7b6 ("vhost: support inflight info sharing") + + Signed-off-by: David Marchand + Reviewed-by: Maxime Coquelin + + * Wed Apr 27 2022 Open vSwitch CI - 2.16.0-72 - Merging upstream branch-2.16 [RH git: 1c2e3ff275] Commit list: