From c18ae098cad922b9335c47089babdeaa9e7e5a43 Mon Sep 17 00:00:00 2001 From: Open vSwitch CI Date: Apr 28 2022 16:53:45 +0000 Subject: Import openvswitch2.15-2.15.0-99 from Fast DataPath --- diff --git a/SOURCES/openvswitch-2.15.0.patch b/SOURCES/openvswitch-2.15.0.patch index 2eec824..05dd81a 100644 --- a/SOURCES/openvswitch-2.15.0.patch +++ b/SOURCES/openvswitch-2.15.0.patch @@ -19083,6 +19083,40 @@ index b83cf639eb..4de588d752 100644 dev->vid = i; dev->flags = VIRTIO_DEV_BUILTIN_VIRTIO_NET; dev->slave_req_fd = -1; +diff --git a/dpdk/lib/librte_vhost/vhost_user.c b/dpdk/lib/librte_vhost/vhost_user.c +index 45c8ac09da..70d206dcf8 100644 +--- a/dpdk/lib/librte_vhost/vhost_user.c ++++ b/dpdk/lib/librte_vhost/vhost_user.c +@@ -1416,6 +1416,9 @@ vhost_user_get_inflight_fd(struct virtio_net **pdev, + int fd, i, j; + void *addr; + ++ if (validate_msg_fds(msg, 0) != 0) ++ return RTE_VHOST_MSG_RESULT_ERR; ++ + if (msg->size != sizeof(msg->payload.inflight)) { + VHOST_LOG_CONFIG(ERR, + "invalid get_inflight_fd message size is %d\n", +@@ -1509,6 +1512,9 @@ vhost_user_set_inflight_fd(struct virtio_net **pdev, VhostUserMsg *msg, + void *addr; + int fd, i; + ++ if (validate_msg_fds(msg, 1) != 0) ++ return RTE_VHOST_MSG_RESULT_ERR; ++ + fd = msg->fds[0]; + if (msg->size != sizeof(msg->payload.inflight) || fd < 0) { + VHOST_LOG_CONFIG(ERR, +@@ -2652,6 +2658,9 @@ vhost_user_check_and_alloc_queue_pair(struct virtio_net *dev, + case VHOST_USER_SET_VRING_ADDR: + vring_idx = msg->payload.addr.index; + break; ++ case VHOST_USER_SET_INFLIGHT_FD: ++ vring_idx = msg->payload.inflight.num_queues - 1; ++ break; + default: + return 0; + } diff --git a/dpdk/lib/librte_vhost/virtio_net.c b/dpdk/lib/librte_vhost/virtio_net.c index 6c5128665e..55bfc161b5 100644 --- a/dpdk/lib/librte_vhost/virtio_net.c diff --git a/SPECS/openvswitch2.15.spec b/SPECS/openvswitch2.15.spec index 2999e77..be9e2b8 100644 --- a/SPECS/openvswitch2.15.spec +++ b/SPECS/openvswitch2.15.spec @@ -57,7 +57,7 @@ Summary: Open vSwitch Group: System Environment/Daemons daemon/database/utilities URL: http://www.openvswitch.org/ Version: 2.15.0 -Release: 97%{?dist} +Release: 99%{?dist} # Nearly all of openvswitch is ASL 2.0. The bugtool is LGPLv2+, and the # lib/sflow*.[ch] files are SISSL @@ -702,6 +702,37 @@ exit 0 %endif %changelog +* Thu Apr 28 2022 Timothy Redaelli - 2.15.0-99 +- vhost: fix queue number check when setting inflight FD [RH git: ba1bcead43] + [ upstream commit 6442c329b9d2ded0f44b27d2016aaba8ba5844c5 ] + + In function vhost_user_set_inflight_fd, queue number in inflight + message is used to access virtqueue. However, queue number could + be larger than VHOST_MAX_VRING and cause write OOB as this number + will be used to write inflight info in virtqueue structure. This + patch checks the queue number to avoid the issue and also make + sure virtqueues are allocated before setting inflight information. + + Fixes: ad0a4ae491fe ("vhost: checkout resubmit inflight information") + + Reported-by: Wenxiang Qian + Signed-off-by: Chenbo Xia + Reviewed-by: Maxime Coquelin + + +* Thu Apr 28 2022 Timothy Redaelli - 2.15.0-98 +- vhost: fix FD leak with inflight messages [RH git: 9d20e2fe62] + [ upstream commit af74f7db384ed149fe42b21dbd7975f8a54ef227 ] + + Even if unlikely, a buggy vhost-user master might attach fds to inflight + messages. Add checks like for other types of vhost-user messages. + + Fixes: d87f1a1cb7b6 ("vhost: support inflight info sharing") + + Signed-off-by: David Marchand + Reviewed-by: Maxime Coquelin + + * Wed Apr 27 2022 Open vSwitch CI - 2.15.0-97 - Merging upstream branch-2.15 [RH git: 885e0d0ad5] Commit list: