diff --git a/SOURCES/openvswitch-2.15.0.patch b/SOURCES/openvswitch-2.15.0.patch index 511ecd9..e9d4b1b 100644 --- a/SOURCES/openvswitch-2.15.0.patch +++ b/SOURCES/openvswitch-2.15.0.patch @@ -18708,7 +18708,7 @@ index b7d577870d..fe24f9abdf 100644 return false; } diff --git a/lib/dpif-netdev.c b/lib/dpif-netdev.c -index 4381c618f1..3026a0619f 100644 +index 4381c618f1..a07a34b89a 100644 --- a/lib/dpif-netdev.c +++ b/lib/dpif-netdev.c @@ -279,8 +279,9 @@ static bool dpcls_lookup(struct dpcls *cls, 
@@ -18955,22 +18955,32 @@ index 4381c618f1..3026a0619f 100644 dp_netdev_execute_actions(pmd, &pp, false, execute->flow, execute->actions, execute->actions_len); dp_netdev_pmd_flush_output_packets(pmd, true); -@@ -4169,6 +4152,14 @@ dpif_netdev_execute(struct dpif *dpif, struct dpif_execute *execute) +@@ -4169,6 +4152,24 @@ dpif_netdev_execute(struct dpif *dpif, struct dpif_execute *execute) dp_netdev_pmd_unref(pmd); } -+ if (dp_packet_batch_size(&pp)) { ++ if (dp_packet_batch_size(&pp) == 1) { + /* Packet wasn't dropped during the execution. Swapping content with + * the original packet, because the caller might expect actions to -+ * modify it. */ -+ dp_packet_swap(execute->packet, packet_clone); ++ * modify it. Uisng the packet from a batch instead of 'packet_clone' ++ * because it maybe stolen and replaced by other packet, e.g. by ++ * the fragmentation engine. */ ++ dp_packet_swap(execute->packet, pp.packets[0]); ++ dp_packet_delete_batch(&pp, true); ++ } else if (dp_packet_batch_size(&pp)) { ++ /* FIXME: We have more packets than expected. Likely, we got IP ++ * fragments of the reassembled packet. Dropping them here as we have ++ * no way to get them to the caller. It might be that all the required ++ * actions with them are already executed, but it also might not be a ++ * case, e.g. if dpif_netdev_execute() called to execute a single ++ * tunnel push. */ + dp_packet_delete_batch(&pp, true); + } + return 0; } -@@ -4878,6 +4869,12 @@ struct rr_numa { +@@ -4878,6 +4879,12 @@ struct rr_numa { bool idx_inc; }; @@ -18983,7 +18993,7 @@ index 4381c618f1..3026a0619f 100644 static struct rr_numa * rr_numa_list_lookup(struct rr_numa_list *rr, int numa_id) { -@@ -5149,7 +5146,6 @@ reload_affected_pmds(struct dp_netdev *dp) +@@ -5149,7 +5156,6 @@ reload_affected_pmds(struct dp_netdev *dp) CMAP_FOR_EACH (pmd, node, &dp->poll_threads) { if (pmd->need_reload) { 
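Review bot: The `else if (dp_packet_batch_size(&pp))` branch frees the extra packets without any log line or counter, so an operator cannot tell that PACKET_OUT traffic was discarded, even though the FIXME itself says required actions such as a single tunnel push may not have run. A coverage counter or a rate-limited warning before `dp_packet_delete_batch(&pp, true);` in that branch would make the drop observable, for example `COVERAGE_INC(<counter_name>);` with a counter defined for this file. The comment in the first branch has two typos and would read better as `Using the packet from the batch instead of 'packet_clone' because it may be stolen and replaced by another packet`; it is also worth stating there that 'packet_clone' must not be dereferenced once the actions have executed. dpif_netdev_execute() starts outside this hunk, so whether a rate limiter or a suitable counter is already in scope is not visible here.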
@@ -18991,7 +19001,7 @@ index 4381c618f1..3026a0619f 100644 dp_netdev_reload_pmd__(pmd); } } -@@ -5590,10 +5586,17 @@ get_dry_run_variance(struct dp_netdev *dp, uint32_t *core_list, +@@ -5590,10 +5596,17 @@ get_dry_run_variance(struct dp_netdev *dp, uint32_t *core_list, for (int i = 0; i < n_rxqs; i++) { int numa_id = netdev_get_numa_id(rxqs[i]->port->netdev); numa = rr_numa_list_lookup(&rr, numa_id); @@ -19012,7 +19022,7 @@ index 4381c618f1..3026a0619f 100644 goto cleanup; } -@@ -6203,12 +6206,14 @@ dp_netdev_run_meter(struct dp_netdev *dp, struct dp_packet_batch *packets_, +@@ -6203,12 +6216,14 @@ dp_netdev_run_meter(struct dp_netdev *dp, struct dp_packet_batch *packets_, /* Update all bands and find the one hit with the highest rate for each * packet (if any). */ for (int m = 0; m < meter->n_bands; ++m) { @@ -19031,7 +19041,7 @@ index 4381c618f1..3026a0619f 100644 } /* Drain the bucket for all the packets, if possible. */ -@@ -6226,8 +6231,8 @@ dp_netdev_run_meter(struct dp_netdev *dp, struct dp_packet_batch *packets_, +@@ -6226,8 +6241,8 @@ dp_netdev_run_meter(struct dp_netdev *dp, struct dp_packet_batch *packets_, * (Only one band will be fired by a packet, and that * can be different for each packet.) */ for (int i = band_exceeded_pkt; i < cnt; i++) { @@ -19042,7 +19052,7 @@ index 4381c618f1..3026a0619f 100644 exceeded_band[i] = m; } } -@@ -6246,8 +6251,8 @@ dp_netdev_run_meter(struct dp_netdev *dp, struct dp_packet_batch *packets_, +@@ -6246,8 +6261,8 @@ dp_netdev_run_meter(struct dp_netdev *dp, struct dp_packet_batch *packets_, /* Update the exceeding band for the exceeding packet. * (Only one band will be fired by a packet, and that * can be different for each packet.) */ 
@@ -19053,7 +19063,7 @@ index 4381c618f1..3026a0619f 100644 exceeded_band[i] = m; } } -@@ -6329,16 +6334,14 @@ dpif_netdev_meter_set(struct dpif *dpif, ofproto_meter_id meter_id, +@@ -6329,16 +6344,14 @@ dpif_netdev_meter_set(struct dpif *dpif, ofproto_meter_id meter_id, config->bands[i].burst_size = config->bands[i].rate; } @@ -19075,7 +19085,7 @@ index 4381c618f1..3026a0619f 100644 if (band_max_delta_t > meter->max_delta_t) { meter->max_delta_t = band_max_delta_t; } -@@ -8493,6 +8496,7 @@ const struct dpif_class dpif_netdev_class = { +@@ -8493,6 +8506,7 @@ const struct dpif_class dpif_netdev_class = { NULL, /* ct_timeout_policy_dump_next */ NULL, /* ct_timeout_policy_dump_done */ dpif_netdev_ct_get_timeout_policy_name, @@ -24318,10 +24328,10 @@ index f0ad9f9793..cea48eb527 100644 import sys diff --git a/tests/tunnel-push-pop.at b/tests/tunnel-push-pop.at -index 48c5de9d19..12fc1ef910 100644 +index 48c5de9d19..6364653975 100644 --- a/tests/tunnel-push-pop.at +++ b/tests/tunnel-push-pop.at -@@ -595,6 +595,62 @@ OVS_WAIT_UNTIL([test `ovs-pcap p0.pcap | grep 50540000000a5054000000091235 | wc +@@ -595,6 +595,64 @@ OVS_WAIT_UNTIL([test `ovs-pcap p0.pcap | grep 50540000000a5054000000091235 | wc OVS_VSWITCHD_STOP AT_CLEANUP 
@@ -24358,20 +24368,22 @@ index 48c5de9d19..12fc1ef910 100644 +AT_CHECK([ovs-vsctl -- set Interface p0 options:tx_pcap=p0.pcap]) + +packet=50540000000a505400000009123 -+encap=f8bc124434b6aa55aa5500000800450000320000400040113406010102580101025c83a917c1001e00000000655800007b00 ++dnl Source port is based on a packet hash, so it may differ depending on the ++dnl compiler flags and CPU type. Masked with '....'. ++encap=f8bc124434b6aa55aa5500000800450000320000400040113406010102580101025c....17c1001e00000000655800007b00 + +dnl Output to tunnel from a int-br internal port. +dnl Checking that the packet arrived and it was correctly encapsulated. +AT_CHECK([ovs-ofctl add-flow int-br "in_port=LOCAL,actions=debug_slow,output:2"]) +AT_CHECK([ovs-appctl netdev-dummy/receive int-br "${packet}4"]) -+OVS_WAIT_UNTIL([test `ovs-pcap p0.pcap | grep "${encap}${packet}4" | wc -l` -ge 1]) ++OVS_WAIT_UNTIL([test `ovs-pcap p0.pcap | egrep "${encap}${packet}4" | wc -l` -ge 1]) +dnl Sending again to exercise the non-miss upcall path. +AT_CHECK([ovs-appctl netdev-dummy/receive int-br "${packet}4"]) -+OVS_WAIT_UNTIL([test `ovs-pcap p0.pcap | grep "${encap}${packet}4" | wc -l` -ge 2]) ++OVS_WAIT_UNTIL([test `ovs-pcap p0.pcap | egrep "${encap}${packet}4" | wc -l` -ge 2]) + +dnl Output to tunnel from the controller. +AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out int-br CONTROLLER "debug_slow,output:2" "${packet}5"]) -+OVS_WAIT_UNTIL([test `ovs-pcap p0.pcap | grep "${encap}${packet}5" | wc -l` -ge 1]) ++OVS_WAIT_UNTIL([test `ovs-pcap p0.pcap | egrep "${encap}${packet}5" | wc -l` -ge 1]) + +dnl Datapath actions should not have tunnel push action. +AT_CHECK([ovs-appctl dpctl/dump-flows | grep -q tnl_push], [1]) diff --git a/SPECS/openvswitch2.15.spec b/SPECS/openvswitch2.15.spec index 15e3057..7f4805f 100644 --- a/SPECS/openvswitch2.15.spec +++ b/SPECS/openvswitch2.15.spec 
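Review bot: The three `OVS_WAIT_UNTIL` lines switch from `grep` to `egrep`, which GNU grep documents as obsolescent and which newer releases warn about on stderr. The switch is not needed for the `....` mask, because `.` already matches any single character in a basic regular expression. Plain `grep` or `grep -E` keeps the masked match portable, e.g. `ovs-pcap p0.pcap | grep -E "${encap}${packet}4" | wc -l`. The mask accepts any four characters rather than four hex digits; that is probably fine for a pcap hex dump, but a one-line `dnl` remark saying the looseness is deliberate would help.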
@@ -57,7 +57,7 @@ Summary: Open vSwitch Group: System Environment/Daemons daemon/database/utilities URL: http://www.openvswitch.org/ Version: 2.15.0 -Release: 44%{?dist} +Release: 45%{?dist} # Nearly all of openvswitch is ASL 2.0. The bugtool is LGPLv2+, and the # lib/sflow*.[ch] files are SISSL @@ -699,6 +699,13 @@ exit 0 %endif %changelog +* Wed Oct 13 2021 Open vSwitch CI - 2.15.0-45 +- Merging upstream branch-2.15 [RH git: e273e307d1] + Commit list: + ea2ca0af16 dpif-netdev: Fix use-after-free on PACKET_OUT of IP fragments. + 9f964354e3 tunnel-push-pop.at: Mask source port in tunnel header. + + * Tue Oct 12 2021 Open vSwitch CI - 2.15.0-44 - Merging upstream branch-2.15 [RH git: 3050e5222d] Commit list: