diff --git a/SOURCES/openvswitch-2.15.0.patch b/SOURCES/openvswitch-2.15.0.patch index 5a3e1af..f1bae5a 100644 --- a/SOURCES/openvswitch-2.15.0.patch +++ b/SOURCES/openvswitch-2.15.0.patch @@ -19201,7 +19201,7 @@ index 6f7b610a99..fd0127ed17 100644 dst->allocated = dst->length; dst->string = xmalloc(dst->allocated + 1); diff --git a/lib/ipf.c b/lib/ipf.c -index c20bcc0b33..9c83f1913a 100644 +index c20bcc0b33..24325a638d 100644 --- a/lib/ipf.c +++ b/lib/ipf.c @@ -93,7 +93,6 @@ struct ipf_frag { 
@@ -19263,7 +19263,102 @@ index c20bcc0b33..9c83f1913a 100644 dp_packet_batch_refill(pb, pkt, pb_idx); } ovs_mutex_unlock(&ipf->ipf_lock); -@@ -1338,9 +1333,7 @@ ipf_destroy(struct ipf *ipf) +@@ -1154,52 +1149,56 @@ ipf_post_execute_reass_pkts(struct ipf *ipf, + * NETDEV_MAX_BURST. */ + DP_PACKET_BATCH_REFILL_FOR_EACH (pb_idx, pb_cnt, pkt, pb) { + if (rp && pkt == rp->list->reass_execute_ctx) { ++ const struct ipf_frag *frag_0 = &rp->list->frag_list[0]; ++ void *l4_frag = dp_packet_l4(frag_0->pkt); ++ void *l4_reass = dp_packet_l4(pkt); ++ memcpy(l4_frag, l4_reass, dp_packet_l4_size(frag_0->pkt)); ++ + for (int i = 0; i <= rp->list->last_inuse_idx; i++) { +- rp->list->frag_list[i].pkt->md.ct_label = pkt->md.ct_label; +- rp->list->frag_list[i].pkt->md.ct_mark = pkt->md.ct_mark; +- rp->list->frag_list[i].pkt->md.ct_state = pkt->md.ct_state; +- rp->list->frag_list[i].pkt->md.ct_zone = pkt->md.ct_zone; +- rp->list->frag_list[i].pkt->md.ct_orig_tuple_ipv6 = ++ const struct ipf_frag *frag_i = &rp->list->frag_list[i]; ++ ++ frag_i->pkt->md.ct_label = pkt->md.ct_label; ++ frag_i->pkt->md.ct_mark = pkt->md.ct_mark; ++ frag_i->pkt->md.ct_state = pkt->md.ct_state; ++ frag_i->pkt->md.ct_zone = pkt->md.ct_zone; ++ frag_i->pkt->md.ct_orig_tuple_ipv6 = + pkt->md.ct_orig_tuple_ipv6; + if (pkt->md.ct_orig_tuple_ipv6) { +- rp->list->frag_list[i].pkt->md.ct_orig_tuple.ipv6 = ++ frag_i->pkt->md.ct_orig_tuple.ipv6 = + pkt->md.ct_orig_tuple.ipv6; + } else { +- rp->list->frag_list[i].pkt->md.ct_orig_tuple.ipv4 = ++ frag_i->pkt->md.ct_orig_tuple.ipv4 = + pkt->md.ct_orig_tuple.ipv4; + } +- } +- +- const struct ipf_frag *frag_0 = &rp->list->frag_list[0]; +- void *l4_frag = dp_packet_l4(frag_0->pkt); +- void *l4_reass = dp_packet_l4(pkt); +- memcpy(l4_frag, l4_reass, dp_packet_l4_size(frag_0->pkt)); +- +- if (v6) { +- struct ovs_16aligned_ip6_hdr *l3_frag +- = dp_packet_l3(frag_0->pkt); +- struct ovs_16aligned_ip6_hdr *l3_reass = dp_packet_l3(pkt); +- l3_frag->ip6_src = l3_reass->ip6_src; +- 
l3_frag->ip6_dst = l3_reass->ip6_dst; +- } else { +- struct ip_header *l3_frag = dp_packet_l3(frag_0->pkt); +- struct ip_header *l3_reass = dp_packet_l3(pkt); +- if (!dp_packet_hwol_is_ipv4(frag_0->pkt)) { +- ovs_be32 reass_ip = +- get_16aligned_be32(&l3_reass->ip_src); +- ovs_be32 frag_ip = +- get_16aligned_be32(&l3_frag->ip_src); +- +- l3_frag->ip_csum = recalc_csum32(l3_frag->ip_csum, +- frag_ip, reass_ip); +- reass_ip = get_16aligned_be32(&l3_reass->ip_dst); +- frag_ip = get_16aligned_be32(&l3_frag->ip_dst); +- l3_frag->ip_csum = recalc_csum32(l3_frag->ip_csum, +- frag_ip, reass_ip); ++ if (v6) { ++ struct ovs_16aligned_ip6_hdr *l3_frag ++ = dp_packet_l3(frag_i->pkt); ++ struct ovs_16aligned_ip6_hdr *l3_reass ++ = dp_packet_l3(pkt); ++ l3_frag->ip6_src = l3_reass->ip6_src; ++ l3_frag->ip6_dst = l3_reass->ip6_dst; ++ } else { ++ struct ip_header *l3_frag = dp_packet_l3(frag_i->pkt); ++ struct ip_header *l3_reass = dp_packet_l3(pkt); ++ if (!dp_packet_hwol_is_ipv4(frag_i->pkt)) { ++ ovs_be32 reass_ip = ++ get_16aligned_be32(&l3_reass->ip_src); ++ ovs_be32 frag_ip = ++ get_16aligned_be32(&l3_frag->ip_src); ++ ++ l3_frag->ip_csum = recalc_csum32(l3_frag->ip_csum, ++ frag_ip, ++ reass_ip); ++ reass_ip = get_16aligned_be32(&l3_reass->ip_dst); ++ frag_ip = get_16aligned_be32(&l3_frag->ip_dst); ++ l3_frag->ip_csum = recalc_csum32(l3_frag->ip_csum, ++ frag_ip, ++ reass_ip); ++ } ++ ++ l3_frag->ip_src = l3_reass->ip_src; ++ l3_frag->ip_dst = l3_reass->ip_dst; + } +- +- l3_frag->ip_src = l3_reass->ip_src; +- l3_frag->ip_dst = l3_reass->ip_dst; + } + + ipf_completed_list_add(&ipf->frag_complete_list, rp->list); +@@ -1338,9 +1337,7 @@ ipf_destroy(struct ipf *ipf) while (ipf_list->last_sent_idx < ipf_list->last_inuse_idx) { struct dp_packet *pkt = ipf_list->frag_list[ipf_list->last_sent_idx + 1].pkt; 
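Review bot: The loop body added to ipf_post_execute_reass_pkts() now rewrites the L3 source and destination of every fragment through `frag_i`, but nothing in the code says why; the reason appears only in the commit title ("Fix only nat the first fragment in the reass process"). A comment above the `if (v6)` block would keep it visible, for example `/* The reassembled packet may have been NATed; propagate its addresses to every fragment, not just the first. */`. The `memcpy()` hoisted above the loop also passes the results of `dp_packet_l4(frag_0->pkt)` and `dp_packet_l4(pkt)` straight through without a NULL check. That presumably relies on fragment validation done earlier in ipf.c, outside this hunk, and the assumption is worth stating next to the copy. The function starts and ends outside the hunk.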
@@ -19315,10 +19410,57 @@ index d75d66b863..ba096dd0c8 100644 void jsonrpc_session_set_max_backoff(struct jsonrpc_session *, int max_backoff); +diff --git a/lib/netdev-dpdk.c b/lib/netdev-dpdk.c +index 9d8096668e..6699c383e6 100644 +--- a/lib/netdev-dpdk.c ++++ b/lib/netdev-dpdk.c +@@ -961,14 +961,6 @@ dpdk_eth_dev_port_config(struct netdev_dpdk *dev, int n_rxq, int n_txq) + + rte_eth_dev_info_get(dev->port_id, &info); + +- /* As of DPDK 19.11, it is not allowed to set a mq_mode for +- * virtio PMD driver. */ +- if (!strcmp(info.driver_name, "net_virtio")) { +- conf.rxmode.mq_mode = ETH_MQ_RX_NONE; +- } else { +- conf.rxmode.mq_mode = ETH_MQ_RX_RSS; +- } +- + /* As of DPDK 17.11.1 a few PMDs require to explicitly enable + * scatter to support jumbo RX. + * Setting scatter for the device is done after checking for +@@ -1000,6 +992,11 @@ dpdk_eth_dev_port_config(struct netdev_dpdk *dev, int n_rxq, int n_txq) + /* Limit configured rss hash functions to only those supported + * by the eth device. */ + conf.rx_adv_conf.rss_conf.rss_hf &= info.flow_type_rss_offloads; ++ if (conf.rx_adv_conf.rss_conf.rss_hf == 0) { ++ conf.rxmode.mq_mode = ETH_MQ_RX_NONE; ++ } else { ++ conf.rxmode.mq_mode = ETH_MQ_RX_RSS; ++ } + + /* A device may report more queues than it makes available (this has + * been observed for Intel xl710, which reserves some of them for diff --git a/lib/netdev-linux.c b/lib/netdev-linux.c -index 6be23dbeed..0ab511b60d 100644 +index 6be23dbeed..97b0d18781 100644 --- a/lib/netdev-linux.c +++ b/lib/netdev-linux.c +@@ -625,6 +625,7 @@ netdev_linux_notify_sock(void) + if (!error) { + size_t i; + ++ nl_sock_listen_all_nsid(sock, true); + for (i = 0; i < ARRAY_SIZE(mcgroups); i++) { + error = nl_sock_join_mcgroup(sock, mcgroups[i]); + if (error) { +@@ -634,7 +635,6 @@ netdev_linux_notify_sock(void) + } + } + } +- nl_sock_listen_all_nsid(sock, true); + ovsthread_once_done(&once); + } + 
@@ -672,7 +672,9 @@ netdev_linux_update_lag(struct rtnetlink_change *change) uint32_t block_id; int error = 0; @@ -19751,9 +19893,18 @@ index 47077e9478..5cb96fa6ec 100644 } else { txn->error = 0; diff --git a/lib/odp-util.c b/lib/odp-util.c -index a8598d52af..e1199d1da6 100644 +index a8598d52af..ec25976d67 100644 --- a/lib/odp-util.c +++ b/lib/odp-util.c +@@ -2937,7 +2937,7 @@ odp_nsh_key_from_attr__(const struct nlattr *attr, bool is_mask, + const struct ovs_nsh_key_md1 *md1 = nl_attr_get(a); + has_md1 = true; + memcpy(nsh->context, md1->context, sizeof md1->context); +- if (len == 2 * sizeof(*md1)) { ++ if (nsh_mask && (len == 2 * sizeof *md1)) { + const struct ovs_nsh_key_md1 *md1_mask = md1 + 1; + memcpy(nsh_mask->context, md1_mask->context, + sizeof(*md1_mask)); @@ -3189,17 +3189,17 @@ tun_key_to_attr(struct ofpbuf *a, const struct flow_tnl *tun_key, if ((!tnl_type || !strcmp(tnl_type, "erspan") || !strcmp(tnl_type, "ip6erspan")) && @@ -19780,6 +19931,15 @@ index a8598d52af..e1199d1da6 100644 } if ((!tnl_type || !strcmp(tnl_type, "gtpu")) && +@@ -4614,7 +4614,7 @@ odp_flow_format(const struct nlattr *key, size_t key_len, + } + ds_put_char(ds, ')'); + } +- if (!has_ethtype_key) { ++ if (!has_ethtype_key && mask) { + const struct nlattr *ma = nl_attr_find__(mask, mask_len, + OVS_KEY_ATTR_ETHERTYPE); + if (ma) { diff --git a/lib/ofp-actions.c b/lib/ofp-actions.c index e2e829772a..6fb3da5074 100644 --- a/lib/ofp-actions.c 
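Review bot: The new `if (conf.rx_adv_conf.rss_conf.rss_hf == 0)` branch in dpdk_eth_dev_port_config() replaces a commented special case with an uncommented one, so the reason `mq_mode` now depends on the masked hash set is lost. The deleted comment recorded that setting an mq_mode is not allowed for the virtio PMD as of DPDK 19.11. A line above the new `if` would preserve that, for example `/* No RSS hash function supported by the device (e.g. virtio): do not request RSS mq_mode. */`. In the netdev_linux_notify_sock() part of the same hunk, the result of `nl_sock_listen_all_nsid(sock, true)` is still not checked after the move; if that is deliberately best-effort, a short comment saying so would help. Both functions continue outside the hunk.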
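Review bot: Inside the newly guarded branch of odp_nsh_key_from_attr__(), the mask copy is sized with `sizeof(*md1_mask)` although its destination is `nsh_mask->context`, while the key copy two lines earlier uses `sizeof md1->context`. The two sizes agree only if struct ovs_nsh_key_md1 holds nothing but the context array, and its definition is not visible in this hunk. Sizing by the field, `memcpy(nsh_mask->context, md1_mask->context, sizeof md1_mask->context);`, would match the preceding copy and stay bounded if the struct ever gains a member. The function body starts and ends outside the hunk.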
@@ -20304,6 +20464,18 @@ index 05bb48d66c..d93483245e 100644 const struct ovsdb_idl_row *ovsdb_idl_track_get_first( const struct ovsdb_idl *, const struct ovsdb_idl_table_class *); const struct ovsdb_idl_row *ovsdb_idl_track_get_next(const struct ovsdb_idl_row *); +diff --git a/lib/pcap-file.c b/lib/pcap-file.c +index f0cac8e0fa..7f5561f827 100644 +--- a/lib/pcap-file.c ++++ b/lib/pcap-file.c +@@ -89,6 +89,7 @@ ovs_pcap_open(const char *file_name, const char *mode) + : mode[0] == 'w' ? "writing" + : "appending"), + ovs_strerror(errno)); ++ free(p_file); + return NULL; + } + diff --git a/lib/tc.c b/lib/tc.c index 3192207984..2eb271d621 100644 --- a/lib/tc.c @@ -23214,7 +23386,7 @@ index 4f601ef939..c8e4c68fae 100644 +OVS_TRAFFIC_VSWITCHD_STOP +AT_CLEANUP diff --git a/tests/system-traffic.at b/tests/system-traffic.at -index fb5b9a36d2..ef0c199155 100644 +index fb5b9a36d2..bc203c1cce 100644 --- a/tests/system-traffic.at +++ b/tests/system-traffic.at @@ -574,6 +574,60 @@ NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PI 
@@ -23278,7 +23450,54 @@ index fb5b9a36d2..ef0c199155 100644 AT_SETUP([datapath - flow resume with geneve tun_metadata]) OVS_CHECK_GENEVE() -@@ -4433,6 +4487,52 @@ tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),reply=(src= +@@ -3251,6 +3305,46 @@ NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING + OVS_TRAFFIC_VSWITCHD_STOP + AT_CLEANUP + ++AT_SETUP([conntrack - IPv4 Fragmentation + NAT]) ++AT_SKIP_IF([test $HAVE_TCPDUMP = no]) ++CHECK_CONNTRACK() ++ ++OVS_TRAFFIC_VSWITCHD_START( ++ [set-fail-mode br0 secure -- ]) ++ ++ADD_NAMESPACES(at_ns0, at_ns1) ++ ++ADD_VETH(p0, at_ns0, br0, "10.2.1.1/24") ++ADD_VETH(p1, at_ns1, br0, "10.2.1.2/24") ++ ++dnl Create a dummy route for NAT ++NS_CHECK_EXEC([at_ns1], [ip addr add 10.1.1.2/32 dev lo]) ++NS_CHECK_EXEC([at_ns0], [ip route add 10.1.1.0/24 via 10.2.1.2]) ++NS_CHECK_EXEC([at_ns1], [ip route add 10.1.1.0/24 via 10.2.1.1]) ++ ++dnl Solely for debugging when things go wrong ++NS_EXEC([at_ns0], [tcpdump -l -n -xx -U -i p0 -w p0.pcap >tcpdump.out 2>/dev/null &]) ++NS_EXEC([at_ns1], [tcpdump -l -n -xx -U -i p1 -w p1.pcap >tcpdump.out 2>/dev/null &]) ++ ++AT_DATA([flows.txt], [dnl ++table=0,arp,actions=normal ++table=0,ct_state=-trk,ip,in_port=ovs-p0, actions=ct(table=1, nat) ++table=0,ct_state=-trk,ip,in_port=ovs-p1, actions=ct(table=1, nat) ++table=1,ct_state=+trk+new,ip,in_port=ovs-p0, actions=ct(commit, nat(src=10.1.1.1)),ovs-p1 ++table=1,ct_state=+trk+est,ip,in_port=ovs-p0, actions=ovs-p1 ++table=1,ct_state=+trk+est,ip,in_port=ovs-p1, actions=ovs-p0 ++]) ++ ++AT_CHECK([ovs-ofctl add-flows br0 flows.txt]) ++ ++dnl Check connectivity ++NS_CHECK_EXEC([at_ns0], [ping -c 1 10.1.1.2 -M dont -s 4500 | FORMAT_PING], [0], [dnl ++1 packets transmitted, 1 received, 0% packet loss, time 0ms ++]) ++ ++OVS_TRAFFIC_VSWITCHD_STOP ++AT_CLEANUP ++ + AT_SETUP([conntrack - resubmit to ct multiple times]) + CHECK_CONNTRACK() + +@@ -4433,6 +4527,52 @@ 
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),reply=(src= OVS_TRAFFIC_VSWITCHD_STOP AT_CLEANUP @@ -23331,7 +23550,7 @@ index fb5b9a36d2..ef0c199155 100644 AT_SETUP([conntrack - simple DNAT]) CHECK_CONNTRACK() CHECK_CONNTRACK_NAT() -@@ -4488,6 +4588,41 @@ tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),reply=(src= +@@ -4488,6 +4628,41 @@ tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),reply=(src= OVS_TRAFFIC_VSWITCHD_STOP AT_CLEANUP diff --git a/SPECS/openvswitch2.15.spec b/SPECS/openvswitch2.15.spec index 61379b9..93bce86 100644 --- a/SPECS/openvswitch2.15.spec +++ b/SPECS/openvswitch2.15.spec @@ -57,7 +57,7 @@ Summary: Open vSwitch Group: System Environment/Daemons daemon/database/utilities URL: http://www.openvswitch.org/ Version: 2.15.0 -Release: 38%{?dist} +Release: 39%{?dist} # Nearly all of openvswitch is ASL 2.0. The bugtool is LGPLv2+, and the # lib/sflow*.[ch] files are SISSL @@ -697,6 +697,17 @@ exit 0 %endif %changelog +* Thu Sep 16 2021 Open vSwitch CI - 2.15.0-39 +- Merging upstream branch-2.15 [RH git: c6bdfa8cc1] + Commit list: + 7788f15798 netdev-linux: Fix a null pointer dereference in netdev_linux_notify_sock(). + dd32deba6e pcap-file: Fix memory leak in ovs_pcap_open(). + 9f2f66c8ea odp-util: Fix a null pointer dereference in odp_flow_format(). + 02b0c265c4 odp-util: Fix a null pointer dereference in odp_nsh_key_from_attr__(). + 031eff4563 netdev-dpdk: Fix RSS configuration for virtio. + 09cd9570d2 ipf: Fix only nat the first fragment in the reass process. + + * Wed Sep 15 2021 Timothy Redaelli - 2.15.0-38 - ofproto-dpif-xlate: Avoid successive ct_clear datapath actions. [RH git: f9a9ac7608] (#1941027) Due to flow lookup optimizations, especially in the resubmit/clone cases,
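Review bot: The new "conntrack - IPv4 Fragmentation + NAT" test is gated on `AT_SKIP_IF([test $HAVE_TCPDUMP = no])`, yet its own comment says tcpdump is there solely for debugging and the only assertion is the ping result. On hosts without tcpdump the regression test for the ipf NAT fix is therefore skipped without exercising the fixed path. Consider dropping the skip and starting the captures only when tcpdump is available. Both capture commands also redirect stdout to the same `tcpdump.out`, so the two outputs collide; distinct names such as `tcpdump_p0.out` and `tcpdump_p1.out` would avoid that. Only IPv4 is covered here, although the accompanying ipf.c change also moves the `v6` address rewrite into the per-fragment loop.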