diff --git a/SOURCES/openvswitch-2.13.0.patch b/SOURCES/openvswitch-2.13.0.patch
index 323bfd3..b2dffa5 100644
--- a/SOURCES/openvswitch-2.13.0.patch
+++ b/SOURCES/openvswitch-2.13.0.patch
@@ -80892,7 +80892,7 @@ index 68c33a0f96..9b251f81fa 100644
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
diff --git a/lib/dpif-netdev.c b/lib/dpif-netdev.c
-index d393aab5e3..2fb0d418b1 100644
+index d393aab5e3..a73102ea98 100644
--- a/lib/dpif-netdev.c
+++ b/lib/dpif-netdev.c
@@ -83,9 +83,9 @@
@@ -81201,22 +81201,32 @@ index d393aab5e3..2fb0d418b1 100644
dp_netdev_execute_actions(pmd, &pp, false, execute->flow,
execute->actions, execute->actions_len);
dp_netdev_pmd_flush_output_packets(pmd, true);
-@@ -3841,6 +3944,14 @@ dpif_netdev_execute(struct dpif *dpif, struct dpif_execute *execute)
+@@ -3841,6 +3944,24 @@ dpif_netdev_execute(struct dpif *dpif, struct dpif_execute *execute)
dp_netdev_pmd_unref(pmd);
}
-+ if (dp_packet_batch_size(&pp)) {
++ if (dp_packet_batch_size(&pp) == 1) {
+ /* Packet wasn't dropped during the execution. Swapping content with
+ * the original packet, because the caller might expect actions to
-+ * modify it. */
-+ dp_packet_swap(execute->packet, packet_clone);
++ * modify it. Uisng the packet from a batch instead of 'packet_clone'
++ * because it maybe stolen and replaced by other packet, e.g. by
++ * the fragmentation engine. */
++ dp_packet_swap(execute->packet, pp.packets[0]);
++ dp_packet_delete_batch(&pp, true);
++ } else if (dp_packet_batch_size(&pp)) {
++ /* FIXME: We have more packets than expected. Likely, we got IP
++ * fragments of the reassembled packet. Dropping them here as we have
++ * no way to get them to the caller. It might be that all the required
++ * actions with them are already executed, but it also might not be a
++ * case, e.g. if dpif_netdev_execute() called to execute a single
++ * tunnel push. */
+ dp_packet_delete_batch(&pp, true);
+ }
+
return 0;
}
-@@ -3875,11 +3986,12 @@ dpif_netdev_operate(struct dpif *dpif, struct dpif_op **ops, size_t n_ops,
+@@ -3875,11 +3996,12 @@ dpif_netdev_operate(struct dpif *dpif, struct dpif_op **ops, size_t n_ops,
/* Enable or Disable PMD auto load balancing. */
static void
@@ -81230,7 +81240,7 @@ index d393aab5e3..2fb0d418b1 100644
bool enable_alb = false;
bool multi_rxq = false;
-@@ -3906,18 +4018,24 @@ set_pmd_auto_lb(struct dp_netdev *dp)
+@@ -3906,18 +4028,24 @@ set_pmd_auto_lb(struct dp_netdev *dp)
enable_alb = enable_alb && pmd_rxq_assign_cyc &&
pmd_alb->auto_lb_requested;
@@ -81259,7 +81269,7 @@ index d393aab5e3..2fb0d418b1 100644
}
/* Applies datapath configuration from the database. Some of the changes are
-@@ -3935,6 +4053,9 @@ dpif_netdev_set_config(struct dpif *dpif, const struct smap *other_config)
+@@ -3935,6 +4063,9 @@ dpif_netdev_set_config(struct dpif *dpif, const struct smap *other_config)
uint32_t insert_min, cur_min;
uint32_t tx_flush_interval, cur_tx_flush_interval;
uint64_t rebalance_intvl;
@@ -81269,7 +81279,7 @@ index d393aab5e3..2fb0d418b1 100644
tx_flush_interval = smap_get_int(other_config, "tx-flush-interval",
DEFAULT_TX_FLUSH_INTERVAL);
-@@ -4012,7 +4133,7 @@ dpif_netdev_set_config(struct dpif *dpif, const struct smap *other_config)
+@@ -4012,7 +4143,7 @@ dpif_netdev_set_config(struct dpif *dpif, const struct smap *other_config)
false);
rebalance_intvl = smap_get_int(other_config, "pmd-auto-lb-rebal-interval",
@@ -81278,7 +81288,7 @@ index d393aab5e3..2fb0d418b1 100644
/* Input is in min, convert it to msec. */
rebalance_intvl =
-@@ -4020,9 +4141,38 @@ dpif_netdev_set_config(struct dpif *dpif, const struct smap *other_config)
+@@ -4020,9 +4151,38 @@ dpif_netdev_set_config(struct dpif *dpif, const struct smap *other_config)
if (pmd_alb->rebalance_intvl != rebalance_intvl) {
pmd_alb->rebalance_intvl = rebalance_intvl;
@@ -81320,7 +81330,7 @@ index d393aab5e3..2fb0d418b1 100644
return 0;
}
-@@ -4493,6 +4643,12 @@ struct rr_numa {
+@@ -4493,6 +4653,12 @@ struct rr_numa {
bool idx_inc;
};
@@ -81333,7 +81343,7 @@ index d393aab5e3..2fb0d418b1 100644
static struct rr_numa *
rr_numa_list_lookup(struct rr_numa_list *rr, int numa_id)
{
-@@ -4940,9 +5096,17 @@ reconfigure_datapath(struct dp_netdev *dp)
+@@ -4940,9 +5106,17 @@ reconfigure_datapath(struct dp_netdev *dp)
/* Check for all the ports that need reconfiguration. We cache this in
* 'port->need_reconfigure', because netdev_is_reconf_required() can
@@ -81353,7 +81363,7 @@ index d393aab5e3..2fb0d418b1 100644
port->need_reconfigure = true;
}
}
-@@ -5076,7 +5240,7 @@ reconfigure_datapath(struct dp_netdev *dp)
+@@ -5076,7 +5250,7 @@ reconfigure_datapath(struct dp_netdev *dp)
reload_affected_pmds(dp);
/* Check if PMD Auto LB is to be enabled */
@@ -81362,7 +81372,7 @@ index d393aab5e3..2fb0d418b1 100644
}
/* Returns true if one of the netdevs in 'dp' requires a reconfiguration */
-@@ -5189,10 +5353,17 @@ get_dry_run_variance(struct dp_netdev *dp, uint32_t *core_list,
+@@ -5189,10 +5363,17 @@ get_dry_run_variance(struct dp_netdev *dp, uint32_t *core_list,
for (int i = 0; i < n_rxqs; i++) {
int numa_id = netdev_get_numa_id(rxqs[i]->port->netdev);
numa = rr_numa_list_lookup(&rr, numa_id);
@@ -81383,7 +81393,7 @@ index d393aab5e3..2fb0d418b1 100644
goto cleanup;
}
-@@ -5320,7 +5491,7 @@ pmd_rebalance_dry_run(struct dp_netdev *dp)
+@@ -5320,7 +5501,7 @@ pmd_rebalance_dry_run(struct dp_netdev *dp)
improvement =
((curr_variance - new_variance) * 100) / curr_variance;
}
@@ -81392,7 +81402,7 @@ index d393aab5e3..2fb0d418b1 100644
ret = false;
}
}
-@@ -5787,12 +5958,14 @@ dp_netdev_run_meter(struct dp_netdev *dp, struct dp_packet_batch *packets_,
+@@ -5787,12 +5968,14 @@ dp_netdev_run_meter(struct dp_netdev *dp, struct dp_packet_batch *packets_,
/* Update all bands and find the one hit with the highest rate for each
* packet (if any). */
for (int m = 0; m < meter->n_bands; ++m) {
@@ -81411,7 +81421,7 @@ index d393aab5e3..2fb0d418b1 100644
}
/* Drain the bucket for all the packets, if possible. */
-@@ -5810,8 +5983,8 @@ dp_netdev_run_meter(struct dp_netdev *dp, struct dp_packet_batch *packets_,
+@@ -5810,8 +5993,8 @@ dp_netdev_run_meter(struct dp_netdev *dp, struct dp_packet_batch *packets_,
* (Only one band will be fired by a packet, and that
* can be different for each packet.) */
for (int i = band_exceeded_pkt; i < cnt; i++) {
@@ -81422,7 +81432,7 @@ index d393aab5e3..2fb0d418b1 100644
exceeded_band[i] = m;
}
}
-@@ -5830,8 +6003,8 @@ dp_netdev_run_meter(struct dp_netdev *dp, struct dp_packet_batch *packets_,
+@@ -5830,8 +6013,8 @@ dp_netdev_run_meter(struct dp_netdev *dp, struct dp_packet_batch *packets_,
/* Update the exceeding band for the exceeding packet.
* (Only one band will be fired by a packet, and that
* can be different for each packet.) */
@@ -81433,7 +81443,7 @@ index d393aab5e3..2fb0d418b1 100644
exceeded_band[i] = m;
}
}
-@@ -5913,16 +6086,14 @@ dpif_netdev_meter_set(struct dpif *dpif, ofproto_meter_id meter_id,
+@@ -5913,16 +6096,14 @@ dpif_netdev_meter_set(struct dpif *dpif, ofproto_meter_id meter_id,
config->bands[i].burst_size = config->bands[i].rate;
}
@@ -81455,7 +81465,7 @@ index d393aab5e3..2fb0d418b1 100644
if (band_max_delta_t > meter->max_delta_t) {
meter->max_delta_t = band_max_delta_t;
}
-@@ -7800,6 +7971,7 @@ const struct dpif_class dpif_netdev_class = {
+@@ -7800,6 +7981,7 @@ const struct dpif_class dpif_netdev_class = {
NULL, /* ct_timeout_policy_dump_next */
NULL, /* ct_timeout_policy_dump_done */
NULL, /* ct_get_timeout_policy_name */
@@ -81463,7 +81473,7 @@ index d393aab5e3..2fb0d418b1 100644
dpif_netdev_ipf_set_enabled,
dpif_netdev_ipf_set_min_frag,
dpif_netdev_ipf_set_max_nfrags,
-@@ -8040,6 +8212,7 @@ dp_netdev_pmd_try_optimize(struct dp_netdev_pmd_thread *pmd,
+@@ -8040,6 +8222,7 @@ dp_netdev_pmd_try_optimize(struct dp_netdev_pmd_thread *pmd,
if (pmd->ctx.now > pmd->rxq_next_cycle_store) {
uint64_t curr_tsc;
@@ -81471,7 +81481,7 @@ index d393aab5e3..2fb0d418b1 100644
struct pmd_auto_lb *pmd_alb = &pmd->dp->pmd_alb;
if (pmd_alb->is_enabled && !pmd->isolated
&& (pmd->perf_stats.counters.n[PMD_CYCLES_ITER_IDLE] >=
-@@ -8056,7 +8229,9 @@ dp_netdev_pmd_try_optimize(struct dp_netdev_pmd_thread *pmd,
+@@ -8056,7 +8239,9 @@ dp_netdev_pmd_try_optimize(struct dp_netdev_pmd_thread *pmd,
pmd_load = ((tot_proc * 100) / (tot_idle + tot_proc));
}
@@ -91139,10 +91149,10 @@ index 4af44200e8..68ce2c5442 100644
return (error || !stream) ? 1 : 0;
}
diff --git a/tests/tunnel-push-pop.at b/tests/tunnel-push-pop.at
-index b92c23fde8..9feb1c5fec 100644
+index b92c23fde8..320ae5c9c2 100644
--- a/tests/tunnel-push-pop.at
+++ b/tests/tunnel-push-pop.at
-@@ -573,6 +573,62 @@ OVS_WAIT_UNTIL([test `ovs-pcap p0.pcap | grep 50540000000a5054000000091235 | wc
+@@ -573,6 +573,64 @@ OVS_WAIT_UNTIL([test `ovs-pcap p0.pcap | grep 50540000000a5054000000091235 | wc
OVS_VSWITCHD_STOP
AT_CLEANUP
@@ -91179,20 +91189,22 @@ index b92c23fde8..9feb1c5fec 100644
+AT_CHECK([ovs-vsctl -- set Interface p0 options:tx_pcap=p0.pcap])
+
+packet=50540000000a505400000009123
-+encap=f8bc124434b6aa55aa5500000800450000320000400040113406010102580101025c83a917c1001e00000000655800007b00
++dnl Source port is based on a packet hash, so it may differ depending on the
++dnl compiler flags and CPU type. Masked with '....'.
++encap=f8bc124434b6aa55aa5500000800450000320000400040113406010102580101025c....17c1001e00000000655800007b00
+
+dnl Output to tunnel from a int-br internal port.
+dnl Checking that the packet arrived and it was correctly encapsulated.
+AT_CHECK([ovs-ofctl add-flow int-br "in_port=LOCAL,actions=debug_slow,output:2"])
+AT_CHECK([ovs-appctl netdev-dummy/receive int-br "${packet}4"])
-+OVS_WAIT_UNTIL([test `ovs-pcap p0.pcap | grep "${encap}${packet}4" | wc -l` -ge 1])
++OVS_WAIT_UNTIL([test `ovs-pcap p0.pcap | egrep "${encap}${packet}4" | wc -l` -ge 1])
+dnl Sending again to exercise the non-miss upcall path.
+AT_CHECK([ovs-appctl netdev-dummy/receive int-br "${packet}4"])
-+OVS_WAIT_UNTIL([test `ovs-pcap p0.pcap | grep "${encap}${packet}4" | wc -l` -ge 2])
++OVS_WAIT_UNTIL([test `ovs-pcap p0.pcap | egrep "${encap}${packet}4" | wc -l` -ge 2])
+
+dnl Output to tunnel from the controller.
+AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out int-br CONTROLLER "debug_slow,output:2" "${packet}5"])
-+OVS_WAIT_UNTIL([test `ovs-pcap p0.pcap | grep "${encap}${packet}5" | wc -l` -ge 1])
++OVS_WAIT_UNTIL([test `ovs-pcap p0.pcap | egrep "${encap}${packet}5" | wc -l` -ge 1])
+
+dnl Datapath actions should not have tunnel push action.
+AT_CHECK([ovs-appctl dpctl/dump-flows | grep -q tnl_push], [1])
diff --git a/SPECS/openvswitch2.13.spec b/SPECS/openvswitch2.13.spec
index e1d1384..b1fad2f 100644
--- a/SPECS/openvswitch2.13.spec
+++ b/SPECS/openvswitch2.13.spec
@@ -59,7 +59,7 @@ Summary: Open vSwitch
Group: System Environment/Daemons daemon/database/utilities
URL: http://www.openvswitch.org/
Version: 2.13.0
-Release: 129%{?commit0:.%{date}git%{shortcommit0}}%{?commit1:dpdk%{shortcommit1}}%{?dist}
+Release: 130%{?commit0:.%{date}git%{shortcommit0}}%{?commit1:dpdk%{shortcommit1}}%{?dist}
# Nearly all of openvswitch is ASL 2.0. The bugtool is LGPLv2+, and the
# lib/sflow*.[ch] files are SISSL
@@ -712,6 +712,13 @@ exit 0
%endif
%changelog
+* Wed Oct 13 2021 Open vSwitch CI <ovs-ci@redhat.com> - 2.13.0-130
+- Merging upstream branch-2.13 [RH git: beb8cdaec6]
+ Commit list:
+ ceb395773d dpif-netdev: Fix use-after-free on PACKET_OUT of IP fragments.
+ fed4df9bb7 tunnel-push-pop.at: Mask source port in tunnel header.
+
+
* Tue Oct 12 2021 Open vSwitch CI <ovs-ci@redhat.com> - 2.13.0-129
- Merging upstream branch-2.13 [RH git: fc819dabd3]
Commit list: