diff --git a/SOURCES/openvswitch-2.16.0.patch b/SOURCES/openvswitch-2.16.0.patch index b623fd2..90a8946 100644 --- a/SOURCES/openvswitch-2.16.0.patch +++ b/SOURCES/openvswitch-2.16.0.patch @@ -87438,10 +87438,18 @@ index 114aff8ea3..0fc6d2ea60 100644 enum xc_type type; union { diff --git a/ofproto/ofproto-dpif-xlate.c b/ofproto/ofproto-dpif-xlate.c -index a426fcfeb6..e44e25e590 100644 +index a426fcfeb6..50cb204050 100644 --- a/ofproto/ofproto-dpif-xlate.c +++ b/ofproto/ofproto-dpif-xlate.c -@@ -460,7 +460,7 @@ static void xlate_commit_actions(struct xlate_ctx *ctx); +@@ -66,6 +66,7 @@ + #include "tunnel.h" + #include "util.h" + #include "uuid.h" ++#include "vlan-bitmap.h" + + COVERAGE_DEFINE(xlate_actions); + COVERAGE_DEFINE(xlate_actions_oversize); +@@ -460,7 +461,7 @@ static void xlate_commit_actions(struct xlate_ctx *ctx); static void patch_port_output(struct xlate_ctx *ctx, const struct xport *in_dev, @@ -87450,7 +87458,7 @@ index a426fcfeb6..e44e25e590 100644 static void ctx_trigger_freeze(struct xlate_ctx *ctx) -@@ -865,7 +865,7 @@ xlate_xbridge_init(struct xlate_cfg *xcfg, struct xbridge *xbridge) +@@ -865,7 +866,7 @@ xlate_xbridge_init(struct xlate_cfg *xcfg, struct xbridge *xbridge) ovs_list_init(&xbridge->xbundles); hmap_init(&xbridge->xports); hmap_insert(&xcfg->xbridges, &xbridge->hmap_node, @@ -87459,7 +87467,27 @@ index a426fcfeb6..e44e25e590 100644 } static void -@@ -1639,7 +1639,7 @@ xbridge_lookup(struct xlate_cfg *xcfg, const struct ofproto_dpif *ofproto) +@@ -1017,7 +1018,10 @@ xlate_xbundle_set(struct xbundle *xbundle, + xbundle->qinq_ethtype = qinq_ethtype; + xbundle->vlan = vlan; + xbundle->trunks = trunks; +- xbundle->cvlans = cvlans; ++ if (!vlan_bitmap_equal(xbundle->cvlans, cvlans)) { ++ free(xbundle->cvlans); ++ xbundle->cvlans = vlan_bitmap_clone(cvlans); ++ } + xbundle->use_priority_tags = use_priority_tags; + xbundle->floodable = floodable; + xbundle->protected = protected; +@@ -1369,6 +1373,7 @@ xlate_xbundle_remove(struct xlate_cfg *xcfg, struct xbundle *xbundle) + ovs_list_remove(&xbundle->list_node); + bond_unref(xbundle->bond); + lacp_unref(xbundle->lacp); ++ free(xbundle->cvlans); + free(xbundle->name); + free(xbundle); + } +@@ -1639,7 +1644,7 @@ xbridge_lookup(struct xlate_cfg *xcfg, const struct ofproto_dpif *ofproto) xbridges = &xcfg->xbridges; @@ -87468,7 +87496,7 @@ index a426fcfeb6..e44e25e590 100644 xbridges) { if (xbridge->ofproto == ofproto) { return xbridge; -@@ -1661,6 +1661,23 @@ xbridge_lookup_by_uuid(struct xlate_cfg *xcfg, const struct uuid *uuid) +@@ -1661,6 +1666,23 @@ xbridge_lookup_by_uuid(struct xlate_cfg *xcfg, const struct uuid *uuid) return NULL; } @@ -87492,7 +87520,7 @@ index a426fcfeb6..e44e25e590 100644 static struct xbundle * xbundle_lookup(struct xlate_cfg *xcfg, const struct ofbundle *ofbundle) { -@@ -2125,9 +2142,14 @@ mirror_packet(struct xlate_ctx *ctx, struct xbundle *xbundle, +@@ -2125,9 +2147,14 @@ mirror_packet(struct xlate_ctx *ctx, struct xbundle *xbundle, int snaplen; /* Get the details of the mirror represented by the rightmost 1-bit. */ @@ -87510,7 +87538,7 @@ index a426fcfeb6..e44e25e590 100644 /* If this mirror selects on the basis of VLAN, and it does not select -@@ -2444,9 +2466,18 @@ output_normal(struct xlate_ctx *ctx, const struct xbundle *out_xbundle, +@@ -2444,9 +2471,18 @@ output_normal(struct xlate_ctx *ctx, const struct xbundle *out_xbundle, /* In case recirculation is not actually in use, 'xr.recirc_id' * will be set to '0', since a valid 'recirc_id' can * not be zero. */ @@ -87532,7 +87560,7 @@ index a426fcfeb6..e44e25e590 100644 if (xr.recirc_id) { /* Use recirculation instead of output. */ use_recirc = true; -@@ -3015,7 +3046,7 @@ xlate_normal(struct xlate_ctx *ctx) +@@ -3015,7 +3051,7 @@ xlate_normal(struct xlate_ctx *ctx) bool is_grat_arp = is_gratuitous_arp(flow, wc); if (ctx->xin->allow_side_effects && flow->packet_type == htonl(PT_ETH) @@ -87541,7 +87569,7 @@ index a426fcfeb6..e44e25e590 100644 ) { update_learning_table(ctx, in_xbundle, flow->dl_src, vlan, is_grat_arp); -@@ -3024,12 +3055,14 @@ xlate_normal(struct xlate_ctx *ctx) +@@ -3024,12 +3060,14 @@ xlate_normal(struct xlate_ctx *ctx) struct xc_entry *entry; /* Save just enough info to update mac learning table later. */ @@ -87562,7 +87590,7 @@ index a426fcfeb6..e44e25e590 100644 } /* Determine output bundle. */ -@@ -3048,7 +3081,6 @@ xlate_normal(struct xlate_ctx *ctx) +@@ -3048,7 +3086,6 @@ xlate_normal(struct xlate_ctx *ctx) */ ctx->xout->slow |= SLOW_ACTION; @@ -87570,7 +87598,7 @@ index a426fcfeb6..e44e25e590 100644 if (mcast_snooping_is_membership(flow->tp_src) || mcast_snooping_is_query(flow->tp_src)) { if (ctx->xin->allow_side_effects && ctx->xin->packet) { -@@ -3272,7 +3304,9 @@ compose_ipfix_action(struct xlate_ctx *ctx, odp_port_t output_odp_port) +@@ -3272,7 +3309,9 @@ compose_ipfix_action(struct xlate_ctx *ctx, odp_port_t output_odp_port) struct dpif_ipfix *ipfix = ctx->xbridge->ipfix; odp_port_t tunnel_out_port = ODPP_NONE; @@ -87581,7 +87609,7 @@ index a426fcfeb6..e44e25e590 100644 return; } -@@ -3521,6 +3555,9 @@ propagate_tunnel_data_to_flow__(struct flow *dst_flow, +@@ -3521,6 +3560,9 @@ propagate_tunnel_data_to_flow__(struct flow *dst_flow, dst_flow->dl_dst = dmac; dst_flow->dl_src = smac; @@ -87591,7 +87619,7 @@ index a426fcfeb6..e44e25e590 100644 dst_flow->packet_type = htonl(PT_ETH); dst_flow->nw_dst = src_flow->tunnel.ip_dst; dst_flow->nw_src = src_flow->tunnel.ip_src; -@@ -3598,7 +3635,7 @@ propagate_tunnel_data_to_flow(struct xlate_ctx *ctx, struct eth_addr dmac, +@@ -3598,7 +3640,7 @@ propagate_tunnel_data_to_flow(struct xlate_ctx *ctx, struct eth_addr dmac, static int native_tunnel_output(struct xlate_ctx *ctx, const struct xport *xport, const struct flow *flow, odp_port_t tunnel_odp_port, @@ -87600,7 +87628,7 @@ index a426fcfeb6..e44e25e590 100644 { struct netdev_tnl_build_header_params tnl_params; struct ovs_action_push_tnl tnl_push_data; -@@ -3728,7 +3765,7 @@ native_tunnel_output(struct xlate_ctx *ctx, const struct xport *xport, +@@ -3728,7 +3770,7 @@ native_tunnel_output(struct xlate_ctx *ctx, const struct xport *xport, entry->tunnel_hdr.hdr_size = tnl_push_data.header_len; entry->tunnel_hdr.operation = ADD; @@ -87609,7 +87637,7 @@ index a426fcfeb6..e44e25e590 100644 /* Similar to the stats update in revalidation, the x_cache entries * are populated by the previous translation are used to update the -@@ -3822,7 +3859,7 @@ xlate_flow_is_protected(const struct xlate_ctx *ctx, const struct flow *flow, co +@@ -3822,7 +3864,7 @@ xlate_flow_is_protected(const struct xlate_ctx *ctx, const struct flow *flow, co */ static void patch_port_output(struct xlate_ctx *ctx, const struct xport *in_dev, @@ -87618,7 +87646,7 @@ index a426fcfeb6..e44e25e590 100644 { struct flow *flow = &ctx->xin->flow; struct flow old_flow = ctx->xin->flow; -@@ -3864,8 +3901,9 @@ patch_port_output(struct xlate_ctx *ctx, const struct xport *in_dev, +@@ -3864,8 +3906,9 @@ patch_port_output(struct xlate_ctx *ctx, const struct xport *in_dev, if (!process_special(ctx, out_dev) && may_receive(out_dev, ctx)) { if (xport_stp_forward_state(out_dev) && xport_rstp_forward_state(out_dev)) { @@ -87629,7 +87657,7 @@ index a426fcfeb6..e44e25e590 100644 if (!ctx->freezing) { xlate_action_set(ctx); } -@@ -3880,7 +3918,7 @@ patch_port_output(struct xlate_ctx *ctx, const struct xport *in_dev, +@@ -3880,7 +3923,7 @@ patch_port_output(struct xlate_ctx *ctx, const struct xport *in_dev, mirror_mask_t old_mirrors2 = ctx->mirrors; xlate_table_action(ctx, flow->in_port.ofp_port, 0, true, true, @@ -87638,7 +87666,7 @@ index a426fcfeb6..e44e25e590 100644 ctx->mirrors = old_mirrors2; ctx->base_flow = old_base_flow; ctx->odp_actions->size = old_size; -@@ -4097,7 +4135,21 @@ terminate_native_tunnel(struct xlate_ctx *ctx, struct flow *flow, +@@ -4097,7 +4140,21 @@ terminate_native_tunnel(struct xlate_ctx *ctx, struct flow *flow, (flow->dl_type == htons(ETH_TYPE_ARP) || flow->nw_proto == IPPROTO_ICMPV6) && is_neighbor_reply_correct(ctx, flow)) { @@ -87661,7 +87689,7 @@ index a426fcfeb6..e44e25e590 100644 } } -@@ -4107,7 +4159,7 @@ terminate_native_tunnel(struct xlate_ctx *ctx, struct flow *flow, +@@ -4107,7 +4164,7 @@ terminate_native_tunnel(struct xlate_ctx *ctx, struct flow *flow, static void compose_output_action__(struct xlate_ctx *ctx, ofp_port_t ofp_port, const struct xlate_bond_recirc *xr, bool check_stp, @@ -87670,7 +87698,7 @@ index a426fcfeb6..e44e25e590 100644 { const struct xport *xport = get_ofp_port(ctx->xbridge, ofp_port); struct flow_wildcards *wc = ctx->wc; -@@ -4137,6 +4189,10 @@ compose_output_action__(struct xlate_ctx *ctx, ofp_port_t ofp_port, +@@ -4137,6 +4194,10 @@ compose_output_action__(struct xlate_ctx *ctx, ofp_port_t ofp_port, if (xport->pt_mode == NETDEV_PT_LEGACY_L3) { flow->packet_type = PACKET_TYPE_BE(OFPHTN_ETHERTYPE, ntohs(flow->dl_type)); @@ -87681,7 +87709,7 @@ index a426fcfeb6..e44e25e590 100644 } } -@@ -4144,7 +4200,7 @@ compose_output_action__(struct xlate_ctx *ctx, ofp_port_t ofp_port, +@@ -4144,7 +4205,7 @@ compose_output_action__(struct xlate_ctx *ctx, ofp_port_t ofp_port, if (truncate) { xlate_report_error(ctx, "Cannot truncate output to patch port"); } @@ -87690,7 +87718,7 @@ index a426fcfeb6..e44e25e590 100644 return; } -@@ -4239,7 +4295,8 @@ compose_output_action__(struct xlate_ctx *ctx, ofp_port_t ofp_port, +@@ -4239,7 +4300,8 @@ compose_output_action__(struct xlate_ctx *ctx, ofp_port_t ofp_port, xr->recirc_id); } else if (is_native_tunnel) { /* Output to native tunnel port. */ @@ -87700,7 +87728,7 @@ index a426fcfeb6..e44e25e590 100644 flow->tunnel = flow_tnl; /* Restore tunnel metadata */ } else if (terminate_native_tunnel(ctx, flow, wc, -@@ -5080,6 +5137,7 @@ compose_dec_ttl(struct xlate_ctx *ctx, struct ofpact_cnt_ids *ids) +@@ -5080,6 +5142,7 @@ compose_dec_ttl(struct xlate_ctx *ctx, struct ofpact_cnt_ids *ids) } ctx->wc->masks.nw_ttl = 0xff; @@ -87708,7 +87736,7 @@ index a426fcfeb6..e44e25e590 100644 if (flow->nw_ttl > 1) { flow->nw_ttl--; return false; -@@ -6177,11 +6235,32 @@ static void +@@ -6177,11 +6240,32 @@ static void compose_conntrack_action(struct xlate_ctx *ctx, struct ofpact_conntrack *ofc, bool is_last_action) { @@ -87744,7 +87772,7 @@ index a426fcfeb6..e44e25e590 100644 /* Ensure that any prior actions are applied before composing the new * conntrack action. */ xlate_commit_actions(ctx); -@@ -6193,11 +6272,6 @@ compose_conntrack_action(struct xlate_ctx *ctx, struct ofpact_conntrack *ofc, +@@ -6193,11 +6277,6 @@ compose_conntrack_action(struct xlate_ctx *ctx, struct ofpact_conntrack *ofc, do_xlate_actions(ofc->actions, ofpact_ct_get_action_len(ofc), ctx, is_last_action, false); @@ -87756,7 +87784,7 @@ index a426fcfeb6..e44e25e590 100644 ct_offset = nl_msg_start_nested(ctx->odp_actions, OVS_ACTION_ATTR_CT); if (ofc->flags & NX_CT_F_COMMIT) { -@@ -6333,6 +6407,7 @@ xlate_check_pkt_larger(struct xlate_ctx *ctx, +@@ -6333,6 +6412,7 @@ xlate_check_pkt_larger(struct xlate_ctx *ctx, * then ctx->exit would be true. Reset to false so that we can * do flow translation for 'IF_LESS_EQUAL' case. finish_freezing() * would have taken care of Undoing the changes done for freeze. */ @@ -87764,7 +87792,7 @@ index a426fcfeb6..e44e25e590 100644 ctx->exit = false; offset_attr = nl_msg_start_nested( -@@ -6357,7 +6432,7 @@ xlate_check_pkt_larger(struct xlate_ctx *ctx, +@@ -6357,7 +6437,7 @@ xlate_check_pkt_larger(struct xlate_ctx *ctx, ctx->was_mpls = old_was_mpls; ctx->conntracked = old_conntracked; ctx->xin->flow = old_flow; @@ -87773,7 +87801,7 @@ index a426fcfeb6..e44e25e590 100644 } static void -@@ -6738,13 +6813,14 @@ do_xlate_actions(const struct ofpact *ofpacts, size_t ofpacts_len, +@@ -6738,13 +6818,14 @@ do_xlate_actions(const struct ofpact *ofpacts, size_t ofpacts_len, return; } @@ -87789,7 +87817,7 @@ index a426fcfeb6..e44e25e590 100644 if (ctx->error) { break; -@@ -6752,7 +6828,7 @@ do_xlate_actions(const struct ofpact *ofpacts, size_t ofpacts_len, +@@ -6752,7 +6833,7 @@ do_xlate_actions(const struct ofpact *ofpacts, size_t ofpacts_len, recirc_for_mpls(a, ctx); @@ -87798,7 +87826,7 @@ index a426fcfeb6..e44e25e590 100644 /* Check if need to store the remaining actions for later * execution. */ if (ctx->freezing) { -@@ -6861,6 +6937,7 @@ do_xlate_actions(const struct ofpact *ofpacts, size_t ofpacts_len, +@@ -6861,6 +6942,7 @@ do_xlate_actions(const struct ofpact *ofpacts, size_t ofpacts_len, case OFPACT_SET_IPV4_SRC: if (flow->dl_type == htons(ETH_TYPE_IP)) { memset(&wc->masks.nw_src, 0xff, sizeof wc->masks.nw_src); @@ -87806,7 +87834,7 @@ index a426fcfeb6..e44e25e590 100644 flow->nw_src = ofpact_get_SET_IPV4_SRC(a)->ipv4; } break; -@@ -6868,12 +6945,14 @@ do_xlate_actions(const struct ofpact *ofpacts, size_t ofpacts_len, +@@ -6868,12 +6950,14 @@ do_xlate_actions(const struct ofpact *ofpacts, size_t ofpacts_len, case OFPACT_SET_IPV4_DST: if (flow->dl_type == htons(ETH_TYPE_IP)) { memset(&wc->masks.nw_dst, 0xff, sizeof wc->masks.nw_dst); @@ -87821,7 +87849,7 @@ index a426fcfeb6..e44e25e590 100644 wc->masks.nw_tos |= IP_DSCP_MASK; flow->nw_tos &= ~IP_DSCP_MASK; flow->nw_tos |= ofpact_get_SET_IP_DSCP(a)->dscp; -@@ -6882,6 +6961,7 @@ do_xlate_actions(const struct ofpact *ofpacts, size_t ofpacts_len, +@@ -6882,6 +6966,7 @@ do_xlate_actions(const struct ofpact *ofpacts, size_t ofpacts_len, case OFPACT_SET_IP_ECN: if (is_ip_any(flow)) { @@ -87829,7 +87857,7 @@ index a426fcfeb6..e44e25e590 100644 wc->masks.nw_tos |= IP_ECN_MASK; flow->nw_tos &= ~IP_ECN_MASK; flow->nw_tos |= ofpact_get_SET_IP_ECN(a)->ecn; -@@ -6890,6 +6970,7 @@ do_xlate_actions(const struct ofpact *ofpacts, size_t ofpacts_len, +@@ -6890,6 +6975,7 @@ do_xlate_actions(const struct ofpact *ofpacts, size_t ofpacts_len, case OFPACT_SET_IP_TTL: if (is_ip_any(flow)) { @@ -87837,7 +87865,7 @@ index a426fcfeb6..e44e25e590 100644 wc->masks.nw_ttl = 0xff; flow->nw_ttl = ofpact_get_SET_IP_TTL(a)->ttl; } -@@ -6952,6 +7033,7 @@ do_xlate_actions(const struct ofpact *ofpacts, size_t ofpacts_len, +@@ -6952,6 +7038,7 @@ do_xlate_actions(const struct ofpact *ofpacts, size_t ofpacts_len, /* Set the field only if the packet actually has it. */ if (mf_are_prereqs_ok(mf, flow, wc)) { @@ -87845,7 +87873,7 @@ index a426fcfeb6..e44e25e590 100644 mf_mask_field_masked(mf, ofpact_set_field_mask(set_field), wc); mf_set_flow_value_masked(mf, set_field->value, ofpact_set_field_mask(set_field), -@@ -7008,6 +7090,7 @@ do_xlate_actions(const struct ofpact *ofpacts, size_t ofpacts_len, +@@ -7008,6 +7095,7 @@ do_xlate_actions(const struct ofpact *ofpacts, size_t ofpacts_len, case OFPACT_DEC_TTL: wc->masks.nw_ttl = 0xff; @@ -87853,7 +87881,7 @@ index a426fcfeb6..e44e25e590 100644 if (compose_dec_ttl(ctx, ofpact_get_DEC_TTL(a))) { return; } -@@ -7149,17 +7232,18 @@ do_xlate_actions(const struct ofpact *ofpacts, size_t ofpacts_len, +@@ -7149,17 +7237,18 @@ do_xlate_actions(const struct ofpact *ofpacts, size_t ofpacts_len, break; case OFPACT_CHECK_PKT_LARGER: { @@ -87877,7 +87905,7 @@ index a426fcfeb6..e44e25e590 100644 break; } } -@@ -7623,6 +7707,12 @@ xlate_actions(struct xlate_in *xin, struct xlate_out *xout) +@@ -7623,6 +7712,12 @@ xlate_actions(struct xlate_in *xin, struct xlate_out *xout) goto exit; } diff --git a/SPECS/openvswitch2.16.spec b/SPECS/openvswitch2.16.spec index 1435dea..986a8d6 100644 --- a/SPECS/openvswitch2.16.spec +++ b/SPECS/openvswitch2.16.spec @@ -63,7 +63,7 @@ Summary: Open vSwitch Group: System Environment/Daemons daemon/database/utilities URL: http://www.openvswitch.org/ Version: 2.16.0 -Release: 116%{?dist} +Release: 117%{?dist} # Nearly all of openvswitch is ASL 2.0. The bugtool is LGPLv2+, and the # lib/sflow*.[ch] files are SISSL @@ -705,6 +705,12 @@ exit 0 %endif %changelog +* Wed May 10 2023 Open vSwitch CI - 2.16.0-117 +- Merging upstream branch-2.16 [RH git: 7d001a92de] + Commit list: + 2a0dbd5a59 ofproto-dpif-xlate: Fix use-after-free when xlate_actions(). + + * Tue Apr 25 2023 Open vSwitch CI - 2.16.0-116 - Merging upstream branch-2.16 [RH git: a2bfddc4f9] Commit list: