commit d084ce15a7da6e61b91f4e3302235d97b87437ce Author: Chenbo Xia <chenbo.xia> Date: Mon Feb 14 16:32:37 2022 +0800 vhost: fix queue number check when setting inflight FD [ upstream commit 6442c329b9d2ded0f44b27d2016aaba8ba5844c5 ] In function vhost_user_set_inflight_fd, queue number in inflight message is used to access virtqueue. However, queue number could be larger than VHOST_MAX_VRING and cause write OOB as this number will be used to write inflight info in virtqueue structure. This patch checks the queue number to avoid the issue and also make sure virtqueues are allocated before setting inflight information. Fixes: ad0a4ae491fe ("vhost: checkout resubmit inflight information") Reported-by: Wenxiang Qian <leonwxqian> Signed-off-by: Chenbo Xia <chenbo.xia> Reviewed-by: Maxime Coquelin <maxime.coquelin> commit fafbd8f6428dc5f41a810870b05dd8deb05aa7df Author: David Marchand <david.marchand> Date: Tue Jan 18 15:53:30 2022 +0100 vhost: fix FD leak with inflight messages [ upstream commit af74f7db384ed149fe42b21dbd7975f8a54ef227 ] Even if unlikely, a buggy vhost-user master might attach fds to inflight messages. Add checks like for other types of vhost-user messages. Fixes: d87f1a1cb7b6 ("vhost: support inflight info sharing") Signed-off-by: David Marchand <david.marchand> Reviewed-by: Maxime Coquelin <maxime.coquelin> commit 1c2e3ff27515ba947cb8004f6a00160a82549f8e Merge: a0490a292 a51dd4685 Author: Open vSwitch CI <ovs-ci> Date: Wed Apr 27 17:49:02 2022 -0400 Merging upstream branch-2.16 Commit list: a51dd4685d ofproto-dpif-xlate: Clear out vlan flow fields while processing native tunnel. (#393566 2060552) commit a0490a292cb8a1dbf8aabf6d7799566b5a1cc8c5 Merge: 104da44ad 271bea0ee Author: Open vSwitch CI <ovs-ci> Date: Tue Apr 26 18:49:44 2022 -0400 Merging upstream branch-2.16 Commit list: 271bea0ee0 ofproto-xlate: Fix crash when forwarding packet between legacy_l3 tunnels. 9f9d59aeae system-traffic: Fix fragment reassembly with L3 L4 protocol information. commit 104da44ad6bfa9e29225d00347e575a266160f14 Author: Timothy Redaelli <tredaelli> Date: Thu Apr 21 14:20:01 2022 +0200 Really set RTE_ETH_MAXPORTS to 1024 Fixes: 81ff7c5a60f0 ("Change RTE_ETH_MAXPORTS to 1024") commit c9969bac2f49b139e4211849f364a2042455e76b Merge: 2ee98fa0f 2afa9d228 Author: Open vSwitch CI <ovs-ci> Date: Mon Apr 18 13:52:20 2022 -0400 Merging upstream branch-2.16 Commit list: 2afa9d2285 cirrus: Update FreeBSD versions. commit 2ee98fa0fff12045f2447975dbb75fb9433db869 Merge: 4936a7194 be8b35fdd Author: Open vSwitch CI <ovs-ci> Date: Fri Apr 8 19:25:50 2022 -0400 Merging upstream branch-2.16 Commit list: be8b35fddf Prepare for 2.16.4. d8639f81c1 Set release date for 2.16.3. 71a5a38c83 NEWS: Highlight libopenvswitch API change caused by UB fixes. commit 4936a7194b63bb9d95b0e39a2c763af05d2ee0bb Merge: 1418edaf1 2c666b979 Author: Open vSwitch CI <ovs-ci> Date: Wed Apr 6 10:05:22 2022 -0400 Merging upstream branch-2.16 Commit list: 2c666b9791 netdev-offload-tc: Check for ct_state flag combinations that are not offloadable. commit 1418edaf18385fc1482f490d6d5d21785fc14349 Merge: b4c45acc4 26189fd26 Author: Open vSwitch CI <ovs-ci> Date: Mon Apr 4 19:50:16 2022 -0400 Merging upstream branch-2.16 Commit list: 26189fd264 dpif-netdev: Fix dp_netdev_get_pmd() function getting correct core_id. a5af081bc6 alb.at: Add tests for cross-numa polling. 78c8f8a7f6 dpif-netdev: Fix PMD auto load balance with pmd-rxq-isolate. 6731e581c4 pmd.at: Add tests for multi non-local numa pmds. 60652bb3eb dpif-netdev: Fix non-local numa selection for more than two numas. c113039503 ofproto-dpif-xlate: Fix NULL pointer dereference in xlate_normal(). commit b4c45acc47c87a4970162a9e9e7b850a8e248f76 Merge: 32008eb00 7644c924e Author: Open vSwitch CI <ovs-ci> Date: Wed Mar 30 19:51:52 2022 -0400 Merging upstream branch-2.16 Commit list: 7644c924e8 sparse: bump recommended version and include headers. 20b87feba9 rculist: use multi-variable helpers for loop macros. 05a440fafb hindex: use multi-variable iterators. 04dca15004 cmap: use multi-variable iterators. 80e64f712d hmap: implement UB-safe hmap pop iterator. 3b4b0af690 hmap: use multi-variable helpers for hmap loops. 05e899ea8f list: use multi-variable helpers for list loops. d2406399ae util: add helpers to overload SAFE macro. f22f9d947a util: add safe multi-variable iterators. 72c3e8627c util: add multi-variable loop iterator macros. commit 32008eb0080a53a8760576bc8503091b0009cf71 Merge: a3c48a5ae 1570924c3 Author: Open vSwitch CI <ovs-ci> Date: Wed Mar 30 14:05:12 2022 -0400 Merging upstream branch-2.16 Commit list: 1570924c3f ovsdb: raft: Fix inability to read the database with DNS host names. (#2055097)
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: openvswitch2.16 security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2022:4788