diff --git a/backport-dpif-netlink-avoid-netlink-modify-flow-put-op-failed-after-tc-modify-flow-put-op-failed.patch b/backport-dpif-netlink-avoid-netlink-modify-flow-put-op-failed-after-tc-modify-flow-put-op-failed.patch deleted file mode 100644 index f5e4e81e0102c9e1f9351bd3103cdc3eca049914..0000000000000000000000000000000000000000 --- a/backport-dpif-netlink-avoid-netlink-modify-flow-put-op-failed-after-tc-modify-flow-put-op-failed.patch +++ /dev/null 
@@ -1,159 +0,0 @@ -From patchwork Sat Mar 21 06:54:21 2020 -Content-Type: text/plain; charset="utf-8" -MIME-Version: 1.0 -Content-Transfer-Encoding: 7bit -X-Patchwork-Submitter: wenxu -X-Patchwork-Id: 1259295 -Return-Path: -X-Original-To: incoming@patchwork.ozlabs.org -Delivered-To: patchwork-incoming@bilbo.ozlabs.org -Authentication-Results: ozlabs.org; spf=pass (sender SPF authorized) - smtp.mailfrom=openvswitch.org (client-ip=140.211.166.133; - helo=hemlock.osuosl.org; - envelope-from=ovs-dev-bounces@openvswitch.org; - receiver=) -Authentication-Results: ozlabs.org; - dmarc=fail (p=none dis=none) header.from=ucloud.cn -Received: from hemlock.osuosl.org (smtp2.osuosl.org [140.211.166.133]) - (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 - bits)) (No client certificate requested) - by ozlabs.org (Postfix) with ESMTPS id 48krwp45Rqz9sPR - for ; - Sat, 21 Mar 2020 17:54:34 +1100 (AEDT) -Received: from localhost (localhost [127.0.0.1]) - by hemlock.osuosl.org (Postfix) with ESMTP id 1829489424; - Sat, 21 Mar 2020 06:54:33 +0000 (UTC) -X-Virus-Scanned: amavisd-new at osuosl.org -Received: from hemlock.osuosl.org ([127.0.0.1]) - by localhost (.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) - with ESMTP id 3JodhcswCEYy; Sat, 21 Mar 2020 06:54:31 +0000 (UTC) -Received: from lists.linuxfoundation.org (lf-lists.osuosl.org [140.211.9.56]) - by hemlock.osuosl.org (Postfix) with ESMTP id 9C17E89383; - Sat, 21 Mar 2020 06:54:31 +0000 (UTC) -Received: from lf-lists.osuosl.org (localhost [127.0.0.1]) - by lists.linuxfoundation.org (Postfix) with ESMTP id 8470EC089F; - Sat, 21 Mar 2020 06:54:31 +0000 (UTC) -X-Original-To: dev@openvswitch.org -Delivered-To: ovs-dev@lists.linuxfoundation.org -Received: from fraxinus.osuosl.org (smtp4.osuosl.org [140.211.166.137]) - by lists.linuxfoundation.org (Postfix) with ESMTP id E1868C07FF - for ; Sat, 21 Mar 2020 06:54:29 +0000 (UTC) -Received: from localhost (localhost [127.0.0.1]) - by fraxinus.osuosl.org (Postfix) with 
ESMTP id DEBC286813 - for ; Sat, 21 Mar 2020 06:54:29 +0000 (UTC) -X-Virus-Scanned: amavisd-new at osuosl.org -Received: from fraxinus.osuosl.org ([127.0.0.1]) - by localhost (.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) - with ESMTP id vvlN2NAtNL6N for ; - Sat, 21 Mar 2020 06:54:28 +0000 (UTC) -X-Greylist: from auto-whitelisted by SQLgrey-1.7.6 -Received: from m9784.mail.qiye.163.com (m9784.mail.qiye.163.com - [220.181.97.84]) - by fraxinus.osuosl.org (Postfix) with ESMTPS id 5B60C8679E - for ; Sat, 21 Mar 2020 06:54:28 +0000 (UTC) -Received: from localhost.localdomain (unknown [123.59.132.129]) - by m9784.mail.qiye.163.com (Hmail) with ESMTPA id 9C56941610; - Sat, 21 Mar 2020 14:54:21 +0800 (CST) -From: wenxu@ucloud.cn -To: simon.horman@netronome.com -Date: Sat, 21 Mar 2020 14:54:21 +0800 -Message-Id: <1584773661-6886-1-git-send-email-wenxu@ucloud.cn> -X-Mailer: git-send-email 1.8.3.1 -X-HM-Spam-Status: e1kfGhgUHx5ZQUtXWQgYFAkeWUFZSFVPSU1CQkJDS0xITkxMQllXWShZQU - lCN1dZLVlBSVdZCQ4XHghZQVk1NCk2OjckKS43PlkG -X-HM-Sender-Digest: e1kMHhlZQR0aFwgeV1kSHx4VD1lBWUc6PAg6Ixw4KTgxQxM0EzoKHBQX - EDwKCiNVSlVKTkNPTExITU1KTUNDVTMWGhIXVQweFQMOOw4YFxQOH1UYFUVZV1kSC1lBWUpJSFVO - QlVKSElVSklCWVdZCAFZQUhNQk03Bg++ -X-HM-Tid: 0a70fbdf03d02086kuqy9c56941610 -Cc: dev@openvswitch.org -Subject: [ovs-dev] [PATCH branch-2.12] dpif-netlink: avoid netlink modify - flow put op failed after tc modify flow put op failed. -X-BeenThere: ovs-dev@openvswitch.org -X-Mailman-Version: 2.1.15 -Precedence: list -List-Id: -List-Unsubscribe: , - -List-Archive: -List-Post: -List-Help: -List-Subscribe: , - -MIME-Version: 1.0 -Errors-To: ovs-dev-bounces@openvswitch.org -Sender: "dev" - -From: wenxu - -The tc modify flow put always delete the original flow first and -then add the new flow. 
If the modfiy flow put operation failed, -the flow put operation will change from modify to create if success -to delete the original flow in tc (which will be always failed with -ENOENT, the flow is already be deleted before add the new flow in tc). -Finally, the modify flow put will failed to add in kernel datapath. - -Signed-off-by: wenxu ---- - lib/dpif-netlink.c | 7 ++++++- - lib/netdev-offload-tc.c | 7 +++++-- - lib/netdev-offload.h | 3 +++ - 3 files changed, 14 insertions(+), 3 deletions(-) - -diff --git a/lib/dpif-netlink.c b/lib/dpif-netlink.c -index 7bc71d6..7e088c0 100644 ---- a/lib/dpif-netlink.c -+++ b/lib/dpif-netlink.c -@@ -2038,6 +2038,7 @@ parse_flow_put(struct dpif_netlink *dpif, struct dpif_flow_put *put) - info.dpif_class = dpif_class; - info.tp_dst_port = dst_port; - info.tunnel_csum_on = csum_on; -+ info.tc_modify_flow_deleted = false; - err = netdev_flow_put(dev, &match, - CONST_CAST(struct nlattr *, put->actions), - put->actions_len, -@@ -2088,7 +2089,11 @@ parse_flow_put(struct dpif_netlink *dpif, struct dpif_flow_put *put) - out: - if (err && err != EEXIST && (put->flags & DPIF_FP_MODIFY)) { - /* Modified rule can't be offloaded, try and delete from HW */ -- int del_err = netdev_flow_del(dev, put->ufid, put->stats); -+ int del_err = 0; -+ -+ if (!info.tc_modify_flow_deleted) { -+ del_err = netdev_flow_del(dev, put->ufid, put->stats); -+ } - - if (!del_err) { - /* Delete from hw success, so old flow was offloaded. 
-diff --git a/lib/netdev-offload-tc.c b/lib/netdev-offload-tc.c -index 4cc044b..c95de1e 100644 ---- a/lib/netdev-offload-tc.c -+++ b/lib/netdev-offload-tc.c -@@ -1359,9 +1359,12 @@ netdev_tc_flow_put(struct netdev *netdev, struct match *match, - block_id = get_block_id_from_netdev(netdev); - handle = get_ufid_tc_mapping(ufid, &prio, NULL); - if (handle && prio) { -+ bool flow_deleted; -+ - VLOG_DBG_RL(&rl, "updating old handle: %d prio: %d", handle, prio); -- del_filter_and_ufid_mapping(ifindex, prio, handle, block_id, ufid, -- hook); -+ flow_deleted = !del_filter_and_ufid_mapping(ifindex, prio, handle, -+ block_id, ufid, hook); -+ info->tc_modify_flow_deleted = flow_deleted; - } - - if (!prio) { -diff --git a/lib/netdev-offload.h b/lib/netdev-offload.h -index 97a5006..34721ef 100644 ---- a/lib/netdev-offload.h -+++ b/lib/netdev-offload.h -@@ -71,6 +71,9 @@ struct offload_info { - * it will be in the pkt meta data. - */ - uint32_t flow_mark; -+ -+ bool tc_modify_flow_deleted; /* Indicate the tc modify flow put success -+ * to delete the original flow. */ - }; - - int netdev_flow_flush(struct netdev *); diff --git a/fix-selinux-err.patch b/fix-selinux-err.patch new file mode 100644 index 0000000000000000000000000000000000000000..c51c91cfc6a2464ae8bd6bfcadf7b98e39261a1e --- /dev/null +++ b/fix-selinux-err.patch 
@@ -0,0 +1,41 @@ +From 3b35964c7da2a4000486c57e2c347c8cc67ac393 Mon Sep 17 00:00:00 2001 +Date: Wed, 1 Sep 2021 16:54:34 +0800 +Subject: [PATCH] openvswitch-2 + +--- + selinux/openvswitch-custom.te.in | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/selinux/openvswitch-custom.te.in b/selinux/openvswitch-custom.te.in +index b2c63ab..8f76c14 100644 +--- a/selinux/openvswitch-custom.te.in ++++ b/selinux/openvswitch-custom.te.in +@@ -15,10 +15,12 @@ require { + type ifconfig_exec_t; + type init_t; + type init_var_run_t; ++ type initrc_t; + type insmod_exec_t; + type kernel_t; + type hostname_exec_t; + type modules_conf_t; ++ type modules_dep_t; + type modules_object_t; + type passwd_file_t; + type plymouth_exec_t; +@@ -117,10 +119,12 @@ allow openvswitch_t openvswitch_load_module_t:process transition; + allow openvswitch_load_module_t bin_t:file { execute execute_no_trans map }; + allow openvswitch_load_module_t init_t:unix_stream_socket { getattr ioctl read write }; + allow openvswitch_load_module_t init_var_run_t:dir { getattr read open search }; ++allow openvswitch_load_module_t initrc_t:fifo_file ioctl; + allow openvswitch_load_module_t insmod_exec_t:file { execute execute_no_trans getattr map open read }; + allow openvswitch_load_module_t kernel_t:system module_request; + allow openvswitch_load_module_t modules_conf_t:dir { getattr open read search }; + allow openvswitch_load_module_t modules_conf_t:file { getattr open read }; ++allow openvswitch_load_module_t modules_dep_t:file open; + allow openvswitch_load_module_t modules_object_t:file { map getattr open read }; + allow openvswitch_load_module_t modules_object_t:dir { getattr open read search }; + allow openvswitch_load_module_t openvswitch_load_module_exec_t:file { entrypoint }; +-- +2.27.0 + diff --git a/openvswitch.spec b/openvswitch.spec index 32d3f3282ce45bb650879fdcc7cf1aa6458b188e..426a91acfa33ef2c1779036cfcc1d69ce095c436 100644 --- a/openvswitch.spec +++ b/openvswitch.spec 
@@ -6,7 +6,7 @@ Summary: Production Quality, Multilayer Open Virtual Switch URL: http://www.openvswitch.org/ Version: 2.12.0 License: ASL 2.0 and ISC -Release: 21 +Release: 22 Source: https://www.openvswitch.org/releases/openvswitch-%{version}.tar.gz Buildroot: /tmp/openvswitch-rpm Patch0000: 0000-openvswitch-add-stack-protector-strong.patch @@ -18,10 +18,11 @@ Patch0005: CVE-2020-35498.patch Patch0006: CVE-2020-27827.patch Patch0007: CVE-2015-8011.patch Patch0008: backport-CVE-2021-36980.patch -Patch0009: backport-dpif-netlink-avoid-netlink-modify-flow-put-op-failed-after-tc-modify-flow-put-op-failed.patch -Patch0010: CVE-2021-3905.patch +Patch0009: CVE-2021-3905.patch -Requires: logrotate hostname python >= 3.8 python3-six selinux-policy-targeted libsepol >= 3.1 +Patch9000: fix-selinux-err.patch + +Requires: logrotate hostname python >= 3.8 python3-six selinux-policy-targeted BuildRequires: python3-six, openssl-devel checkpolicy selinux-policy-devel autoconf automake libtool python-sphinx unbound-devel BuildRequires: python3-devel Provides: openvswitch-selinux-policy = %{version}-%{release} 
@@ -290,20 +291,17 @@ exit 0 %doc README.rst NEWS rhel/README.RHEL.rst %changelog -* Fri Jul 8 2022 qz_cx - 2.12.0-21 -- Type:cve -- ID:CVE-2021-3905 -- SUG:NA -- DESC: fix CVE-2021-3905 +* Mon Jul 25 2022 zhouwenpei - 2.12.0-22 +- revent "Add ovn-central ovn-central and ovn-host subpackage" -* Wed Apr 06 2022 chenjian - 2.12.0-20 -- add backport-dpif-netlink-avoid-netlink-modify-flow-put-op-failed-after-tc-modify-flow-put-op-failed.patch +* Wed Jul 13 2022 zhouwenpei - 2.12.0-21 +- fix CVE-2021-3905 -* Mon Oct 18 2021 yangcheng - 2.12.0-19 -- Type:bugfix -- ID:NA -- SUG:NA -- DESC: fix the error of opevswitch installation and upgrade +* Wed May 18 2022 jiangxinyu - 2.12.0-20 +- Add ovn-central ovn-central and ovn-host subpackage + +* Thu Sep 2 2021 hanhui - 2.12.0-19 +- Fix selinux preventing ovs-kmod-ctl err * Wed Sep 1 2021 hanhui - 2.12.0-18 - Change the OVS startup mode to service startup.
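Review bot: deleting backport-dpif-netlink-avoid-netlink-modify-flow-put-op-failed-after-tc-modify-flow-put-op-failed.patch outright (the first `diff --git` block, `deleted file mode 100644`) drops a functional bug fix to the tc flow-put/modify path, and neither the new 2.12.0-22 changelog entry nor the commit explains why it is being removed. If the drop is intentional, state the reason in the changelog; if it is collateral from the revert of the ovn subpackage change, keep the patch file and its `Patch0009:` line in place.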
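Review bot: in the new fix-selinux-err.patch, the added rule `allow openvswitch_load_module_t modules_dep_t:file open;` grants only `open`, while the neighbouring `modules_conf_t:file { getattr open read }` rule grants the permissions a file that is opened actually needs; an `open` with no `read` looks like a single audit2allow iteration and will likely surface a follow-up denial. Consider `{ getattr open read }` for `modules_dep_t` as well. Separately, the patch header carries no author line and the subject is just `[PATCH] openvswitch-2` with an empty body; a one-line description of the denials being fixed (the two `type` additions and the `initrc_t:fifo_file ioctl` rule) belongs there.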
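Review bot: the first openvswitch.spec hunk silently drops `libsepol >= 3.1` from `Requires:` (the line becomes `Requires: logrotate hostname python >= 3.8 python3-six selinux-policy-targeted`) with no mention in the changelog; if the SELinux policy module built here no longer needs that minimum, say so, otherwise keep the dependency. The same hunk renumbers `CVE-2021-3905.patch` from `Patch0010` to `Patch0009` as a side effect of the removed backport, which is fine only if the removal itself is intended.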
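Review bot: the %changelog hunk rewrites the already-released 2.12.0-19, -20 and -21 entries (different dates, authors and descriptions) instead of only prepending the 2.12.0-22 entry; published changelog history should stay as it was. In the new entry, `revent` should read `revert`, `ovn-central ovn-central` repeats the word, and nothing in the hunks shown actually touches a subpackage definition, so the entry does not describe this diff (which removes a backport patch, adds fix-selinux-err.patch and changes `Requires:`).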