diff --git a/CVE-2021-3905.patch b/CVE-2021-3905.patch new file mode 100644 index 0000000000000000000000000000000000000000..c3db7ae4cdfde7f38420311d87aa4e8d8dc53238 --- /dev/null +++ b/CVE-2021-3905.patch 
@@ -0,0 +1,63 @@ +From a5e7296363137b4d77d1ae1ffb7bc2be5980bd9c Mon Sep 17 00:00:00 2001 +From: qz_cx +Date: Fri, 8 Jul 2022 13:59:53 +0800 +Subject: [PATCH] ipf: release unhandled packets from the batch Since 640d4db + ("ipf: Fix a use-after-free error, ...") the ipf framework unconditionally + allocates a new dp_packet to track individual fragments. This prevents a + use-after-free. However, an additional issue was present - even when the + packet buffer is cloned, if the ip fragment handling code keeps it, the + original buffer is leaked during the refill loop. Even in the original + processing code, the hardcoded dnsteal branches would always leak a packet + buffer from the refill loop. + +This can be confirmed with valgrind: + +==717566== 16,672 (4,480 direct, 12,192 indirect) bytes in 8 blocks are definitely lost in loss record 390 of 390 +==717566== at 0x484086F: malloc (vg_replace_malloc.c:380) +==717566== by 0x537BFD: xmalloc__ (util.c:137) +==717566== by 0x537BFD: xmalloc (util.c:172) +==717566== by 0x46DDD4: dp_packet_new (dp-packet.c:153) +==717566== by 0x46DDD4: dp_packet_new_with_headroom (dp-packet.c:163) +==717566== by 0x550AA6: netdev_linux_batch_rxq_recv_sock.constprop.0 (netdev-linux.c:1262) +==717566== by 0x5512AF: netdev_linux_rxq_recv (netdev-linux.c:1511) +==717566== by 0x4AB7E0: netdev_rxq_recv (netdev.c:727) +==717566== by 0x47F00D: dp_netdev_process_rxq_port (dpif-netdev.c:4699) +==717566== by 0x47FD13: dpif_netdev_run (dpif-netdev.c:5957) +==717566== by 0x4331D2: type_run (ofproto-dpif.c:370) +==717566== by 0x41DFD8: ofproto_type_run (ofproto.c:1768) +==717566== by 0x40A7FB: bridge_run__ (bridge.c:3245) +==717566== by 0x411269: bridge_run (bridge.c:3310) +==717566== by 0x406E6C: main (ovs-vswitchd.c:127) + +The fix is to delete the original packet when it isn't able to be +reinserted into the packet batch. Subsequent valgrind runs show that +the packets are not leaked from the batch any longer. 
+ +Fixes: 640d4db ("ipf: Fix a use-after-free error, and remove the 'do_not_steal' flag.") +Fixes: 4ea9669 ("Userspace datapath: Add fragmentation handling.") +Reported-by: Wan Junjie +Reported-at: openvswitch/ovs-issues#226 +Signed-off-by: Aaron Conole +Reviewed-by: David Marchand +Tested-by: Wan Junjie +Signed-off-by: Alin-Gabriel Serdean +--- + lib/ipf.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/lib/ipf.c b/lib/ipf.c +index 4cc0f2d..e8858d2 100644 +--- a/lib/ipf.c ++++ b/lib/ipf.c +@@ -941,6 +941,8 @@ ipf_extract_frags_from_batch(struct ipf *ipf, struct dp_packet_batch *pb, + if (!ipf_handle_frag(ipf, pkt, dl_type, zone, now, hash_basis, + pb->do_not_steal)) { + dp_packet_batch_refill(pb, pkt, pb_idx); ++ } else { ++ dp_packet_delete(pkt); + } + ovs_mutex_unlock(&ipf->ipf_lock); + } else { +-- +2.33.0 + diff --git a/openvswitch.spec b/openvswitch.spec index 8342976c0330cdd65a73d0f0f0186f7bd264f67c..588411c3775dc0e7b32df39f47d81eea700488ec 100644 --- a/openvswitch.spec +++ b/openvswitch.spec @@ -3,7 +3,7 @@ Summary: Production Quality, Multilayer Open Virtual Switch URL: http://www.openvswitch.org/ Version: 2.12.0 License: ASL 2.0 and ISC -Release: 16 +Release: 17 Source: https://www.openvswitch.org/releases/openvswitch-%{version}.tar.gz Buildroot: /tmp/openvswitch-rpm Patch0000: 0000-openvswitch-add-stack-protector-strong.patch @@ -16,6 +16,7 @@ Patch0006: backport-CVE-2021-36980.patch Patch0007: 0002-fix-DPDK-compiling-error.patch Patch0008: specifies-the-ovs-module-path.patch Patch0009: change-the-name-of-the-ipsec-configuration-file.patch +Patch0010: CVE-2021-3905.patch Requires: %{name}-help Requires: logrotate hostname python >= 2.7 python2-six selinux-policy-targeted libsepol >= 3.1 
@@ -528,6 +529,12 @@ exit 0 %{_unitdir}/ovn-controller-vtep.service %changelog +* Wed Jul 13 2022 zhouwenpei - 2.12.0-17 +- Type:cve +- ID:CVE-2021-3905 +- SUG:NA +- DESC:fix CVE-2021-3905 + * Wed Dec 15 2021 wulei - 2.12.0-16 - Fix the problem that openvswitch-ipsec.service causes ipsec.service to fail to start
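Review bot: in the lib/ipf.c hunk of CVE-2021-3905.patch, the new `} else { dp_packet_delete(pkt); }` after `dp_packet_batch_refill(pb, pkt, pb_idx);` is only memory-safe if `ipf_handle_frag()` never retains a reference to `pkt` itself. The commit message justifies this by 640d4db ("ipf: Fix a use-after-free error, ..."), which it says makes ipf unconditionally allocate a new dp_packet for each tracked fragment, and that commit is listed under `Fixes:`. Since this is applied to a 2.12.0 tree, confirm that the 640d4db clone behaviour is already present in this tree (the spec carries `backport-CVE-2021-36980.patch` as Patch0006; if that is the backport of 640d4db, it must stay ordered before Patch0010). Without that prerequisite, the added else branch turns the reported leak into a double free of the fragment buffer, which is worse than the bug being fixed.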
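Review bot: the openvswitch.spec hunk at `@@ -16,6 +16,7 @@` only adds the `Patch0010: CVE-2021-3905.patch` declaration; nothing in the visible diff touches `%prep`. If this spec applies patches with explicit `%patch` lines rather than `%autosetup`/`%autopatch`, a matching `%patch0010 -p1` is needed, otherwise the CVE fix is declared and shipped in the SRPM but never applied to the built binary. Please confirm which mechanism `%prep` uses. Minor style point: the earlier CVE backport is named `backport-CVE-2021-36980.patch` (Patch0006) while this one is plain `CVE-2021-3905.patch`; one naming convention for backported security fixes would make the patch list easier to audit.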
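Review bot: in the `%changelog` hunk at `@@ -528,6 +529,12 @@`, the entry `- DESC:fix CVE-2021-3905` gives no hint of what was changed; consider carrying the upstream subject so the history is self-describing, e.g. `- DESC:fix CVE-2021-3905, ipf: release unhandled packets from the batch`, and optionally the upstream commit id a5e7296 that the patch header records, so the backport can be traced without opening the patch file. The release bump to `Release: 17` and the ordering of the new entry above `2.12.0-16` look correct.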