import UBI passt-0^20250217.ga1e48a0-7.el10_0
parent
3e8af058ba
commit
2fd6c54517
2
.gitignore
vendored
2
.gitignore
vendored
@ -1 +1 @@
|
||||
SOURCES/passt-a1e48a02ff3550eb7875a7df6726086e9b3a1213.tar.xz
|
||||
passt-a1e48a02ff3550eb7875a7df6726086e9b3a1213.tar.xz
|
||||
|
||||
@ -1 +0,0 @@
|
||||
6561fdc75b29dc6566bc1fb30b88d6846ef5e23b SOURCES/passt-a1e48a02ff3550eb7875a7df6726086e9b3a1213.tar.xz
|
||||
@ -0,0 +1,48 @@
|
||||
From 189671a22a6c9422ef43dc91014e1c0c05389ff3 Mon Sep 17 00:00:00 2001
|
||||
From: Stefano Brivio <sbrivio@redhat.com>
|
||||
Date: Fri, 29 Aug 2025 22:11:31 +0200
|
||||
Subject: [PATCH 25/26] tcp: Cast operands of sequence comparison macros to
|
||||
uint32_t before using them
|
||||
|
||||
Otherwise, passing signed types causes automatic promotion of the
|
||||
result of the subtractions as well, which is not what we want, as
|
||||
these macros rely on unsigned 32-bit arithmetic.
|
||||
|
||||
The next patch introduces a ssize_t operand for SEQ_LE, illustrating
|
||||
the issue.
|
||||
|
||||
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
|
||||
Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
|
||||
Tested-by: Paul Holzinger <pholzing@redhat.com>
|
||||
Reviewed-by: Jon Maloy <jmaloy@redhat.com>
|
||||
(cherry picked from commit 660cd6907e14a41ad9bc77d317140c70ab416fce)
|
||||
---
|
||||
tcp_internal.h | 12 ++++++++----
|
||||
1 file changed, 8 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/tcp_internal.h b/tcp_internal.h
|
||||
index 9cf31f5..cd9668a 100644
|
||||
--- a/tcp_internal.h
|
||||
+++ b/tcp_internal.h
|
||||
@@ -18,10 +18,14 @@
|
||||
sizeof(struct ipv6hdr), \
|
||||
sizeof(uint32_t))
|
||||
|
||||
-#define SEQ_LE(a, b) ((b) - (a) < MAX_WINDOW)
|
||||
-#define SEQ_LT(a, b) ((b) - (a) - 1 < MAX_WINDOW)
|
||||
-#define SEQ_GE(a, b) ((a) - (b) < MAX_WINDOW)
|
||||
-#define SEQ_GT(a, b) ((a) - (b) - 1 < MAX_WINDOW)
|
||||
+#define SEQ_LE(a, b) \
|
||||
+ ((uint32_t)(b) - (uint32_t)(a) < MAX_WINDOW)
|
||||
+#define SEQ_LT(a, b) \
|
||||
+ ((uint32_t)(b) - (uint32_t)(a) - 1 < MAX_WINDOW)
|
||||
+#define SEQ_GE(a, b) \
|
||||
+ ((uint32_t)(a) - (uint32_t)(b) < MAX_WINDOW)
|
||||
+#define SEQ_GT(a, b) \
|
||||
+ ((uint32_t)(a) - (uint32_t)(b) - 1 < MAX_WINDOW)
|
||||
|
||||
#define FIN (1 << 0)
|
||||
#define SYN (1 << 1)
|
||||
--
|
||||
2.47.1
|
||||
|
||||
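Review bot: The four SEQ_* macros in tcp_internal.h now truncate any wider operand to 32 bits, and nothing next to them states the contract a caller has to respect. A short comment above SEQ_LE would cover it, for example `/* Operands are cast to uint32_t: comparison is modulo 2^32, valid only for values within MAX_WINDOW of each other */`. The definition of MAX_WINDOW is outside the hunk, so this assumes it is a constant below 2^31; with a larger value the ordering these macros report would be ambiguous. As the operands are presumably sequence numbers taken from peer-supplied segments, a unit test for the wrap-around cases (a just below 2^32, b just above 0) and for a negative ssize_t operand would pin the intended behaviour.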
@ -0,0 +1,76 @@
|
||||
From b50b2f2f89e07187fc8f6e933aa6730d51ea90d1 Mon Sep 17 00:00:00 2001
|
||||
From: Stefano Brivio <sbrivio@redhat.com>
|
||||
Date: Thu, 2 Oct 2025 00:41:54 +0200
|
||||
Subject: [PATCH 26/26] tcp: Don't consider FIN flags with mismatching sequence
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
If a guest or container sends us a FIN segment but its sequence number
|
||||
doesn't match the highest sequence of data we *accepted* (not
|
||||
necessarily the highest sequence we received), that is,
|
||||
conn->seq_from_tap, plus any data we're accepting in the current
|
||||
batch, we should discard the flag (not necessarily the segment),
|
||||
because there's still data we need to receive (again) before the end
|
||||
of the stream.
|
||||
|
||||
If we consider those FIN flags as such, we'll end up in the
|
||||
situation described below.
|
||||
|
||||
Here, 192.168.10.102 is a HTTP server in a Podman container, and
|
||||
192.168.10.44 is a client fetching approximately 121 KB of data from
|
||||
it:
|
||||
|
||||
82 2.026811 192.168.10.102 → 192.168.10.44 54 TCP 55414 → 44992 [FIN, ACK] Seq=121441 Ack=143 Win=65536 Len=0
|
||||
|
||||
the server is done sending
|
||||
|
||||
83 2.026898 192.168.10.44 → 192.168.10.102 54 TCP 44992 → 55414 [ACK] Seq=143 Ack=114394 Win=216192 Len=0
|
||||
|
||||
pasta (client) acknowledges a previous sequence, because of
|
||||
a short sendmsg()
|
||||
|
||||
84 2.027324 192.168.10.44 → 192.168.10.102 54 TCP 44992 → 55414 [FIN, ACK] Seq=143 Ack=114394 Win=216192 Len=0
|
||||
|
||||
pasta (client) sends FIN, ACK as the client has no more data to
|
||||
send (a single GET request), while still acknowledging a previous
|
||||
sequence, because the retransmission didn't happen yet
|
||||
|
||||
85 2.027349 192.168.10.102 → 192.168.10.44 54 TCP 55414 → 44992 [ACK] Seq=121442 Ack=144 Win=65536 Len=0
|
||||
|
||||
the server acknowledges the FIN, ACK
|
||||
|
||||
86 2.224125 192.168.10.102 → 192.168.10.44 4150 TCP [TCP Retransmission] 55414 → 44992 [ACK] Seq=114394 Ack=144 Win=65536 Len=4096 [TCP segment of a reassembled PDU]
|
||||
|
||||
and finally a retransmission comes, but as we wrongly switched to
|
||||
the CLOSE-WAIT state,
|
||||
|
||||
87 2.224202 192.168.10.44 → 192.168.10.102 54 TCP 44992 → 55414 [RST] Seq=144 Win=0 Len=0
|
||||
|
||||
we consider frame #86 as an acknowledgement for the FIN segment we
|
||||
sent, and close the connection, while we still had to re-receive
|
||||
(and finally send) the missing data segment, instead.
|
||||
|
||||
Link: https://github.com/containers/podman/issues/27179
|
||||
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
|
||||
(cherry picked from commit b145441913eef6f8885b6b84531e944ff593790c)
|
||||
---
|
||||
tcp.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/tcp.c b/tcp.c
|
||||
index 98e1c6a..731eaba 100644
|
||||
--- a/tcp.c
|
||||
+++ b/tcp.c
|
||||
@@ -1699,7 +1699,7 @@ static int tcp_data_from_tap(const struct ctx *c, struct tcp_tap_conn *conn,
|
||||
}
|
||||
}
|
||||
|
||||
- if (th->fin)
|
||||
+ if (th->fin && seq == seq_from_tap)
|
||||
fin = 1;
|
||||
|
||||
if (!len)
|
||||
--
|
||||
2.47.1
|
||||
|
||||
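Review bot: The new condition `th->fin && seq == seq_from_tap` in tcp_data_from_tap() carries no comment, so the reasoning lives only in the commit message. A line such as `/* Ignore FIN unless the segment starts at the accepted sequence: earlier data must be re-received first */` would keep it next to the code. The check compares the segment's starting sequence, so, as far as the hunk shows, a FIN on a segment that begins before seq_from_tap but extends past it would also lose its flag, leaving the close to depend on the peer retransmitting the FIN; it is worth confirming that this is intended. The function starts and ends outside the hunk, so how seq and seq_from_tap are updated before this point is not visible here. A regression test replaying the sequence from the commit message (short sendmsg(), FIN ahead of the retransmission) would guard against the premature CLOSE-WAIT and reset.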
@ -12,7 +12,7 @@
|
||||
|
||||
Name: passt
|
||||
Version: 0^20250217.ga1e48a0
|
||||
Release: 5%{?dist}
|
||||
Release: 7%{?dist}
|
||||
Summary: User-mode networking daemons for virtual machines and namespaces
|
||||
License: GPL-2.0-or-later AND BSD-3-Clause
|
||||
Group: System Environment/Daemons
|
||||
@ -42,6 +42,8 @@ Patch21: 0021-passt-repair-Correct-off-by-one-error-verifying-name.patch
|
||||
Patch22: 0022-passt-repair-Ensure-that-read-buffer-is-NULL-termina.patch
|
||||
Patch23: 0023-tcp_splice-Don-t-double-count-bytes-read-on-EINTR.patch
|
||||
Patch24: 0024-tcp_splice-Don-t-clobber-errno-before-checking-for-E.patch
|
||||
Patch25: 0025-tcp-Cast-operands-of-sequence-comparison-macros-to-u.patch
|
||||
Patch26: 0026-tcp-Don-t-consider-FIN-flags-with-mismatching-sequen.patch
|
||||
|
||||
BuildRequires: gcc, make, git, checkpolicy, selinux-policy-devel
|
||||
Requires: (%{name}-selinux = %{version}-%{release} if selinux-policy-%{selinuxtype})
|
||||
@ -154,9 +156,19 @@ fi
|
||||
%{_datadir}/selinux/packages/%{selinuxtype}/passt-repair.pp
|
||||
|
||||
%changelog
|
||||
* Thu Jul 03 2025 Mark Will <mark.will@oracle.com> - 0^20250217.ga1e48a0-5
|
||||
* Thu Oct 23 2025 Stefano Brivio <sbrivio@redhat.com> - 0^20250217.ga1e48a0-7
|
||||
- Resolves: RHEL-123414 RHEL-123421
|
||||
|
||||
* Thu Apr 10 2025 Stefano Brivio <sbrivio@redhat.com> - 0^20250217.ga1e48a0-5
|
||||
- Resolves: RHEL-83979 RHEL-84157 RHEL-86761
|
||||
|
||||
* Thu Mar 20 2025 Stefano Brivio <sbrivio@redhat.com> - 0^20250217.ga1e48a0-4
|
||||
- Resolves: RHEL-84249 RHEL-83979 RHEL-84157 RHEL-84248
|
||||
|
||||
* Fri Feb 28 2025 Stefano Brivio <sbrivio@redhat.com> - 0^20250217.ga1e48a0-3
|
||||
- Resolves: RHEL-80297
|
||||
|
||||
* Wed Feb 26 2025 Stefano Brivio <sbrivio@redhat.com> - 0^20250217.ga1e48a0-2
|
||||
- Resolves: RHEL-80297
|
||||
|
||||
* Mon Feb 17 2025 Stefano Brivio <sbrivio@redhat.com> - 0^20250217.ga1e48a0-1
|
||||