import UBI passt-0^20250512.g8ec1341-4.el9_7

SOURCES/0003-tcp-Cast-operands-of-sequence-comparison-macros-to-u.patch

@@ -0,0 +1,48 @@
+From bd90a820852ff8966aeb83231c29e48849db3493 Mon Sep 17 00:00:00 2001
+From: Stefano Brivio <sbrivio@redhat.com>
+Date: Fri, 29 Aug 2025 22:11:31 +0200
+Subject: [PATCH 3/4] tcp: Cast operands of sequence comparison macros to
+ uint32_t before using them
+
+Otherwise, passing signed types causes automatic promotion of the
+result of the subtractions as well, which is not what we want, as
+these macros rely on unsigned 32-bit arithmetic.
+
+The next patch introduces a ssize_t operand for SEQ_LE, illustrating
+the issue.
+
+Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
+Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
+Tested-by: Paul Holzinger <pholzing@redhat.com>
+Reviewed-by: Jon Maloy <jmaloy@redhat.com>
+(cherry picked from commit 660cd6907e14a41ad9bc77d317140c70ab416fce)
+---
+ tcp_internal.h | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/tcp_internal.h b/tcp_internal.h
+index 36c6533..c80ba40 100644
+--- a/tcp_internal.h
++++ b/tcp_internal.h
+@@ -18,10 +18,14 @@
+ 						   sizeof(struct ipv6hdr), \
+ 						   sizeof(uint32_t))
+ 
+-#define SEQ_LE(a, b)			((b) - (a) < MAX_WINDOW)
+-#define SEQ_LT(a, b)			((b) - (a) - 1 < MAX_WINDOW)
+-#define SEQ_GE(a, b)			((a) - (b) < MAX_WINDOW)
+-#define SEQ_GT(a, b)			((a) - (b) - 1 < MAX_WINDOW)
++#define SEQ_LE(a, b)			\
++	((uint32_t)(b) - (uint32_t)(a) < MAX_WINDOW)
++#define SEQ_LT(a, b)			\
++	((uint32_t)(b) - (uint32_t)(a) - 1 < MAX_WINDOW)
++#define SEQ_GE(a, b)			\
++	((uint32_t)(a) - (uint32_t)(b) < MAX_WINDOW)
++#define SEQ_GT(a, b)			\
++	((uint32_t)(a) - (uint32_t)(b) - 1 < MAX_WINDOW)
+ 
+ #define FIN		(1 << 0)
+ #define SYN		(1 << 1)
+-- 
+2.47.1
+

SOURCES/0004-tcp-Don-t-consider-FIN-flags-with-mismatching-sequen.patch

@@ -0,0 +1,76 @@
+From f9278aab878ef58cf8502ea8f904dbb40fbbb16a Mon Sep 17 00:00:00 2001
+From: Stefano Brivio <sbrivio@redhat.com>
+Date: Thu, 2 Oct 2025 00:41:54 +0200
+Subject: [PATCH 4/4] tcp: Don't consider FIN flags with mismatching sequence
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+If a guest or container sends us a FIN segment but its sequence number
+doesn't match the highest sequence of data we *accepted* (not
+necessarily the highest sequence we received), that is,
+conn->seq_from_tap, plus any data we're accepting in the current
+batch, we should discard the flag (not necessarily the segment),
+because there's still data we need to receive (again) before the end
+of the stream.
+
+If we consider those FIN flags as such, we'll end up in the
+situation described below.
+
+Here, 192.168.10.102 is a HTTP server in a Podman container, and
+192.168.10.44 is a client fetching approximately 121 KB of data from
+it:
+
+   82   2.026811 192.168.10.102 → 192.168.10.44 54 TCP 55414 → 44992 [FIN, ACK] Seq=121441 Ack=143 Win=65536 Len=0
+
+the server is done sending
+
+   83   2.026898 192.168.10.44 → 192.168.10.102 54 TCP 44992 → 55414 [ACK] Seq=143 Ack=114394 Win=216192 Len=0
+
+pasta (client) acknowledges a previous sequence, because of
+a short sendmsg()
+
+   84   2.027324 192.168.10.44 → 192.168.10.102 54 TCP 44992 → 55414 [FIN, ACK] Seq=143 Ack=114394 Win=216192 Len=0
+
+pasta (client) sends FIN, ACK as the client has no more data to
+send (a single GET request), while still acknowledging a previous
+sequence, because the retransmission didn't happen yet
+
+   85   2.027349 192.168.10.102 → 192.168.10.44 54 TCP 55414 → 44992 [ACK] Seq=121442 Ack=144 Win=65536 Len=0
+
+the server acknowledges the FIN, ACK
+
+   86   2.224125 192.168.10.102 → 192.168.10.44 4150 TCP [TCP Retransmission] 55414 → 44992 [ACK] Seq=114394 Ack=144 Win=65536 Len=4096 [TCP segment of a reassembled PDU]
+
+and finally a retransmission comes, but as we wrongly switched to
+the CLOSE-WAIT state,
+
+   87   2.224202 192.168.10.44 → 192.168.10.102 54 TCP 44992 → 55414 [RST] Seq=144 Win=0 Len=0
+
+we consider frame #86 as an acknowledgement for the FIN segment we
+sent, and close the connection, while we still had to re-receive
+(and finally send) the missing data segment, instead.
+
+Link: https://github.com/containers/podman/issues/27179
+Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
+(cherry picked from commit b145441913eef6f8885b6b84531e944ff593790c)
+---
+ tcp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tcp.c b/tcp.c
+index 0ac298a..4428305 100644
+--- a/tcp.c
++++ b/tcp.c
+@@ -1696,7 +1696,7 @@ static int tcp_data_from_tap(const struct ctx *c, struct tcp_tap_conn *conn,
+ 			}
+ 		}
+ 
+-		if (th->fin)
++		if (th->fin && seq == seq_from_tap)
+ 			fin = 1;
+ 
+ 		if (!len)
+-- 
+2.47.1
+

SPECS/passt.spec

@@ -12,7 +12,7 @@
 
 Name:		passt
 Version:	0^20250512.g8ec1341
-Release:	2%{?dist}
+Release:	4%{?dist}
 Summary:	User-mode networking daemons for virtual machines and namespaces
 License:	GPL-2.0-or-later AND BSD-3-Clause
 Group:		System Environment/Daemons
@@ -21,6 +21,8 @@ Source:		https://passt.top/passt/snapshot/passt-%{git_hash}.tar.xz
 
 Patch1:		0001-selinux-Drop-user_namespace-create-allow-rules.patch
 Patch2:		0002-treewide-By-default-don-t-quit-source-after-migratio.patch
+Patch3:		0003-tcp-Cast-operands-of-sequence-comparison-macros-to-u.patch
+Patch4:		0004-tcp-Don-t-consider-FIN-flags-with-mismatching-sequen.patch
 
 BuildRequires:	gcc, make, git, checkpolicy, selinux-policy-devel
 Requires:	(%{name}-selinux = %{version}-%{release} if selinux-policy-%{selinuxtype})
@@ -133,6 +135,9 @@ fi
 %{_datadir}/selinux/packages/%{selinuxtype}/passt-repair.pp
 
 %changelog
+* Thu Oct 23 2025 Stefano Brivio <sbrivio@redhat.com> - 0^20250512.g8ec1341-4
+- Resolves: RHEL-123413 RHEL-123419
+
 * Tue Jul 29 2025 Stefano Brivio <sbrivio@redhat.com> - 0^20250512.g8ec1341-2
 - Resolves: RHEL-106326