Re: [ovs-dev] [v2] dpdk: Use DPDK 21.11.2 release.

[Maxime Coquelin]

On 9/20/22 11:28, Phelan, Michael wrote:

-----Original Message-----
From: Maxime Coquelin <maxime.coque...@redhat.com>
Sent: Monday 19 September 2022 12:39
To: Phelan, Michael <michael.phe...@intel.com>; d...@openvswitch.org
Cc: i.maxim...@ovn.org
Subject: Re: [ovs-dev] [v2] dpdk: Use DPDK 21.11.2 release.



On 9/16/22 16:23, Michael Phelan wrote:

Update OVS CLI and relevant documentation to use DPDK 21.11.2.

DPDK 21.11.2 contains fixes for the CVEs listed below:
CVE-2022-28199 [1]
CVE-2022-2132 [2]

A bug was introduced in DPDK 21.11.1 by the commit 01e3dee29c02 ("vhost:

fix unsafe vring addresses modifications").

This bug can cause a deadlock when vIOMMU is enabled and NUMA

reallocation of the virtqueues happen.

A fix [3] has been posted and is due to be included in the 21.11.3 release in

December 2022.

If a user wishes to avoid the issue then it is recommended to use DPDK 21.11.0

until the release of DPDK 21.11.3.

It should be noted that DPDK 21.11.0 does not benefit from the numerous bug

and CVE fixes addressed since its release.

If a user wishes to benefit from these fixes it is recommended to use DPDK

21.11.2.

[1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28199
[2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2132
[3]
https://patches.dpdk.org/project/dpdk/patch/20220725203206.427083-2-da
vid.march...@redhat.com/
Signed-off-by: Michael Phelan <michael.phe...@intel.com>

---
v2:
    - Update recommended DPDK version for older OvS versions in

Documentation.

---
---
   .ci/linux-build.sh                   |  2 +-
   Documentation/faq/releases.rst       | 12 ++++++------
   Documentation/intro/install/dpdk.rst |  8 ++++----
   NEWS                                 | 20 ++++++++++++++++++++
   4 files changed, 31 insertions(+), 11 deletions(-)

diff --git a/.ci/linux-build.sh b/.ci/linux-build.sh index
509314a07..23c8bbb7a 100755
--- a/.ci/linux-build.sh
+++ b/.ci/linux-build.sh
@@ -228,7 +228,7 @@ fi

   if [ "$DPDK" ] || [ "$DPDK_SHARED" ]; then
       if [ -z "$DPDK_VER" ]; then
-        DPDK_VER="21.11.1"
+        DPDK_VER="21.11.2"
       fi
       install_dpdk $DPDK_VER
   fi
diff --git a/Documentation/faq/releases.rst
b/Documentation/faq/releases.rst index 1bc22a6ba..6ce0b4cd5 100644
--- a/Documentation/faq/releases.rst
+++ b/Documentation/faq/releases.rst
@@ -210,12 +210,12 @@ Q: What DPDK version does each Open vSwitch

release work with?

       2.10.x       17.11.10
       2.11.x       18.11.9
       2.12.x       18.11.9
-    2.13.x       19.11.10
-    2.14.x       19.11.10
-    2.15.x       20.11.4
-    2.16.x       20.11.4
-    2.17.x       21.11.1
-    3.0.x        21.11.1
+    2.13.x       19.11.13
+    2.14.x       19.11.13
+    2.15.x       20.11.6
+    2.16.x       20.11.6
+    2.17.x       21.11.2
+    3.0.x        21.11.2
       ============ ========

   Q: Are all the DPDK releases that OVS versions work with maintained?
diff --git a/Documentation/intro/install/dpdk.rst
b/Documentation/intro/install/dpdk.rst
index 0f3712c79..a284e6851 100644
--- a/Documentation/intro/install/dpdk.rst
+++ b/Documentation/intro/install/dpdk.rst
@@ -42,7 +42,7 @@ Build requirements
   In addition to the requirements described in :doc:`general`, building Open
   vSwitch with DPDK will require the following:

-- DPDK 21.11.1
+- DPDK 21.11.2

   - A `DPDK supported NIC`_

@@ -73,9 +73,9 @@ Install DPDK
   #. Download the `DPDK sources`_, extract the file and set ``DPDK_DIR``::

          $ cd /usr/src/
-       $ wget https://fast.dpdk.org/rel/dpdk-21.11.1.tar.xz
-       $ tar xf dpdk-21.11.1.tar.xz
-       $ export DPDK_DIR=/usr/src/dpdk-stable-21.11.1
+       $ wget https://fast.dpdk.org/rel/dpdk-21.11.2.tar.xz
+       $ tar xf dpdk-21.11.2.tar.xz
+       $ export DPDK_DIR=/usr/src/dpdk-stable-21.11.2
          $ cd $DPDK_DIR

   #. Configure and install DPDK using Meson diff --git a/NEWS b/NEWS
index 843abc7ac..f4e9ad0a2 100644
--- a/NEWS
+++ b/NEWS
@@ -3,6 +3,26 @@ Post-v3.0.0
      - ovs-appctl:
        * "ovs-appctl ofproto/trace" command can now display port names with

the

          "--names" option.
+- DPDK:
+     * OVS validated with DPDK 21.11.2. It is recommended to use this version
+       until further releases.
+       DPDK 21.11.2 contains fixes for the following CVEs:
+       CVE-2022-28199 cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-

28199

+       CVE-2022-2132 cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-

2132

+       A bug was introduced in DPDK 21.11.1 by the commit
+       01e3dee29c02 ("vhost: fix unsafe vring addresses modifications").
+       This bug can cause a deadlock when vIOMMU is enabled and NUMA
+       reallocation of the virtqueues happen.
+       A fix has been posted and is due to be included in the DPDK 21.11.3
+       release.
+       It can be found here:
+       https://patches.dpdk.org/project/dpdk/patch/20220725203206.427083-

2-david.march...@redhat.com/.

+       If a user wishes to avoid the issue then it is recommended to use
+       DPDK 21.11.0 until the release of DPDK 21.11.3.
+       It should be noted that DPDK 21.11.0 does not benefit from the numerous
+       bug and CVE fixes addressed since its release.
+       If a user wishes to benefit from these fixes it is recommended to use
+       DPDK 21.11.2.


   v3.0.0 - 15 Aug 2022

Reviewed-by: Maxime Coquelin <maxime.coque...@redhat.com>

Thanks for having added the discovered issue, Maxime

Thanks for the review Maxime.

Kevin/Ilya do you have any other feedback before I begin generating the patches 
for the other branches?

Kevin suggested the fix to be backported early to the DPDK stable
branches, I just sent a mail to the LTS maintainers requesting so.

If they agree, it might be a good idea to mention it in the paragraph
you added documenting the issue?

Thanks,
Maxime


_______________________________________________
dev mailing list
d...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-dev