From dad77109510ee9206f65be408636ccd4a814fe83 Mon Sep 17 00:00:00 2001
From: holyfei
Date: Mon, 17 Jan 2022 20:15:29 +0800
Subject: [PATCH] kata-containers: fix route add failed problem

reason: when kata-network update-iface is called to clean NIC ip info, the guest os will clean the related routes with NIC, however the routes info in the persisit.json file is still left. So the followed add-route command add the same route will cause the problem.

Signed-off-by: holyfei
---
 kata-containers.spec | 8 +-
 ...6-kata-runtime-fix-route-add-problem.patch | 110 ++++++++++++++++++
 runtime/series.conf | 3 +
 3 files changed, 120 insertions(+), 1 deletion(-)
 create mode 100644 runtime/patches/0066-kata-runtime-fix-route-add-problem.patch

diff --git a/kata-containers.spec b/kata-containers.spec
index d4294e8..f563560 100644
--- a/kata-containers.spec
+++ b/kata-containers.spec
@@ -2,7 +2,7 @@
 %global debug_package %{nil}
 %define VERSION v1.11.1
-%define RELEASE 8
+%define RELEASE 9
 Name: kata-containers
 Version: %{VERSION}
@@ -90,6 +90,12 @@ install -p -m 640 -D ./runtime/cli/config/configuration-qemu.toml %{buildroot}/u
 %changelog
+* Mon Jan 17 2022 yangfeiyu - 1.11.1-9
+- Type:bugfix
+- ID:NA
+- SUG:NA
+- DESC:fix route add failed problem
+
 * Tue Feb 23 2021 xinghe - 1.11.1-8
 - Type:CVE
 - ID:NA
diff --git a/runtime/patches/0066-kata-runtime-fix-route-add-problem.patch b/runtime/patches/0066-kata-runtime-fix-route-add-problem.patch
new file mode 100644
index 0000000..389efe7
--- /dev/null
+++ b/runtime/patches/0066-kata-runtime-fix-route-add-problem.patch
@@ -0,0 +1,110 @@
+From 7a3578da1182222090200d99663d1741d2d77d64 Mon Sep 17 00:00:00 2001
+From: holyfei
+Date: Mon, 17 Jan 2022 20:06:29 +0800
+Subject: [PATCH] kata-runtime: fix route add problem
+
+reason: when kata-network update-iface is called to clean NIC ip info,
+the guest os will clean the related routes with NIC, however the routes
+info in the persisit.json file is still left. So the followed add-route
+command add the same route will cause the problem.
+
+Signed-off-by: holyfei
+---
+ virtcontainers/network.go | 70 ++++---------------------------
+ 1 file changed, 7 insertions(+), 63 deletions(-)
+
+diff --git a/virtcontainers/network.go b/virtcontainers/network.go
+index 15eb790..a15a6d5 100644
+--- a/virtcontainers/network.go
++++ b/virtcontainers/network.go
+@@ -1643,45 +1643,16 @@ func isSameRoute(existing, r *netlink.Route, fuzzy bool) bool {
+ }
+
+ func addOneRoute(ns *NetworkNamespace, route *vcTypes.Route) (added *vcTypes.Route, err error) {
+- add, err := generateAddRoute(route)
++ _, err = generateAddRoute(route)
+ if err != nil {
+ return nil, err
+ }
+
+- // add the route for "lo" loopback device
+- if route.Device == localHostDeviceName {
+- added = &vcTypes.Route{
+- Dest: route.Dest,
+- Gateway: route.Gateway,
+- Device: route.Device,
+- }
+- return added, nil
+- }
+-
+- // add the route for exist network enpoints
+- for _, ep := range ns.Endpoints {
+- if ep.Name() != route.Device {
+- continue
+- }
+-
+- netInfo := ep.Properties()
+- for _, exist := range ep.Properties().Routes {
+- if isSameRoute(&exist, add, false) {
+- return nil, fmt.Errorf("route rule %v already exits", add)
+- }
+- }
+- // flush the netInfo.Routes with new added route
+- netInfo.Routes = append(netInfo.Routes, *add)
+- ep.SetProperties(netInfo)
+- added = &vcTypes.Route{
+- Dest: route.Dest,
+- Gateway: route.Gateway,
+- Device: route.Device,
+- }
+- break
+- }
+-
+- return added, nil
++ return &vcTypes.Route{
++ Dest: route.Dest,
++ Gateway: route.Gateway,
++ Device: route.Device,
++ }, nil
+ }
+
+ func generateRmRoute(route *vcTypes.Route) (r *netlink.Route, err error) {
+@@ -1757,34 +1728,7 @@ func removeRoutes(ns *NetworkNamespace, route *vcTypes.Route) (removed []*vcType
+ return nil, err
+ }
+
+- // remove the lo device related routes
+- if route.Device == localHostDeviceName {
+- removed = append(removed, parseToGrpcRoute(localHostDeviceName, del, false))
+-
+- return removed, nil
+- }
+-
+- for _, ep := range ns.Endpoints {
+- // if device is empty, means search every device
+- if route.Device != "" && ep.Name() != route.Device {
+- continue
+- }
+-
+- netInfo := ep.Properties()
+- for i, exist := range ep.Properties().Routes {
+- if isSameRoute(&exist, del, true) {
+- // need remove
+- netInfo.Routes = append(netInfo.Routes[:i], netInfo.Routes[i+1:]...)
+- ep.SetProperties(netInfo)
+- dev := route.Device
+- if route.Device == "" {
+- dev = netInfo.Iface.Name
+- }
+- removed = append(removed, parseToGrpcRoute(dev, del, false))
+- }
+- }
+- }
+-
++ removed = append(removed, parseToGrpcRoute(route.Device, del, false))
+ return removed, nil
+ }
+
+--
+2.27.0
+
diff --git a/runtime/series.conf b/runtime/series.conf
index 37b1b5f..cb0d265 100644
--- a/runtime/series.conf
+++ b/runtime/series.conf
@@ -61,3 +61,6 @@
 0061-kata-runtime-retry-inserting-of-CNI-interface.patch
 0062-kata-runtime-support-using-CNI-plugin-to-insert-muti.patch
 0063-kata-runtime-fix-get-sandbox-cpu-resources-problem.patch
+0064-CVE-2020-28914-1.patch
+0065-CVE-2020-28914-2.patch
+0066-kata-runtime-fix-route-add-problem.patch
-- Gitee
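Review bot: In the embedded network.go patch, `removeRoutes` now appends `parseToGrpcRoute(route.Device, del, false)` unconditionally, so an empty `route.Device` is passed on as an empty device name and a route the runtime never recorded is still reported as removed. The deleted loop treated an empty device as "search every device" and filled in `netInfo.Iface.Name`. `addOneRoute` likewise no longer checks that `route.Device` names an entry in `ns.Endpoints` or that the route is new, so validation rests on `generateAddRoute` and, presumably, on the guest agent. If dropping the per-endpoint bookkeeping is intended, keep a device check in `removeRoutes`, for example `if route.Device == "" { return nil, fmt.Errorf("route device is required") }`, and add a comment on both functions saying that `ns` is no longer consulted and stored route state is not updated. The body of `removeRoutes` begins outside the inner hunk, so whether callers depend on the empty-device form cannot be confirmed from here.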
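Review bot: The series.conf hunk adds `0064-CVE-2020-28914-1.patch` and `0065-CVE-2020-28914-2.patch` alongside 0066, but neither file is created by this commit and neither is mentioned in the commit message or the new changelog entry. If those patches already exist under runtime/patches (not visible here), then builds before release 9 did not apply them. In that case the changelog should record it, for example an extra line `- DESC:apply CVE-2020-28914 patches 0064 and 0065 in series.conf`, so that consumers can tell which release first carries the fix.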