6.6-stable patches

added patches:
	libceph-fix-invalid-accesses-to-ceph_connection_v1_info.patch

diff --git a/queue-6.6/libceph-fix-invalid-accesses-to-ceph_connection_v1_info.patch b/queue-6.6/libceph-fix-invalid-accesses-to-ceph_connection_v1_info.patch
new file mode 100644 (file)
index 0000000..6efd18c
--- /dev/null
+++ b/queue-6.6/libceph-fix-invalid-accesses-to-ceph_connection_v1_info.patch
@@ -0,0 +1,56 @@
+From cdbc9836c7afadad68f374791738f118263c5371 Mon Sep 17 00:00:00 2001
+From: Ilya Dryomov <idryomov@gmail.com>
+Date: Thu, 3 Jul 2025 12:10:50 +0200
+Subject: libceph: fix invalid accesses to ceph_connection_v1_info
+
+From: Ilya Dryomov <idryomov@gmail.com>
+
+commit cdbc9836c7afadad68f374791738f118263c5371 upstream.
+
+There is a place where generic code in messenger.c is reading and
+another place where it is writing to con->v1 union member without
+checking that the union member is active (i.e. msgr1 is in use).
+
+On 64-bit systems, con->v1.auth_retry overlaps with con->v2.out_iter,
+so such a read is almost guaranteed to return a bogus value instead of
+0 when msgr2 is in use.  This ends up being fairly benign because the
+side effect is just the invalidation of the authorizer and successive
+fetching of new tickets.
+
+con->v1.connect_seq overlaps with con->v2.conn_bufs and the fact that
+it's being written to can cause more serious consequences, but luckily
+it's not something that happens often.
+
+Cc: stable@vger.kernel.org
+Fixes: cd1a677cad99 ("libceph, ceph: implement msgr2.1 protocol (crc and secure modes)")
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Reviewed-by: Viacheslav Dubeyko <Slava.Dubeyko@ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ceph/messenger.c |    7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/net/ceph/messenger.c
++++ b/net/ceph/messenger.c
+@@ -1524,7 +1524,7 @@ static void con_fault_finish(struct ceph
+        * in case we faulted due to authentication, invalidate our
+        * current tickets so that we can get new ones.
+        */
+-      if (con->v1.auth_retry) {
++      if (!ceph_msgr2(from_msgr(con->msgr)) && con->v1.auth_retry) {
+               dout("auth_retry %d, invalidating\n", con->v1.auth_retry);
+               if (con->ops->invalidate_authorizer)
+                       con->ops->invalidate_authorizer(con);
+@@ -1714,9 +1714,10 @@ static void clear_standby(struct ceph_co
+ {
+       /* come back from STANDBY? */
+       if (con->state == CEPH_CON_S_STANDBY) {
+-              dout("clear_standby %p and ++connect_seq\n", con);
++              dout("clear_standby %p\n", con);
+               con->state = CEPH_CON_S_PREOPEN;
+-              con->v1.connect_seq++;
++              if (!ceph_msgr2(from_msgr(con->msgr)))
++                      con->v1.connect_seq++;
+               WARN_ON(ceph_con_flag_test(con, CEPH_CON_F_WRITE_PENDING));
+               WARN_ON(ceph_con_flag_test(con, CEPH_CON_F_KEEPALIVE_PENDING));
+       }

diff --git a/queue-6.6/series b/queue-6.6/series
index 16662b0cba01b8431370312acce946337155740c..8f52b757643e4e325fe35c75e044e9bed6d1ffbc 100644 (file)
--- a/queue-6.6/series
+++ b/queue-6.6/series
@@ -46,3 +46,4 @@ drm-amdgpu-vcn-allow-limiting-ctx-to-instance-0-for-av1-at-any-time.patch
 drm-amdgpu-vcn4-fix-ib-parsing-with-multiple-engine-info-packages.patch
 mtd-nand-raw-atmel-fix-comment-in-timings-preparation.patch
 mtd-nand-raw-atmel-respect-tar-tclr-in-read-setup-timing.patch
+libceph-fix-invalid-accesses-to-ceph_connection_v1_info.patch