5.15-stable patches

added patches:
	libceph-fix-invalid-accesses-to-ceph_connection_v1_info.patch

diff --git a/queue-5.15/libceph-fix-invalid-accesses-to-ceph_connection_v1_info.patch b/queue-5.15/libceph-fix-invalid-accesses-to-ceph_connection_v1_info.patch
new file mode 100644 (file)
index 0000000..8c582d5
--- /dev/null
+++ b/queue-5.15/libceph-fix-invalid-accesses-to-ceph_connection_v1_info.patch
@@ -0,0 +1,56 @@
+From cdbc9836c7afadad68f374791738f118263c5371 Mon Sep 17 00:00:00 2001
+From: Ilya Dryomov <idryomov@gmail.com>
+Date: Thu, 3 Jul 2025 12:10:50 +0200
+Subject: libceph: fix invalid accesses to ceph_connection_v1_info
+
+From: Ilya Dryomov <idryomov@gmail.com>
+
+commit cdbc9836c7afadad68f374791738f118263c5371 upstream.
+
+There is a place where generic code in messenger.c is reading and
+another place where it is writing to con->v1 union member without
+checking that the union member is active (i.e. msgr1 is in use).
+
+On 64-bit systems, con->v1.auth_retry overlaps with con->v2.out_iter,
+so such a read is almost guaranteed to return a bogus value instead of
+0 when msgr2 is in use.  This ends up being fairly benign because the
+side effect is just the invalidation of the authorizer and successive
+fetching of new tickets.
+
+con->v1.connect_seq overlaps with con->v2.conn_bufs and the fact that
+it's being written to can cause more serious consequences, but luckily
+it's not something that happens often.
+
+Cc: stable@vger.kernel.org
+Fixes: cd1a677cad99 ("libceph, ceph: implement msgr2.1 protocol (crc and secure modes)")
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Reviewed-by: Viacheslav Dubeyko <Slava.Dubeyko@ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ceph/messenger.c |    7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/net/ceph/messenger.c
++++ b/net/ceph/messenger.c
+@@ -1478,7 +1478,7 @@ static void con_fault_finish(struct ceph
+        * in case we faulted due to authentication, invalidate our
+        * current tickets so that we can get new ones.
+        */
+-      if (con->v1.auth_retry) {
++      if (!ceph_msgr2(from_msgr(con->msgr)) && con->v1.auth_retry) {
+               dout("auth_retry %d, invalidating\n", con->v1.auth_retry);
+               if (con->ops->invalidate_authorizer)
+                       con->ops->invalidate_authorizer(con);
+@@ -1668,9 +1668,10 @@ static void clear_standby(struct ceph_co
+ {
+       /* come back from STANDBY? */
+       if (con->state == CEPH_CON_S_STANDBY) {
+-              dout("clear_standby %p and ++connect_seq\n", con);
++              dout("clear_standby %p\n", con);
+               con->state = CEPH_CON_S_PREOPEN;
+-              con->v1.connect_seq++;
++              if (!ceph_msgr2(from_msgr(con->msgr)))
++                      con->v1.connect_seq++;
+               WARN_ON(ceph_con_flag_test(con, CEPH_CON_F_WRITE_PENDING));
+               WARN_ON(ceph_con_flag_test(con, CEPH_CON_F_KEEPALIVE_PENDING));
+       }

diff --git a/queue-5.15/series b/queue-5.15/series
index 4eea8d8cbc3f23d7eb6b128d0f08d6b5ed7e23f1..b97556779344fe5a30bf001b7323cb546d6ffbac 100644 (file)
--- a/queue-5.15/series
+++ b/queue-5.15/series
@@ -25,3 +25,4 @@ ocfs2-fix-recursive-semaphore-deadlock-in-fiemap-call.patch
 mtd-rawnand-stm32_fmc2-fix-ecc-overwrite.patch
 fuse-check-if-copy_file_range-returns-larger-than-requested-size.patch
 fuse-prevent-overflow-in-copy_file_range-return-value.patch
+libceph-fix-invalid-accesses-to-ceph_connection_v1_info.patch