From: Greg Kroah-Hartman
Date: Sun, 14 Sep 2025 07:48:34 +0000 (+0200)
Subject: 5.15-stable patches
X-Git-Tag: v6.1.153~58
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=bf51b37fa0f97bd1cb58ff31903899ec65602bc9;p=thirdparty%2Fkernel%2Fstable-queue.git
5.15-stable patches
added patches:
libceph-fix-invalid-accesses-to-ceph_connection_v1_info.patch
---
diff --git a/queue-5.15/libceph-fix-invalid-accesses-to-ceph_connection_v1_info.patch b/queue-5.15/libceph-fix-invalid-accesses-to-ceph_connection_v1_info.patch
new file mode 100644
index 0000000000..8c582d5e9e
--- /dev/null
+++ b/queue-5.15/libceph-fix-invalid-accesses-to-ceph_connection_v1_info.patch
@@ -0,0 +1,56 @@
+From cdbc9836c7afadad68f374791738f118263c5371 Mon Sep 17 00:00:00 2001
+From: Ilya Dryomov
+Date: Thu, 3 Jul 2025 12:10:50 +0200
+Subject: libceph: fix invalid accesses to ceph_connection_v1_info
+
+From: Ilya Dryomov
+
+commit cdbc9836c7afadad68f374791738f118263c5371 upstream.
+
+There is a place where generic code in messenger.c is reading and
+another place where it is writing to con->v1 union member without
+checking that the union member is active (i.e. msgr1 is in use).
+
+On 64-bit systems, con->v1.auth_retry overlaps with con->v2.out_iter,
+so such a read is almost guaranteed to return a bogus value instead of
+0 when msgr2 is in use. This ends up being fairly benign because the
+side effect is just the invalidation of the authorizer and successive
+fetching of new tickets.
+
+con->v1.connect_seq overlaps with con->v2.conn_bufs and the fact that
+it's being written to can cause more serious consequences, but luckily
+it's not something that happens often.
+
+Cc: stable@vger.kernel.org
+Fixes: cd1a677cad99 ("libceph, ceph: implement msgr2.1 protocol (crc and secure modes)")
+Signed-off-by: Ilya Dryomov
+Reviewed-by: Viacheslav Dubeyko
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ceph/messenger.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/net/ceph/messenger.c
++++ b/net/ceph/messenger.c
+@@ -1478,7 +1478,7 @@ static void con_fault_finish(struct ceph
+ * in case we faulted due to authentication, invalidate our
+ * current tickets so that we can get new ones.
+ */
+- if (con->v1.auth_retry) {
++ if (!ceph_msgr2(from_msgr(con->msgr)) && con->v1.auth_retry) {
+ dout("auth_retry %d, invalidating\n", con->v1.auth_retry);
+ if (con->ops->invalidate_authorizer)
+ con->ops->invalidate_authorizer(con);
+@@ -1668,9 +1668,10 @@ static void clear_standby(struct ceph_co
+ {
+ /* come back from STANDBY? */
+ if (con->state == CEPH_CON_S_STANDBY) {
+- dout("clear_standby %p and ++connect_seq\n", con);
++ dout("clear_standby %p\n", con);
+ con->state = CEPH_CON_S_PREOPEN;
+- con->v1.connect_seq++;
++ if (!ceph_msgr2(from_msgr(con->msgr)))
++ con->v1.connect_seq++;
+ WARN_ON(ceph_con_flag_test(con, CEPH_CON_F_WRITE_PENDING));
+ WARN_ON(ceph_con_flag_test(con, CEPH_CON_F_KEEPALIVE_PENDING));
+ }
diff --git a/queue-5.15/series b/queue-5.15/series
index 4eea8d8cbc..b975567793 100644
--- a/queue-5.15/series
+++ b/queue-5.15/series
@@ -25,3 +25,4 @@ ocfs2-fix-recursive-semaphore-deadlock-in-fiemap-call.patch
 mtd-rawnand-stm32_fmc2-fix-ecc-overwrite.patch
 fuse-check-if-copy_file_range-returns-larger-than-requested-size.patch
 fuse-prevent-overflow-in-copy_file_range-return-value.patch
+libceph-fix-invalid-accesses-to-ceph_connection_v1_info.patch
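Review bot: The new guard `!ceph_msgr2(from_msgr(con->msgr))` is added at both changed sites (con_fault_finish and clear_standby) with no comment stating why it is required, so a later reader may take it for a redundant check and fold it away, reintroducing the union misuse the patch fixes. The commit message explains that `con->v1` shares storage with `con->v2` and is only meaningful while msgr1 is active; a one-line comment at the first guard, `/* con->v1 shares a union with con->v2 and is only valid for msgr1 */`, would tie the check to that invariant at the point where it matters. The double call chain is repeated verbatim at both sites and would read better behind a small static predicate, though as a stable backport the code should stay aligned with the upstream commit rather than diverge. Both con_fault_finish and clear_standby continue outside the hunk; the remaining `con->v1.auth_retry` read in the dout() call sits inside the guarded block, so it is covered by the same check.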