From 4e57ebfa5047f946891e0f1a84c81b8eadb22b42 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Sun, 14 Sep 2025 09:48:48 +0200
Subject: [PATCH] 6.6-stable patches

added patches:
libceph-fix-invalid-accesses-to-ceph_connection_v1_info.patch
---
 ...-accesses-to-ceph_connection_v1_info.patch | 56 +++++++++++++++++++
 queue-6.6/series | 1 +
 2 files changed, 57 insertions(+)
 create mode 100644 queue-6.6/libceph-fix-invalid-accesses-to-ceph_connection_v1_info.patch

diff --git a/queue-6.6/libceph-fix-invalid-accesses-to-ceph_connection_v1_info.patch b/queue-6.6/libceph-fix-invalid-accesses-to-ceph_connection_v1_info.patch
new file mode 100644
index 0000000000..6efd18c1c0
--- /dev/null
+++ b/queue-6.6/libceph-fix-invalid-accesses-to-ceph_connection_v1_info.patch
@@ -0,0 +1,56 @@
+From cdbc9836c7afadad68f374791738f118263c5371 Mon Sep 17 00:00:00 2001
+From: Ilya Dryomov
+Date: Thu, 3 Jul 2025 12:10:50 +0200
+Subject: libceph: fix invalid accesses to ceph_connection_v1_info
+
+From: Ilya Dryomov
+
+commit cdbc9836c7afadad68f374791738f118263c5371 upstream.
+
+There is a place where generic code in messenger.c is reading and
+another place where it is writing to con->v1 union member without
+checking that the union member is active (i.e. msgr1 is in use).
+
+On 64-bit systems, con->v1.auth_retry overlaps with con->v2.out_iter,
+so such a read is almost guaranteed to return a bogus value instead of
+0 when msgr2 is in use. This ends up being fairly benign because the
+side effect is just the invalidation of the authorizer and successive
+fetching of new tickets.
+
+con->v1.connect_seq overlaps with con->v2.conn_bufs and the fact that
+it's being written to can cause more serious consequences, but luckily
+it's not something that happens often.
+
+Cc: stable@vger.kernel.org
+Fixes: cd1a677cad99 ("libceph, ceph: implement msgr2.1 protocol (crc and secure modes)")
+Signed-off-by: Ilya Dryomov
+Reviewed-by: Viacheslav Dubeyko
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ceph/messenger.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/net/ceph/messenger.c
++++ b/net/ceph/messenger.c
+@@ -1524,7 +1524,7 @@ static void con_fault_finish(struct ceph
+ * in case we faulted due to authentication, invalidate our
+ * current tickets so that we can get new ones.
+ */
+- if (con->v1.auth_retry) {
++ if (!ceph_msgr2(from_msgr(con->msgr)) && con->v1.auth_retry) {
+ dout("auth_retry %d, invalidating\n", con->v1.auth_retry);
+ if (con->ops->invalidate_authorizer)
+ con->ops->invalidate_authorizer(con);
+@@ -1714,9 +1714,10 @@ static void clear_standby(struct ceph_co
+ {
+ /* come back from STANDBY? */
+ if (con->state == CEPH_CON_S_STANDBY) {
+- dout("clear_standby %p and ++connect_seq\n", con);
++ dout("clear_standby %p\n", con);
+ con->state = CEPH_CON_S_PREOPEN;
+- con->v1.connect_seq++;
++ if (!ceph_msgr2(from_msgr(con->msgr)))
++ con->v1.connect_seq++;
+ WARN_ON(ceph_con_flag_test(con, CEPH_CON_F_WRITE_PENDING));
+ WARN_ON(ceph_con_flag_test(con, CEPH_CON_F_KEEPALIVE_PENDING));
+ }
diff --git a/queue-6.6/series b/queue-6.6/series
index 16662b0cba..8f52b75764 100644
--- a/queue-6.6/series
+++ b/queue-6.6/series
@@ -46,3 +46,4 @@ drm-amdgpu-vcn-allow-limiting-ctx-to-instance-0-for-av1-at-any-time.patch
 drm-amdgpu-vcn4-fix-ib-parsing-with-multiple-engine-info-packages.patch
 mtd-nand-raw-atmel-fix-comment-in-timings-preparation.patch
 mtd-nand-raw-atmel-respect-tar-tclr-in-read-setup-timing.patch
+libceph-fix-invalid-accesses-to-ceph_connection_v1_info.patch
-- 
2.47.3
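Review bot: The new guards in con_fault_finish() and clear_standby() encode the invariant that con->v1 is only meaningful while msgr1 is active, but nothing at either site says so; a reader sees an unexplained protocol check in front of a plain field access. A one-line comment at each guarded access, e.g. `/* con->v1 shares storage with con->v2 (union); only valid when msgr1 is in use */`, would tie the code to the overlap the commit message describes and make it less likely that the next con->v1 access is added without the check. The same `!ceph_msgr2(from_msgr(con->msgr))` test now appears at both sites and presumably elsewhere in messenger.c; a small static inline helper naming the "msgr1 in use" condition would make the intent explicit, though I cannot see the rest of the file to confirm whether one already exists. Both con_fault_finish() and clear_standby() extend beyond the quoted hunks.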