diff options
| author | Ilya Dryomov <idryomov@gmail.com> | 2025-07-03 12:10:50 +0200 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2025-10-02 13:39:01 +0200 |
| commit | ea12ab684f8ae8a6da11a22c78d94a79e2163096 (patch) | |
| tree | 4fdc7641b7f1fc9903efc96c30b64db8b8158c83 /net | |
| parent | 1e1bcbc5487776f5e039d13700695a9100f51447 (diff) | |
| download | linux-ea12ab684f8ae8a6da11a22c78d94a79e2163096.tar.gz linux-ea12ab684f8ae8a6da11a22c78d94a79e2163096.tar.bz2 linux-ea12ab684f8ae8a6da11a22c78d94a79e2163096.zip | |
libceph: fix invalid accesses to ceph_connection_v1_info
commit cdbc9836c7afadad68f374791738f118263c5371 upstream.
There is a place where generic code in messenger.c is reading and
another place where it is writing to con->v1 union member without
checking that the union member is active (i.e. msgr1 is in use).
On 64-bit systems, con->v1.auth_retry overlaps with con->v2.out_iter,
so such a read is almost guaranteed to return a bogus value instead of
0 when msgr2 is in use. This ends up being fairly benign because the
side effect is just the invalidation of the authorizer and successive
fetching of new tickets.
con->v1.connect_seq overlaps with con->v2.conn_bufs and the fact that
it's being written to can cause more serious consequences, but luckily
it's not something that happens often.
Cc: stable@vger.kernel.org
Fixes: cd1a677cad99 ("libceph, ceph: implement msgr2.1 protocol (crc and secure modes)")
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Reviewed-by: Viacheslav Dubeyko <Slava.Dubeyko@ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'net')
| -rw-r--r-- | net/ceph/messenger.c | 7 |
1 files changed, 4 insertions, 3 deletions
diff --git a/net/ceph/messenger.c b/net/ceph/messenger.c index 043cdbb2d980..8125cd18b335 100644 --- a/net/ceph/messenger.c +++ b/net/ceph/messenger.c @@ -1478,7 +1478,7 @@ static void con_fault_finish(struct ceph_connection *con) * in case we faulted due to authentication, invalidate our * current tickets so that we can get new ones. */ - if (con->v1.auth_retry) { + if (!ceph_msgr2(from_msgr(con->msgr)) && con->v1.auth_retry) { dout("auth_retry %d, invalidating\n", con->v1.auth_retry); if (con->ops->invalidate_authorizer) con->ops->invalidate_authorizer(con); @@ -1668,9 +1668,10 @@ static void clear_standby(struct ceph_connection *con) { /* come back from STANDBY? */ if (con->state == CEPH_CON_S_STANDBY) { - dout("clear_standby %p and ++connect_seq\n", con); + dout("clear_standby %p\n", con); con->state = CEPH_CON_S_PREOPEN; - con->v1.connect_seq++; + if (!ceph_msgr2(from_msgr(con->msgr))) + con->v1.connect_seq++; WARN_ON(ceph_con_flag_test(con, CEPH_CON_F_WRITE_PENDING)); WARN_ON(ceph_con_flag_test(con, CEPH_CON_F_KEEPALIVE_PENDING)); } |