mirror of https://github.com/torvalds/linux.git
cdbc9836c7
There is a place where generic code in messenger.c is reading and
another place where it is writing to con->v1 union member without
checking that the union member is active (i.e. msgr1 is in use).
On 64-bit systems, con->v1.auth_retry overlaps with con->v2.out_iter,
so such a read is almost guaranteed to return a bogus value instead of
0 when msgr2 is in use. This ends up being fairly benign because the
side effect is just the invalidation of the authorizer and successive
fetching of new tickets.
con->v1.connect_seq overlaps with con->v2.conn_bufs and the fact that
it's being written to can cause more serious consequences, but luckily
it's not something that happens often.
Cc: stable@vger.kernel.org
Fixes:
|
||
|---|---|---|
| .. | ||
| crush | ||
| Kconfig | ||
| Makefile | ||
| armor.c | ||
| auth.c | ||
| auth_none.c | ||
| auth_none.h | ||
| auth_x.c | ||
| auth_x.h | ||
| auth_x_protocol.h | ||
| buffer.c | ||
| ceph_common.c | ||
| ceph_hash.c | ||
| ceph_strings.c | ||
| cls_lock_client.c | ||
| crypto.c | ||
| crypto.h | ||
| debugfs.c | ||
| decode.c | ||
| messenger.c | ||
| messenger_v1.c | ||
| messenger_v2.c | ||
| mon_client.c | ||
| msgpool.c | ||
| osd_client.c | ||
| osdmap.c | ||
| pagelist.c | ||
| pagevec.c | ||
| snapshot.c | ||
| string_table.c | ||
| striper.c | ||