From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Ilya Dryomov <idryomov@gmail.com>,
	Josh Durgin <jdurgin@redhat.com>
Subject: [PATCH 3.14 20/37] rbd: prevent kernel stack blow up on rbd map
Date: Fri,  6 Nov 2015 11:24:35 -0800	[thread overview]
Message-ID: <20151106192411.928866078@linuxfoundation.org> (raw)
In-Reply-To: <20151106192410.681850286@linuxfoundation.org>

3.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ilya Dryomov <idryomov@gmail.com>

commit 6d69bb536bac0d403d83db1ca841444981b280cd upstream.

Mapping an image with a long parent chain (e.g. image foo, whose parent
is bar, whose parent is baz, etc) currently leads to a kernel stack
overflow, due to the following recursion in the reply path:

  rbd_osd_req_callback()
    rbd_obj_request_complete()
      rbd_img_obj_callback()
        rbd_img_parent_read_callback()
          rbd_obj_request_complete()
            ...

Limit the parent chain to 16 images, which is ~5K worth of stack.  When
the above recursion is eliminated, this limit can be lifted.

Fixes: http://tracker.ceph.com/issues/12538

Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Reviewed-by: Josh Durgin <jdurgin@redhat.com>
[idryomov@gmail.com: backport to 3.14: rbd_dev->opts, context]
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/block/rbd.c |   29 +++++++++++++++++++++--------
 1 file changed, 21 insertions(+), 8 deletions(-)

--- a/drivers/block/rbd.c
+++ b/drivers/block/rbd.c
@@ -94,6 +94,8 @@ static int atomic_dec_return_safe(atomic
 #define RBD_MINORS_PER_MAJOR		256
 #define RBD_SINGLE_MAJOR_PART_SHIFT	4
 
+#define RBD_MAX_PARENT_CHAIN_LEN	16
+
 #define RBD_SNAP_DEV_NAME_PREFIX	"snap_"
 #define RBD_MAX_SNAP_NAME_LEN	\
 			(NAME_MAX - (sizeof (RBD_SNAP_DEV_NAME_PREFIX) - 1))
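Review bot: `RBD_MAX_PARENT_CHAIN_LEN` is added without a comment, although its value is a stack-safety bound rather than a format or protocol limit. The commit message gives the reasoning (recursion in the reply path, with 16 images costing roughly 5K of stack), and that belongs next to the define so the limit is not raised later without rechecking stack usage. Something like `/* Bounds reply-path recursion: ~5K of stack at 16 images */` above the define would be enough.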
@@ -411,7 +413,7 @@ static ssize_t rbd_add_single_major(stru
 				    size_t count);
 static ssize_t rbd_remove_single_major(struct bus_type *bus, const char *buf,
 				       size_t count);
-static int rbd_dev_image_probe(struct rbd_device *rbd_dev, bool mapping);
+static int rbd_dev_image_probe(struct rbd_device *rbd_dev, int depth);
 static void rbd_spec_put(struct rbd_spec *spec);
 
 static int rbd_dev_id_to_minor(int dev_id)
@@ -4822,7 +4824,12 @@ out_err:
 	return ret;
 }
 
-static int rbd_dev_probe_parent(struct rbd_device *rbd_dev)
+/*
+ * @depth is rbd_dev_image_probe() -> rbd_dev_probe_parent() ->
+ * rbd_dev_image_probe() recursion depth, which means it's also the
+ * length of the already discovered part of the parent chain.
+ */
+static int rbd_dev_probe_parent(struct rbd_device *rbd_dev, int depth)
 {
 	struct rbd_device *parent = NULL;
 	int ret;
@@ -4830,6 +4837,12 @@ static int rbd_dev_probe_parent(struct r
 	if (!rbd_dev->parent_spec)
 		return 0;
 
+	if (++depth > RBD_MAX_PARENT_CHAIN_LEN) {
+		pr_info("parent chain is too long (%d)\n", depth);
+		ret = -EINVAL;
+		goto out_err;
+	}
+
 	parent = rbd_dev_create(rbd_dev->rbd_client, rbd_dev->parent_spec);
 	if (!parent) {
 		ret = -ENOMEM;
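Review bot: The over-limit branch in rbd_dev_probe_parent() logs with `pr_info` and names no image, so a failed map leaves only an informational line that cannot be tied to a device. The chain length presumably comes from image metadata rather than from local configuration, so a rejection here is worth a warning that identifies the device, e.g. `rbd_warn(rbd_dev, "parent chain is too long (%d)", depth);` if that helper is available in this tree. The branch also jumps to `out_err` while `parent` is still NULL; that label lies outside this hunk, so confirm its cleanup tolerates a NULL parent in the 3.14 backport.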
@@ -4843,7 +4856,7 @@ static int rbd_dev_probe_parent(struct r
 	__rbd_get_client(rbd_dev->rbd_client);
 	rbd_spec_get(rbd_dev->parent_spec);
 
-	ret = rbd_dev_image_probe(parent, false);
+	ret = rbd_dev_image_probe(parent, depth);
 	if (ret < 0)
 		goto out_err;
 
@@ -4970,7 +4983,7 @@ static void rbd_dev_image_release(struct
  * parent), initiate a watch on its header object before using that
  * object to get detailed information about the rbd image.
  */
-static int rbd_dev_image_probe(struct rbd_device *rbd_dev, bool mapping)
+static int rbd_dev_image_probe(struct rbd_device *rbd_dev, int depth)
 {
 	int ret;
 
@@ -4990,7 +5003,7 @@ static int rbd_dev_image_probe(struct rb
 	if (ret)
 		goto err_out_format;
 
-	if (mapping) {
+	if (!depth) {
 		ret = rbd_dev_header_watch_sync(rbd_dev);
 		if (ret)
 			goto out_header_name;
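Review bot: `if (!depth)` here, and again under `err_out_watch` in the later hunk, now carries the meaning that the removed `mapping` flag spelled out, so a reader has to know that depth 0 denotes the image being mapped. A short comment at the first test would keep that explicit: `/* depth == 0: the image being mapped, not a parent */`. The comment block above rbd_dev_image_probe() starts outside the hunks shown, so check whether it should describe `depth` as well. The function body continues outside this hunk.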
@@ -5007,7 +5020,7 @@ static int rbd_dev_image_probe(struct rb
 	if (ret)
 		goto err_out_probe;
 
-	ret = rbd_dev_probe_parent(rbd_dev);
+	ret = rbd_dev_probe_parent(rbd_dev, depth);
 	if (ret)
 		goto err_out_probe;
 
@@ -5018,7 +5031,7 @@ static int rbd_dev_image_probe(struct rb
 err_out_probe:
 	rbd_dev_unprobe(rbd_dev);
 err_out_watch:
-	if (mapping)
+	if (!depth)
 		rbd_dev_header_unwatch_sync(rbd_dev);
 out_header_name:
 	kfree(rbd_dev->header_name);
@@ -5085,7 +5098,7 @@ static ssize_t do_rbd_add(struct bus_typ
 	rbdc = NULL;		/* rbd_dev now owns this */
 	spec = NULL;		/* rbd_dev now owns this */
 
-	rc = rbd_dev_image_probe(rbd_dev, true);
+	rc = rbd_dev_image_probe(rbd_dev, 0);
 	if (rc < 0)
 		goto err_out_rbd_dev;
 



