From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Jeff Layton <jlayton@kernel.org>,
Xiubo Li <xiubli@redhat.com>, Ilya Dryomov <idryomov@gmail.com>,
Sasha Levin <sashal@kernel.org>
Subject: [PATCH 5.10 29/47] ceph: dont allow access to MDS-private inodes
Date: Thu, 20 May 2021 11:22:27 +0200
Message-ID: <20210520092054.489098425@linuxfoundation.org>
In-Reply-To: <20210520092053.559923764@linuxfoundation.org>
From: Jeff Layton <jlayton@kernel.org>
[ Upstream commit d4f6b31d721779d91b5e2f8072478af73b196c34 ]
The MDS reserves a set of inodes for its own usage, and these should
never be accessible to clients. Add a new helper to vet a proposed
inode number against that range, and complain loudly and refuse to
create or look it up if it's in it.
Also, ensure that the MDS doesn't try to delegate inodes that are in
that range or lower. Print a warning if it does, and don't save the
range in the xarray.
URL: https://tracker.ceph.com/issues/49922
Signed-off-by: Jeff Layton <jlayton@kernel.org>
Reviewed-by: Xiubo Li <xiubli@redhat.com>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ceph/export.c | 8 ++++++++
fs/ceph/inode.c | 3 +++
fs/ceph/mds_client.c | 7 +++++++
fs/ceph/super.h | 24 ++++++++++++++++++++++++
4 files changed, 42 insertions(+)
diff --git a/fs/ceph/export.c b/fs/ceph/export.c
index baa6368bece5..042bb4a02c0a 100644
--- a/fs/ceph/export.c
+++ b/fs/ceph/export.c
@@ -129,6 +129,10 @@ static struct inode *__lookup_inode(struct super_block *sb, u64 ino)
vino.ino = ino;
vino.snap = CEPH_NOSNAP;
+
+ if (ceph_vino_is_reserved(vino))
+ return ERR_PTR(-ESTALE);
+
inode = ceph_find_inode(sb, vino);
if (!inode) {
struct ceph_mds_request *req;
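Review bot: the early return in __lookup_inode() looks redundant next to the check this patch also adds inside ceph_find_inode(), but it is not. ceph_find_inode() returns NULL for a reserved number, and NULL here falls into the `if (!inode)` branch that sets up a ceph_mds_request. A one-line comment above the check saying it must stay ahead of ceph_find_inode() for that reason would keep a later cleanup from dropping it.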
@@ -214,6 +218,10 @@ static struct dentry *__snapfh_to_dentry(struct super_block *sb,
vino.ino = sfh->ino;
vino.snap = sfh->snapid;
}
+
+ if (ceph_vino_is_reserved(vino))
+ return ERR_PTR(-ESTALE);
+
inode = ceph_find_inode(sb, vino);
if (inode)
return d_obtain_alias(inode);
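Review bot: in __snapfh_to_dentry() vino.ino is copied from sfh->ino, a value carried in the file handle, and ceph_vino_is_reserved() reports a hit with WARN_RATELIMIT(1, ...). A handle holding a reserved number therefore produces a kernel warning with a backtrace, and a panic where panic_on_warn is set. For a value that arrives from outside the kernel, pr_warn_ratelimited(), as the mds_client.c hunk uses, would record the same event without the WARN. Consider a variant of the helper that only logs, for use on the two export.c paths.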
diff --git a/fs/ceph/inode.c b/fs/ceph/inode.c
index 790433cb849e..346fcdfcd3e9 100644
--- a/fs/ceph/inode.c
+++ b/fs/ceph/inode.c
@@ -56,6 +56,9 @@ struct inode *ceph_get_inode(struct super_block *sb, struct ceph_vino vino)
{
struct inode *inode;
+ if (ceph_vino_is_reserved(vino))
+ return ERR_PTR(-EREMOTEIO);
+
inode = iget5_locked(sb, (unsigned long)vino.ino, ceph_ino_compare,
ceph_set_ino_cb, &vino);
if (!inode)
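Review bot: ceph_get_inode() returns ERR_PTR(-EREMOTEIO) for a reserved number, while the two export.c lookups return -ESTALE and ceph_find_inode() returns NULL, and nothing in the patch says why the codes differ. A short comment above the check stating what -EREMOTEIO is meant to signal on this path would document the intent. Since this is a new error return at the very top of the function, please also confirm that every caller tests the result with IS_ERR() and not only for NULL.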
diff --git a/fs/ceph/mds_client.c b/fs/ceph/mds_client.c
index 8f1d7500a7ec..d560752b764d 100644
--- a/fs/ceph/mds_client.c
+++ b/fs/ceph/mds_client.c
@@ -433,6 +433,13 @@ static int ceph_parse_deleg_inos(void **p, void *end,
ceph_decode_64_safe(p, end, start, bad);
ceph_decode_64_safe(p, end, len, bad);
+
+ /* Don't accept a delegation of system inodes */
+ if (start < CEPH_INO_SYSTEM_BASE) {
+ pr_warn_ratelimited("ceph: ignoring reserved inode range delegation (start=0x%llx len=0x%llx)\n",
+ start, len);
+ continue;
+ }
while (len--) {
int err = xa_insert(&s->s_delegated_inos, ino = start++,
DELEGATED_INO_AVAILABLE,
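Review bot: the comment in ceph_parse_deleg_inos() says "system inodes", but the test `start < CEPH_INO_SYSTEM_BASE` also rejects ranges that start below CEPH_MDS_INO_MDSDIR_OFFSET, which ceph_vino_is_reserved() does not count as reserved. The commit message covers this with "in that range or lower"; the code comment should say the same so the two checks are not read as equivalent. The warning prints start and len only; adding which session sent the delegation would make the log line actionable.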
diff --git a/fs/ceph/super.h b/fs/ceph/super.h
index 482473e4cce1..c33f744a8e11 100644
--- a/fs/ceph/super.h
+++ b/fs/ceph/super.h
@@ -529,10 +529,34 @@ static inline int ceph_ino_compare(struct inode *inode, void *data)
ci->i_vino.snap == pvino->snap;
}
+/*
+ * The MDS reserves a set of inodes for its own usage. These should never
+ * be accessible by clients, and so the MDS has no reason to ever hand these
+ * out. The range is CEPH_MDS_INO_MDSDIR_OFFSET..CEPH_INO_SYSTEM_BASE.
+ *
+ * These come from src/mds/mdstypes.h in the ceph sources.
+ */
+#define CEPH_MAX_MDS 0x100
+#define CEPH_NUM_STRAY 10
+#define CEPH_MDS_INO_MDSDIR_OFFSET (1 * CEPH_MAX_MDS)
+#define CEPH_INO_SYSTEM_BASE ((6*CEPH_MAX_MDS) + (CEPH_MAX_MDS * CEPH_NUM_STRAY))
+
+static inline bool ceph_vino_is_reserved(const struct ceph_vino vino)
+{
+ if (vino.ino < CEPH_INO_SYSTEM_BASE &&
+ vino.ino >= CEPH_MDS_INO_MDSDIR_OFFSET) {
+ WARN_RATELIMIT(1, "Attempt to access reserved inode number 0x%llx", vino.ino);
+ return true;
+ }
+ return false;
+}
static inline struct inode *ceph_find_inode(struct super_block *sb,
struct ceph_vino vino)
{
+ if (ceph_vino_is_reserved(vino))
+ return NULL;
+
/*
* NB: The hashval will be run through the fs/inode.c hash function
* anyway, so there is no need to squash the inode number down to
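Review bot: the comment in super.h gives the reserved range as CEPH_MDS_INO_MDSDIR_OFFSET..CEPH_INO_SYSTEM_BASE, but ceph_vino_is_reserved() tests `vino.ino < CEPH_INO_SYSTEM_BASE`, so the upper bound is exclusive: with these defines, 0x100 up to but not including 0x1000. Please state that in the comment, for example as a half-open interval. The four defines are hand-copied from src/mds/mdstypes.h with nothing tying them to that file, so the comment should also say they must be kept in sync with the MDS side. Separately, ceph_vino_is_reserved() reads as a pure predicate but emits a WARN on every hit; since ceph_find_inode() now calls it on each lookup, a name or comment that makes the side effect obvious would help callers.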
--
2.30.2