From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Ilya Dryomov <idryomov@gmail.com>,
Josh Durgin <jdurgin@redhat.com>
Subject: [PATCH 4.1 40/86] rbd: prevent kernel stack blow up on rbd map
Date: Fri, 6 Nov 2015 11:22:39 -0800
Message-ID: <20151106192207.344840013@linuxfoundation.org>
In-Reply-To: <20151106192205.351595349@linuxfoundation.org>
4.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ilya Dryomov <idryomov@gmail.com>
commit 6d69bb536bac0d403d83db1ca841444981b280cd upstream.
Mapping an image with a long parent chain (e.g. image foo, whose parent
is bar, whose parent is baz, etc) currently leads to a kernel stack
overflow, due to the following recursion in the reply path:

  rbd_osd_req_callback()
    rbd_obj_request_complete()
      rbd_img_obj_callback()
        rbd_img_parent_read_callback()
          rbd_obj_request_complete()
            ...

Limit the parent chain to 16 images, which is ~5K worth of stack. When
the above recursion is eliminated, this limit can be lifted.
Fixes: http://tracker.ceph.com/issues/12538
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Reviewed-by: Josh Durgin <jdurgin@redhat.com>
[idryomov@gmail.com: backport to 4.1: rbd_dev->opts]
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/block/rbd.c | 33 +++++++++++++++++++++++----------
1 file changed, 23 insertions(+), 10 deletions(-)
--- a/drivers/block/rbd.c
+++ b/drivers/block/rbd.c
@@ -96,6 +96,8 @@ static int atomic_dec_return_safe(atomic
#define RBD_MINORS_PER_MAJOR 256
#define RBD_SINGLE_MAJOR_PART_SHIFT 4
+#define RBD_MAX_PARENT_CHAIN_LEN 16
+
#define RBD_SNAP_DEV_NAME_PREFIX "snap_"
#define RBD_MAX_SNAP_NAME_LEN \
(NAME_MAX - (sizeof (RBD_SNAP_DEV_NAME_PREFIX) - 1))
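Review bot: RBD_MAX_PARENT_CHAIN_LEN is added here with no comment saying where 16 comes from. The commit message has the reasoning (about 5K of stack for the recursive reply path, and the limit can be lifted once that recursion is eliminated); a short comment above the define stating the same would keep the rationale next to the constant and tell whoever removes the recursion that this limit goes with it.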
@@ -425,7 +427,7 @@ static ssize_t rbd_add_single_major(stru
size_t count);
static ssize_t rbd_remove_single_major(struct bus_type *bus, const char *buf,
size_t count);
-static int rbd_dev_image_probe(struct rbd_device *rbd_dev, bool mapping);
+static int rbd_dev_image_probe(struct rbd_device *rbd_dev, int depth);
static void rbd_spec_put(struct rbd_spec *spec);
static int rbd_dev_id_to_minor(int dev_id)
@@ -5145,7 +5147,12 @@ out_err:
return ret;
}
-static int rbd_dev_probe_parent(struct rbd_device *rbd_dev)
+/*
+ * @depth is rbd_dev_image_probe() -> rbd_dev_probe_parent() ->
+ * rbd_dev_image_probe() recursion depth, which means it's also the
+ * length of the already discovered part of the parent chain.
+ */
+static int rbd_dev_probe_parent(struct rbd_device *rbd_dev, int depth)
{
struct rbd_device *parent = NULL;
int ret;
@@ -5153,6 +5160,12 @@ static int rbd_dev_probe_parent(struct r
if (!rbd_dev->parent_spec)
return 0;
+ if (++depth > RBD_MAX_PARENT_CHAIN_LEN) {
+ pr_info("parent chain is too long (%d)\n", depth);
+ ret = -EINVAL;
+ goto out_err;
+ }
+
parent = rbd_dev_create(rbd_dev->rbd_client, rbd_dev->parent_spec);
if (!parent) {
ret = -ENOMEM;
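Review bot: In the new depth check the message is logged with pr_info even though the map is about to fail with -EINVAL, and the number it prints is always RBD_MAX_PARENT_CHAIN_LEN + 1, because depth was incremented in the condition itself. A warning-level message that names the limit, for example `pr_warn("parent chain is too long (max %d)\n", RBD_MAX_PARENT_CHAIN_LEN);`, would tell an administrator why the map was refused. Separately, this `goto out_err` is taken while parent is still NULL (rbd_dev_create() only runs after the check), so the out_err path has to cope with a NULL parent; that label is outside the lines shown here and is worth confirming.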
@@ -5166,7 +5179,7 @@ static int rbd_dev_probe_parent(struct r
__rbd_get_client(rbd_dev->rbd_client);
rbd_spec_get(rbd_dev->parent_spec);
- ret = rbd_dev_image_probe(parent, false);
+ ret = rbd_dev_image_probe(parent, depth);
if (ret < 0)
goto out_err;
@@ -5295,7 +5308,7 @@ static void rbd_dev_image_release(struct
* parent), initiate a watch on its header object before using that
* object to get detailed information about the rbd image.
*/
-static int rbd_dev_image_probe(struct rbd_device *rbd_dev, bool mapping)
+static int rbd_dev_image_probe(struct rbd_device *rbd_dev, int depth)
{
int ret;
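Review bot: The parameter changes from `bool mapping` to `int depth`, but the part of the comment block visible above rbd_dev_image_probe() is left unchanged and does not describe it, while the following hunks rely on `!depth` meaning "this is the image being mapped". A line in that comment stating that depth is 0 for the mapped image and greater than 0 for its parents, or a local `bool mapping = !depth;`, would keep the `if (!depth)` tests readable for someone who has not seen the old signature.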
@@ -5313,7 +5326,7 @@ static int rbd_dev_image_probe(struct rb
if (ret)
goto err_out_format;
- if (mapping) {
+ if (!depth) {
ret = rbd_dev_header_watch_sync(rbd_dev);
if (ret) {
if (ret == -ENOENT)
@@ -5334,7 +5347,7 @@ static int rbd_dev_image_probe(struct rb
* Otherwise this is a parent image, identified by pool, image
* and snap ids - need to fill in names for those ids.
*/
- if (mapping)
+ if (!depth)
ret = rbd_spec_fill_snap_id(rbd_dev);
else
ret = rbd_spec_fill_names(rbd_dev);
@@ -5356,12 +5369,12 @@ static int rbd_dev_image_probe(struct rb
* Need to warn users if this image is the one being
* mapped and has a parent.
*/
- if (mapping && rbd_dev->parent_spec)
+ if (!depth && rbd_dev->parent_spec)
rbd_warn(rbd_dev,
"WARNING: kernel layering is EXPERIMENTAL!");
}
- ret = rbd_dev_probe_parent(rbd_dev);
+ ret = rbd_dev_probe_parent(rbd_dev, depth);
if (ret)
goto err_out_probe;
@@ -5372,7 +5385,7 @@ static int rbd_dev_image_probe(struct rb
err_out_probe:
rbd_dev_unprobe(rbd_dev);
err_out_watch:
- if (mapping)
+ if (!depth)
rbd_dev_header_unwatch_sync(rbd_dev);
out_header_name:
kfree(rbd_dev->header_name);
@@ -5437,7 +5450,7 @@ static ssize_t do_rbd_add(struct bus_typ
rbdc = NULL; /* rbd_dev now owns this */
spec = NULL; /* rbd_dev now owns this */
- rc = rbd_dev_image_probe(rbd_dev, true);
+ rc = rbd_dev_image_probe(rbd_dev, 0);
if (rc < 0)
goto err_out_rbd_dev;