Skip to content

Commit 6d69bb5

Browse files
idryomovidryomov
committed
rbd: prevent kernel stack blow up on rbd map
Mapping an image with a long parent chain (e.g. image foo, whose parent is bar, whose parent is baz, etc) currently leads to a kernel stack overflow, due to the following recursion in the reply path: rbd_osd_req_callback() rbd_obj_request_complete() rbd_img_obj_callback() rbd_img_parent_read_callback() rbd_obj_request_complete() ... Limit the parent chain to 16 images, which is ~5K worth of stack. When the above recursion is eliminated, this limit can be lifted. Fixes: http://tracker.ceph.com/issues/12538 Cc: [email protected] # 3.10+, needs backporting for < 4.2 Signed-off-by: Ilya Dryomov <[email protected]> Reviewed-by: Josh Durgin <[email protected]>
1 parent 1f2c665 commit 6d69bb5

File tree

1 file changed

+23
-10
lines changed

1 file changed

+23
-10
lines changed

drivers/block/rbd.c

Lines changed: 23 additions & 10 deletions
Original file line numberDiff line numberDiff line change
@@ -96,6 +96,8 @@ static int atomic_dec_return_safe(atomic_t *v)
9696
#define RBD_MINORS_PER_MAJOR 256
9797
#define RBD_SINGLE_MAJOR_PART_SHIFT 4
9898

99+
#define RBD_MAX_PARENT_CHAIN_LEN 16
100+
99101
#define RBD_SNAP_DEV_NAME_PREFIX "snap_"
100102
#define RBD_MAX_SNAP_NAME_LEN \
101103
(NAME_MAX - (sizeof (RBD_SNAP_DEV_NAME_PREFIX) - 1))
@@ -426,7 +428,7 @@ static ssize_t rbd_add_single_major(struct bus_type *bus, const char *buf,
426428
size_t count);
427429
static ssize_t rbd_remove_single_major(struct bus_type *bus, const char *buf,
428430
size_t count);
429-
static int rbd_dev_image_probe(struct rbd_device *rbd_dev, bool mapping);
431+
static int rbd_dev_image_probe(struct rbd_device *rbd_dev, int depth);
430432
static void rbd_spec_put(struct rbd_spec *spec);
431433

432434
static int rbd_dev_id_to_minor(int dev_id)
@@ -5131,14 +5133,25 @@ static int rbd_dev_v2_header_onetime(struct rbd_device *rbd_dev)
51315133
return ret;
51325134
}
51335135

5134-
static int rbd_dev_probe_parent(struct rbd_device *rbd_dev)
5136+
/*
5137+
* @depth is rbd_dev_image_probe() -> rbd_dev_probe_parent() ->
5138+
* rbd_dev_image_probe() recursion depth, which means it's also the
5139+
* length of the already discovered part of the parent chain.
5140+
*/
5141+
static int rbd_dev_probe_parent(struct rbd_device *rbd_dev, int depth)
51355142
{
51365143
struct rbd_device *parent = NULL;
51375144
int ret;
51385145

51395146
if (!rbd_dev->parent_spec)
51405147
return 0;
51415148

5149+
if (++depth > RBD_MAX_PARENT_CHAIN_LEN) {
5150+
pr_info("parent chain is too long (%d)\n", depth);
5151+
ret = -EINVAL;
5152+
goto out_err;
5153+
}
5154+
51425155
parent = rbd_dev_create(rbd_dev->rbd_client, rbd_dev->parent_spec,
51435156
NULL);
51445157
if (!parent) {
@@ -5153,7 +5166,7 @@ static int rbd_dev_probe_parent(struct rbd_device *rbd_dev)
51535166
__rbd_get_client(rbd_dev->rbd_client);
51545167
rbd_spec_get(rbd_dev->parent_spec);
51555168

5156-
ret = rbd_dev_image_probe(parent, false);
5169+
ret = rbd_dev_image_probe(parent, depth);
51575170
if (ret < 0)
51585171
goto out_err;
51595172

@@ -5282,7 +5295,7 @@ static void rbd_dev_image_release(struct rbd_device *rbd_dev)
52825295
* parent), initiate a watch on its header object before using that
52835296
* object to get detailed information about the rbd image.
52845297
*/
5285-
static int rbd_dev_image_probe(struct rbd_device *rbd_dev, bool mapping)
5298+
static int rbd_dev_image_probe(struct rbd_device *rbd_dev, int depth)
52865299
{
52875300
int ret;
52885301

@@ -5300,7 +5313,7 @@ static int rbd_dev_image_probe(struct rbd_device *rbd_dev, bool mapping)
53005313
if (ret)
53015314
goto err_out_format;
53025315

5303-
if (mapping) {
5316+
if (!depth) {
53045317
ret = rbd_dev_header_watch_sync(rbd_dev);
53055318
if (ret) {
53065319
if (ret == -ENOENT)
@@ -5321,7 +5334,7 @@ static int rbd_dev_image_probe(struct rbd_device *rbd_dev, bool mapping)
53215334
* Otherwise this is a parent image, identified by pool, image
53225335
* and snap ids - need to fill in names for those ids.
53235336
*/
5324-
if (mapping)
5337+
if (!depth)
53255338
ret = rbd_spec_fill_snap_id(rbd_dev);
53265339
else
53275340
ret = rbd_spec_fill_names(rbd_dev);
@@ -5343,12 +5356,12 @@ static int rbd_dev_image_probe(struct rbd_device *rbd_dev, bool mapping)
53435356
* Need to warn users if this image is the one being
53445357
* mapped and has a parent.
53455358
*/
5346-
if (mapping && rbd_dev->parent_spec)
5359+
if (!depth && rbd_dev->parent_spec)
53475360
rbd_warn(rbd_dev,
53485361
"WARNING: kernel layering is EXPERIMENTAL!");
53495362
}
53505363

5351-
ret = rbd_dev_probe_parent(rbd_dev);
5364+
ret = rbd_dev_probe_parent(rbd_dev, depth);
53525365
if (ret)
53535366
goto err_out_probe;
53545367

@@ -5359,7 +5372,7 @@ static int rbd_dev_image_probe(struct rbd_device *rbd_dev, bool mapping)
53595372
err_out_probe:
53605373
rbd_dev_unprobe(rbd_dev);
53615374
err_out_watch:
5362-
if (mapping)
5375+
if (!depth)
53635376
rbd_dev_header_unwatch_sync(rbd_dev);
53645377
out_header_name:
53655378
kfree(rbd_dev->header_name);
@@ -5422,7 +5435,7 @@ static ssize_t do_rbd_add(struct bus_type *bus,
54225435
spec = NULL; /* rbd_dev now owns this */
54235436
rbd_opts = NULL; /* rbd_dev now owns this */
54245437

5425-
rc = rbd_dev_image_probe(rbd_dev, true);
5438+
rc = rbd_dev_image_probe(rbd_dev, 0);
54265439
if (rc < 0)
54275440
goto err_out_rbd_dev;
54285441

0 commit comments

Comments
 (0)