ceph: give up on paths longer than PATH_MAX

commit 550f7ca98ee028a606aa75705a7e77b1bd11720f upstream.

If the full path to be built by ceph_mdsc_build_path() happens to be
longer than PATH_MAX, then this function will enter an endless (retry)
loop, effectively blocking the whole task.  Most of the machine
becomes unusable, making this a very simple and effective DoS
vulnerability.

I cannot imagine why this retry was ever implemented, but it seems
rather useless and harmful to me.  Let's remove it and fail with
ENAMETOOLONG instead.

Cc: stable@vger.kernel.org
Reported-by: Dario Weißer <dario@cure53.de>
Signed-off-by: Max Kellermann <max.kellermann@ionos.com>
Reviewed-by: Alex Markuze <amarkuze@redhat.com>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
[idryomov@gmail.com: backport to 6.1: pr_warn() is still in use]
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/fs/ceph/mds_client.c b/fs/ceph/mds_client.c
index df1ecb8bfebf7071c9f7bc50893fade5f04e9675..f411e35512460f3d322e035295d9626ef8c2d55d 100644 (file)
--- a/fs/ceph/mds_client.c
+++ b/fs/ceph/mds_client.c
@@ -2451,12 +2451,11 @@ retry:
 
        if (pos < 0) {
                /*
-                * A rename didn't occur, but somehow we didn't end up where
-                * we thought we would. Throw a warning and try again.
+                * The path is longer than PATH_MAX and this function
+                * cannot ever succeed.  Creating paths that long is
+                * possible with Ceph, but Linux cannot use them.
                 */
-               pr_warn("build_path did not end path lookup where "
-                       "expected, pos is %d\n", pos);
-               goto retry;
+               return ERR_PTR(-ENAMETOOLONG);
        }
 
        *pbase = base;