From: Greg Kroah-Hartman Date: Thu, 9 Jan 2025 12:50:47 +0000 (+0100) Subject: 5.10-stable patches X-Git-Tag: v6.6.71~13 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=b4588e97edd99347c919edc15424a41003d90cff;p=thirdparty%2Fkernel%2Fstable-queue.git 5.10-stable patches added patches: ceph-give-up-on-paths-longer-than-path_max.patch series --- diff --git a/queue-5.10/ceph-give-up-on-paths-longer-than-path_max.patch b/queue-5.10/ceph-give-up-on-paths-longer-than-path_max.patch new file mode 100644 index 00000000000..81cdd3e07f7 --- /dev/null +++ b/queue-5.10/ceph-give-up-on-paths-longer-than-path_max.patch @@ -0,0 +1,52 @@ +From 550f7ca98ee028a606aa75705a7e77b1bd11720f Mon Sep 17 00:00:00 2001 +From: Max Kellermann +Date: Mon, 18 Nov 2024 23:28:28 +0100 +Subject: ceph: give up on paths longer than PATH_MAX +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Max Kellermann + +commit 550f7ca98ee028a606aa75705a7e77b1bd11720f upstream. + +If the full path to be built by ceph_mdsc_build_path() happens to be +longer than PATH_MAX, then this function will enter an endless (retry) +loop, effectively blocking the whole task. Most of the machine +becomes unusable, making this a very simple and effective DoS +vulnerability. + +I cannot imagine why this retry was ever implemented, but it seems +rather useless and harmful to me. Let's remove it and fail with +ENAMETOOLONG instead. + +Cc: stable@vger.kernel.org +Reported-by: Dario Weißer +Signed-off-by: Max Kellermann +Reviewed-by: Alex Markuze +Signed-off-by: Ilya Dryomov +[idryomov@gmail.com: backport to 6.1: pr_warn() is still in use] +Signed-off-by: Greg Kroah-Hartman +--- + fs/ceph/mds_client.c | 9 ++++----- + 1 file changed, 4 insertions(+), 5 deletions(-) + +--- a/fs/ceph/mds_client.c ++++ b/fs/ceph/mds_client.c +@@ -2451,12 +2451,11 @@ retry: + + if (pos < 0) { + /* +- * A rename didn't occur, but somehow we didn't end up where +- * we thought we would. Throw a warning and try again. ++ * The path is longer than PATH_MAX and this function ++ * cannot ever succeed. Creating paths that long is ++ * possible with Ceph, but Linux cannot use them. + */ +- pr_warn("build_path did not end path lookup where " +- "expected, pos is %d\n", pos); +- goto retry; ++ return ERR_PTR(-ENAMETOOLONG); + } + + *pbase = base; diff --git a/queue-5.10/series b/queue-5.10/series new file mode 100644 index 00000000000..daad144f3f0 --- /dev/null +++ b/queue-5.10/series @@ -0,0 +1 @@ +ceph-give-up-on-paths-longer-than-path_max.patch