From 8221c33ef49541e8d1a81950fcc06a92e3522882 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Thu, 9 Jan 2025 13:51:04 +0100 Subject: [PATCH] 5.15-stable patches added patches: ceph-give-up-on-paths-longer-than-path_max.patch series --- ...ive-up-on-paths-longer-than-path_max.patch | 52 +++++++++++++++++++ queue-5.15/series | 1 + 2 files changed, 53 insertions(+) create mode 100644 queue-5.15/ceph-give-up-on-paths-longer-than-path_max.patch create mode 100644 queue-5.15/series diff --git a/queue-5.15/ceph-give-up-on-paths-longer-than-path_max.patch b/queue-5.15/ceph-give-up-on-paths-longer-than-path_max.patch new file mode 100644 index 00000000000..4f358d9221e --- /dev/null +++ b/queue-5.15/ceph-give-up-on-paths-longer-than-path_max.patch @@ -0,0 +1,52 @@ +From 550f7ca98ee028a606aa75705a7e77b1bd11720f Mon Sep 17 00:00:00 2001 +From: Max Kellermann +Date: Mon, 18 Nov 2024 23:28:28 +0100 +Subject: ceph: give up on paths longer than PATH_MAX +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Max Kellermann + +commit 550f7ca98ee028a606aa75705a7e77b1bd11720f upstream. + +If the full path to be built by ceph_mdsc_build_path() happens to be +longer than PATH_MAX, then this function will enter an endless (retry) +loop, effectively blocking the whole task. Most of the machine +becomes unusable, making this a very simple and effective DoS +vulnerability. + +I cannot imagine why this retry was ever implemented, but it seems +rather useless and harmful to me. Let's remove it and fail with +ENAMETOOLONG instead. + +Cc: stable@vger.kernel.org +Reported-by: Dario Weißer +Signed-off-by: Max Kellermann +Reviewed-by: Alex Markuze +Signed-off-by: Ilya Dryomov +[idryomov@gmail.com: backport to 6.1: pr_warn() is still in use] +Signed-off-by: Greg Kroah-Hartman +--- + fs/ceph/mds_client.c | 9 ++++----- + 1 file changed, 4 insertions(+), 5 deletions(-) + +--- a/fs/ceph/mds_client.c ++++ b/fs/ceph/mds_client.c +@@ -2432,12 +2432,11 @@ retry: + + if (pos < 0) { + /* +- * A rename didn't occur, but somehow we didn't end up where +- * we thought we would. Throw a warning and try again. ++ * The path is longer than PATH_MAX and this function ++ * cannot ever succeed. Creating paths that long is ++ * possible with Ceph, but Linux cannot use them. + */ +- pr_warn("build_path did not end path lookup where " +- "expected, pos is %d\n", pos); +- goto retry; ++ return ERR_PTR(-ENAMETOOLONG); + } + + *pbase = base; diff --git a/queue-5.15/series b/queue-5.15/series new file mode 100644 index 00000000000..daad144f3f0 --- /dev/null +++ b/queue-5.15/series @@ -0,0 +1 @@ +ceph-give-up-on-paths-longer-than-path_max.patch -- 2.47.3