[dm-devel] [PATCH 1/2] dm mpath: fix infinite recursion in ioctl when no paths and queue_if_no_path is not set

Mike Snitzer snitzer at redhat.com
Thu Nov 19 19:39:27 UTC 2015 

On Tue, Nov 17 2015 at  4:36am -0500,
Junichi Nomura <j-nomura at ce.jp.nec.com> wrote:

> In multipath_prepare_ioctl(),
>   - pgpath is a path selected from available paths
>   - m->queue_io is true if we cannot send a request immediately to
>     paths, either because:
>       * there is no available path
>       * the path group needs activation (pg_init)
>           - pg_init is not started
>           - pg_init is still running
>   - m->queue_if_no_path is true if the device is configured to queue
>     I/O if there is no available path
> 
> If !pgpath && !m->queue_if_no_path, the handler should return -EIO.
> However in the course of refactoring the condition check has broken
> and returns success in that case.  Since bdev points to the dm device
> itself, dm_blk_ioctl() calls __blk_dev_driver_ioctl() for itself and
> recurses until crash.
> 
> You could reproduce the problem like this:
> 
>   # dmsetup create mp --table '0 1024 multipath 0 0 0 0'
>   # sg_inq /dev/mapper/mp
>   <crash>
>   [  172.648615] BUG: unable to handle kernel paging request at fffffffc81b10268
>   [  172.662843] PGD 19dd067 PUD 0
>   [  172.666269] Thread overran stack, or stack corrupted
>   [  172.671808] Oops: 0000 [#1] SMP
>   ...
> 
> This patch fixes the condition check with some clarifications.
> 
> Fixes: e56f81e0b01e ("dm: refactor ioctl handling")
> Signed-off-by: Jun'ichi Nomura <j-nomura at ce.jp.nec.com>
> Cc: Christoph Hellwig <hch at lst.de>
> Cc: Mike Snitzer <snitzer at redhat.com>

I've staged this fix for 4.4-rc, see:
https://git.kernel.org/cgit/linux/kernel/git/device-mapper/linux-dm.git/commit/?h=dm-4.4&id=43e43c9ea60a7a1831ec823773e924d2dadefd44

I think your fix improves the readability of the code.

But I also applied this fix based on the above patch header (which would
also resolve this issue without your fix):
https://git.kernel.org/cgit/linux/kernel/git/device-mapper/linux-dm.git/commit/?h=dm-4.4&id=647a20d5cad7477033bc021ec9dd75edf4bbf9a0

More information about the dm-devel mailing list