From patchwork Wed Oct 17 19:20:24 2018
X-Patchwork-Submitter: Ilya Dryomov
X-Patchwork-Id: 10646011
From: Ilya Dryomov To: ceph-devel@vger.kernel.org Subject: [PATCH 05/10] libceph: enable fallback to ceph_msg_new() in ceph_msgpool_get() Date: Wed, 17 Oct 2018 21:20:24 +0200 Message-Id: <20181017192029.23294-6-idryomov@gmail.com> X-Mailer: git-send-email 2.14.4 In-Reply-To: <20181017192029.23294-1-idryomov@gmail.com> References: <20181017192029.23294-1-idryomov@gmail.com> Sender: ceph-devel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: ceph-devel@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP ceph_msgpool_get() can fall back to ceph_msg_new() when it is asked for a message whose front portion is larger than pool->front_len. However the caller always passes 0, effectively disabling that code path. The allocation goes to the message pool and returns a message with a front that is smaller than requested, setting us up for a crash. One example of this is a directory with a large number of snapshots. If its snap context doesn't fit, we oops in encode_request_partial(). Signed-off-by: Ilya Dryomov --- net/ceph/msgpool.c | 2 +- net/ceph/osd_client.c | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/net/ceph/msgpool.c b/net/ceph/msgpool.c index 72571535883f..3dddc074f0d7 100644 --- a/net/ceph/msgpool.c +++ b/net/ceph/msgpool.c @@ -61,7 +61,7 @@ struct ceph_msg *ceph_msgpool_get(struct ceph_msgpool *pool, if (front_len > pool->front_len) { dout("msgpool_get %s need front %d, pool size is %d\n", pool->name, front_len, pool->front_len); - WARN_ON(1); + WARN_ON_ONCE(1); /* try to alloc a fresh message */ return ceph_msg_new(pool->type, front_len, GFP_NOFS, false); diff --git a/net/ceph/osd_client.c b/net/ceph/osd_client.c index f403a483d51d..35bc77c8c230 100644 --- a/net/ceph/osd_client.c +++ b/net/ceph/osd_client.c 
@@ -641,7 +641,7 @@ int ceph_osdc_alloc_messages(struct ceph_osd_request *req, gfp_t gfp) msg_size += 4 + 8; /* retry_attempt, features */ if (req->r_mempool) - msg = ceph_msgpool_get(&osdc->msgpool_op, 0); + msg = ceph_msgpool_get(&osdc->msgpool_op, msg_size); else msg = ceph_msg_new(CEPH_MSG_OSD_OP, msg_size, gfp, true); if (!msg) @@ -656,7 +656,7 @@ int ceph_osdc_alloc_messages(struct ceph_osd_request *req, gfp_t gfp) msg_size += req->r_num_ops * sizeof(struct ceph_osd_op); if (req->r_mempool) - msg = ceph_msgpool_get(&osdc->msgpool_op_reply, 0); + msg = ceph_msgpool_get(&osdc->msgpool_op_reply, msg_size); else msg = ceph_msg_new(CEPH_MSG_OSD_OPREPLY, msg_size, gfp, true); if (!msg)
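Review bot: In the net/ceph/msgpool.c hunk, `WARN_ON_ONCE(1)` stays on a path that the commit message describes as reachable in ordinary use (a directory with a large number of snapshots), and that single site now serves both `msgpool_op` and `msgpool_op_reply`. Only the first oversized request for either pool is reported, and the pool name and sizes appear only in the `dout()` debug line. Consider replacing the WARN with a rate-limited warning that prints `pool->name`, `front_len` and `pool->front_len`, or add a comment saying why a one-shot stack trace is wanted for an expected condition.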
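Review bot: In the first net/ceph/osd_client.c hunk (@@ -641), the `req->r_mempool` branch can now end up in `ceph_msg_new(pool->type, front_len, GFP_NOFS, false)` inside ceph_msgpool_get(), which ignores the `gfp` argument passed to ceph_osdc_alloc_messages() and uses `false` where the non-mempool branch here passes `gfp` and `true`. A request flagged `r_mempool` whose `msg_size` exceeds the pool's front length is therefore no longer served from the pool and can fail allocation. The `if (!msg)` check catches the NULL, but the changed guarantee is not documented anywhere in the hunk. Please add a comment at this call site (or on ceph_msgpool_get()) stating that oversized mempool requests fall back to a regular allocation, so callers that rely on the pool for forward progress are aware of it.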
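Review bot: In the second net/ceph/osd_client.c hunk (@@ -656), `msg_size` is built from `req->r_num_ops * sizeof(struct ceph_osd_op)` and is now passed as the front length to ceph_msgpool_get(), where the `dout()` in msgpool.c formats `front_len` with `%d`. The declaration of `msg_size` is outside the hunk, so it is worth confirming that its type matches the parameter and that no implicit narrowing or sign conversion occurs at this call. Separately, the request and reply paths now repeat the same `if (req->r_mempool) ... else ...` allocation pattern with only the pool and message type differing; a small helper would keep the two from drifting apart.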