From patchwork Tue Nov 17 09:36:56 2015
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Junichi Nomura <j-nomura@ce.jp.nec.com>
X-Patchwork-Id: 7634441
X-Patchwork-Delegate: snitzer@redhat.com
Return-Path: <dm-devel-bounces@redhat.com>
X-Original-To: patchwork-dm-devel@patchwork.kernel.org
Delivered-To: patchwork-parsemail@patchwork2.web.kernel.org
Received: from mail.kernel.org (mail.kernel.org [198.145.29.136])
	by patchwork2.web.kernel.org (Postfix) with ESMTP id 57928BF90C
	for <patchwork-dm-devel@patchwork.kernel.org>;
	Tue, 17 Nov 2015 09:47:05 +0000 (UTC)
Received: from mail.kernel.org (localhost [127.0.0.1])
	by mail.kernel.org (Postfix) with ESMTP id 7AEAB203A5
	for <patchwork-dm-devel@patchwork.kernel.org>;
	Tue, 17 Nov 2015 09:47:04 +0000 (UTC)
Received: from mx5-phx2.redhat.com (mx5-phx2.redhat.com [209.132.183.37])
	(using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by mail.kernel.org (Postfix) with ESMTPS id 8A09F20465
	for <patchwork-dm-devel@patchwork.kernel.org>;
	Tue, 17 Nov 2015 09:47:03 +0000 (UTC)
Received: from lists01.pubmisc.prod.ext.phx2.redhat.com
	(lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33])
	by mx5-phx2.redhat.com (8.14.4/8.14.4) with ESMTP id tAH9h5kT016486;
	Tue, 17 Nov 2015 04:43:06 -0500
Received: from int-mx14.intmail.prod.int.phx2.redhat.com
	(int-mx14.intmail.prod.int.phx2.redhat.com [10.5.11.27])
	by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with
	ESMTP id tAH9h444026072 for <dm-devel@listman.util.phx.redhat.com>;
	Tue, 17 Nov 2015 04:43:04 -0500
Received: from mx1.redhat.com (ext-mx02.extmail.prod.ext.phx2.redhat.com
	[10.5.110.26])
	by int-mx14.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with
	ESMTP id tAH9h3f5027745
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256
	verify=NO); Tue, 17 Nov 2015 04:43:03 -0500
Received: from tyo201.gate.nec.co.jp (TYO201.gate.nec.co.jp [210.143.35.51])
	by mx1.redhat.com (Postfix) with ESMTPS id 9DBC48E232;
	Tue, 17 Nov 2015 09:43:02 +0000 (UTC)
Received: from mailgate3.nec.co.jp ([10.7.69.197])
	by tyo201.gate.nec.co.jp (8.13.8/8.13.4) with ESMTP id tAH9gt2n024837;
	Tue, 17 Nov 2015 18:42:55 +0900 (JST)
Received: from mailsv4.nec.co.jp (imss61.nec.co.jp [10.7.69.156]) by
	mailgate3.nec.co.jp (8.11.7/3.7W-MAILGATE-NEC) with ESMTP
	id tAH9gtg24355; Tue, 17 Nov 2015 18:42:55 +0900 (JST)
Received: from mail02.kamome.nec.co.jp (mail02.kamome.nec.co.jp [10.25.43.5])
	by mailsv4.nec.co.jp (8.13.8/8.13.4) with ESMTP id tAH9gtaT025469;
	Tue, 17 Nov 2015 18:42:55 +0900 (JST)
Received: from bpxc99gp.gisp.nec.co.jp ([10.38.151.138] [10.38.151.138]) by
	mail03.kamome.nec.co.jp with ESMTP id BT-MMP-3514546;
	Tue, 17 Nov 2015 18:36:57 +0900
Received: from BPXM12GP.gisp.nec.co.jp ([10.38.151.204]) by
	BPXC10GP.gisp.nec.co.jp ([10.38.151.138]) with mapi id 14.03.0224.002;
	Tue, 17 Nov 2015 18:36:56 +0900
From: Junichi Nomura <j-nomura@ce.jp.nec.com>
To: device-mapper development <dm-devel@redhat.com>,
	Christoph Hellwig <hch@lst.de>, Mike Snitzer <snitzer@redhat.com>
Thread-Topic: [PATCH 1/2] dm mpath: fix infinite recursion in ioctl when no
	paths and queue_if_no_path is not set
Thread-Index: AQHRIRt/tatqkZBzCEadpfEiBqm1xA==
Date: Tue, 17 Nov 2015 09:36:56 +0000
Message-ID: <20151117093654.GA13022@xzibit.linux.bs1.fc.nec.co.jp>
Accept-Language: ja-JP, en-US
Content-Language: ja-JP
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [10.34.125.85]
Content-ID: <32F8DB39CB929E4591470863A0F4BBC6@gisp.nec.co.jp>
MIME-Version: 1.0
X-RedHat-Spam-Score: -1.502  (BAYES_50, RCVD_IN_DNSWL_MED, SPF_HELO_PASS,
	SPF_PASS) 210.143.35.51 TYO201.gate.nec.co.jp
	210.143.35.51 TYO201.gate.nec.co.jp <j-nomura@ce.jp.nec.com>
X-Scanned-By: MIMEDefang 2.68 on 10.5.11.27
X-Scanned-By: MIMEDefang 2.75 on 10.5.110.26
X-MIME-Autoconverted: from quoted-printable to 8bit by
	lists01.pubmisc.prod.ext.phx2.redhat.com id tAH9h444026072
X-loop: dm-devel@redhat.com
Subject: [dm-devel] [PATCH 1/2] dm mpath: fix infinite recursion in ioctl
	when no paths and queue_if_no_path is not set
X-BeenThere: dm-devel@redhat.com
X-Mailman-Version: 2.1.12
Precedence: junk
Reply-To: device-mapper development <dm-devel@redhat.com>
List-Id: device-mapper development <dm-devel.redhat.com>
List-Unsubscribe: <https://www.redhat.com/mailman/options/dm-devel>,
	<mailto:dm-devel-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/dm-devel>
List-Post: <mailto:dm-devel@redhat.com>
List-Help: <mailto:dm-devel-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/dm-devel>,
	<mailto:dm-devel-request@redhat.com?subject=subscribe>
Sender: dm-devel-bounces@redhat.com
Errors-To: dm-devel-bounces@redhat.com
X-Spam-Status: No, score=-4.8 required=5.0 tests=BAYES_00, RCVD_IN_DNSWL_MED,
	RP_MATCHES_RCVD, UNPARSEABLE_RELAY autolearn=unavailable version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

In multipath_prepare_ioctl(),
  - pgpath is a path selected from available paths
  - m->queue_io is true if we cannot send a request immediately to
    paths, either because:
      * there is no available path
      * the path group needs activation (pg_init)
          - pg_init is not started
          - pg_init is still running
  - m->queue_if_no_path is true if the device is configured to queue
    I/O if there is no available path

If !pgpath && !m->queue_if_no_path, the handler should return -EIO.
However in the course of refactoring the condition check has broken
and returns success in that case.  Since bdev points to the dm device
itself, dm_blk_ioctl() calls __blk_dev_driver_ioctl() for itself and
recurses until crash.

You could reproduce the problem like this:

  # dmsetup create mp --table '0 1024 multipath 0 0 0 0'
  # sg_inq /dev/mapper/mp
  <crash>
  [  172.648615] BUG: unable to handle kernel paging request at fffffffc81b10268
  [  172.662843] PGD 19dd067 PUD 0
  [  172.666269] Thread overran stack, or stack corrupted
  [  172.671808] Oops: 0000 [#1] SMP
  ...

This patch fixes the condition check with some clarifications.

Fixes: e56f81e0b01e ("dm: refactor ioctl handling")
Signed-off-by: Jun'ichi Nomura <j-nomura@ce.jp.nec.com>
Cc: Christoph Hellwig <hch@lst.de>
Cc: Mike Snitzer <snitzer@redhat.com>
Tested-by: Bart Van Assche <bart.vanassche@sandisk.com>
---
 drivers/md/dm-mpath.c | 28 +++++++++++++++-------------
 1 file changed, 15 insertions(+), 13 deletions(-)

diff --git a/drivers/md/dm-mpath.c b/drivers/md/dm-mpath.c
index aaa6caa..0ad50ff 100644
--- a/drivers/md/dm-mpath.c
+++ b/drivers/md/dm-mpath.c
@@ -1537,29 +1537,31 @@ static int multipath_prepare_ioctl(struct dm_target *ti,
 		struct block_device **bdev, fmode_t *mode)
 {
 	struct multipath *m = ti->private;
-	struct pgpath *pgpath;
 	unsigned long flags;
 	int r;
 
-	r = 0;
-
 	spin_lock_irqsave(&m->lock, flags);
 
 	if (!m->current_pgpath)
 		__choose_pgpath(m, 0);
 
-	pgpath = m->current_pgpath;
-
-	if (pgpath) {
-		*bdev = pgpath->path.dev->bdev;
-		*mode = pgpath->path.dev->mode;
+	if (m->current_pgpath) {
+		if (!m->queue_io) {
+			*bdev = m->current_pgpath->path.dev->bdev;
+			*mode = m->current_pgpath->path.dev->mode;
+			r = 0;
+		} else {
+			/* pg_init has not started or completed */
+			r = -ENOTCONN;
+		}
+	} else {
+		/* No path is available */
+		if (m->queue_if_no_path)
+			r = -ENOTCONN;
+		else
+			r = -EIO;
 	}
 
-	if ((pgpath && m->queue_io) || (!pgpath && m->queue_if_no_path))
-		r = -ENOTCONN;
-	else if (!*bdev)
-		r = -EIO;
-
 	spin_unlock_irqrestore(&m->lock, flags);
 
 	if (r == -ENOTCONN && !fatal_signal_pending(current)) {