commit: c357b06befef6081de23c9cfca250a8390ddff99 Author: Arisu Tachibana <alicef <AT> gentoo <DOT> org> AuthorDate: Sat Jan 24 17:17:01 2026 +0000 Commit: Arisu Tachibana <alicef <AT> gentoo <DOT> org> CommitDate: Sat Jan 24 17:17:01 2026 +0000 URL: https://gitweb.gentoo.org/proj/linux-patches.git/commit/?id=c357b06b
Add ceph: fix kernel crash in ceph_open() Ref: https://bugs.gentoo.org/968950 Signed-off-by: Arisu Tachibana <alicef <AT> gentoo.org> 0000_README | 4 + 1910_ceph_fix_kernel_crash_in_ceph_open.patch | 480 ++++++++++++++++++++++++++ 2 files changed, 484 insertions(+) diff --git a/0000_README b/0000_README index cc919b09..c468b368 100644 --- a/0000_README +++ b/0000_README @@ -83,6 +83,10 @@ Patch: 1730_parisc-Disable-prctl.patch From: https://git.kernel.org/pub/scm/linux/kernel/git/deller/parisc-linux.git Desc: prctl: Temporarily disable prctl(PR_SET_MDWE) on parisc +Patch: 1910_ceph_fix_kernel_crash_in_ceph_open.patch +From: https://bugs.gentoo.org/968950 +Desc: ceph: fix kernel crash in ceph_open() + Patch: 2000_BT-Check-key-sizes-only-if-Secure-Simple-Pairing-enabled.patch From: https://lore.kernel.org/linux-bluetooth/[email protected]/raw Desc: Bluetooth: Check key sizes only when Secure Simple Pairing is enabled. See bug #686758 diff --git a/1910_ceph_fix_kernel_crash_in_ceph_open.patch b/1910_ceph_fix_kernel_crash_in_ceph_open.patch new file mode 100644 index 00000000..568c3bc2 --- /dev/null +++ b/1910_ceph_fix_kernel_crash_in_ceph_open.patch 
@@ -0,0 +1,480 @@ +From mboxrd@z Thu Jan 1 00:00:00 1970 +Received: from mail-yx1-f44.google.com (mail-yx1-f44.google.com [74.125.224.44]) + (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) + (No client certificate requested) + by smtp.subspace.kernel.org (Postfix) with ESMTPS id 8772C33B962 + for <[email protected]>; Wed, 14 Jan 2026 19:56:05 +0000 (UTC) +Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=74.125.224.44 +ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; + t=1768420567; cv=none; b=LcWvcDJSl3FKd2ti/dSbvfdNo4p/W8UM2nVOdwM+WMv87EQa2fVoQoQabh+QLL8G2m4Ug8pVtVjx5NlTth0bvTj6yQJ3XKW0RWx/AjyTo4xWmGLBcmJmyVCD2eHJfuHxS6GVQxZvC6GopcBly8rMda0eR9HlFCwXbc+07S8d0ik= +ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; + s=arc-20240116; t=1768420567; c=relaxed/simple; + bh=UjqzK7WXh3dwPd4Hc3eGQ2pIWp4CjkP7JpXai/u84Y4=; + h=From:To:Cc:Subject:Date:Message-ID:MIME-Version; b=IndLN/jqoFlhdV8TrKlVeJmeWfnu9KEgEh+kenEPtvbLx1EkDgc/EMlg+Y2U9Nn2IwA2cmIkFbapt9wZ0Xh3XyHc11bIEnRrTtUtR/fKD5Fmu08GTmKtIzQNLngqRV3o5xtP65vdQg2mV5H/IWdOS61bbHHPL/XVKxZPpswQVFg= +ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=dubeyko.com; spf=pass smtp.mailfrom=dubeyko.com; dkim=pass (2048-bit key) header.d=dubeyko-com.20230601.gappssmtp.com [email protected] header.b=3EsYOgRn; arc=none smtp.client-ip=74.125.224.44 +Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=dubeyko.com +Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=dubeyko.com +Authentication-Results: smtp.subspace.kernel.org; + dkim=pass (2048-bit key) header.d=dubeyko-com.20230601.gappssmtp.com [email protected] header.b="3EsYOgRn" +Received: by mail-yx1-f44.google.com with SMTP id 956f58d0204a3-640e065991dso108905d50.3 + for <[email protected]>; Wed, 14 Jan 2026 11:56:05 -0800 (PST) +DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; + 
d=dubeyko-com.20230601.gappssmtp.com; s=20230601; t=1768420564; x=1769025364; darn=vger.kernel.org; + h=content-transfer-encoding:mime-version:message-id:date:subject:cc + :to:from:from:to:cc:subject:date:message-id:reply-to; + bh=lGcAjWH2tIWXdzYBsucp1/eHxP57Gh9RjxuO3kMNjBE=; + b=3EsYOgRnf3Kkt7VEVBoDL/dSXJi4NpUaCqzBNzmdhDkkgJHip4Dvbr4DCLn5HjaPjK + rdTNz6KBn+KnxD2Q59Zf3in/sRbB1zYGx8poQ0r9K+chbpDTHiJcUUuk5v5rC/F9UE+Y + 2SFZUDtTLvl6S1Iopcpr3NUOOS3iGU2qgPzkkajown/4gvSY5Wex0EQ9CVxOiXnkCUGE + PvtT/VNGEPaLcCHSjbQUiNn4aBMImp4hGrn9uSUThX3HuMOR4zJvvu0hvomC+bP/oX4W + WHvgd5Oi9/8uqWmvSgZ4jnl1G0PUk0M2y4Wl1PvkdLvO30qnCbZ2zF5NzB7ZSgPBBItx + d5wA== +X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; + d=1e100.net; s=20230601; t=1768420564; x=1769025364; + h=content-transfer-encoding:mime-version:message-id:date:subject:cc + :to:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date + :message-id:reply-to; + bh=lGcAjWH2tIWXdzYBsucp1/eHxP57Gh9RjxuO3kMNjBE=; + b=J1+LmTm8OLlPKIiKoj0UHkr6BCNl5fRTfQmDIkfhbuf7kh1oekL1sIyWS0wOv57Zxs + 7Ctap9a1JCwsj6353hmG3prRZiZYWT+aqNUSyM2WWJRsfQ2jI2NKHT6MDmsT8WkpTl1x + tyALT4Q9wu9MKpSg2zxpqnrhOdY7xq7ASCJfwVeOgDDD40r7mDYH6a+mIbaqzHDE4ITs + UIZWggxbiyyAQ25HIZqcuEWYrx33ONnzL0iCS1KTs2GLMRhvMB/omyRtN5O4O+0nzmoE + 5QdNXxyi8m0Y2/ju8nJBG9dSsKF3LkUedOiRlFnrgETdRAzg3w0V8DT9SahcqG+58qMa + es7A== +X-Gm-Message-State: AOJu0Yx8HhsNtTHSKZqexUwDxDc7+jzwjv2z/CgTO8UEs7cLOMCWWj3t + mZEAvnaRjSkA461K6E2C3slc0AeJlC/n1kCFSZLG/tYFYkUrepdVpAo//ILLYenbWyB0JfwXWsu + N4lAoIJk= +X-Gm-Gg: AY/fxX55prxXXw8rQjqZOYOlnS9zAfpuyU1GLelYq9c8eRsa/0vqRKj7qFFsfXz0P50 + 9+C8xZMSZwZ+mMeC2dZl34Xsn5oZbz2QPSwR7vLELXNB2Wma17ZyXv5gnGeX5GFPAok2aYsDlw/ + FBn6Sd+JSiP65SR9ji8B9l8YwMw6QkEHxTicuNiucfgdj4kXKw8tsmvV1zjrl3tLxwIEXXF3I0K + mLPnBplrG+y8VikFKkGP1H/aUUBiVmi0tT5QVQdMoiIJ4yRP873VSAl5M4WZD1MVUf/1JCdU8XJ + EOSBCXozwVvA1exfwArEGvfKe8iW2VUVQV9Sgpvz0NMAk4yCRpj9bArRBiIH/Ck7o2hcjuI1dik + BLx/qCtg9SAdtNcDR79GnRGveb2dBvkOuzJiBslPgtrBtNf7HRzVskxYpMmhjGwTNW4hIjE7+LV + 
cXKJUEHz+vZ4qI7yBaKI2LivSzhMKTMz56jvGnkRmiZMTV1qTptHeboXB5xPWucSHfcfA4CE6Il + xVFoj+Px8vwV1HCTEA= +X-Received: by 2002:a05:690e:c4a:b0:648:fecb:1e00 with SMTP id 956f58d0204a3-64903b5d7eemr2418700d50.82.1768420563953; + Wed, 14 Jan 2026 11:56:03 -0800 (PST) +Received: from system76-pc.attlocal.net ([2600:1700:6476:1430:cf4e:ea8f:19ac:63a0]) + by smtp.gmail.com with ESMTPSA id 00721157ae682-790aa58f9f5sm93223607b3.24.2026.01.14.11.56.02 + (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); + Wed, 14 Jan 2026 11:56:03 -0800 (PST) +From: Viacheslav Dubeyko <[email protected]> +To: [email protected], + [email protected] +Cc: [email protected], + [email protected], + [email protected], + [email protected], + [email protected], + [email protected], + [email protected], + [email protected] +Subject: [PATCH v5] ceph: fix kernel crash in ceph_open() +Date: Wed, 14 Jan 2026 11:55:25 -0800 +Message-ID: <[email protected]> +X-Mailer: git-send-email 2.43.0 +Precedence: bulk +X-Mailing-List: [email protected] +List-Id: <ceph-devel.vger.kernel.org> +List-Subscribe: <mailto:[email protected]> +List-Unsubscribe: <mailto:[email protected]> +MIME-Version: 1.0 +Content-Transfer-Encoding: 8bit + +From: Viacheslav Dubeyko <[email protected]> + +The CephFS kernel client has regression starting from 6.18-rc1. 
+ +sudo ./check -g quick +FSTYP -- ceph +PLATFORM -- Linux/x86_64 ceph-0005 6.18.0-rc5+ #52 SMP PREEMPT_DYNAMIC Fri +Nov 14 11:26:14 PST 2025 +MKFS_OPTIONS -- 192.168.1.213:3300:/scratch +MOUNT_OPTIONS -- -o name=admin,ms_mode=secure 192.168.1.213:3300:/scratch +/mnt/cephfs/scratch + +Killed + +Nov 14 11:48:10 ceph-0005 kernel: [ 154.723902] libceph: mon0 +(2)192.168.1.213:3300 session established +Nov 14 11:48:10 ceph-0005 kernel: [ 154.727225] libceph: client167616 +Nov 14 11:48:11 ceph-0005 kernel: [ 155.087260] BUG: kernel NULL pointer +dereference, address: 0000000000000000 +Nov 14 11:48:11 ceph-0005 kernel: [ 155.087756] #PF: supervisor read access in +kernel mode +Nov 14 11:48:11 ceph-0005 kernel: [ 155.088043] #PF: error_code(0x0000) - not- +present page +Nov 14 11:48:11 ceph-0005 kernel: [ 155.088302] PGD 0 P4D 0 +Nov 14 11:48:11 ceph-0005 kernel: [ 155.088688] Oops: Oops: 0000 [#1] SMP KASAN +NOPTI +Nov 14 11:48:11 ceph-0005 kernel: [ 155.090080] CPU: 4 UID: 0 PID: 3453 Comm: +xfs_io Not tainted 6.18.0-rc5+ #52 PREEMPT(voluntary) +Nov 14 11:48:11 ceph-0005 kernel: [ 155.091245] Hardware name: QEMU Standard PC +(i440FX + PIIX, 1996), BIOS 1.17.0-5.fc42 04/01/2014 +Nov 14 11:48:11 ceph-0005 kernel: [ 155.092103] RIP: 0010:strcmp+0x1c/0x40 +Nov 14 11:48:11 ceph-0005 kernel: [ 155.092493] Code: 90 90 90 90 90 90 90 90 +90 90 90 90 90 90 31 c0 eb 14 66 66 2e 0f 1f 84 00 00 00 00 00 90 48 83 c0 01 84 +d2 74 19 0f b6 14 07 <3a> 14 06 74 ef 19 c0 83 c8 01 31 d2 31 f6 31 ff c3 cc cc +cc cc 31 +Nov 14 11:48:11 ceph-0005 kernel: [ 155.094057] RSP: 0018:ffff8881536875c0 +EFLAGS: 00010246 +Nov 14 11:48:11 ceph-0005 kernel: [ 155.094522] RAX: 0000000000000000 RBX: +ffff888116003200 RCX: 0000000000000000 +Nov 14 11:48:11 ceph-0005 kernel: [ 155.095114] RDX: 0000000000000063 RSI: +0000000000000000 RDI: ffff88810126c900 +Nov 14 11:48:11 ceph-0005 kernel: [ 155.095714] RBP: ffff8881536876a8 R08: +0000000000000000 R09: 0000000000000000 +Nov 14 11:48:11 ceph-0005 kernel: [ 
155.096297] R10: 0000000000000000 R11: +0000000000000000 R12: dffffc0000000000 +Nov 14 11:48:11 ceph-0005 kernel: [ 155.096889] R13: ffff8881061d0000 R14: +0000000000000000 R15: 0000000000000000 +Nov 14 11:48:11 ceph-0005 kernel: [ 155.097490] FS: 000074a85c082840(0000) +GS:ffff8882401a4000(0000) knlGS:0000000000000000 +Nov 14 11:48:11 ceph-0005 kernel: [ 155.098146] CS: 0010 DS: 0000 ES: 0000 +CR0: 0000000080050033 +Nov 14 11:48:11 ceph-0005 kernel: [ 155.098630] CR2: 0000000000000000 CR3: +0000000110ebd001 CR4: 0000000000772ef0 +Nov 14 11:48:11 ceph-0005 kernel: [ 155.099219] PKRU: 55555554 +Nov 14 11:48:11 ceph-0005 kernel: [ 155.099476] Call Trace: +Nov 14 11:48:11 ceph-0005 kernel: [ 155.099686] <TASK> +Nov 14 11:48:11 ceph-0005 kernel: [ 155.099873] ? +ceph_mds_check_access+0x348/0x1760 +Nov 14 11:48:11 ceph-0005 kernel: [ 155.100267] ? +__kasan_check_write+0x14/0x30 +Nov 14 11:48:11 ceph-0005 kernel: [ 155.100671] ? lockref_get+0xb1/0x170 +Nov 14 11:48:11 ceph-0005 kernel: [ 155.100979] ? +__pfx__raw_spin_lock+0x10/0x10 +Nov 14 11:48:11 ceph-0005 kernel: [ 155.101372] ceph_open+0x322/0xef0 +Nov 14 11:48:11 ceph-0005 kernel: [ 155.101669] ? __pfx_ceph_open+0x10/0x10 +Nov 14 11:48:11 ceph-0005 kernel: [ 155.101996] ? +__pfx_apparmor_file_open+0x10/0x10 +Nov 14 11:48:11 ceph-0005 kernel: [ 155.102434] ? +__ceph_caps_issued_mask_metric+0xd6/0x180 +Nov 14 11:48:11 ceph-0005 kernel: [ 155.102911] do_dentry_open+0x7bf/0x10e0 +Nov 14 11:48:11 ceph-0005 kernel: [ 155.103249] ? __pfx_ceph_open+0x10/0x10 +Nov 14 11:48:11 ceph-0005 kernel: [ 155.103508] vfs_open+0x6d/0x450 +Nov 14 11:48:11 ceph-0005 kernel: [ 155.103697] ? may_open+0xec/0x370 +Nov 14 11:48:11 ceph-0005 kernel: [ 155.103893] path_openat+0x2017/0x50a0 +Nov 14 11:48:11 ceph-0005 kernel: [ 155.104110] ? __pfx_path_openat+0x10/0x10 +Nov 14 11:48:11 ceph-0005 kernel: [ 155.104345] ? +__pfx_stack_trace_save+0x10/0x10 +Nov 14 11:48:11 ceph-0005 kernel: [ 155.104599] ? 
+stack_depot_save_flags+0x28/0x8f0 +Nov 14 11:48:11 ceph-0005 kernel: [ 155.104865] ? stack_depot_save+0xe/0x20 +Nov 14 11:48:11 ceph-0005 kernel: [ 155.105063] do_filp_open+0x1b4/0x450 +Nov 14 11:48:11 ceph-0005 kernel: [ 155.105253] ? +__pfx__raw_spin_lock_irqsave+0x10/0x10 +Nov 14 11:48:11 ceph-0005 kernel: [ 155.105538] ? __pfx_do_filp_open+0x10/0x10 +Nov 14 11:48:11 ceph-0005 kernel: [ 155.105748] ? __link_object+0x13d/0x2b0 +Nov 14 11:48:11 ceph-0005 kernel: [ 155.105949] ? +__pfx__raw_spin_lock+0x10/0x10 +Nov 14 11:48:11 ceph-0005 kernel: [ 155.106169] ? +__check_object_size+0x453/0x600 +Nov 14 11:48:11 ceph-0005 kernel: [ 155.106428] ? _raw_spin_unlock+0xe/0x40 +Nov 14 11:48:11 ceph-0005 kernel: [ 155.106635] do_sys_openat2+0xe6/0x180 +Nov 14 11:48:11 ceph-0005 kernel: [ 155.106827] ? +__pfx_do_sys_openat2+0x10/0x10 +Nov 14 11:48:11 ceph-0005 kernel: [ 155.107052] __x64_sys_openat+0x108/0x240 +Nov 14 11:48:11 ceph-0005 kernel: [ 155.107258] ? +__pfx___x64_sys_openat+0x10/0x10 +Nov 14 11:48:11 ceph-0005 kernel: [ 155.107529] ? +__pfx___handle_mm_fault+0x10/0x10 +Nov 14 11:48:11 ceph-0005 kernel: [ 155.107783] x64_sys_call+0x134f/0x2350 +Nov 14 11:48:11 ceph-0005 kernel: [ 155.108007] do_syscall_64+0x82/0xd50 +Nov 14 11:48:11 ceph-0005 kernel: [ 155.108201] ? +fpregs_assert_state_consistent+0x5c/0x100 +Nov 14 11:48:11 ceph-0005 kernel: [ 155.108467] ? do_syscall_64+0xba/0xd50 +Nov 14 11:48:11 ceph-0005 kernel: [ 155.108626] ? __kasan_check_read+0x11/0x20 +Nov 14 11:48:11 ceph-0005 kernel: [ 155.108801] ? +count_memcg_events+0x25b/0x400 +Nov 14 11:48:11 ceph-0005 kernel: [ 155.109013] ? handle_mm_fault+0x38b/0x6a0 +Nov 14 11:48:11 ceph-0005 kernel: [ 155.109216] ? __kasan_check_read+0x11/0x20 +Nov 14 11:48:11 ceph-0005 kernel: [ 155.109457] ? +fpregs_assert_state_consistent+0x5c/0x100 +Nov 14 11:48:11 ceph-0005 kernel: [ 155.109724] ? +irqentry_exit_to_user_mode+0x2e/0x2a0 +Nov 14 11:48:11 ceph-0005 kernel: [ 155.109991] ? 
irqentry_exit+0x43/0x50 +Nov 14 11:48:11 ceph-0005 kernel: [ 155.110180] ? exc_page_fault+0x95/0x100 +Nov 14 11:48:11 ceph-0005 kernel: [ 155.110389] +entry_SYSCALL_64_after_hwframe+0x76/0x7e +Nov 14 11:48:11 ceph-0005 kernel: [ 155.110638] RIP: 0033:0x74a85bf145ab +Nov 14 11:48:11 ceph-0005 kernel: [ 155.110821] Code: 25 00 00 41 00 3d 00 00 +41 00 74 4b 64 8b 04 25 18 00 00 00 85 c0 75 67 44 89 e2 48 89 ee bf 9c ff ff ff +b8 01 01 00 00 0f 05 <48> 3d 00 f0 ff ff 0f 87 91 00 00 00 48 8b 54 24 28 64 48 +2b 14 25 +Nov 14 11:48:11 ceph-0005 kernel: [ 155.111724] RSP: 002b:00007ffc77d316d0 +EFLAGS: 00000246 ORIG_RAX: 0000000000000101 +Nov 14 11:48:11 ceph-0005 kernel: [ 155.112080] RAX: ffffffffffffffda RBX: +0000000000000002 RCX: 000074a85bf145ab +Nov 14 11:48:11 ceph-0005 kernel: [ 155.112442] RDX: 0000000000000000 RSI: +00007ffc77d32789 RDI: 00000000ffffff9c +Nov 14 11:48:11 ceph-0005 kernel: [ 155.112790] RBP: 00007ffc77d32789 R08: +00007ffc77d31980 R09: 0000000000000000 +Nov 14 11:48:11 ceph-0005 kernel: [ 155.113125] R10: 0000000000000000 R11: +0000000000000246 R12: 0000000000000000 +Nov 14 11:48:11 ceph-0005 kernel: [ 155.113502] R13: 00000000ffffffff R14: +0000000000000180 R15: 0000000000000001 +Nov 14 11:48:11 ceph-0005 kernel: [ 155.113838] </TASK> +Nov 14 11:48:11 ceph-0005 kernel: [ 155.113957] Modules linked in: +intel_rapl_msr intel_rapl_common intel_uncore_frequency_common intel_pmc_core +pmt_telemetry pmt_discovery pmt_class intel_pmc_ssram_telemetry intel_vsec +kvm_intel kvm joydev irqbypass polyval_clmulni ghash_clmulni_intel aesni_intel +rapl floppy input_leds psmouse i2c_piix4 vga16fb mac_hid i2c_smbus vgastate +serio_raw bochs qemu_fw_cfg pata_acpi sch_fq_codel rbd msr parport_pc ppdev lp +parport efi_pstore +Nov 14 11:48:11 ceph-0005 kernel: [ 155.116339] CR2: 0000000000000000 +Nov 14 11:48:11 ceph-0005 kernel: [ 155.116574] ---[ end trace 0000000000000000 +]--- +Nov 14 11:48:11 ceph-0005 kernel: [ 155.116826] RIP: 0010:strcmp+0x1c/0x40 +Nov 14 
11:48:11 ceph-0005 kernel: [ 155.117058] Code: 90 90 90 90 90 90 90 90 +90 90 90 90 90 90 31 c0 eb 14 66 66 2e 0f 1f 84 00 00 00 00 00 90 48 83 c0 01 84 +d2 74 19 0f b6 14 07 <3a> 14 06 74 ef 19 c0 83 c8 01 31 d2 31 f6 31 ff c3 cc cc +cc cc 31 +Nov 14 11:48:11 ceph-0005 kernel: [ 155.118070] RSP: 0018:ffff8881536875c0 +EFLAGS: 00010246 +Nov 14 11:48:11 ceph-0005 kernel: [ 155.118362] RAX: 0000000000000000 RBX: +ffff888116003200 RCX: 0000000000000000 +Nov 14 11:48:11 ceph-0005 kernel: [ 155.118748] RDX: 0000000000000063 RSI: +0000000000000000 RDI: ffff88810126c900 +Nov 14 11:48:11 ceph-0005 kernel: [ 155.119116] RBP: ffff8881536876a8 R08: +0000000000000000 R09: 0000000000000000 +Nov 14 11:48:11 ceph-0005 kernel: [ 155.119492] R10: 0000000000000000 R11: +0000000000000000 R12: dffffc0000000000 +Nov 14 11:48:11 ceph-0005 kernel: [ 155.119865] R13: ffff8881061d0000 R14: +0000000000000000 R15: 0000000000000000 +Nov 14 11:48:11 ceph-0005 kernel: [ 155.120242] FS: 000074a85c082840(0000) +GS:ffff8882401a4000(0000) knlGS:0000000000000000 +Nov 14 11:48:11 ceph-0005 kernel: [ 155.120704] CS: 0010 DS: 0000 ES: 0000 +CR0: 0000000080050033 +Nov 14 11:48:11 ceph-0005 kernel: [ 155.121008] CR2: 0000000000000000 CR3: +0000000110ebd001 CR4: 0000000000772ef0 +Nov 14 11:48:11 ceph-0005 kernel: [ 155.121409] PKRU: 55555554 + +We have issue here [1] if fs_name == NULL: + +const char fs_name = mdsc->fsc->mount_options->mds_namespace; + ... + if (auth->match.fs_name && strcmp(auth->match.fs_name, fs_name)) { + / fsname mismatch, try next one */ + return 0; + } + +v2 +Patrick Donnelly suggested that: In summary, we should definitely start +decoding `fs_name` from the MDSMap and do strict authorizations checks +against it. Note that the `--mds_namespace` should only be used for +selecting the file system to mount and nothing else. It's possible +no mds_namespace is specified but the kernel will mount the only +file system that exists which may have name "foo". 
+
+v3
+The namespace_equals() logic has been generalized into
+__namespace_equals() with the goal of using it in
+ceph_mdsc_handle_fsmap() and ceph_mds_auth_match().
+The misspelling of CEPH_NAMESPACE_WILDCARD has been corrected.
+
+v4
+The __namespace_equals() now supports wildcard check.
+
+v5
+Patrick Donnelly suggested to add the sanity check of
+kstrdup() returned pointer in ceph_mdsmap_decode()
+added logic. Also, he suggested much simpler logic of
+namespace strings comparison in the form of
+ceph_namespace_match() logic.
+
+This patch reworks ceph_mdsmap_decode() and namespace_equals() with
+the goal of supporting the suggested concept. Now struct ceph_mdsmap
+contains m_fs_name field that receives copy of extracted FS name
+by ceph_extract_encoded_string(). For the case of "old" CephFS file systems,
+it is used "cephfs" name. Also, namespace_equals() method has been
+reworked with the goal of proper names comparison.
+
+[1] https://elixir.bootlin.com/linux/v6.18-rc4/source/fs/ceph/mds_client.c#L5666
+[2] https://tracker.ceph.com/issues/73886
+
+Fixes: 22c73d52a6d0 ("ceph: fix multifs mds auth caps issue")
+Signed-off-by: Viacheslav Dubeyko <[email protected]>
+cc: Kotresh Hiremath Ravishankar <[email protected]>
+cc: Alex Markuze <[email protected]>
+cc: Ilya Dryomov <[email protected]>
+cc: Patrick Donnelly <[email protected]>
+cc: Ceph Development <[email protected]>
+---
+ fs/ceph/mds_client.c | 11 +++++------
+ fs/ceph/mdsmap.c | 24 ++++++++++++++++++------
+ fs/ceph/mdsmap.h | 1 +
+ fs/ceph/super.h | 24 +++++++++++++++++++-----
+ include/linux/ceph/ceph_fs.h | 6 ++++++
+ 5 files changed, 49 insertions(+), 17 deletions(-)
+
+diff --git a/fs/ceph/mds_client.c b/fs/ceph/mds_client.c
+index 7e4eab824dae..703c14bc3c95 100644
+--- a/fs/ceph/mds_client.c
++++ b/fs/ceph/mds_client.c
+@@ -5671,7 +5671,7 @@ static int ceph_mds_auth_match(struct ceph_mds_client *mdsc,
+ u32 caller_uid = from_kuid(&init_user_ns, cred->fsuid);
+ u32 caller_gid = from_kgid(&init_user_ns, cred->fsgid);
+ struct ceph_client *cl = mdsc->fsc->client;
+- const char *fs_name = mdsc->fsc->mount_options->mds_namespace;
++ const char *fs_name = mdsc->mdsmap->m_fs_name;
+ const char *spath = mdsc->fsc->mount_options->server_path;
+ bool gid_matched = false;
+ u32 gid, tlen, len;
+@@ -5679,7 +5679,8 @@ static int ceph_mds_auth_match(struct ceph_mds_client *mdsc,
+
+ doutc(cl, "fsname check fs_name=%s match.fs_name=%s\n",
+ fs_name, auth->match.fs_name ? auth->match.fs_name : "");
+- if (auth->match.fs_name && strcmp(auth->match.fs_name, fs_name)) {
++
++ if (!ceph_namespace_match(auth->match.fs_name, fs_name, NAME_MAX)) {
+ /* fsname mismatch, try next one */
+ return 0;
+ }
+@@ -6122,7 +6123,6 @@ void ceph_mdsc_handle_fsmap(struct ceph_mds_client *mdsc, struct ceph_msg *msg)
+ {
+ struct ceph_fs_client *fsc = mdsc->fsc;
+ struct ceph_client *cl = fsc->client;
+- const char *mds_namespace = fsc->mount_options->mds_namespace;
+ void *p = msg->front.iov_base;
+ void *end = p + msg->front.iov_len;
+ u32 epoch;
+@@ -6157,9 +6157,8 @@ void ceph_mdsc_handle_fsmap(struct ceph_mds_client *mdsc, struct ceph_msg *msg)
+ namelen = ceph_decode_32(&info_p);
+ ceph_decode_need(&info_p, info_end, namelen, bad);
+
+- if (mds_namespace &&
+- strlen(mds_namespace) == namelen &&
+- !strncmp(mds_namespace, (char *)info_p, namelen)) {
++ if (namespace_equals(fsc->mount_options,
++ (char *)info_p, namelen)) {
+ mount_fscid = fscid;
+ break;
+ }
+diff --git a/fs/ceph/mdsmap.c b/fs/ceph/mdsmap.c
+index 2c7b151a7c95..f0c0ed202184 100644
+--- a/fs/ceph/mdsmap.c
++++ b/fs/ceph/mdsmap.c
+@@ -353,22 +353,33 @@ struct ceph_mdsmap *ceph_mdsmap_decode(struct ceph_mds_client *mdsc, void **p,
+ __decode_and_drop_type(p, end, u8, bad_ext);
+ }
+ if (mdsmap_ev >= 8) {
+- u32 fsname_len;
++ size_t fsname_len;
++
+ /* enabled */
+ ceph_decode_8_safe(p, end, m->m_enabled, bad_ext);
++
+ /* fs_name */
+- ceph_decode_32_safe(p, end, fsname_len, bad_ext);
++ m->m_fs_name = ceph_extract_encoded_string(p, end,
++ &fsname_len,
++ GFP_NOFS);
++ if (IS_ERR(m->m_fs_name)) {
++ m->m_fs_name = NULL;
++ goto nomem;
++ }
+
+ /* validate fsname against mds_namespace */
+- if (!namespace_equals(mdsc->fsc->mount_options, *p,
++ if (!namespace_equals(mdsc->fsc->mount_options, m->m_fs_name,
+ fsname_len)) {
+ pr_warn_client(cl, "fsname %*pE doesn't match mds_namespace %s\n",
+- (int)fsname_len, (char *)*p,
++ (int)fsname_len, m->m_fs_name,
+ mdsc->fsc->mount_options->mds_namespace);
+ goto bad;
+ }
+- /* skip fsname after validation */
+- ceph_decode_skip_n(p, end, fsname_len, bad);
++ } else {
++ m->m_enabled = false;
++ m->m_fs_name = kstrdup(CEPH_OLD_FS_NAME, GFP_NOFS);
++ if (!m->m_fs_name)
++ goto nomem;
+ }
+ /* damaged */
+ if (mdsmap_ev >= 9) {
+@@ -430,6 +441,7 @@ void ceph_mdsmap_destroy(struct ceph_mdsmap *m)
+ kfree(m->m_info);
+ }
+ kfree(m->m_data_pg_pools);
++ kfree(m->m_fs_name);
+ kfree(m);
+ }
+
+diff --git a/fs/ceph/mdsmap.h b/fs/ceph/mdsmap.h
+index 1f2171dd01bf..d48d07c3516d 100644
+--- a/fs/ceph/mdsmap.h
++++ b/fs/ceph/mdsmap.h
+@@ -45,6 +45,7 @@ struct ceph_mdsmap {
+ bool m_enabled;
+ bool m_damaged;
+ int m_num_laggy;
++ char *m_fs_name;
+ };
+
+ static inline struct ceph_entity_addr *
+diff --git a/fs/ceph/super.h b/fs/ceph/super.h
+index a1f781c46b41..c8def96a129f 100644
+--- a/fs/ceph/super.h
++++ b/fs/ceph/super.h
+@@ -104,18 +104,32 @@ struct ceph_mount_options {
+ struct fscrypt_dummy_policy dummy_enc_policy;
+ };
+
++#define CEPH_NAMESPACE_WILDCARD "*"
++
++static inline bool ceph_namespace_match(const char *pattern,
++ const char *target,
++ size_t target_len)
++{
++ if (!pattern || !pattern[0] ||
++ !strcmp(pattern, CEPH_NAMESPACE_WILDCARD))
++ return true;
++
++ if (strlen(pattern) != target_len)
++ return false;
++
++ return !strncmp(pattern, target, target_len);
++}
++
+ /*
+ * Check if the mds namespace in ceph_mount_options matches
+ * the passed in namespace string. First time match (when
+ * ->mds_namespace is NULL) is treated specially, since
+ * ->mds_namespace needs to be initialized by the caller.
+ */
+-static inline int namespace_equals(struct ceph_mount_options *fsopt,
+- const char *namespace, size_t len)
++static inline bool namespace_equals(struct ceph_mount_options *fsopt,
++ const char *namespace, size_t len)
+ {
+- return !(fsopt->mds_namespace &&
+- (strlen(fsopt->mds_namespace) != len ||
+- strncmp(fsopt->mds_namespace, namespace, len)));
++ return ceph_namespace_match(fsopt->mds_namespace, namespace, len);
+ }
+
+ /* mount state */
+diff --git a/include/linux/ceph/ceph_fs.h b/include/linux/ceph/ceph_fs.h
+index c7f2c63b3bc3..08e5dbe15ca4 100644
+--- a/include/linux/ceph/ceph_fs.h
++++ b/include/linux/ceph/ceph_fs.h
+@@ -31,6 +31,12 @@
+ #define CEPH_INO_CEPH 2 /* hidden .ceph dir */
+ #define CEPH_INO_GLOBAL_SNAPREALM 3 /* global dummy snaprealm */
+
++/*
++ * name for "old" CephFS file systems,
++ * see ceph.git e2b151d009640114b2565c901d6f41f6cd5ec652
++ */
++#define CEPH_OLD_FS_NAME "cephfs"
++
+ /* arbitrary limit on max # of monitors (cluster of 3 is typical) */
+ #define CEPH_MAX_MON 31
+
+-- 
+2.52.0
+
+
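Review bot: In the second fs/ceph/mds_client.c hunk, `ceph_namespace_match(auth->match.fs_name, fs_name, NAME_MAX)` passes a constant as `target_len`, while the helper added in fs/ceph/super.h returns false whenever `strlen(pattern) != target_len`. As written, an MDS auth cap that names a specific file system is treated as an fsname mismatch unless that name is exactly NAME_MAX bytes long, so only the NULL, empty and `*` patterns can match. Passing the real length fixes this and keeps a NULL `fs_name` away from `strncmp()`: `if (!ceph_namespace_match(auth->match.fs_name, fs_name, fs_name ? strlen(fs_name) : 0)) {`. The helper never checks `target` for NULL, and `m_fs_name` is now freed in `ceph_mdsmap_destroy()`, so it is worth confirming that `ceph_mds_auth_match()` reads `mdsc->mdsmap` under whatever lock guards map replacement. The bodies of both functions continue outside the hunks, so that locking cannot be checked from here.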
