[dm-devel] Infinite recursion when creating devices

[Hannes Reinecke <hare suse de>]

Hi all,

I found a nice way of crashing the kernel:

dd if=/dev/zero of=/tmp/testdisk bs=512 count=4096
losetup /dev/loop1 /tmp/testdisk
echo '0 4096 linear /dev/loop1 0' | dmsetup create test1
echo '0 4096 linear /dev/dm-0 0' | dmsetup reload test1
dmsetup resume test1
-> Watch the system go up in flames.

The above case can be trivially fixed by eg:

diff --git a/fs/block_dev.c b/fs/block_dev.c
index 0e575d1..da46690 100644
--- a/fs/block_dev.c
+++ b/fs/block_dev.c
@@ -896,6 +896,12 @@ int bd_link_disk_holder(struct block_device
*bdev, struct g
endisk *disk)
        if (WARN_ON(!disk->slave_dir || !bdev->bd_part->holder_dir))
                goto out_unlock;

+       /* Prevent infinite loops */
+       if (bdev->bd_disk == disk) {
+               ret = -ELOOP;
+               goto out_unlock;
+       }
+
        holder = bd_find_holder_disk(bdev, disk);
        if (holder) {
                holder->refcnt++;

but obviously that doesn't cover the more 'interesting' cases
involving several devices, like

dd if=/dev/zero of=/tmp/testdisk bs=512 count=4096
losetup /dev/loop1 /tmp/testdisk
echo '0 4096 linear /dev/loop1 0' | dmsetup create test1
echo '0 4096 linear /dev/dm-0 0' | dmsetup create test2
echo '0 4096 linear /dev/dm-1 0' | dmsetup create test3
echo '0 4096 linear /dev/dm-2 0' | dmsetup reload test1
dmsetup resume test1

For these cases we probably don't have any better chance
then fixing things ex-post, eg proper loop detection in each and
every interaction.

Anyone a better idea?

Cheers,

Hannes
-- 
Dr. Hannes Reinecke		      zSeries & Storage
hare suse de			      +49 911 74053 688
SUSE LINUX Products GmbH, Maxfeldstr. 5, 90409 Nürnberg
GF: J. Hawn, J. Guild, F. Imendörffer, HRB 16746 (AG Nürnberg)