From: Ilya Dryomov Date: Mon, 15 Dec 2025 10:53:31 +0000 (+0100) Subject: libceph: replace overzealous BUG_ON in osdmap_apply_incremental() X-Git-Tag: v5.15.198~49 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4b106fbb1c7b841cd402abd83eb2447164c799ea;p=thirdparty%2Fkernel%2Fstable.git libceph: replace overzealous BUG_ON in osdmap_apply_incremental() commit e00c3f71b5cf75681dbd74ee3f982a99cb690c2b upstream. If the osdmap is (maliciously) corrupted such that the incremental osdmap epoch is different from what is expected, there is no need to BUG. Instead, just declare the incremental osdmap to be invalid. Cc: stable@vger.kernel.org Reported-by: ziming zhang Signed-off-by: Ilya Dryomov Signed-off-by: Greg Kroah-Hartman --- diff --git a/net/ceph/osdmap.c b/net/ceph/osdmap.c index ce4a4c23fc6be..ddaf7b4c75645 100644 --- a/net/ceph/osdmap.c +++ b/net/ceph/osdmap.c @@ -1959,11 +1959,13 @@ struct ceph_osdmap *osdmap_apply_incremental(void **p, void *end, bool msgr2, sizeof(u64) + sizeof(u32), e_inval); ceph_decode_copy(p, &fsid, sizeof(fsid)); epoch = ceph_decode_32(p); - BUG_ON(epoch != map->epoch+1); ceph_decode_copy(p, &modified, sizeof(modified)); new_pool_max = ceph_decode_64(p); new_flags = ceph_decode_32(p); + if (epoch != map->epoch + 1) + goto e_inval; + /* full map? */ ceph_decode_32_safe(p, end, len, e_inval); if (len > 0) {
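Review bot: the new `if (epoch != map->epoch + 1) goto e_inval;` check sits after the decodes of `modified`, `new_pool_max` and `new_flags`, not directly after `epoch = ceph_decode_32(p)` where the removed BUG_ON was. Either move it up to the old position or add a one-line comment saying why it is deferred, so the ordering reads as intentional. Rejecting late looks harmless here, since the three values land in locals and the decodes are covered by the bounds check whose tail is visible above (`sizeof(u64) + sizeof(u32), e_inval`). The mismatch now shares the `e_inval` exit with every other decode failure in this function, so it is worth confirming that this path reports the received epoch alongside `map->epoch`. An unexpected epoch in an incremental map from a corrupted or malicious source is a different signal from a truncated buffer, and whoever triages the log should be able to tell the two apart.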