libceph: replace overzealous BUG_ON in osdmap_apply_incremental()

commit e00c3f71b5cf75681dbd74ee3f982a99cb690c2b upstream. If the osdmap is (maliciously) corrupted such that the incremental osdmap epoch is different from what is expected, there is no need to BUG. Instead, just declare the incremental osdmap to be invalid. Cc: stable@vger.kernel.org Reported-by: ziming zhang <ezrakiez@gmail.com> Signed-off-by: Ilya Dryomov <idryomov@gmail.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
author: Ilya Dryomov <idryomov@gmail.com> 2025-12-15 11:53:31 +0100
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2026-01-17 16:31:17 +0100
commit: 6c6cec3db3b418c4fdf815731bc39e46dff75e1b (patch)
tree: 313c15aa4a2cb61ee4da297854bfab268d2dd064
parent: 2802ef3380fa8c4a08cda51ec1f085b1a712e9e2 (diff)
1 files changed, 3 insertions, 1 deletions
diff --git a/net/ceph/osdmap.c b/net/ceph/osdmap.c
index f5f60deb680a..0722e9347a64 100644
--- a/net/ceph/osdmap.c
+++ b/net/ceph/osdmap.c
@@ -1979,11 +1979,13 @@ struct ceph_osdmap *osdmap_apply_incremental(void **p, void *end, bool msgr2,
 			 sizeof(u64) + sizeof(u32), e_inval);
 	ceph_decode_copy(p, &fsid, sizeof(fsid));
 	epoch = ceph_decode_32(p);
-	BUG_ON(epoch != map->epoch+1);
 	ceph_decode_copy(p, &modified, sizeof(modified));
 	new_pool_max = ceph_decode_64(p);
 	new_flags = ceph_decode_32(p);
 
+	if (epoch != map->epoch + 1)
+		goto e_inval;
+
 	/* full map? */
 	ceph_decode_32_safe(p, end, len, e_inval);
 	if (len > 0) {
author	Ilya Dryomov <idryomov@gmail.com>	2025-12-15 11:53:31 +0100
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2026-01-17 16:31:17 +0100
commit	6c6cec3db3b418c4fdf815731bc39e46dff75e1b (patch)
tree	313c15aa4a2cb61ee4da297854bfab268d2dd064
parent	2802ef3380fa8c4a08cda51ec1f085b1a712e9e2 (diff)