[PATCH 6.17 141/146] libceph: replace BUG_ON with bounds check for map->max_osd - Linux-stable-mirror

3 Dec 2025

6.17-stable review patch.  If anyone has any objections, please let me know.
------------------
From: ziming zhang ezrakiez@gmail.com
commit ec3797f043756a94ea2d0f106022e14ac4946c02 upstream.
OSD indexes come from untrusted network packets. Boundary checks are
added to validate these against map->max_osd.
[ idryomov: drop BUG_ON in ceph_get_primary_affinity(), minor cosmetic
  edits ]
Cc: stable@vger.kernel.org
Signed-off-by: ziming zhang ezrakiez@gmail.com
Reviewed-by: Ilya Dryomov idryomov@gmail.com
Signed-off-by: Ilya Dryomov idryomov@gmail.com
Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
---
 net/ceph/osdmap.c |   18 +++++++++++-------
 1 file changed, 11 insertions(+), 7 deletions(-)

--- a/net/ceph/osdmap.c
+++ b/net/ceph/osdmap.c
@@ -1504,8 +1504,6 @@ static int decode_new_primary_temp(void
u32 ceph_get_primary_affinity(struct ceph_osdmap *map, int osd)
 {
-	BUG_ON(osd >= map->max_osd);
-
    if (!map->osd_primary_affinity)
    	return CEPH_OSD_DEFAULT_PRIMARY_AFFINITY;
@@ -1514,8 +1512,6 @@ u32 ceph_get_primary_affinity(struct cep
static int set_primary_affinity(struct ceph_osdmap *map, int osd, u32 aff)
 {
-	BUG_ON(osd >= map->max_osd);
-
    if (!map->osd_primary_affinity) {
    	int i;
@@ -1577,6 +1573,8 @@ static int decode_new_primary_affinity(v
ceph_decode_32_safe(p, end, osd, e_inval);
    	ceph_decode_32_safe(p, end, aff, e_inval);
+		if (osd >= map->max_osd)
+			goto e_inval;
ret = set_primary_affinity(map, osd, aff);
    	if (ret)
@@ -1879,7 +1877,9 @@ static int decode_new_up_state_weight(vo
    	ceph_decode_need(p, end, 2*sizeof(u32), e_inval);
    	osd = ceph_decode_32(p);
    	w = ceph_decode_32(p);
-		BUG_ON(osd >= map->max_osd);
+		if (osd >= map->max_osd)
+			goto e_inval;
+
    	osdmap_info(map, "osd%d weight 0x%x %s\n", osd, w,
    		    w == CEPH_OSD_IN ? "(in)" :
    		    (w == CEPH_OSD_OUT ? "(out)" : ""));
@@ -1905,13 +1905,15 @@ static int decode_new_up_state_weight(vo
    	u32 xorstate;
osd = ceph_decode_32(p);
+		if (osd >= map->max_osd)
+			goto e_inval;
+
    	if (struct_v >= 5)
    		xorstate = ceph_decode_32(p);
    	else
    		xorstate = ceph_decode_8(p);
    	if (xorstate == 0)
    		xorstate = CEPH_OSD_UP;
-		BUG_ON(osd >= map->max_osd);
    	if ((map->osd_state[osd] & CEPH_OSD_UP) &&
    	    (xorstate & CEPH_OSD_UP))
    		osdmap_info(map, "osd%d down\n", osd);
@@ -1937,7 +1939,9 @@ static int decode_new_up_state_weight(vo
    	struct ceph_entity_addr addr;
osd = ceph_decode_32(p);
-		BUG_ON(osd >= map->max_osd);
+		if (osd >= map->max_osd)
+			goto e_inval;
+
    	if (struct_v >= 7)
    		ret = ceph_decode_entity_addrvec(p, end, msgr2, &addr);
    	else

    