ceph: avoid putting the realm twice when decoding snaps fails

thefossguy-ciq · thefossguy-ciq · commit 9a8dee3dae29 · 2025-07-31T10:47:03.000+05:30
jira VULN-65927 cve CVE-2022-49770 commit-author Xiubo Li <xiubli@redhat.com> commit 51884d1 upstream-diff Absence of the following commit caused a merge conflict: 2e58664 ("ceph: do not update snapshot context when there is no new snapshot") When decoding the snaps fails it maybe leaving the 'first_realm' and 'realm' pointing to the same snaprealm memory. And then it'll put it twice and could cause random use-after-free, BUG_ON, etc issues. Cc: stable@vger.kernel.org Link: https://tracker.ceph.com/issues/57686 Signed-off-by: Xiubo Li <xiubli@redhat.com> Reviewed-by: Ilya Dryomov <idryomov@gmail.com> Signed-off-by: Ilya Dryomov <idryomov@gmail.com> (cherry picked from commit 51884d1) Signed-off-by: Pratham Patel <ppatel@ciq.com>
diff --git a/fs/ceph/snap.c b/fs/ceph/snap.c
@@ -665,14 +665,15 @@ int ceph_update_snap_trace(struct ceph_mds_client *mdsc,
 	struct ceph_mds_snap_realm *ri;    /* encoded */
 	__le64 *snaps;                     /* encoded */
 	__le64 *prior_parent_snaps;        /* encoded */
-	struct ceph_snap_realm *realm = NULL;
+	struct ceph_snap_realm *realm;
 	struct ceph_snap_realm *first_realm = NULL;
 	int invalidate = 0;
 	int err = -ENOMEM;
 	LIST_HEAD(dirty_realms);
 
 	dout("update_snap_trace deletion=%d\n", deletion);
 more:
+	realm = NULL;
 	ceph_decode_need(&p, e, sizeof(*ri), bad);
 	ri = p;
 	p += sizeof(*ri);
