PT-2026-51848 · Linux · Linux
Published 2026-06-24 · Updated 2026-06-24 · CVE-2026-52954
None
No severity ratings or metrics are available. When they are, we will update the corresponding information on the page.
In the Linux kernel, the following vulnerability has been resolved:
libceph: handle rbtree insertion error in decode_choose_args()
A message of type CEPH_MSG_OSD_MAP contains an OSD map that itself
contains a CRUSH map. The received CRUSH map may optionally contain
choose_args that get decoded in decode_choose_args(). In this function,
num_choose_arg_maps is read from the message, and a corresponding number
of crush_choose_arg_maps gets decoded afterwards. Each
crush_choose_arg_map has a choose_args_index, which serves as the key
when inserting it into the choose_args rbtree of the decoded crush map.
If a (potentially corrupted) message contains two crush_choose_arg_maps
with the same index, the assertion in insert_choose_arg_map() triggers a
kernel BUG when trying to insert the second crush_choose_arg_map.
This patch fixes the issue by switching to the non-asserting rbtree
insertion function and rejecting the message if the insertion fails.
[ idryomov: changelog ]
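A userspace sketch of the pattern the changelog describes, added here as an illustration and not taken from the kernel patch: the decoder uses an insert that reports a duplicate key and rejects the whole message instead of asserting. The wire layout, `map_set`, `set_insert`, `decode_maps`, the linear array standing in for the rbtree, and the `-EEXIST` return are assumptions made for this example.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>

#define MAX_MAPS 16                 /* constructed limit for this sketch */

struct map_set {                    /* stand-in for the keyed rbtree */
    uint32_t keys[MAX_MAPS];
    size_t n;
};

static uint32_t rd32(const uint8_t *p)  /* little-endian u32 */
{
    return p[0] | (p[1] << 8) | (p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Non-asserting insert: reports a duplicate key instead of aborting. */
static int set_insert(struct map_set *s, uint32_t key)
{
    for (size_t i = 0; i < s->n; i++)
        if (s->keys[i] == key)
            return 0;               /* duplicate: the caller decides */
    s->keys[s->n++] = key;
    return 1;
}

/* Constructed format: u32 count, then `count` u32 indices. */
static int decode_maps(const uint8_t *p, size_t len, struct map_set *out)
{
    out->n = 0;
    if (len < 4)
        return -EINVAL;
    uint32_t count = rd32(p);
    if (count > MAX_MAPS || (len - 4) / 4 < count)
        return -EINVAL;             /* count not backed by the buffer */
    for (uint32_t i = 0; i < count; i++)
        if (!set_insert(out, rd32(p + 4 + 4 * i))) {
            out->n = 0;             /* drop the partial result */
            return -EEXIST;         /* reject the whole message */
        }
    return 0;
}

/* Constructed sample messages: two distinct indices, then a repeated one. */
static const uint8_t GOOD[] = {2,0,0,0, 1,0,0,0, 2,0,0,0};
static const uint8_t DUP[]  = {2,0,0,0, 7,0,0,0, 7,0,0,0};
```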
Related identifiers
Affected products
Linux