CVE-2025-39927

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ceph: fix race condition validating r_parent before applying state<br /> <br /> Add validation to ensure the cached parent directory inode matches the<br /> directory info in MDS replies. This prevents client-side race conditions<br /> where concurrent operations (e.g. rename) cause r_parent to become stale<br /> between request initiation and reply processing, which could lead to<br /> applying state changes to incorrect directory inodes.<br /> <br /> [ idryomov: folded a kerneldoc fixup and a follow-up fix from Alex to<br /> move CEPH_CAP_PIN reference when r_parent is updated:<br /> <br /> When the parent directory lock is not held, req-&gt;r_parent can become<br /> stale and is updated to point to the correct inode. However, the<br /> associated CEPH_CAP_PIN reference was not being adjusted. The<br /> CEPH_CAP_PIN is a reference on an inode that is tracked for<br /> accounting purposes. Moving this pin is important to keep the<br /> accounting balanced. When the pin was not moved from the old parent<br /> to the new one, it created two problems: The reference on the old,<br /> stale parent was never released, causing a reference leak.<br /> A reference for the new parent was never acquired, creating the risk<br /> of a reference underflow later in ceph_mdsc_release_request(). This<br /> patch corrects the logic by releasing the pin from the old parent and<br /> acquiring it for the new parent when r_parent is switched. This<br /> ensures reference accounting stays balanced. ]