CVE-2025-68285

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> libceph: fix potential use-after-free in have_mon_and_osd_map()<br /> <br /> The wait loop in __ceph_open_session() can race with the client<br /> receiving a new monmap or osdmap shortly after the initial map is<br /> received. Both ceph_monc_handle_map() and handle_one_map() install<br /> a new map immediately after freeing the old one<br /> <br /> kfree(monc-&gt;monmap);<br /> monc-&gt;monmap = monmap;<br /> <br /> ceph_osdmap_destroy(osdc-&gt;osdmap);<br /> osdc-&gt;osdmap = newmap;<br /> <br /> under client-&gt;monc.mutex and client-&gt;osdc.lock respectively, but<br /> because neither is taken in have_mon_and_osd_map() it&amp;#39;s possible for<br /> client-&gt;monc.monmap-&gt;epoch and client-&gt;osdc.osdmap-&gt;epoch arms in<br /> <br /> client-&gt;monc.monmap &amp;&amp; client-&gt;monc.monmap-&gt;epoch &amp;&amp;<br /> client-&gt;osdc.osdmap &amp;&amp; client-&gt;osdc.osdmap-&gt;epoch;<br /> <br /> condition to dereference an already freed map. This happens to be<br /> reproducible with generic/395 and generic/397 with KASAN enabled:<br /> <br /> BUG: KASAN: slab-use-after-free in have_mon_and_osd_map+0x56/0x70<br /> Read of size 4 at addr ffff88811012d810 by task mount.ceph/13305<br /> CPU: 2 UID: 0 PID: 13305 Comm: mount.ceph Not tainted 6.14.0-rc2-build2+ #1266<br /> ...<br /> Call Trace:<br /> <br /> have_mon_and_osd_map+0x56/0x70<br /> ceph_open_session+0x182/0x290<br /> ceph_get_tree+0x333/0x680<br /> vfs_get_tree+0x49/0x180<br /> do_new_mount+0x1a3/0x2d0<br /> path_mount+0x6dd/0x730<br /> do_mount+0x99/0xe0<br /> __do_sys_mount+0x141/0x180<br /> do_syscall_64+0x9f/0x100<br /> entry_SYSCALL_64_after_hwframe+0x76/0x7e<br /> <br /> <br /> Allocated by task 13305:<br /> ceph_osdmap_alloc+0x16/0x130<br /> ceph_osdc_init+0x27a/0x4c0<br /> ceph_create_client+0x153/0x190<br /> create_fs_client+0x50/0x2a0<br /> ceph_get_tree+0xff/0x680<br /> vfs_get_tree+0x49/0x180<br /> do_new_mount+0x1a3/0x2d0<br /> path_mount+0x6dd/0x730<br /> do_mount+0x99/0xe0<br /> __do_sys_mount+0x141/0x180<br /> do_syscall_64+0x9f/0x100<br /> entry_SYSCALL_64_after_hwframe+0x76/0x7e<br /> <br /> Freed by task 9475:<br /> kfree+0x212/0x290<br /> handle_one_map+0x23c/0x3b0<br /> ceph_osdc_handle_map+0x3c9/0x590<br /> mon_dispatch+0x655/0x6f0<br /> ceph_con_process_message+0xc3/0xe0<br /> ceph_con_v1_try_read+0x614/0x760<br /> ceph_con_workfn+0x2de/0x650<br /> process_one_work+0x486/0x7c0<br /> process_scheduled_works+0x73/0x90<br /> worker_thread+0x1c8/0x2a0<br /> kthread+0x2ec/0x300<br /> ret_from_fork+0x24/0x40<br /> ret_from_fork_asm+0x1a/0x30<br /> <br /> Rewrite the wait loop to check the above condition directly with<br /> client-&gt;monc.mutex and client-&gt;osdc.lock taken as appropriate. While<br /> at it, improve the timeout handling (previously mount_timeout could be<br /> exceeded in case wait_event_interruptible_timeout() slept more than<br /> once) and access client-&gt;auth_err under client-&gt;monc.mutex to match<br /> how it&amp;#39;s set in finish_auth().<br /> <br /> monmap_show() and osdmap_show() now take the respective lock before<br /> accessing the map as well.