CVE-2026-43408

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
08/05/2026
Last modified:
08/05/2026

Description

In the Linux kernel, the following vulnerability has been resolved:

ceph: add a bunch of missing ceph_path_info initializers

ceph_mdsc_build_path() must be called with a zero-initialized ceph_path_info parameter, or else the following ceph_mdsc_free_path_info() may crash.

Example crash (on Linux 6.18.12):

virt_to_cache: Object is not a Slab page!
WARNING: CPU: 184 PID: 2871736 at mm/slub.c:6732 kmem_cache_free+0x316/0x400
[...]
Call Trace:
[...]
ceph_open+0x13d/0x3e0
do_dentry_open+0x134/0x480
vfs_open+0x2a/0xe0
path_openat+0x9a3/0x1160
[...]
cache_from_obj: Wrong slab cache. names_cache but object is from ceph_inode_info
WARNING: CPU: 184 PID: 2871736 at mm/slub.c:6746 kmem_cache_free+0x2dd/0x400
[...]
kernel BUG at mm/slub.c:634!
Oops: invalid opcode: 0000 [#1] SMP NOPTI
RIP: 0010:__slab_free+0x1a4/0x350

Some of the ceph_mdsc_build_path() callers had initializers, but others had not, even though they were all added by commit 15f519e9f883 ("ceph: fix race condition validating r_parent before applying state"). The ones without initializer are susceptible to random crashes. (I can imagine it could even be possible to exploit this bug to elevate privileges.)

Unfortunately, these Ceph functions are undocumented and their semantics can only be derived from the code. I see that ceph_mdsc_build_path() initializes the structure only on success, but not on error.

Calling ceph_mdsc_free_path_info() after a failed ceph_mdsc_build_path() call does not even make sense, but that's what all callers do, and for it to be safe, the structure must be zero-initialized. The least intrusive approach to fix this is therefore to add initializers everywhere.
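The failure mode described above, as an added user-space model that is not the kernel's code and not part of this advisory: a "build" function that writes its output struct only on success, a "free" function that trusts whatever the struct holds, and two caller shapes, one without an initializer (the pre-fix pattern) and one with. The names `path_info`, `build_path`, `free_path_info`, `cache_alloc` and `cache_free` are assumptions chosen to mirror the shape of `struct ceph_path_info`, `ceph_mdsc_build_path()` and `ceph_mdsc_free_path_info()`; the tiny allocator registry stands in for the slab check that produced the "Object is not a Slab page!" warning, so the bogus free is reported as a return value instead of crashing the process.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of the advisory's pattern (assumption: names mirror
 * struct ceph_path_info and its helpers; this is not the kernel's code). */
struct path_info {
	char *path;
	size_t pathlen;
	bool freepath;	/* true if path was allocated and must be released */
};

/* Stand-in for the slab allocator: remembers what it handed out so a bogus
 * free is reported (like "virt_to_cache: Object is not a Slab page!"). */
#define MAX_LIVE 16
static void *live[MAX_LIVE];

static void *cache_alloc(size_t n)
{
	for (int i = 0; i < MAX_LIVE; i++)
		if (!live[i])
			return live[i] = malloc(n);
	return NULL;
}

static int cache_free(void *p)	/* 0 on success, -1 if p is not ours */
{
	for (int i = 0; i < MAX_LIVE; i++)
		if (live[i] == p) {
			free(p);
			live[i] = NULL;
			return 0;
		}
	return -1;
}

/* Like ceph_mdsc_build_path(): *pi is written only on success and left
 * untouched on error. */
static int build_path(const char *name, struct path_info *pi)
{
	if (!name || !*name)
		return -ENOENT;
	size_t len = strlen(name);
	char *p = cache_alloc(len + 1);
	if (!p)
		return -ENOMEM;
	memcpy(p, name, len + 1);
	pi->path = p;
	pi->pathlen = len;
	pi->freepath = true;
	return 0;
}

/* Like ceph_mdsc_free_path_info(): trusts whatever the struct holds. Returns
 * 0 if nothing was freed, 1 for a valid free, -1 if garbage reached the allocator. */
static int free_path_info(struct path_info *pi)
{
	if (!pi->freepath || !pi->path)
		return 0;
	int rc = cache_free(pi->path);
	pi->path = NULL;
	pi->freepath = false;
	return rc < 0 ? -1 : 1;
}

/* Deterministic stand-in for stale stack contents left by an earlier frame. */
static void stale_stack(struct path_info *pi)
{
	static char not_a_heap_object[] = "leftover";
	pi->path = not_a_heap_object;
	pi->pathlen = sizeof(not_a_heap_object) - 1;
	pi->freepath = true;
}

/* Buggy caller shape: no initializer, and the free runs on the error path too. */
static int caller_without_init(const char *name)
{
	struct path_info pi;
	stale_stack(&pi);	/* what an uninitialized local may contain */
	(void)build_path(name, &pi);
	return free_path_info(&pi);
}

/* Fixed caller shape: the zero initializer makes the error-path free a no-op. */
static int caller_with_init(const char *name)
{
	struct path_info pi = { 0 };
	(void)build_path(name, &pi);
	return free_path_info(&pi);
}

int main(void)
{
	printf("no init, error path: %d\n", caller_without_init(""));	/* -1 */
	printf("init, error path:    %d\n", caller_with_init(""));	/* 0 */
	return 0;
}
```

On the success path both callers behave identically, because `build_path()` overwrites every field; the difference appears only when `build_path()` fails, which is exactly why the crash in the advisory was intermittent. The `= { 0 }` initializer is the whole fix: with `freepath` and `path` zeroed, `free_path_info()` returns early instead of handing a stale pointer to the allocator.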

Impact