{"id":"CVE-2025-68285","summary":"libceph: fix potential use-after-free in have_mon_and_osd_map()","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nlibceph: fix potential use-after-free in have_mon_and_osd_map()\n\nThe wait loop in __ceph_open_session() can race with the client\nreceiving a new monmap or osdmap shortly after the initial map is\nreceived.  Both ceph_monc_handle_map() and handle_one_map() install\na new map immediately after freeing the old one\n\n    kfree(monc-\u003emonmap);\n    monc-\u003emonmap = monmap;\n\n    ceph_osdmap_destroy(osdc-\u003eosdmap);\n    osdc-\u003eosdmap = newmap;\n\nunder client-\u003emonc.mutex and client-\u003eosdc.lock respectively, but\nbecause neither is taken in have_mon_and_osd_map() it's possible for\nclient-\u003emonc.monmap-\u003eepoch and client-\u003eosdc.osdmap-\u003eepoch arms in\n\n    client-\u003emonc.monmap && client-\u003emonc.monmap-\u003eepoch &&\n        client-\u003eosdc.osdmap && client-\u003eosdc.osdmap-\u003eepoch;\n\ncondition to dereference an already freed map.  This happens to be\nreproducible with generic/395 and generic/397 with KASAN enabled:\n\n    BUG: KASAN: slab-use-after-free in have_mon_and_osd_map+0x56/0x70\n    Read of size 4 at addr ffff88811012d810 by task mount.ceph/13305\n    CPU: 2 UID: 0 PID: 13305 Comm: mount.ceph Not tainted 6.14.0-rc2-build2+ #1266\n    ...\n    Call Trace:\n    \u003cTASK\u003e\n    have_mon_and_osd_map+0x56/0x70\n    ceph_open_session+0x182/0x290\n    ceph_get_tree+0x333/0x680\n    vfs_get_tree+0x49/0x180\n    do_new_mount+0x1a3/0x2d0\n    path_mount+0x6dd/0x730\n    do_mount+0x99/0xe0\n    __do_sys_mount+0x141/0x180\n    do_syscall_64+0x9f/0x100\n    entry_SYSCALL_64_after_hwframe+0x76/0x7e\n    \u003c/TASK\u003e\n\n    Allocated by task 13305:\n    ceph_osdmap_alloc+0x16/0x130\n    ceph_osdc_init+0x27a/0x4c0\n    ceph_create_client+0x153/0x190\n    create_fs_client+0x50/0x2a0\n    ceph_get_tree+0xff/0x680\n    vfs_get_tree+0x49/0x180\n    do_new_mount+0x1a3/0x2d0\n    path_mount+0x6dd/0x730\n    do_mount+0x99/0xe0\n    __do_sys_mount+0x141/0x180\n    do_syscall_64+0x9f/0x100\n    entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\n    Freed by task 9475:\n    kfree+0x212/0x290\n    handle_one_map+0x23c/0x3b0\n    ceph_osdc_handle_map+0x3c9/0x590\n    mon_dispatch+0x655/0x6f0\n    ceph_con_process_message+0xc3/0xe0\n    ceph_con_v1_try_read+0x614/0x760\n    ceph_con_workfn+0x2de/0x650\n    process_one_work+0x486/0x7c0\n    process_scheduled_works+0x73/0x90\n    worker_thread+0x1c8/0x2a0\n    kthread+0x2ec/0x300\n    ret_from_fork+0x24/0x40\n    ret_from_fork_asm+0x1a/0x30\n\nRewrite the wait loop to check the above condition directly with\nclient-\u003emonc.mutex and client-\u003eosdc.lock taken as appropriate.  While\nat it, improve the timeout handling (previously mount_timeout could be\nexceeded in case wait_event_interruptible_timeout() slept more than\nonce) and access client-\u003eauth_err under client-\u003emonc.mutex to match\nhow it's set in finish_auth().\n\nmonmap_show() and osdmap_show() now take the respective lock before\naccessing the map as well.","modified":"2026-04-16T04:40:32.817629815Z","published":"2025-12-16T15:06:07.078Z","related":["ALSA-2026:0443","ALSA-2026:0444","ALSA-2026:0786","ALSA-2026:0793","SUSE-SU-2026:0411-1","SUSE-SU-2026:0447-1","SUSE-SU-2026:0471-1","SUSE-SU-2026:0472-1","SUSE-SU-2026:0474-1","SUSE-SU-2026:0496-1","SUSE-SU-2026:0587-1","SUSE-SU-2026:0617-1","SUSE-SU-2026:0928-1","SUSE-SU-2026:0939-1","SUSE-SU-2026:0940-1","SUSE-SU-2026:0941-1","SUSE-SU-2026:0943-1","SUSE-SU-2026:0944-1","SUSE-SU-2026:0945-1","SUSE-SU-2026:0946-1","SUSE-SU-2026:0951-1","SUSE-SU-2026:0953-1","SUSE-SU-2026:0954-1","SUSE-SU-2026:0958-1","SUSE-SU-2026:0961-1","SUSE-SU-2026:0964-1","SUSE-SU-2026:0967-1","SUSE-SU-2026:0970-1","SUSE-SU-2026:0983-1","SUSE-SU-2026:0985-1","SUSE-SU-2026:0992-1","SUSE-SU-2026:0997-1","SUSE-SU-2026:1000-1","SUSE-SU-2026:1002-1","SUSE-SU-2026:1039-1","SUSE-SU-2026:1044-1","SUSE-SU-2026:1045-1","SUSE-SU-2026:1046-1","SUSE-SU-2026:1048-1","SUSE-SU-2026:1049-1","SUSE-SU-2026:1059-1","SUSE-SU-2026:1073-1","SUSE-SU-2026:1078-1","SUSE-SU-2026:1083-1","SUSE-SU-2026:1088-1","SUSE-SU-2026:1089-1","SUSE-SU-2026:1096-1","SUSE-SU-2026:1099-1","SUSE-SU-2026:1100-1","SUSE-SU-2026:1101-1","SUSE-SU-2026:1102-1","SUSE-SU-2026:1125-1","SUSE-SU-2026:1132-1","SUSE-SU-2026:1136-1","SUSE-SU-2026:20207-1","SUSE-SU-2026:20220-1","SUSE-SU-2026:20228-1","SUSE-SU-2026:20477-1","SUSE-SU-2026:20498-1","SUSE-SU-2026:20828-1","SUSE-SU-2026:20829-1","SUSE-SU-2026:20831-1","SUSE-SU-2026:20832-1","SUSE-SU-2026:20837-1","SUSE-SU-2026:20840-1","SUSE-SU-2026:20841-1","SUSE-SU-2026:20842-1","SUSE-SU-2026:20845-1","SUSE-SU-2026:20853-1","SUSE-SU-2026:20854-1","SUSE-SU-2026:20855-1","SUSE-SU-2026:20856-1","SUSE-SU-2026:20862-1","SUSE-SU-2026:20863-1","SUSE-SU-2026:20864-1","SUSE-SU-2026:20865-1","SUSE-SU-2026:20866-1","SUSE-SU-2026:20876-1","SUSE-SU-2026:20885-1","SUSE-SU-2026:20886-1","SUSE-SU-2026:20887-1","SUSE-SU-2026:20888-1","SUSE-SU-2026:20889-1","SUSE-SU-2026:20897-1","SUSE-SU-2026:20898-1","SUSE-SU-2026:20899-1","SUSE-SU-2026:20900-1","SUSE-SU-2026:20944-1","SUSE-SU-2026:20945-1","SUSE-SU-2026:20946-1","SUSE-SU-2026:20947-1","openSUSE-SU-2026:20145-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/68xxx/CVE-2025-68285.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/05ec43e9a9de67132dc8cd3b22afef001574947f"},{"type":"WEB","url":"https://git.kernel.org/stable/c/076381c261374c587700b3accf410bdd2dba334e"},{"type":"WEB","url":"https://git.kernel.org/stable/c/183ad6e3b651e8fb0b66d6a2678f4b80bfbba092"},{"type":"WEB","url":"https://git.kernel.org/stable/c/3fc43120b22a3d4f1fbeff56a35ce2105b6a5683"},{"type":"WEB","url":"https://git.kernel.org/stable/c/7c8ccdc1714d9fabecd26e1be7db1771061acc6e"},{"type":"WEB","url":"https://git.kernel.org/stable/c/bb4910c5fd436701faf367e1b5476a5a6d2aff1c"},{"type":"WEB","url":"https://git.kernel.org/stable/c/e08021b3b56b2407f37b5fe47b654be80cc665fb"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/68xxx/CVE-2025-68285.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-68285"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"6822d00b5462e7a9dfa11dcc60cc25823a2107c5"},{"fixed":"bb4910c5fd436701faf367e1b5476a5a6d2aff1c"},{"fixed":"05ec43e9a9de67132dc8cd3b22afef001574947f"},{"fixed":"7c8ccdc1714d9fabecd26e1be7db1771061acc6e"},{"fixed":"183ad6e3b651e8fb0b66d6a2678f4b80bfbba092"},{"fixed":"e08021b3b56b2407f37b5fe47b654be80cc665fb"},{"fixed":"3fc43120b22a3d4f1fbeff56a35ce2105b6a5683"},{"fixed":"076381c261374c587700b3accf410bdd2dba334e"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-68285.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"2.6.35"},{"fixed":"5.10.247"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.11.0"},{"fixed":"5.15.197"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.16.0"},{"fixed":"6.1.159"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.2.0"},{"fixed":"6.6.119"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.7.0"},{"fixed":"6.12.61"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.13.0"},{"fixed":"6.17.11"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-68285.json"}}],"schema_version":"1.7.5"}