{"id":"CVE-2025-21737","summary":"ceph: fix memory leak in ceph_mds_auth_match()","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nceph: fix memory leak in ceph_mds_auth_match()\n\nWe now free the temporary target path substring allocation on every\npossible branch, instead of omitting the default branch. In some\ncases, a memory leak occured, which could rapidly crash the system\n(depending on how many file accesses were attempted).\n\nThis was detected in production because it caused a continuous memory\ngrowth, eventually triggering kernel OOM and completely hard-locking\nthe kernel.\n\nRelevant kmemleak stacktrace:\n\n unreferenced object 0xffff888131e69900 (size 128):\n comm \"git\", pid 66104, jiffies 4295435999\n hex dump (first 32 bytes):\n 76 6f 6c 75 6d 65 73 2f 63 6f 6e 74 61 69 6e 65 volumes/containe\n 72 73 2f 67 69 74 65 61 2f 67 69 74 65 61 2f 67 rs/gitea/gitea/g\n backtrace (crc 2f3bb450):\n [\u003cffffffffaa68fb49\u003e] __kmalloc_noprof+0x359/0x510\n [\u003cffffffffc32bf1df\u003e] ceph_mds_check_access+0x5bf/0x14e0 [ceph]\n [\u003cffffffffc3235722\u003e] ceph_open+0x312/0xd80 [ceph]\n [\u003cffffffffaa7dd786\u003e] do_dentry_open+0x456/0x1120\n [\u003cffffffffaa7e3729\u003e] vfs_open+0x79/0x360\n [\u003cffffffffaa832875\u003e] path_openat+0x1de5/0x4390\n [\u003cffffffffaa834fcc\u003e] do_filp_open+0x19c/0x3c0\n [\u003cffffffffaa7e44a1\u003e] do_sys_openat2+0x141/0x180\n [\u003cffffffffaa7e4945\u003e] __x64_sys_open+0xe5/0x1a0\n [\u003cffffffffac2cc2f7\u003e] do_syscall_64+0xb7/0x210\n [\u003cffffffffac400130\u003e] entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nIt can be triggered by mouting a subdirectory of a CephFS filesystem,\nand then trying to access files on this subdirectory with an auth token\nusing a path-scoped capability:\n\n $ ceph auth get client.services\n [client.services]\n key = REDACTED\n caps mds = \"allow rw fsname=cephfs path=/volumes/\"\n caps mon = \"allow r fsname=cephfs\"\n caps osd = \"allow rw tag cephfs data=cephfs\"\n\n $ cat /proc/self/mounts\n services@[REDACTED].cephfs=/volumes/containers /ceph/containers ceph rw,noatime,name=services,secret=\u003chidden\u003e,ms_mode=prefer-crc,mount_timeout=300,acl,mon_addr=[REDACTED]:3300,recover_session=clean 0 0\n\n $ seq 1 1000000 | xargs -P32 --replace={} touch /ceph/containers/file-{} && \\\n seq 1 1000000 | xargs -P32 --replace={} cat /ceph/containers/file-{}\n\n[ idryomov: combine if statements, rename rc to path_matched and make\n it a bool, formatting ]","modified":"2026-03-20T12:41:08.781283Z","published":"2025-02-27T02:12:13.434Z","related":["USN-7521-2"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/21xxx/CVE-2025-21737.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/146109fe936ac07f8f60cd6267543688985b96bc"},{"type":"WEB","url":"https://git.kernel.org/stable/c/2b6086c5efe5c7bd6e0eb440d96c26ca0d20d9d7"},{"type":"WEB","url":"https://git.kernel.org/stable/c/3b7d93db450e9d8ead80d75e2a303248f1528c35"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/21xxx/CVE-2025-21737.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-21737"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"596afb0b8933ba6ed7227adcc538db26feb25c74"},{"fixed":"146109fe936ac07f8f60cd6267543688985b96bc"},{"fixed":"2b6086c5efe5c7bd6e0eb440d96c26ca0d20d9d7"},{"fixed":"3b7d93db450e9d8ead80d75e2a303248f1528c35"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-21737.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"}]}