PT-2026-51855 · Linux · Linux

Published 2026-06-24 · Updated 2026-06-24 · CVE-2026-52961 · None

No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
In the Linux kernel, the following vulnerability has been resolved:
ceph: fix BUG_ON in __ceph_build_xattrs_blob() due to stale blob size
The generic/642 test-case can reproduce the kernel crash:
[40243.605254] ------------[ cut here ]------------
[40243.605956] kernel BUG at fs/ceph/xattr.c:918!
[40243.607142] Oops: invalid opcode: 0000 [#1] SMP PTI
[40243.608067] CPU: 7 UID: 0 PID: 498762 Comm: kworker/7:1 Not tainted 7.0.0-rc7+ #3 PREEMPT(full)
[40243.609700] Hardware name: QEMU Ubuntu 25.10 PC v2 (i440FX + PIIX, + 10.1 machine, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[40243.611820] Workqueue: ceph-msgr ceph_con_workfn
[40243.612715] RIP: 0010:__ceph_build_xattrs_blob+0x1b8/0x1e0
[40243.613731] Code: 0f 84 82 fe ff ff e9 cf 8e 56 ff 48 8d 65 e8 31 c0 5b 41 5c 41 5d 5d 31 d2 31 c9 31 f6 31 ff 45 31 c0 45 31 c9 c3 cc cc cc cc <0f> 0b 4c 8b 62 08 41 8b 85 24 07 00 00 49 83 c4 04 41 89 44 24 fc
[40243.616888] RSP: 0018:ffffcc80c4d4b688 EFLAGS: 00010287
[40243.617773] RAX: 0000000000010026 RBX: 0000000000000001 RCX: 0000000000000000
[40243.618928] RDX: ffff8a773798dee0 RSI: 0000000000000000 RDI: 0000000000000000
[40243.620158] RBP: ffffcc80c4d4b6a0 R08: 0000000000000000 R09: 0000000000000000
[40243.621573] R10: 0000000000000000 R11: 0000000000000000 R12: ffff8a75f3b58000
[40243.622907] R13: ffff8a75f3b58000 R14: 0000000000000080 R15: 000000000000bffd
[40243.624054] FS:  0000000000000000(0000) GS:ffff8a787d1b4000(0000) knlGS:0000000000000000
[40243.625331] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[40243.626269] CR2: 000072f390b623c0 CR3: 000000011c02a003 CR4: 0000000000372ef0
[40243.627408] Call Trace:
[40243.627839]  <TASK>
[40243.628188]  __prep_cap+0x3fd/0x4a0
[40243.628789]  ? do_raw_spin_unlock+0x4e/0xe0
[40243.629474]  ceph_check_caps+0x46a/0xc80
[40243.630094]  ? lock_acquire+0x4a2/0x2650
[40243.630773]  ? find_held_lock+0x31/0x90
[40243.631347]  ? handle_cap_grant+0x79f/0x1060
[40243.632068]  ? lock_release+0xd9/0x300
[40243.632696]  ? __mutex_unlock_slowpath+0x3e/0x340
[40243.633429]  ? lock_release+0xd9/0x300
[40243.634052]  handle_cap_grant+0xcf6/0x1060
[40243.634745]  ceph_handle_caps+0x122b/0x2110
[40243.635415]  mds_dispatch+0x5bd/0x2160
[40243.636034]  ? ceph_con_process_message+0x65/0x190
[40243.636828]  ? lock_release+0xd9/0x300
[40243.637431]  ceph_con_process_message+0x7a/0x190
[40243.638184]  ? kfree+0x311/0x4f0
[40243.638749]  ? kfree+0x311/0x4f0
[40243.639268]  process_message+0x16/0x1a0
[40243.639915]  ? sg_free_table+0x39/0x90
[40243.640572]  ceph_con_v2_try_read+0xf58/0x2120
[40243.641255]  ? lock_acquire+0xc8/0x300
[40243.641863]  ceph_con_workfn+0x151/0x820
[40243.642493]  process_one_work+0x22f/0x630
[40243.643093]  ? process_one_work+0x254/0x630
[40243.643770]  worker_thread+0x1e2/0x400
[40243.644332]  ? __pfx_worker_thread+0x10/0x10
[40243.645020]  kthread+0x109/0x140
[40243.645560]  ? __pfx_kthread+0x10/0x10
[40243.646125]  ret_from_fork+0x3f8/0x480
[40243.646752]  ? __pfx_kthread+0x10/0x10
[40243.647316]  ? __pfx_kthread+0x10/0x10
[40243.647919]  ret_from_fork_asm+0x1a/0x30
[40243.648556]  </TASK>
[40243.648902] Modules linked in: overlay hctr2 libpolyval chacha libchacha adiantum libnh libpoly1305 essiv intel_rapl_msr intel_rapl_common intel_uncore_frequency_common skx_edac_common nfit kvm_intel kvm irqbypass joydev ghash_clmulni_intel aesni_intel rapl input_leds mac_hid psmouse vga16fb serio_raw vgastate floppy i2c_piix4 pata_acpi bochs qemu_fw_cfg i2c_smbus sch_fq_codel rbd dm_crypt msr parport_pc ppdev lp parport efi_pstore
[40243.654766] ---[ end trace 0000000000000000 ]---
Commit d93231a6bc8a ("ceph: prevent a client from exceeding the MDS maximum xattr size") moved the required blob size computation to before the __build_xattrs() call, introducing a race.
__build_xattrs() releases and reacquires i_ceph_lock during execution. In that window, handle_cap_grant() may update i_xattrs.blob with a newer MDS-provided blob and bump i_xattrs.version. When bui ---truncated---

Related Identifiers

CVE-2026-52961

Affected Products

Linux