CVE-2026-23189

Source
https://cve.org/CVERecord?id=CVE-2026-23189
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-23189.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2026-23189
Published
2026-02-14T16:27:17.549Z
Modified
2026-04-02T17:30:34.219601387Z
Summary
ceph: fix NULL pointer dereference in ceph_mds_auth_match()
Details

In the Linux kernel, the following vulnerability has been resolved:

ceph: fix NULL pointer dereference in ceph_mds_auth_match()

The CephFS kernel client has a regression starting from 6.18-rc1. We have an issue in ceph_mds_auth_match() if fs_name == NULL:

const char *fs_name = mdsc->fsc->mount_options->mds_namespace;
...
if (auth->match.fs_name && strcmp(auth->match.fs_name, fs_name)) {
        /* fsname mismatch, try next one */
        return 0;
}

Patrick Donnelly suggested that: In summary, we should definitely start decoding fs_name from the MDSMap and do strict authorizations checks against it. Note that the -o mds_namespace=foo should only be used for selecting the file system to mount and nothing else. It's possible no mds_namespace is specified but the kernel will mount the only file system that exists which may have name "foo".

This patch reworks ceph_mdsmap_decode() and namespace_equals() with the goal of supporting the suggested concept. Now struct ceph_mdsmap contains m_fs_name field that receives copy of extracted FS name by ceph_extract_encoded_string(). For the case of "old" CephFS file systems, it is used "cephfs" name.

[ idryomov: replace redundant %*pE with %s in ceph_mdsmap_decode(), get rid of a series of strlen() calls in ceph_namespace_match(), drop changes to namespace_equals() body to avoid treating empty mds_namespace as equal, drop changes to ceph_mdsc_handle_fsmap() as namespace_equals() isn't an equivalent substitution there ]
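
The failure mode and the fix concept from the commit message above, as an added userspace C example; it is not the kernel patch. Apart from mds_namespace, m_fs_name and the strcmp() condition, the struct and function names are hypothetical stand-ins, and the sample values are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical userspace stand-ins; field names follow the advisory text. */
struct mount_opts { const char *mds_namespace; }; /* NULL if -o mds_namespace= not given */
struct mdsmap     { const char *m_fs_name; };     /* FS name decoded from the MDSMap */
struct cap_match  { const char *fs_name; };       /* NULL: cap is not tied to one FS */

/* Pre-fix shape: the cap is compared with the mount option. If the cap names
 * a file system and mds_namespace is NULL, strcmp() receives a NULL pointer. */
int match_before(const struct cap_match *m, const struct mount_opts *o)
{
    const char *fs_name = o->mds_namespace;
    if (m->fs_name && strcmp(m->fs_name, fs_name))
        return 0; /* fsname mismatch, try next one */
    return 1;
}

/* True exactly when match_before() would hand NULL to strcmp(). */
int before_derefs_null(const struct cap_match *m, const struct mount_opts *o)
{
    return m->fs_name != NULL && o->mds_namespace == NULL;
}

/* Model of the decode step: older maps carry no name, so use "cephfs". */
void mdsmap_set_fs_name(struct mdsmap *map, const char *decoded)
{
    map->m_fs_name = decoded ? decoded : "cephfs";
}

/* Post-fix concept: compare against the name from the MDSMap, which is
 * always set, so the mount option plays no part in authorization. */
int match_after(const struct cap_match *m, const struct mdsmap *map)
{
    if (m->fs_name && strcmp(m->fs_name, map->m_fs_name))
        return 0;
    return 1;
}

int main(void)
{
    struct mount_opts none = { NULL };   /* constructed: mounted without the option */
    struct cap_match foo = { "foo" };    /* constructed: cap restricted to "foo" */
    struct mdsmap map;
    mdsmap_set_fs_name(&map, "foo");     /* the only file system is named "foo" */
    printf("old path would pass NULL to strcmp: %d, new path matches: %d\n",
           before_derefs_null(&foo, &none), match_after(&foo, &map));
    return 0;
}
```
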

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23189.json",
    "cna_assigner": "Linux"
}

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
07640d34a781bb2e39020a39137073c03c4aa932
Fixed
c6f8326f26bd20d648d9a55afd68148d1b6afe28
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
22c73d52a6d05c5a2053385c0d6cd9984732799d
Fixed
57b36ffc8881dd455d875f85c105901974af2130
Fixed
7987cce375ac8ce98e170a77aa2399f2cf6eb99f
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
ca3da8b27ab9a0923ad477447cfb8fc7f4b4c523

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-23189.json"