CVE-2026-46079
Published 2026-05-27
Severity: medium (5.5)
In the Linux kernel, the following vulnerability has been resolved:
rbd: fix null-ptr-deref when device_add_disk() fails
do_rbd_add() publishes the device with device_add() before calling device_add_disk(). If device_add_disk() fails after device_add() succeeds, the error path calls rbd_free_disk() directly and then later falls through to rbd_dev_device_release(), which calls rbd_free_disk() again. This double teardown can leave blk-mq cleanup operating on invalid state and trigger a null-ptr-deref in __blk_mq_free_map_and_rqs(), reached from blk_mq_free_tag_set().

Fix this by following the normal remove ordering: call device_del() before rbd_dev_device_release() when device_add_disk() fails after device_add(). That keeps the teardown sequence consistent and avoids re-entering disk cleanup through the wrong path.

The bug was first flagged by an experimental analysis tool we are developing for kernel memory-management bugs while analyzing v6.13-rc1. The tool is still under development and is not yet publicly available.

We reproduced the bug on v7.0 with a real Ceph backend and a QEMU x86_64 guest booted with KASAN and CONFIG_FAILSLAB enabled. The reproducer confines failslab injections to the __add_disk() range and injects fail-nth while mapping an RBD image through /sys/bus/rbd/add_single_major.

On the unpatched kernel, fail-nth=4 reliably triggered the fault:
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
CPU: 0 UID: 0 PID: 273 Comm: bash Not tainted 7.0.0-01247-gd60bc1401583 #6 PREEMPT(lazy)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014
RIP: 0010:__blk_mq_free_map_and_rqs+0x8c/0x240
Code: 00 00 48 8b 6b 60 41 89 f4 49 c1 e4 03 4c 01 e5 45 85 ed 0f 85 0a 01 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 e9 48 c1 e9 03 3c 01 00 0f 85 31 01 00 00 4c 8b 6d 00 4d 85 ed 0f 84 e2 00 00
RSP: 0018:ff110000
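The teardown ordering the commit describes, as an added user-space model that is not the kernel's rbd.c and not part of the commit. The device, disk, blk-mq tag set and the fail-nth counter are constructed stand-ins that only track state; a second teardown of an already-freed tag set is counted as the null-ptr-deref instead of dereferencing NULL, and the do_rbd_add(fixed, inject_nth) signature is this model's own. With four modelled allocations inside the stand-in device_add_disk(), fail-nth=4 fails the last one after device_add() has already succeeded, which is exactly the window the pre-fix error path mishandles.

```c
/* Constructed user-space model of the do_rbd_add() error path from the commit
 * message. Not the kernel's rbd.c: every object is a stand-in that only tracks
 * state; a second teardown of a freed tag set is counted, not dereferenced. */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

struct rbd_device {
    bool dev_added;             /* device_add() done, device_del() not yet */
    void *tags;                 /* blk-mq tag set; NULL once freed */
};

struct add_result {
    int rc;                     /* what do_rbd_add() returns */
    int free_disk_calls;        /* how often rbd_free_disk() ran */
    int device_del_calls;
    int null_derefs;            /* teardown reached an already-freed tag set */
};

static struct add_result res;
static int fail_nth;            /* 0 = off, N = Nth allocation fails once */
static int alloc_seq;

/* One failslab-eligible allocation inside __add_disk(), driven the way
 * /proc/self/task/<tid>/fail-nth drives the real thing. */
static bool add_disk_alloc_ok(void)
{
    if (fail_nth && ++alloc_seq == fail_nth) {
        fail_nth = 0;           /* the kernel clears fail-nth once it fires */
        return false;
    }
    return true;
}

/* rbd_free_disk() -> blk_mq_free_tag_set() -> __blk_mq_free_map_and_rqs():
 * running it twice for one device is the double teardown. */
static void rbd_free_disk(struct rbd_device *dev)
{
    res.free_disk_calls++;
    if (!dev->tags)             /* second pass: the reported null-ptr-deref */
        res.null_derefs++;
    free(dev->tags);            /* free(NULL) is harmless here, not in blk-mq */
    dev->tags = NULL;
}

static int device_add(struct rbd_device *dev) { dev->dev_added = true; return 0; }
static void device_del(struct rbd_device *dev) { dev->dev_added = false; res.device_del_calls++; }

/* __add_disk() allocates several times; four are modelled, so fail-nth=4
 * fails the last one, after device_add() has already succeeded. */
static int device_add_disk(void)
{
    for (int i = 0; i < 4; i++)
        if (!add_disk_alloc_ok())
            return -ENOMEM;
    return 0;
}

/* The release path frees the disk itself: pre-fix, this is the second call. */
static void rbd_dev_device_release(struct rbd_device *dev) { rbd_free_disk(dev); }

/* fixed=false takes the pre-fix error path, fixed=true the commit's order
 * (device_del() before rbd_dev_device_release()); inject_nth is the fail-nth
 * value, 0 disables injection. The signature is this model's own. */
static struct add_result do_rbd_add(bool fixed, int inject_nth)
{
    struct rbd_device dev = { 0 };
    int rc;
    res = (struct add_result){ 0 };
    fail_nth = inject_nth;
    alloc_seq = 0;
    dev.tags = calloc(1, 64);       /* rbd_init_disk(): the blk-mq tag set */
    if (!dev.tags) { res.rc = -ENOMEM; return res; }
    rc = device_add(&dev);          /* the device is published from here on */
    if (rc)
        goto release;
    rc = device_add_disk();
    if (rc) {
        if (fixed)
            device_del(&dev);       /* undo device_add(); release frees the disk once */
        else
            rbd_free_disk(&dev);    /* direct teardown; release then frees it again */
        goto release;
    }
    device_del(&dev);               /* mapped OK: tear the model down the normal way */
release:
    rbd_dev_device_release(&dev);
    res.rc = rc;
    return res;
}

int main(void)
{
    struct add_result b = do_rbd_add(false, 4), f = do_rbd_add(true, 4);
    printf("pre-fix: free_disk=%d null_derefs=%d\nfixed:   free_disk=%d null_derefs=%d\n",
           b.free_disk_calls, b.null_derefs, f.free_disk_calls, f.null_derefs);
    return 0;
}
```

The pre-fix path frees the disk twice and the second pass lands on a freed tag set; the fixed path runs device_del() first and lets rbd_dev_device_release() free the disk exactly once, which is the general rule for error paths: unwind in the reverse order of setup, through the same functions that the normal remove path uses. In the real reproducer the counter is the kernel's own fault-injection interface: a task writes N to /proc/self/task/<tid>/fail-nth so that its Nth eligible allocation fails, and the failslab debugfs range filters (require-start/require-end) restrict injection to the __add_disk() text range, so that only allocations in that window can fail.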
Affected (8 ranges)
| Vendor | Product | Version range (git commit ids) | Fixed in (git commit id) |
|---|---|---|---|
| linux | linux | — | — |
| linux | linux | >= 27c97abc30e2b9ad2288977c0ecbef4d50553f57 < 78bd0c143dea4b7a4c23c13356987ca0eafb442e | 78bd0c143dea4b7a4c23c13356987ca0eafb442e |
| linux | linux | >= 27c97abc30e2b9ad2288977c0ecbef4d50553f57 < 2f4809a879f0750c7790bbeeae86c9505797a06f | 2f4809a879f0750c7790bbeeae86c9505797a06f |
| linux | linux | >= 27c97abc30e2b9ad2288977c0ecbef4d50553f57 < 564cd8f4aeb9a938e470c5c91922fd02e4d41acc | 564cd8f4aeb9a938e470c5c91922fd02e4d41acc |
| linux | linux | >= 27c97abc30e2b9ad2288977c0ecbef4d50553f57 < ad0126ffcba8777109852979eaaa6dca6703abdb | ad0126ffcba8777109852979eaaa6dca6703abdb |
| linux | linux | >= 27c97abc30e2b9ad2288977c0ecbef4d50553f57 < 059fb7656723c1b77c2fc0e64b7aa99d6bb65e8e | 059fb7656723c1b77c2fc0e64b7aa99d6bb65e8e |
| linux | linux | >= 27c97abc30e2b9ad2288977c0ecbef4d50553f57 < d1fef92e414433ca7b89abf85cb0df42b8d475eb | d1fef92e414433ca7b89abf85cb0df42b8d475eb |
| linux | linux_kernel | — | — |