CVE-2026-46079

Source
https://cve.org/CVERecord?id=CVE-2026-46079
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-46079.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2026-46079
Downstream
Related
Published
2026-05-27T12:58:13.903Z
Modified
2026-06-26T11:56:49.635786714Z
Summary
rbd: fix null-ptr-deref when device_add_disk() fails
Details

In the Linux kernel, the following vulnerability has been resolved:

rbd: fix null-ptr-deref when deviceadddisk() fails

dorbdadd() publishes the device with deviceadd() before calling deviceadddisk(). If deviceadddisk() fails after deviceadd() succeeds, the error path calls rbdfreedisk() directly and then later falls through to rbddevdevicerelease(), which calls rbdfree_disk() again. This double teardown can leave blk-mq cleanup operating on invalid state and trigger a null-ptr-deref in _blkmqfreemapandrqs(), reached from blkmqfreetagset().

Fix this by following the normal remove ordering: call devicedel() before rbddevdevicerelease() when deviceadddisk() fails after device_add(). That keeps the teardown sequence consistent and avoids re-entering disk cleanup through the wrong path.

The bug was first flagged by an experimental analysis tool we are developing for kernel memory-management bugs while analyzing v6.13-rc1. The tool is still under development and is not yet publicly available.

We reproduced the bug on v7.0 with a real Ceph backend and a QEMU x8664 guest booted with KASAN and CONFIGFAILSLAB enabled. The reproducer confines failslab injections to the _adddisk() range and injects fail-nth while mapping an RBD image through /sys/bus/rbd/addsinglemajor.

On the unpatched kernel, fail-nth=4 reliably triggered the fault:

Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
CPU: 0 UID: 0 PID: 273 Comm: bash Not tainted 7.0.0-01247-gd60bc1401583 #6 PREEMPT(lazy)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014
RIP: 0010:__blk_mq_free_map_and_rqs+0x8c/0x240
Code: 00 00 48 8b 6b 60 41 89 f4 49 c1 e4 03 4c 01 e5 45 85 ed 0f 85 0a 01 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 e9 48 c1 e9 03 <80> 3c 01 00 0f 85 31 01 00 00 4c 8b 6d 00 4d 85 ed 0f 84 e2 00 00
RSP: 0018:ff1100000ab0fac8 EFLAGS: 00000246
RAX: dffffc0000000000 RBX: ff1100000c4806a0 RCX: 0000000000000000
RDX: 0000000000000002 RSI: 0000000000000000 RDI: ff1100000c4806f4
RBP: 0000000000000000 R08: 0000000000000001 R09: ffe21c000189001b
R10: ff1100000c4800df R11: ff1100006cf37be0 R12: 0000000000000000
R13: 0000000000000000 R14: ff1100000c480700 R15: ff1100000c480004
FS:  00007f0fbe8fe740(0000) GS:ff110000e5851000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fe53473b2e0 CR3: 0000000012eef000 CR4: 00000000007516f0
PKRU: 55555554
Call Trace:
 <TASK>
 blk_mq_free_tag_set+0x77/0x460
 do_rbd_add+0x1446/0x2b80
 ? __pfx_do_rbd_add+0x10/0x10
 ? lock_acquire+0x18c/0x300
 ? find_held_lock+0x2b/0x80
 ? sysfs_file_kobj+0xb6/0x1b0
 ? __pfx_sysfs_kf_write+0x10/0x10
 kernfs_fop_write_iter+0x2f4/0x4a0
 vfs_write+0x98e/0x1000
 ? expand_files+0x51f/0x850
 ? __pfx_vfs_write+0x10/0x10
 ksys_write+0xf2/0x1d0
 ? __pfx_ksys_write+0x10/0x10
 do_syscall_64+0x115/0x690
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f0fbea15907
Code: 10 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 48 89 54 24 18 48 89 74 24
RSP: 002b:00007ffe22346ea8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 0000000000000058 RCX: 00007f0fbea15907
RDX: 0000000000000058 RSI: 0000563ace6c0ef0 RDI: 0000000000000001
RBP: 0000563ace6c0ef0 R08: 0000563ace6c0ef0 R09: 6b6435726d694141
R10: 5250337279762f78 R11: 0000000000000246 R12: 0000000000000058
R13: 00007f0fbeb1c780 R14: ff1100000c480700 R15: ff1100000c480004
 </TASK>

With this fix applied, rerunning the reproducer over fail-nth=1..256 yields no KASAN reports.

[ idryomov: rename erroutdevicedel -> errout_device ]

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46079.json"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
27c97abc30e2b9ad2288977c0ecbef4d50553f57
Fixed
78bd0c143dea4b7a4c23c13356987ca0eafb442e
Fixed
2f4809a879f0750c7790bbeeae86c9505797a06f
Fixed
564cd8f4aeb9a938e470c5c91922fd02e4d41acc
Fixed
ad0126ffcba8777109852979eaaa6dca6703abdb
Fixed
059fb7656723c1b77c2fc0e64b7aa99d6bb65e8e
Fixed
d1fef92e414433ca7b89abf85cb0df42b8d475eb

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-46079.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
6.1.175
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.6.140
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.86
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.18.27
Type
ECOSYSTEM
Events
Introduced
6.19.0
Fixed
7.0.4

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-46079.json"