VYPR
← All advisories
Unrated severityNVD Advisory· Published May 27, 2026· Updated May 27, 2026

CVE-2026-46079

CVE-2026-46079

Description

In the Linux kernel, the following vulnerability has been resolved:

rbd: fix null-ptr-deref when device_add_disk() fails

do_rbd_add() publishes the device with device_add() before calling device_add_disk(). If device_add_disk() fails after device_add() succeeds, the error path calls rbd_free_disk() directly and then later falls through to rbd_dev_device_release(), which calls rbd_free_disk() again. This double teardown can leave blk-mq cleanup operating on invalid state and trigger a null-ptr-deref in __blk_mq_free_map_and_rqs(), reached from blk_mq_free_tag_set().

Fix this by following the normal remove ordering: call device_del() before rbd_dev_device_release() when device_add_disk() fails after device_add(). That keeps the teardown sequence consistent and avoids re-entering disk cleanup through the wrong path.

The bug was first flagged by an experimental analysis tool we are developing for kernel memory-management bugs while analyzing v6.13-rc1. The tool is still under development and is not yet publicly available.

We reproduced the bug on v7.0 with a real Ceph backend and a QEMU x86_64 guest booted with KASAN and CONFIG_FAILSLAB enabled. The reproducer confines failslab injections to the __add_disk() range and injects fail-nth while mapping an RBD image through /sys/bus/rbd/add_single_major.

On the unpatched kernel, fail-nth=4 reliably triggered the fault:

Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN NOPTI KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] CPU: 0 UID: 0 PID: 273 Comm: bash Not tainted 7.0.0-01247-gd60bc1401583 #6 PREEMPT(lazy) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014 RIP: 0010:__blk_mq_free_map_and_rqs+0x8c/0x240 Code: 00 00 48 8b 6b 60 41 89 f4 49 c1 e4 03 4c 01 e5 45 85 ed 0f 85 0a 01 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 e9 48 c1 e9 03 <80> 3c 01 00 0f 85 31 01 00 00 4c 8b 6d 00 4d 85 ed 0f 84 e2 00 00 RSP: 0018:ff1100000ab0fac8 EFLAGS: 00000246 RAX: dffffc0000000000 RBX: ff1100000c4806a0 RCX: 0000000000000000 RDX: 0000000000000002 RSI: 0000000000000000 RDI: ff1100000c4806f4 RBP: 0000000000000000 R08: 0000000000000001 R09: ffe21c000189001b R10: ff1100000c4800df R11: ff1100006cf37be0 R12: 0000000000000000 R13: 0000000000000000 R14: ff1100000c480700 R15: ff1100000c480004 FS: 00007f0fbe8fe740(0000) GS:ff110000e5851000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fe53473b2e0 CR3: 0000000012eef000 CR4: 00000000007516f0 PKRU: 55555554 Call Trace:

blk_mq_free_tag_set+0x77/0x460 do_rbd_add+0x1446/0x2b80 ? __pfx_do_rbd_add+0x10/0x10 ? lock_acquire+0x18c/0x300 ? find_held_lock+0x2b/0x80 ? sysfs_file_kobj+0xb6/0x1b0 ? __pfx_sysfs_kf_write+0x10/0x10 kernfs_fop_write_iter+0x2f4/0x4a0 vfs_write+0x98e/0x1000 ? expand_files+0x51f/0x850 ? __pfx_vfs_write+0x10/0x10 ksys_write+0xf2/0x1d0 ? __pfx_ksys_write+0x10/0x10 do_syscall_64+0x115/0x690 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f0fbea15907 Code: 10 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 48 89 54 24 18 48 89 74 24 RSP: 002b:00007ffe22346ea8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 0000000000000058 RCX: 00007f0fbea15907 RDX: 0000000000000058 RSI: 0000563ace6c0ef0 RDI: 0000000000000001 RBP: 0000563ace6c0ef0 R08: 0000563ace6c0ef0 R09: 6b6435726d694141 R10: 5250337279762f78 R11: 0000000000000246 R12: 0000000000000058 R13: 00007f0fbeb1c780 R14: ff1100000c480700 R15: ff1100000c480004

With this fix applied, rerunning the reproducer over fail-nth=1..256 yields no KASAN reports.

[ idryomov: rename err_out_device_del -> err_out_device ]

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CVE-2026-46079: In the Linux kernel's RBD driver, when device_add_disk() fails after device_add(), a double free of disk structures leads to a null-ptr-deref.

Vulnerability

The vulnerability resides in the Linux kernel's RBD (RADOS Block Device) driver. In drivers/block/rbd.c, the function do_rbd_add() calls device_add() to publish the device, then calls device_add_disk(). If device_add_disk() fails after device_add() succeeds, the error path directly calls rbd_free_disk() and later falls through to rbd_dev_device_release(), which calls rbd_free_disk() again. This double teardown corrupts block layer structures and can trigger a null-ptr-deref in __blk_mq_free_map_and_rqs(). The issue affects the Linux kernel versions prior to the fix commit d1fef92e414433ca7b89abf85cb0df42b8d475eb (e.g., v6.13-rc1 and v7.0 as tested) [1].

Exploitation

An attacker requires the ability to create RBD images and trigger the failure path. In a typical setup, a user with access to /sys/bus/rbd/add_single_major can map an RBD image. By causing a failure injection (e.g., using CONFIG_FAILSLAB and fail-nth injection) during the __add_disk() call, the bug can be reliably reproduced. For example, on a QEMU x86_64 guest with KASAN enabled, fail-nth=4 triggered the null-ptr-deref. No elevated privileges beyond normal RBD image mapping are needed, but the attacker must be able to induce the device_add_disk() failure [1].

Impact

Successful exploitation leads to a kernel NULL pointer dereference, resulting in a system crash (denial of service). The crash occurs in blk_mq_free_tag_set()__blk_mq_free_map_and_rqs(). The vulnerability does not provide privilege escalation because the bug is in the error handling path and is triggered by a failure condition; however, an attacker who can force such failures can cause a denial of service. The impact is limited to availability; no information disclosure or code execution is indicated [1].

Mitigation

The fix is included in the Linux kernel commit d1fef92e414433ca7b89abf85cb0df42b8d475eb. The patch changes the error path in do_rbd_add() to call device_del() before rbd_dev_device_release() when device_add_disk() fails, ensuring proper cleanup order and avoiding the double free. Users should apply this patch or update to a kernel version containing it. No workaround is described if the fix cannot be applied; the vulnerability is not listed on the CISA KEV as of this analysis [1].

References
  1. Making sure you're not a bot!

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

10
2f4809a879f0

rbd: fix null-ptr-deref when device_add_disk() fails

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitDawei FengApr 19, 2026Fixed in 6.6.140via kernel-cna
commit
1 file changed · +3 4
  • drivers/block/rbd.c+3 4 modified
    diff --git a/drivers/block/rbd.c b/drivers/block/rbd.c
index 6f68c2a7436105..a50b946c3934fd 100644
--- a/drivers/block/rbd.c
+++ b/drivers/block/rbd.c
@@ -7172,7 +7172,7 @@ static ssize_t do_rbd_add(const char *buf, size_t count)
 
 	rc = device_add_disk(&rbd_dev->dev, rbd_dev->disk, NULL);
 	if (rc)
-		goto err_out_cleanup_disk;
+		goto err_out_device;
 
 	spin_lock(&rbd_dev_list_lock);
 	list_add_tail(&rbd_dev->node, &rbd_dev_list);
@@ -7186,8 +7186,8 @@ out:
 	module_put(THIS_MODULE);
 	return rc;
 
-err_out_cleanup_disk:
-	rbd_free_disk(rbd_dev);
+err_out_device:
+	device_del(&rbd_dev->dev);
 err_out_image_lock:
 	rbd_dev_image_unlock(rbd_dev);
 	rbd_dev_device_release(rbd_dev);
-- 
cgit 1.3-korg
564cd8f4aeb9

rbd: fix null-ptr-deref when device_add_disk() fails

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitDawei FengApr 19, 2026Fixed in 6.12.86via kernel-cna
commit
1 file changed · +3 4
  • drivers/block/rbd.c+3 4 modified
    diff --git a/drivers/block/rbd.c b/drivers/block/rbd.c
index 28e60fc7e2dcaa..9f9e4e0fc95db7 100644
--- a/drivers/block/rbd.c
+++ b/drivers/block/rbd.c
@@ -7166,7 +7166,7 @@ static ssize_t do_rbd_add(const char *buf, size_t count)
 
 	rc = device_add_disk(&rbd_dev->dev, rbd_dev->disk, NULL);
 	if (rc)
-		goto err_out_cleanup_disk;
+		goto err_out_device;
 
 	spin_lock(&rbd_dev_list_lock);
 	list_add_tail(&rbd_dev->node, &rbd_dev_list);
@@ -7180,8 +7180,8 @@ out:
 	module_put(THIS_MODULE);
 	return rc;
 
-err_out_cleanup_disk:
-	rbd_free_disk(rbd_dev);
+err_out_device:
+	device_del(&rbd_dev->dev);
 err_out_image_lock:
 	rbd_dev_image_unlock(rbd_dev);
 	rbd_dev_device_release(rbd_dev);
-- 
cgit 1.3-korg
ad0126ffcba8

rbd: fix null-ptr-deref when device_add_disk() fails

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitDawei FengApr 19, 2026Fixed in 6.18.27via kernel-cna
commit
1 file changed · +3 4
  • drivers/block/rbd.c+3 4 modified
    diff --git a/drivers/block/rbd.c b/drivers/block/rbd.c
index 8f441eb8b19265..9236b5184bce32 100644
--- a/drivers/block/rbd.c
+++ b/drivers/block/rbd.c
@@ -7165,7 +7165,7 @@ static ssize_t do_rbd_add(const char *buf, size_t count)
 
 	rc = device_add_disk(&rbd_dev->dev, rbd_dev->disk, NULL);
 	if (rc)
-		goto err_out_cleanup_disk;
+		goto err_out_device;
 
 	spin_lock(&rbd_dev_list_lock);
 	list_add_tail(&rbd_dev->node, &rbd_dev_list);
@@ -7179,8 +7179,8 @@ out:
 	module_put(THIS_MODULE);
 	return rc;
 
-err_out_cleanup_disk:
-	rbd_free_disk(rbd_dev);
+err_out_device:
+	device_del(&rbd_dev->dev);
 err_out_image_lock:
 	rbd_dev_image_unlock(rbd_dev);
 	rbd_dev_device_release(rbd_dev);
-- 
cgit 1.3-korg
059fb7656723

rbd: fix null-ptr-deref when device_add_disk() fails

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitDawei FengApr 19, 2026Fixed in 7.0.4via kernel-cna
commit
1 file changed · +3 4
  • drivers/block/rbd.c+3 4 modified
    diff --git a/drivers/block/rbd.c b/drivers/block/rbd.c
index e7da06200c1e1c..4065336ebd1f1a 100644
--- a/drivers/block/rbd.c
+++ b/drivers/block/rbd.c
@@ -7165,7 +7165,7 @@ static ssize_t do_rbd_add(const char *buf, size_t count)
 
 	rc = device_add_disk(&rbd_dev->dev, rbd_dev->disk, NULL);
 	if (rc)
-		goto err_out_cleanup_disk;
+		goto err_out_device;
 
 	spin_lock(&rbd_dev_list_lock);
 	list_add_tail(&rbd_dev->node, &rbd_dev_list);
@@ -7179,8 +7179,8 @@ out:
 	module_put(THIS_MODULE);
 	return rc;
 
-err_out_cleanup_disk:
-	rbd_free_disk(rbd_dev);
+err_out_device:
+	device_del(&rbd_dev->dev);
 err_out_image_lock:
 	rbd_dev_image_unlock(rbd_dev);
 	rbd_dev_device_release(rbd_dev);
-- 
cgit 1.3-korg
d1fef92e4144

rbd: fix null-ptr-deref when device_add_disk() fails

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitDawei FengApr 19, 2026Fixed in 7.1-rc1via kernel-cna
commit
1 file changed · +3 4
  • drivers/block/rbd.c+3 4 modified
    diff --git a/drivers/block/rbd.c b/drivers/block/rbd.c
index e7da06200c1e1c..4065336ebd1f1a 100644
--- a/drivers/block/rbd.c
+++ b/drivers/block/rbd.c
@@ -7165,7 +7165,7 @@ static ssize_t do_rbd_add(const char *buf, size_t count)
 
 	rc = device_add_disk(&rbd_dev->dev, rbd_dev->disk, NULL);
 	if (rc)
-		goto err_out_cleanup_disk;
+		goto err_out_device;
 
 	spin_lock(&rbd_dev_list_lock);
 	list_add_tail(&rbd_dev->node, &rbd_dev_list);
@@ -7179,8 +7179,8 @@ out:
 	module_put(THIS_MODULE);
 	return rc;
 
-err_out_cleanup_disk:
-	rbd_free_disk(rbd_dev);
+err_out_device:
+	device_del(&rbd_dev->dev);
 err_out_image_lock:
 	rbd_dev_image_unlock(rbd_dev);
 	rbd_dev_device_release(rbd_dev);
-- 
cgit 1.3-korg
2f4809a879f0

rbd: fix null-ptr-deref when device_add_disk() fails

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.gitDawei FengApr 19, 2026via nvd-ref
commit
1 file changed · +3 4
  • drivers/block/rbd.c+3 4 modified
    diff --git a/drivers/block/rbd.c b/drivers/block/rbd.c
index 6f68c2a7436105..a50b946c3934fd 100644
--- a/drivers/block/rbd.c
+++ b/drivers/block/rbd.c
@@ -7172,7 +7172,7 @@ static ssize_t do_rbd_add(const char *buf, size_t count)
 
 	rc = device_add_disk(&rbd_dev->dev, rbd_dev->disk, NULL);
 	if (rc)
-		goto err_out_cleanup_disk;
+		goto err_out_device;
 
 	spin_lock(&rbd_dev_list_lock);
 	list_add_tail(&rbd_dev->node, &rbd_dev_list);
@@ -7186,8 +7186,8 @@ out:
 	module_put(THIS_MODULE);
 	return rc;
 
-err_out_cleanup_disk:
-	rbd_free_disk(rbd_dev);
+err_out_device:
+	device_del(&rbd_dev->dev);
 err_out_image_lock:
 	rbd_dev_image_unlock(rbd_dev);
 	rbd_dev_device_release(rbd_dev);
-- 
cgit 1.3-korg
564cd8f4aeb9

rbd: fix null-ptr-deref when device_add_disk() fails

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.gitDawei FengApr 19, 2026via nvd-ref
commit
1 file changed · +3 4
  • drivers/block/rbd.c+3 4 modified
    diff --git a/drivers/block/rbd.c b/drivers/block/rbd.c
index 28e60fc7e2dcaa..9f9e4e0fc95db7 100644
--- a/drivers/block/rbd.c
+++ b/drivers/block/rbd.c
@@ -7166,7 +7166,7 @@ static ssize_t do_rbd_add(const char *buf, size_t count)
 
 	rc = device_add_disk(&rbd_dev->dev, rbd_dev->disk, NULL);
 	if (rc)
-		goto err_out_cleanup_disk;
+		goto err_out_device;
 
 	spin_lock(&rbd_dev_list_lock);
 	list_add_tail(&rbd_dev->node, &rbd_dev_list);
@@ -7180,8 +7180,8 @@ out:
 	module_put(THIS_MODULE);
 	return rc;
 
-err_out_cleanup_disk:
-	rbd_free_disk(rbd_dev);
+err_out_device:
+	device_del(&rbd_dev->dev);
 err_out_image_lock:
 	rbd_dev_image_unlock(rbd_dev);
 	rbd_dev_device_release(rbd_dev);
-- 
cgit 1.3-korg
ad0126ffcba8

rbd: fix null-ptr-deref when device_add_disk() fails

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.gitDawei FengApr 19, 2026via nvd-ref
commit
1 file changed · +3 4
  • drivers/block/rbd.c+3 4 modified
    diff --git a/drivers/block/rbd.c b/drivers/block/rbd.c
index 8f441eb8b19265..9236b5184bce32 100644
--- a/drivers/block/rbd.c
+++ b/drivers/block/rbd.c
@@ -7165,7 +7165,7 @@ static ssize_t do_rbd_add(const char *buf, size_t count)
 
 	rc = device_add_disk(&rbd_dev->dev, rbd_dev->disk, NULL);
 	if (rc)
-		goto err_out_cleanup_disk;
+		goto err_out_device;
 
 	spin_lock(&rbd_dev_list_lock);
 	list_add_tail(&rbd_dev->node, &rbd_dev_list);
@@ -7179,8 +7179,8 @@ out:
 	module_put(THIS_MODULE);
 	return rc;
 
-err_out_cleanup_disk:
-	rbd_free_disk(rbd_dev);
+err_out_device:
+	device_del(&rbd_dev->dev);
 err_out_image_lock:
 	rbd_dev_image_unlock(rbd_dev);
 	rbd_dev_device_release(rbd_dev);
-- 
cgit 1.3-korg
d1fef92e4144

rbd: fix null-ptr-deref when device_add_disk() fails

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.gitDawei FengApr 19, 2026via nvd-ref
commit
1 file changed · +3 4
  • drivers/block/rbd.c+3 4 modified
    diff --git a/drivers/block/rbd.c b/drivers/block/rbd.c
index e7da06200c1e1c..4065336ebd1f1a 100644
--- a/drivers/block/rbd.c
+++ b/drivers/block/rbd.c
@@ -7165,7 +7165,7 @@ static ssize_t do_rbd_add(const char *buf, size_t count)
 
 	rc = device_add_disk(&rbd_dev->dev, rbd_dev->disk, NULL);
 	if (rc)
-		goto err_out_cleanup_disk;
+		goto err_out_device;
 
 	spin_lock(&rbd_dev_list_lock);
 	list_add_tail(&rbd_dev->node, &rbd_dev_list);
@@ -7179,8 +7179,8 @@ out:
 	module_put(THIS_MODULE);
 	return rc;
 
-err_out_cleanup_disk:
-	rbd_free_disk(rbd_dev);
+err_out_device:
+	device_del(&rbd_dev->dev);
 err_out_image_lock:
 	rbd_dev_image_unlock(rbd_dev);
 	rbd_dev_device_release(rbd_dev);
-- 
cgit 1.3-korg
059fb7656723

rbd: fix null-ptr-deref when device_add_disk() fails

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.gitDawei FengApr 19, 2026via nvd-ref
commit
1 file changed · +3 4
  • drivers/block/rbd.c+3 4 modified
    diff --git a/drivers/block/rbd.c b/drivers/block/rbd.c
index e7da06200c1e1c..4065336ebd1f1a 100644
--- a/drivers/block/rbd.c
+++ b/drivers/block/rbd.c
@@ -7165,7 +7165,7 @@ static ssize_t do_rbd_add(const char *buf, size_t count)
 
 	rc = device_add_disk(&rbd_dev->dev, rbd_dev->disk, NULL);
 	if (rc)
-		goto err_out_cleanup_disk;
+		goto err_out_device;
 
 	spin_lock(&rbd_dev_list_lock);
 	list_add_tail(&rbd_dev->node, &rbd_dev_list);
@@ -7179,8 +7179,8 @@ out:
 	module_put(THIS_MODULE);
 	return rc;
 
-err_out_cleanup_disk:
-	rbd_free_disk(rbd_dev);
+err_out_device:
+	device_del(&rbd_dev->dev);
 err_out_image_lock:
 	rbd_dev_image_unlock(rbd_dev);
 	rbd_dev_device_release(rbd_dev);
-- 
cgit 1.3-korg

Vulnerability mechanics

Root cause

"Double-free of disk resources in do_rbd_add() error path when device_add_disk() fails after device_add() succeeds."

Attack vector

An attacker who can write to `/sys/bus/rbd/add_single_major` (or the legacy `/sys/bus/rbd/add` interface) to map an RBD image can trigger this bug by inducing a failure in `device_add_disk()`. The reproducer uses `CONFIG_FAILSLAB` and fail-nth injection confined to the `__add_disk()` range while writing an RBD mapping request. When `device_add_disk()` fails after `device_add()` has already published the device, the old error path calls `rbd_free_disk()` twice, leading to a null-ptr-deref in `__blk_mq_free_map_and_rqs()` via `blk_mq_free_tag_set()`.

Affected code

The bug is in the `do_rbd_add()` function in `drivers/block/rbd.c`. The error path after a failed `device_add_disk()` call jumped to `err_out_cleanup_disk`, which called `rbd_free_disk()` directly, and then fell through to `rbd_dev_device_release()`, which called `rbd_free_disk()` a second time.

What the fix does

The patch replaces the `err_out_cleanup_disk` label (which called `rbd_free_disk()`) with a new `err_out_device` label that calls `device_del()` instead. This ensures the device is properly removed from the kernel device hierarchy before falling through to `rbd_dev_device_release()`, which handles the remaining cleanup including `rbd_free_disk()`. The fix eliminates the double call to `rbd_free_disk()` by following the normal remove ordering — `device_del()` then `rbd_dev_device_release()` — consistent with the successful teardown path.

Preconditions

  • inputAbility to write to /sys/bus/rbd/add_single_major (or /sys/bus/rbd/add) to map an RBD image
  • inputA failure in device_add_disk() must occur after device_add() has succeeded

Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

5

News mentions

0

No linked articles in our index yet.