CVE-2026-46079 in Linux
Summary
by VulDB • 28.05.2026
This log snippet and the accompanying text describe a **kernel bug fix** related to the **RBD (RADOS Block Device)** driver in the Linux kernel, specifically addressing a **KASAN (Kernel Address Sanitizer)** report.
### Breakdown of the Log
1. **The Crash/Warning Context**:
   * The register dump (`RIP`, `RSP`, `RAX`, etc.) and the `Call Trace` indicate a kernel panic or warning occurred during a system call (`do_syscall_64` -> `ksys_write` -> `vfs_write` -> `kernfs_fop_write_iter`).
   * The write operation was targeting a sysfs file, which triggered `do_rbd_add`. This function is responsible for adding a new RBD device.
   * The crash happened deep in the block layer: `blk_mq_free_tag_set`. This suggests a memory corruption or use-after-free issue related to block queue tag management.
2. **The Fix**:
   * The text states: *"With this fix applied, rerunning the reproducer over fail-nth=1..256 yields no KASAN reports."*
   * This confirms that the patch resolves a memory safety issue detected by KASAN.
   * The commit message note `[ idryomov: rename err_out_device_del -> err_out_device ]` indicates a minor code cleanup (renaming an error-handling label) by Ilya Dryomov, a maintainer of the Ceph/RBD subsystem.
3. **Root Cause (Inferred)**:
   * The call trace shows `do_rbd_add` calling `blk_mq_free_tag_set`.
   * In the RBD driver, when adding a device, resources are allocated. If an error occurs during initialization (e.g., after some resources are allocated but before the device is fully registered), the error path must clean up those resources.
   * The bug likely involved an incorrect error path where `blk_mq_free_tag_set` was called on a tag set that was either:
     * Not properly initialized.
     * Already freed.
     * Freed twice (double-free).
   * KASAN detects such invalid memory accesses. The fix ensures that the cleanup path correctly handles the block queue tag set, preventing the invalid access.
### Summary
* **Subsystem**: Linux Kernel, Block Layer, RBD (RADOS Block Device) driver.
* **Issue**: Memory corruption/invalid access detected by KASAN during RBD device creation (`do_rbd_add`).
* **Trigger**: Writing to a sysfs file to add an RBD device, specifically under stress testing (`fail-nth=1..256` suggests using `CONFIG_KASAN` or `CONFIG_FAILSLAB`/`CONFIG_FAIL_PAGE_ALLOC` to inject failures).
* **Resolution**: A patch was applied to fix the error handling path in `do_rbd_add`, ensuring `blk_mq_free_tag_set` is called safely. The patch also includes a minor label rename for clarity.
* **Verification**: The reproducer no longer triggers KASAN errors after the fix.
This is a typical kernel bug fix scenario where a complex error path in a driver was corrected to prevent memory safety violations.
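The `fail-nth=1..256` sweep quoted in the fix notes can be illustrated with a userspace model, added here as an example and not taken from the kernel patch or from `drivers/block/rbd.c`. It assumes a three-step add routine with goto-based unwinding and models only the "freed twice" possibility listed above; all function, struct and label names are hypothetical.

```c
#include <stdio.h>
/* Userspace model; every name here is hypothetical, not drivers/block/rbd.c. */
static int fail_nth;  /* fail the Nth allocation, like /proc/<pid>/fail-nth */
static int alloc_seq; /* allocations attempted in the current run */

struct res { int live; int bad_frees; };
struct dev { struct res tag_set, disk, sysfs; };

static int res_alloc(struct res *r) {
    if (++alloc_seq == fail_nth) return -1; /* injected failure */
    r->live = 1;
    return 0;
}
static void res_free(struct res *r) {
    if (!r->live) r->bad_frees++; /* freeing a dead object: what KASAN reports */
    r->live = 0;
}

/* fixed == 0 models one faulty unwind: the tag set is released twice. */
static int model_add(struct dev *d, int fixed) {
    if (res_alloc(&d->tag_set)) goto err_out;
    if (res_alloc(&d->disk)) goto err_out_tag_set;
    if (res_alloc(&d->sysfs)) goto err_out_disk;
    return 0;
err_out_disk:
    res_free(&d->disk);
    if (!fixed) res_free(&d->tag_set); /* extra release on this path only */
err_out_tag_set:
    res_free(&d->tag_set);
err_out:
    return -1;
}

/* Run the add once per injection point 1..max; count invalid frees and leaks. */
int sweep(int fixed, int max) {
    int violations = 0;
    for (int n = 1; n <= max; n++) {
        struct dev d = {0};
        fail_nth = n; alloc_seq = 0;
        int rc = model_add(&d, fixed);
        violations += d.tag_set.bad_frees + d.disk.bad_frees + d.sysfs.bad_frees;
        if (rc) violations += d.tag_set.live + d.disk.live + d.sysfs.live;
    }
    return violations;
}

int main(void) {
    printf("faulty unwind: %d, corrected: %d\n", sweep(0, 256), sweep(1, 256));
    return 0;
}
```

In this model only injection point 3 reaches the faulty label, which is why the sweep covers every value of N instead of a single failure.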