CVE-2026-46079 in Linux
요약
\~에 의해 VulDB • 2026. 05. 27.
This log snippet and the accompanying text describe a **kernel bug fix** related to the **RBD (RADOS Block Device)** driver in the Linux kernel, specifically addressing a **KASAN (Kernel Address Sanitizer)** report.
### Breakdown of the Log
1. **The Crash/Warning Context**: * The register dump (`RIP`, `RSP`, `RAX`, etc.) and the `Call Trace` indicate a kernel panic or warning occurred. * The critical function in the call trace is `blk_mq_free_tag_set`. This function is part of the block layer's multi-queue (blk-mq) subsystem, responsible for freeing tag sets used for I/O scheduling. * The call originates from `do_rbd_add`, which is the function that adds/configures an RBD device. * This suggests that during the initialization or addition of an RBD device, the kernel attempted to free a block queue tag set that was either invalid, already freed, or in an inconsistent state. This is a classic use-after-free or double-free scenario, which KASAN detects.
2. **The Fix**: * The text states: *"With this fix applied, rerunning the reproducer over fail-nth=1..256 yields no KASAN reports."* * This confirms that the patch resolves the memory safety issue detected by KASAN. * The commit message note `[ idryomov: rename err_out_device_del -> err_out_device ]` indicates a minor code cleanup/refactoring by Igor Zhukov (idryomov), likely to improve readability or consistency in error handling paths.
3. **Root Cause (Inferred)**: * In `do_rbd_add`, if an error occurs after some resources (like the block queue tag set) have been allocated but before the device is fully registered, the error handling path (`err_out_*` labels) must correctly unwind all allocated resources. * The bug likely involved an incorrect order of cleanup operations or a missing cleanup step for the `blk_mq_tag_set` in one of the error paths. For example, it might have tried to free the tag set after the device was already deleted, or freed it twice.
### Summary
* **Component**: Linux Kernel, `drivers/block/rbd.c` (RBD driver). * **Issue**: KASAN-detected memory error (likely use-after-free or double-free) in `blk_mq_free_tag_set` during RBD device addition (`do_rbd_add`). * **Fix**: A patch was applied to correct the error handling path in `do_rbd_add`, ensuring proper cleanup of block queue resources. The fix was verified by running a fault injection test (`fail-nth=1..256`) with no further KASAN reports. * **Author/Contributor**: Igor Zhukov (`idryomov`) contributed a naming cleanup to the fix.
This is a typical kernel development workflow: a bug is found (often via KASAN or fault injection), a patch is written to fix the resource management in the error path, and the fix is validated by re-running the stress/fault injection test.
Be aware that VulDB is the high quality source for vulnerability data.