{"api_version":"1","generated_at":"2026-05-27T23:32:12+00:00","cve":"CVE-2026-46079","urls":{"html":"https://cve.report/CVE-2026-46079","api":"https://cve.report/api/cve/CVE-2026-46079.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-46079","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-46079"},"summary":{"title":"rbd: fix null-ptr-deref when device_add_disk() fails","description":"In the Linux kernel, the following vulnerability has been resolved:\n\nrbd: fix null-ptr-deref when device_add_disk() fails\n\ndo_rbd_add() publishes the device with device_add() before calling\ndevice_add_disk(). If device_add_disk() fails after device_add()\nsucceeds, the error path calls rbd_free_disk() directly and then later\nfalls through to rbd_dev_device_release(), which calls rbd_free_disk()\nagain. This double teardown can leave blk-mq cleanup operating on\ninvalid state and trigger a null-ptr-deref in\n__blk_mq_free_map_and_rqs(), reached from blk_mq_free_tag_set().\n\nFix this by following the normal remove ordering: call device_del()\nbefore rbd_dev_device_release() when device_add_disk() fails after\ndevice_add(). That keeps the teardown sequence consistent and avoids\nre-entering disk cleanup through the wrong path.\n\nThe bug was first flagged by an experimental analysis tool we are\ndeveloping for kernel memory-management bugs while analyzing\nv6.13-rc1. The tool is still under development and is not yet publicly\navailable.\n\nWe reproduced the bug on v7.0 with a real Ceph backend and a QEMU x86_64\nguest booted with KASAN and CONFIG_FAILSLAB enabled. The reproducer\nconfines failslab injections to the __add_disk() range and injects\nfail-nth while mapping an RBD image through\n/sys/bus/rbd/add_single_major.\n\nOn the unpatched kernel, fail-nth=4 reliably triggered the fault:\n\n\tOops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN NOPTI\n\tKASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]\n\tCPU: 0 UID: 0 PID: 273 Comm: bash Not tainted 7.0.0-01247-gd60bc1401583 #6 PREEMPT(lazy)\n\tHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014\n\tRIP: 0010:__blk_mq_free_map_and_rqs+0x8c/0x240\n\tCode: 00 00 48 8b 6b 60 41 89 f4 49 c1 e4 03 4c 01 e5 45 85 ed 0f 85 0a 01 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 e9 48 c1 e9 03 <80> 3c 01 00 0f 85 31 01 00 00 4c 8b 6d 00 4d 85 ed 0f 84 e2 00 00\n\tRSP: 0018:ff1100000ab0fac8 EFLAGS: 00000246\n\tRAX: dffffc0000000000 RBX: ff1100000c4806a0 RCX: 0000000000000000\n\tRDX: 0000000000000002 RSI: 0000000000000000 RDI: ff1100000c4806f4\n\tRBP: 0000000000000000 R08: 0000000000000001 R09: ffe21c000189001b\n\tR10: ff1100000c4800df R11: ff1100006cf37be0 R12: 0000000000000000\n\tR13: 0000000000000000 R14: ff1100000c480700 R15: ff1100000c480004\n\tFS:  00007f0fbe8fe740(0000) GS:ff110000e5851000(0000) knlGS:0000000000000000\n\tCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n\tCR2: 00007fe53473b2e0 CR3: 0000000012eef000 CR4: 00000000007516f0\n\tPKRU: 55555554\n\tCall Trace:\n\t <TASK>\n\t blk_mq_free_tag_set+0x77/0x460\n\t do_rbd_add+0x1446/0x2b80\n\t ? __pfx_do_rbd_add+0x10/0x10\n\t ? lock_acquire+0x18c/0x300\n\t ? find_held_lock+0x2b/0x80\n\t ? sysfs_file_kobj+0xb6/0x1b0\n\t ? __pfx_sysfs_kf_write+0x10/0x10\n\t kernfs_fop_write_iter+0x2f4/0x4a0\n\t vfs_write+0x98e/0x1000\n\t ? expand_files+0x51f/0x850\n\t ? __pfx_vfs_write+0x10/0x10\n\t ksys_write+0xf2/0x1d0\n\t ? __pfx_ksys_write+0x10/0x10\n\t do_syscall_64+0x115/0x690\n\t entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\tRIP: 0033:0x7f0fbea15907\n\tCode: 10 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 48 89 54 24 18 48 89 74 24\n\tRSP: 002b:00007ffe22346ea8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001\n\tRAX: ffffffffffffffda RBX: 0000000000000058 RCX: 00007f0fbea15907\n\tRDX: 0000000000000058 RSI: 0000563ace6c0ef0 RDI: 0000000000000001\n\tRBP: 0000563ace6c0ef0 R08: 0000563ace6c0ef0 R09: 6b6435726d694141\n\tR10: 5250337279762f78 R11: 0000000000000246 R12: 0000000000000058\n\tR13: 00007f0fbeb1c780 R14: ff1100000c480700 R15: ff1100000c480004\n\t </TASK>\n\nWith this fix applied, rerunning the reproducer over fail-nth=1..256\nyields no KASAN reports.\n\n[ idryomov: rename err_out_device_del -> err_out_device ]","state":"PUBLISHED","assigner":"Linux","published_at":"2026-05-27 14:17:29","updated_at":"2026-05-27 14:48:03"},"problem_types":[],"metrics":[],"references":[{"url":"https://git.kernel.org/stable/c/d1fef92e414433ca7b89abf85cb0df42b8d475eb","name":"https://git.kernel.org/stable/c/d1fef92e414433ca7b89abf85cb0df42b8d475eb","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/564cd8f4aeb9a938e470c5c91922fd02e4d41acc","name":"https://git.kernel.org/stable/c/564cd8f4aeb9a938e470c5c91922fd02e4d41acc","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/059fb7656723c1b77c2fc0e64b7aa99d6bb65e8e","name":"https://git.kernel.org/stable/c/059fb7656723c1b77c2fc0e64b7aa99d6bb65e8e","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/2f4809a879f0750c7790bbeeae86c9505797a06f","name":"https://git.kernel.org/stable/c/2f4809a879f0750c7790bbeeae86c9505797a06f","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/ad0126ffcba8777109852979eaaa6dca6703abdb","name":"https://git.kernel.org/stable/c/ad0126ffcba8777109852979eaaa6dca6703abdb","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-46079","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-46079","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 27c97abc30e2b9ad2288977c0ecbef4d50553f57 2f4809a879f0750c7790bbeeae86c9505797a06f git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 27c97abc30e2b9ad2288977c0ecbef4d50553f57 564cd8f4aeb9a938e470c5c91922fd02e4d41acc git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 27c97abc30e2b9ad2288977c0ecbef4d50553f57 ad0126ffcba8777109852979eaaa6dca6703abdb git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 27c97abc30e2b9ad2288977c0ecbef4d50553f57 059fb7656723c1b77c2fc0e64b7aa99d6bb65e8e git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 27c97abc30e2b9ad2288977c0ecbef4d50553f57 d1fef92e414433ca7b89abf85cb0df42b8d475eb git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 5.16","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 5.16 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.6.140 6.6.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.12.86 6.12.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.18.27 6.18.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 7.0.4 7.0.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 7.1-rc1 * original_commit_for_fix","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Linux","programFiles":["drivers/block/rbd.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"lessThan":"2f4809a879f0750c7790bbeeae86c9505797a06f","status":"affected","version":"27c97abc30e2b9ad2288977c0ecbef4d50553f57","versionType":"git"},{"lessThan":"564cd8f4aeb9a938e470c5c91922fd02e4d41acc","status":"affected","version":"27c97abc30e2b9ad2288977c0ecbef4d50553f57","versionType":"git"},{"lessThan":"ad0126ffcba8777109852979eaaa6dca6703abdb","status":"affected","version":"27c97abc30e2b9ad2288977c0ecbef4d50553f57","versionType":"git"},{"lessThan":"059fb7656723c1b77c2fc0e64b7aa99d6bb65e8e","status":"affected","version":"27c97abc30e2b9ad2288977c0ecbef4d50553f57","versionType":"git"},{"lessThan":"d1fef92e414433ca7b89abf85cb0df42b8d475eb","status":"affected","version":"27c97abc30e2b9ad2288977c0ecbef4d50553f57","versionType":"git"}]},{"defaultStatus":"affected","product":"Linux","programFiles":["drivers/block/rbd.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"status":"affected","version":"5.16"},{"lessThan":"5.16","status":"unaffected","version":"0","versionType":"semver"},{"lessThanOrEqual":"6.6.*","status":"unaffected","version":"6.6.140","versionType":"semver"},{"lessThanOrEqual":"6.12.*","status":"unaffected","version":"6.12.86","versionType":"semver"},{"lessThanOrEqual":"6.18.*","status":"unaffected","version":"6.18.27","versionType":"semver"},{"lessThanOrEqual":"7.0.*","status":"unaffected","version":"7.0.4","versionType":"semver"},{"lessThanOrEqual":"*","status":"unaffected","version":"7.1-rc1","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.6.140","versionStartIncluding":"5.16","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.12.86","versionStartIncluding":"5.16","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.18.27","versionStartIncluding":"5.16","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"7.0.4","versionStartIncluding":"5.16","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"7.1-rc1","versionStartIncluding":"5.16","vulnerable":true}],"negate":false,"operator":"OR"}]}],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nrbd: fix null-ptr-deref when device_add_disk() fails\n\ndo_rbd_add() publishes the device with device_add() before calling\ndevice_add_disk(). If device_add_disk() fails after device_add()\nsucceeds, the error path calls rbd_free_disk() directly and then later\nfalls through to rbd_dev_device_release(), which calls rbd_free_disk()\nagain. This double teardown can leave blk-mq cleanup operating on\ninvalid state and trigger a null-ptr-deref in\n__blk_mq_free_map_and_rqs(), reached from blk_mq_free_tag_set().\n\nFix this by following the normal remove ordering: call device_del()\nbefore rbd_dev_device_release() when device_add_disk() fails after\ndevice_add(). That keeps the teardown sequence consistent and avoids\nre-entering disk cleanup through the wrong path.\n\nThe bug was first flagged by an experimental analysis tool we are\ndeveloping for kernel memory-management bugs while analyzing\nv6.13-rc1. The tool is still under development and is not yet publicly\navailable.\n\nWe reproduced the bug on v7.0 with a real Ceph backend and a QEMU x86_64\nguest booted with KASAN and CONFIG_FAILSLAB enabled. The reproducer\nconfines failslab injections to the __add_disk() range and injects\nfail-nth while mapping an RBD image through\n/sys/bus/rbd/add_single_major.\n\nOn the unpatched kernel, fail-nth=4 reliably triggered the fault:\n\n\tOops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN NOPTI\n\tKASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]\n\tCPU: 0 UID: 0 PID: 273 Comm: bash Not tainted 7.0.0-01247-gd60bc1401583 #6 PREEMPT(lazy)\n\tHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014\n\tRIP: 0010:__blk_mq_free_map_and_rqs+0x8c/0x240\n\tCode: 00 00 48 8b 6b 60 41 89 f4 49 c1 e4 03 4c 01 e5 45 85 ed 0f 85 0a 01 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 e9 48 c1 e9 03 <80> 3c 01 00 0f 85 31 01 00 00 4c 8b 6d 00 4d 85 ed 0f 84 e2 00 00\n\tRSP: 0018:ff1100000ab0fac8 EFLAGS: 00000246\n\tRAX: dffffc0000000000 RBX: ff1100000c4806a0 RCX: 0000000000000000\n\tRDX: 0000000000000002 RSI: 0000000000000000 RDI: ff1100000c4806f4\n\tRBP: 0000000000000000 R08: 0000000000000001 R09: ffe21c000189001b\n\tR10: ff1100000c4800df R11: ff1100006cf37be0 R12: 0000000000000000\n\tR13: 0000000000000000 R14: ff1100000c480700 R15: ff1100000c480004\n\tFS:  00007f0fbe8fe740(0000) GS:ff110000e5851000(0000) knlGS:0000000000000000\n\tCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n\tCR2: 00007fe53473b2e0 CR3: 0000000012eef000 CR4: 00000000007516f0\n\tPKRU: 55555554\n\tCall Trace:\n\t <TASK>\n\t blk_mq_free_tag_set+0x77/0x460\n\t do_rbd_add+0x1446/0x2b80\n\t ? __pfx_do_rbd_add+0x10/0x10\n\t ? lock_acquire+0x18c/0x300\n\t ? find_held_lock+0x2b/0x80\n\t ? sysfs_file_kobj+0xb6/0x1b0\n\t ? __pfx_sysfs_kf_write+0x10/0x10\n\t kernfs_fop_write_iter+0x2f4/0x4a0\n\t vfs_write+0x98e/0x1000\n\t ? expand_files+0x51f/0x850\n\t ? __pfx_vfs_write+0x10/0x10\n\t ksys_write+0xf2/0x1d0\n\t ? __pfx_ksys_write+0x10/0x10\n\t do_syscall_64+0x115/0x690\n\t entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\tRIP: 0033:0x7f0fbea15907\n\tCode: 10 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 48 89 54 24 18 48 89 74 24\n\tRSP: 002b:00007ffe22346ea8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001\n\tRAX: ffffffffffffffda RBX: 0000000000000058 RCX: 00007f0fbea15907\n\tRDX: 0000000000000058 RSI: 0000563ace6c0ef0 RDI: 0000000000000001\n\tRBP: 0000563ace6c0ef0 R08: 0000563ace6c0ef0 R09: 6b6435726d694141\n\tR10: 5250337279762f78 R11: 0000000000000246 R12: 0000000000000058\n\tR13: 00007f0fbeb1c780 R14: ff1100000c480700 R15: ff1100000c480004\n\t </TASK>\n\nWith this fix applied, rerunning the reproducer over fail-nth=1..256\nyields no KASAN reports.\n\n[ idryomov: rename err_out_device_del -> err_out_device ]"}],"providerMetadata":{"dateUpdated":"2026-05-27T12:58:13.903Z","orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux"},"references":[{"url":"https://git.kernel.org/stable/c/2f4809a879f0750c7790bbeeae86c9505797a06f"},{"url":"https://git.kernel.org/stable/c/564cd8f4aeb9a938e470c5c91922fd02e4d41acc"},{"url":"https://git.kernel.org/stable/c/ad0126ffcba8777109852979eaaa6dca6703abdb"},{"url":"https://git.kernel.org/stable/c/059fb7656723c1b77c2fc0e64b7aa99d6bb65e8e"},{"url":"https://git.kernel.org/stable/c/d1fef92e414433ca7b89abf85cb0df42b8d475eb"}],"title":"rbd: fix null-ptr-deref when device_add_disk() fails","x_generator":{"engine":"bippy-1.2.0"}}},"cveMetadata":{"assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","assignerShortName":"Linux","cveId":"CVE-2026-46079","datePublished":"2026-05-27T12:58:13.903Z","dateReserved":"2026-05-13T15:03:33.096Z","dateUpdated":"2026-05-27T12:58:13.903Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-05-27 14:17:29","lastModifiedDate":"2026-05-27 14:48:03","problem_types":[],"metrics":[],"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"46079","Ordinal":"1","Title":"rbd: fix null-ptr-deref when device_add_disk() fails","CVE":"CVE-2026-46079","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"46079","Ordinal":"1","NoteData":"In the Linux kernel, the following vulnerability has been resolved:\n\nrbd: fix null-ptr-deref when device_add_disk() fails\n\ndo_rbd_add() publishes the device with device_add() before calling\ndevice_add_disk(). If device_add_disk() fails after device_add()\nsucceeds, the error path calls rbd_free_disk() directly and then later\nfalls through to rbd_dev_device_release(), which calls rbd_free_disk()\nagain. This double teardown can leave blk-mq cleanup operating on\ninvalid state and trigger a null-ptr-deref in\n__blk_mq_free_map_and_rqs(), reached from blk_mq_free_tag_set().\n\nFix this by following the normal remove ordering: call device_del()\nbefore rbd_dev_device_release() when device_add_disk() fails after\ndevice_add(). That keeps the teardown sequence consistent and avoids\nre-entering disk cleanup through the wrong path.\n\nThe bug was first flagged by an experimental analysis tool we are\ndeveloping for kernel memory-management bugs while analyzing\nv6.13-rc1. The tool is still under development and is not yet publicly\navailable.\n\nWe reproduced the bug on v7.0 with a real Ceph backend and a QEMU x86_64\nguest booted with KASAN and CONFIG_FAILSLAB enabled. The reproducer\nconfines failslab injections to the __add_disk() range and injects\nfail-nth while mapping an RBD image through\n/sys/bus/rbd/add_single_major.\n\nOn the unpatched kernel, fail-nth=4 reliably triggered the fault:\n\n\tOops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN NOPTI\n\tKASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]\n\tCPU: 0 UID: 0 PID: 273 Comm: bash Not tainted 7.0.0-01247-gd60bc1401583 #6 PREEMPT(lazy)\n\tHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014\n\tRIP: 0010:__blk_mq_free_map_and_rqs+0x8c/0x240\n\tCode: 00 00 48 8b 6b 60 41 89 f4 49 c1 e4 03 4c 01 e5 45 85 ed 0f 85 0a 01 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 e9 48 c1 e9 03 <80> 3c 01 00 0f 85 31 01 00 00 4c 8b 6d 00 4d 85 ed 0f 84 e2 00 00\n\tRSP: 0018:ff1100000ab0fac8 EFLAGS: 00000246\n\tRAX: dffffc0000000000 RBX: ff1100000c4806a0 RCX: 0000000000000000\n\tRDX: 0000000000000002 RSI: 0000000000000000 RDI: ff1100000c4806f4\n\tRBP: 0000000000000000 R08: 0000000000000001 R09: ffe21c000189001b\n\tR10: ff1100000c4800df R11: ff1100006cf37be0 R12: 0000000000000000\n\tR13: 0000000000000000 R14: ff1100000c480700 R15: ff1100000c480004\n\tFS:  00007f0fbe8fe740(0000) GS:ff110000e5851000(0000) knlGS:0000000000000000\n\tCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n\tCR2: 00007fe53473b2e0 CR3: 0000000012eef000 CR4: 00000000007516f0\n\tPKRU: 55555554\n\tCall Trace:\n\t <TASK>\n\t blk_mq_free_tag_set+0x77/0x460\n\t do_rbd_add+0x1446/0x2b80\n\t ? __pfx_do_rbd_add+0x10/0x10\n\t ? lock_acquire+0x18c/0x300\n\t ? find_held_lock+0x2b/0x80\n\t ? sysfs_file_kobj+0xb6/0x1b0\n\t ? __pfx_sysfs_kf_write+0x10/0x10\n\t kernfs_fop_write_iter+0x2f4/0x4a0\n\t vfs_write+0x98e/0x1000\n\t ? expand_files+0x51f/0x850\n\t ? __pfx_vfs_write+0x10/0x10\n\t ksys_write+0xf2/0x1d0\n\t ? __pfx_ksys_write+0x10/0x10\n\t do_syscall_64+0x115/0x690\n\t entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\tRIP: 0033:0x7f0fbea15907\n\tCode: 10 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 48 89 54 24 18 48 89 74 24\n\tRSP: 002b:00007ffe22346ea8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001\n\tRAX: ffffffffffffffda RBX: 0000000000000058 RCX: 00007f0fbea15907\n\tRDX: 0000000000000058 RSI: 0000563ace6c0ef0 RDI: 0000000000000001\n\tRBP: 0000563ace6c0ef0 R08: 0000563ace6c0ef0 R09: 6b6435726d694141\n\tR10: 5250337279762f78 R11: 0000000000000246 R12: 0000000000000058\n\tR13: 00007f0fbeb1c780 R14: ff1100000c480700 R15: ff1100000c480004\n\t </TASK>\n\nWith this fix applied, rerunning the reproducer over fail-nth=1..256\nyields no KASAN reports.\n\n[ idryomov: rename err_out_device_del -> err_out_device ]","Type":"Description","Title":"rbd: fix null-ptr-deref when device_add_disk() fails"}]}}}