CVE-2026-31580

Severity CVSS v4.0:
Pending analysis
Type:
CWE-416 Use After Free
Publication date:
24/04/2026
Last modified:
27/04/2026

Description

In the Linux kernel, the following vulnerability has been resolved:

bcache: fix cached_dev.sb_bio use-after-free and crash

In our production environment, we have received multiple crash reports
regarding libceph, which have caught our attention:

```
[6888366.280350] Call Trace:
[6888366.280452] blk_update_request+0x14e/0x370
[6888366.280561] blk_mq_end_request+0x1a/0x130
[6888366.280671] rbd_img_handle_request+0x1a0/0x1b0 [rbd]
[6888366.280792] rbd_obj_handle_request+0x32/0x40 [rbd]
[6888366.280903] __complete_request+0x22/0x70 [libceph]
[6888366.281032] osd_dispatch+0x15e/0xb40 [libceph]
[6888366.281164] ? inet_recvmsg+0x5b/0xd0
[6888366.281272] ? ceph_tcp_recvmsg+0x6f/0xa0 [libceph]
[6888366.281405] ceph_con_process_message+0x79/0x140 [libceph]
[6888366.281534] ceph_con_v1_try_read+0x5d7/0xf30 [libceph]
[6888366.281661] ceph_con_workfn+0x329/0x680 [libceph]
```

After analyzing the coredump file, we found that the address of
dc->sb_bio has been freed. We know that cached_dev is only freed when it
is stopped.

Since sb_bio is a part of struct cached_dev, rather than an alloc every
time. If the device is stopped while writing to the superblock, the
released address will be accessed at endio.

This patch hopes to wait for sb_write to complete in cached_dev_free.

It should be noted that we analyzed the cause of the problem, then tell
all details to the QWEN and adopted the modifications it made.

Vulnerable products and versions

| CPE | From | Up to |
| --- | --- | --- |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | | 6.6.136 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.12 (including) | 6.12.83 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.13 (including) | 6.18.24 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.19 (including) | 6.19.14 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 7.0 (including) | 7.0.1 (excluding) |
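
A triage check for a host against the ranges listed above, given as an added example that is not part of the advisory or the kernel patch. It assumes the upstream version number in `uname -r` is meaningful (vendor kernels may carry the fix under an older number) and uses the presence of `/sys/fs/bcache` as the sign that bcache is loaded; the function names are illustrative.

```python
import os
import platform
import re

# Ranges copied literally from the "Vulnerable products and versions" table:
# (from_inclusive or None, up_to_exclusive)
AFFECTED = [
    (None, (6, 6, 136)),
    ((6, 12, 0), (6, 12, 83)),
    ((6, 13, 0), (6, 18, 24)),
    ((6, 19, 0), (6, 19, 14)),
    ((7, 0, 0), (7, 0, 1)),
]

def parse_release(release):
    """Turn '6.12.40-generic' or '7.0' into (major, minor, patch)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return tuple(int(g) if g else 0 for g in m.groups())

def in_affected_range(release):
    """True if the upstream version falls inside any listed range."""
    v = parse_release(release)
    return any((lo is None or v >= lo) and v < hi for lo, hi in AFFECTED)

def bcache_loaded(sysfs="/sys/fs/bcache"):
    """The bcache module registers this sysfs directory when it is loaded."""
    return os.path.isdir(sysfs)

def assess(release, bcache):
    """Combine the version check with whether bcache is present on the host."""
    if not in_affected_range(release):
        return "not in listed ranges"
    if bcache:
        return "in listed range, bcache loaded: prioritise the update"
    return "in listed range, bcache not loaded"

if __name__ == "__main__":
    rel = platform.release()
    print(rel, "->", assess(rel, bcache_loaded()))
```

A result of "in listed range" on a distribution kernel should be confirmed against the vendor's own advisory, since backported fixes do not change the upstream version number.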