{"id":"CVE-2026-31580","summary":"bcache: fix cached_dev.sb_bio use-after-free and crash","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nbcache: fix cached_dev.sb_bio use-after-free and crash\n\nIn our production environment, we have received multiple crash reports\nregarding libceph, which have caught our attention:\n\n```\n[6888366.280350] Call Trace:\n[6888366.280452]  blk_update_request+0x14e/0x370\n[6888366.280561]  blk_mq_end_request+0x1a/0x130\n[6888366.280671]  rbd_img_handle_request+0x1a0/0x1b0 [rbd]\n[6888366.280792]  rbd_obj_handle_request+0x32/0x40 [rbd]\n[6888366.280903]  __complete_request+0x22/0x70 [libceph]\n[6888366.281032]  osd_dispatch+0x15e/0xb40 [libceph]\n[6888366.281164]  ? inet_recvmsg+0x5b/0xd0\n[6888366.281272]  ? ceph_tcp_recvmsg+0x6f/0xa0 [libceph]\n[6888366.281405]  ceph_con_process_message+0x79/0x140 [libceph]\n[6888366.281534]  ceph_con_v1_try_read+0x5d7/0xf30 [libceph]\n[6888366.281661]  ceph_con_workfn+0x329/0x680 [libceph]\n```\n\nAfter analyzing the coredump file, we found that the address of\ndc-\u003esb_bio has been freed. We know that cached_dev is only freed when it\nis stopped.\n\nSince sb_bio is a part of struct cached_dev, rather than an alloc every\ntime.  If the device is stopped while writing to the superblock, the\nreleased address will be accessed at endio.\n\nThis patch hopes to wait for sb_write to complete in cached_dev_free.\n\nIt should be noted that we analyzed the cause of the problem, then tell\nall details to the QWEN and adopted the modifications it made.","modified":"2026-07-03T18:29:22.419733192Z","published":"2026-04-24T14:42:10.874Z","related":["CGA-72f6-5jfv-8jf8","SUSE-SU-2026:22433-1","openSUSE-SU-2026:10703-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31580.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/2d6965581e164fa2ba3f7652ddae5535f6336576"},{"type":"WEB","url":"https://git.kernel.org/stable/c/383f7fec0de8cee1cf7ae1f9d9f14044a61f10f9"},{"type":"WEB","url":"https://git.kernel.org/stable/c/47fa09fe7f3e09df28a51cb2cbd8f5d2f7f6edc1"},{"type":"WEB","url":"https://git.kernel.org/stable/c/4f71c8ba2dc009042493021d94a9718fbe2ebf27"},{"type":"WEB","url":"https://git.kernel.org/stable/c/81f44ed8c3f54abb7561ece774ea4cca5070b2f2"},{"type":"WEB","url":"https://git.kernel.org/stable/c/9467d360be70e6ee55b0c1cd2a1f1424f57b5b85"},{"type":"WEB","url":"https://git.kernel.org/stable/c/add4982510f3b7c318a2dd7438bdc9c63171e753"},{"type":"WEB","url":"https://git.kernel.org/stable/c/f50e7c325ab1207fe941555bcff659f6d7050572"},{"type":"WEB","url":"https://git.kernel.org/stable/c/fec114a98b8735ee89c75216c45a78e28be0f128"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31580.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31580"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"cafe563591446cf80bfbc2fe3bc72a2e36cf1060"},{"fixed":"81f44ed8c3f54abb7561ece774ea4cca5070b2f2"},{"fixed":"f50e7c325ab1207fe941555bcff659f6d7050572"},{"fixed":"9467d360be70e6ee55b0c1cd2a1f1424f57b5b85"},{"fixed":"47fa09fe7f3e09df28a51cb2cbd8f5d2f7f6edc1"},{"fixed":"add4982510f3b7c318a2dd7438bdc9c63171e753"},{"fixed":"2d6965581e164fa2ba3f7652ddae5535f6336576"},{"fixed":"4f71c8ba2dc009042493021d94a9718fbe2ebf27"},{"fixed":"383f7fec0de8cee1cf7ae1f9d9f14044a61f10f9"},{"fixed":"fec114a98b8735ee89c75216c45a78e28be0f128"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-31580.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"3.10.0"},{"fixed":"5.10.258"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.11.0"},{"fixed":"5.15.209"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.16.0"},{"fixed":"6.1.175"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.2.0"},{"fixed":"6.6.136"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.7.0"},{"fixed":"6.12.83"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.13.0"},{"fixed":"6.18.24"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.19.0"},{"fixed":"6.19.14"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.20.0"},{"fixed":"7.0.1"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-31580.json"}}],"schema_version":"1.7.5"}