bcache: fix uninitialized closure object

In the previous patch ("bcache: fix cached_dev.sb_bio use-after-free and crash"), we adopted a simple modification suggestion from AI to fix the use-after-free. But in actual testing, we found an extreme case where the device is stopped before calling bch_write_bdev_super(). At this point, struct closure sb_write has not been initialized yet. For this patch, we ensure that sb_bio has been completed via sb_write_mutex. Signed-off-by: Mingzhe Zou <mingzhe.zou@easystack.cn> Signed-off-by: Coly Li <colyli@fnnas.com> Link: https://patch.msgid.link/20260403042135.2221247-1-colyli@fnnas.com Fixes: fec114a98b87 ("bcache: fix cached_dev.sb_bio use-after-free and crash") Signed-off-by: Jens Axboe <axboe@kernel.dk>
author: Mingzhe Zou <mingzhe.zou@easystack.cn> 2026-04-03 12:21:35 +0800
committer: Jens Axboe <axboe@kernel.dk> 2026-04-03 05:11:08 -0600
commit: 20a8e451ec1c7e99060b1bbaaad03ce88c39ddb8 (patch)
tree: 77449720793ecf3fe3a978aea76250e6ae110ca7
parent: fec114a98b8735ee89c75216c45a78e28be0f128 (diff)
1 files changed, 2 insertions, 1 deletions
diff --git a/drivers/md/bcache/super.c b/drivers/md/bcache/super.c
index 6627a381f65a..97d9adb0bf96 100644
--- a/drivers/md/bcache/super.c
+++ b/drivers/md/bcache/super.c
@@ -1378,7 +1378,8 @@ static CLOSURE_CALLBACK(cached_dev_free)
 	 * The sb_bio is embedded in struct cached_dev, so we must
 	 * ensure no I/O is in progress.
 	 */
-	closure_sync(&dc->sb_write);
+	down(&dc->sb_write_mutex);
+	up(&dc->sb_write_mutex);
 
 	if (dc->sb_disk)
 		folio_put(virt_to_folio(dc->sb_disk));
author	Mingzhe Zou <mingzhe.zou@easystack.cn>	2026-04-03 12:21:35 +0800
committer	Jens Axboe <axboe@kernel.dk>	2026-04-03 05:11:08 -0600
commit	20a8e451ec1c7e99060b1bbaaad03ce88c39ddb8 (patch)
tree	77449720793ecf3fe3a978aea76250e6ae110ca7
parent	fec114a98b8735ee89c75216c45a78e28be0f128 (diff)