CVE-2026-22995

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ublk: fix use-after-free in ublk_partition_scan_work<br /> <br /> A race condition exists between the async partition scan work and device<br /> teardown that can lead to a use-after-free of ub-&gt;ub_disk:<br /> <br /> 1. ublk_ctrl_start_dev() schedules partition_scan_work after add_disk()<br /> 2. ublk_stop_dev() calls ublk_stop_dev_unlocked() which does:<br /> - del_gendisk(ub-&gt;ub_disk)<br /> - ublk_detach_disk() sets ub-&gt;ub_disk = NULL<br /> - put_disk() which may free the disk<br /> 3. The worker ublk_partition_scan_work() then dereferences ub-&gt;ub_disk<br /> leading to UAF<br /> <br /> Fix this by using ublk_get_disk()/ublk_put_disk() in the worker to hold<br /> a reference to the disk during the partition scan. The spinlock in<br /> ublk_get_disk() synchronizes with ublk_detach_disk() ensuring the worker<br /> either gets a valid reference or sees NULL and exits early.<br /> <br /> Also change flush_work() to cancel_work_sync() to avoid running the<br /> partition scan work unnecessarily when the disk is already detached.