In the Linux kernel, the following vulnerability has been resolved:

fs/mbcache: cancel shrink work before destroying the cache

mb_cache_destroy() calls shrinker_free() and then frees all cache
entries and the cache itself, but it does not cancel the pending
c_shrink_work work item first.

If mb_cache_entry_create() schedules c_shrink_work via schedule_work()
and the work item is still pending or running when mb_cache_destroy()
runs, mb_cache_shrink_worker() will access the cache after its memory
has been freed, causing a use-after-free.

This is only reachable by a privileged user (root or CAP_SYS_ADMIN)
who can trigger the last put of a mounted ext2/ext4/ocfs2 filesystem.

Cancel the work item with cancel_work_sync() before calling
shrinker_free(), ensuring the worker has finished and will not be
rescheduled before the cache is torn down.

https://git.kernel.org/stable/c/0e4eff315d799f5842b95872199b0f0fb8ef5f51

https://git.kernel.org/stable/c/a88d39a74a208e197c03bffaa2df34de732af19f

https://git.kernel.org/stable/c/b25fd3523bef88fb7ffd4c5b63bbe9c08f73bb4c

https://git.kernel.org/stable/c/d227786ab1119669df4dc333a61510c52047cce4

[{"vendor":"Linux","product":"Linux","defaultStatus":"unaffected","programFiles":["fs/mbcache.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"c2f3140fe2eceb3a6c1615b2648b9471544881c6","lessThan":"a88d39a74a208e197c03bffaa2df34de732af19f","versionType":"git","status":"affected"},{"version":"c2f3140fe2eceb3a6c1615b2648b9471544881c6","lessThan":"0e4eff315d799f5842b95872199b0f0fb8ef5f51","versionType":"git","status":"affected"},{"version":"c2f3140fe2eceb3a6c1615b2648b9471544881c6","lessThan":"b25fd3523bef88fb7ffd4c5b63bbe9c08f73bb4c","versionType":"git","status":"affected"},{"version":"c2f3140fe2eceb3a6c1615b2648b9471544881c6","lessThan":"d227786ab1119669df4dc333a61510c52047cce4","versionType":"git","status":"affected"}]},{"vendor":"Linux","product":"Linux","defaultStatus":"affected","programFiles":["fs/mbcache.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"4.6","status":"affected"},{"version":"0","lessThan":"4.6","versionType":"semver","status":"unaffected"},{"version":"6.12.91","lessThanOrEqual":"6.12.*","versionType":"semver","status":"unaffected"},{"version":"6.18.33","lessThanOrEqual":"6.18.*","versionType":"semver","status":"unaffected"},{"version":"7.0.10","lessThanOrEqual":"7.0.*","versionType":"semver","status":"unaffected"},{"version":"7.1","lessThanOrEqual":"*","versionType":"original_commit_for_fix","status":"unaffected"}]}]