In the Linux kernel, the following vulnerability has been resolved:
nilfs2: fix potential UAF of struct nilfs_sc_info in nilfs_segctor_thread()
The finalization of nilfs_segctor_thread() can race with nilfs_segctor_kill_thread(), which terminates that thread, potentially causing a use-after-free bug, as detected by KASAN.
At the end of nilfs_segctor_thread(), it assigns NULL to the sc_task member of struct nilfs_sc_info to indicate that the thread has finished, and then notifies nilfs_segctor_kill_thread() of this through the waitqueue sc_wait_task in the same struct nilfs_sc_info.
However, immediately after the NULL assignment to sc_task, nilfs_segctor_kill_thread() may detect it and return to continue the deallocation, freeing the nilfs_sc_info structure before the thread performs the notification.
This fixes the issue by protecting both the NULL assignment to sc_task and its notification with the spinlock sc_state_lock of struct nilfs_sc_info. Since nilfs_segctor_kill_thread() performs its final check of whether sc_task is NULL with sc_state_lock held, this eliminates the race.
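A userspace model of the corrected handshake, added here as an example and not nilfs2 code: a pthread mutex and condition variable stand in for sc_state_lock and sc_wait_task, and the struct and function names are assumptions that mirror the ones in the description.

```c
#include <pthread.h>
#include <stdbool.h>
#include <stdlib.h>
/* Model of struct nilfs_sc_info (hypothetical names): state_lock ~ sc_state_lock,
 * wait_task ~ sc_wait_task, task_valid ~ (sc_task != NULL). */
struct sc_info {
    pthread_mutex_t state_lock;
    pthread_cond_t  wait_task;
    pthread_t       task;
    bool            task_valid;
    bool            notified;   /* set by the thread just before it wakes the killer */
};

/* Tail of the segctor thread. The fix brackets the "sc_task = NULL" store and the
 * wake-up with the lock; before the fix the store came first, so the killer could
 * see NULL, free the struct, and the thread then signalled on freed memory. */
static void *segctor_thread(void *arg)
{
    struct sc_info *sci = arg;
    pthread_mutex_lock(&sci->state_lock);
    sci->task_valid = false;                 /* "sc_task = NULL" */
    sci->notified = true;
    pthread_cond_broadcast(&sci->wait_task); /* wake_up(&sci->sc_wait_task) */
    pthread_mutex_unlock(&sci->state_lock);  /* sci is not touched after this */
    return NULL;
}

/* Models the killer: wait under the lock until sc_task is cleared, then tear the
 * structure down. Returns true if the thread's notification had completed by the
 * time the struct was freed, which the lock bracket guarantees. */
bool run_fixed_shutdown(void)
{
    struct sc_info *sci = calloc(1, sizeof *sci);
    pthread_mutex_init(&sci->state_lock, NULL);
    pthread_cond_init(&sci->wait_task, NULL);
    sci->task_valid = true;
    pthread_create(&sci->task, NULL, segctor_thread, sci);
    pthread_mutex_lock(&sci->state_lock);
    while (sci->task_valid)                  /* final check is done under the lock */
        pthread_cond_wait(&sci->wait_task, &sci->state_lock);
    bool notified = sci->notified;
    pthread_t t = sci->task;
    pthread_mutex_unlock(&sci->state_lock);
    pthread_mutex_destroy(&sci->state_lock);
    pthread_cond_destroy(&sci->wait_task);
    free(sci);                               /* the thread no longer references sci */
    pthread_join(t, NULL);                   /* reap; a kernel kthread needs no join */
    return notified;
}
```

Because the killer can only observe task_valid == false after the thread has released the lock, the free always happens after the wake-up has completed.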