In the Linux kernel, the following vulnerability has been resolved:
ceph: fix potential use-after-free bug when trimming caps
When trimming the caps and just after the session->s_cap_lock is released in ceph_iterate_session_caps() the cap maybe removed by another thread, and when using the stale cap memory in the callbacks it will trigger use-after-free crash.
We need to check the existence of the cap just after the ci->i_ceph_lock being acquired. And do nothing if its already removed.