CVE-2026-22995

Source
https://cve.org/CVERecord?id=CVE-2026-22995
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-22995.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-22995
Downstream
Published
2026-01-23T15:24:15.684Z
Modified
2026-03-13T04:06:42.437739Z
Summary
ublk: fix use-after-free in ublk_partition_scan_work
Details

In the Linux kernel, the following vulnerability has been resolved:

ublk: fix use-after-free in ublk_partition_scan_work

A race condition exists between the async partition scan work and device teardown that can lead to a use-after-free of ub->ub_disk:

  1. ublk_ctrl_start_dev() schedules partition_scan_work after add_disk()
  2. ublk_stop_dev() calls ublk_stop_dev_unlocked() which does:
    • del_gendisk(ub->ub_disk)
    • ublk_detach_disk() sets ub->ub_disk = NULL
    • put_disk() which may free the disk
  3. The worker ublk_partition_scan_work() then dereferences ub->ub_disk leading to UAF

Fix this by using ublk_get_disk()/ublk_put_disk() in the worker to hold a reference to the disk during the partition scan. The spinlock in ublk_get_disk() synchronizes with ublk_detach_disk() ensuring the worker either gets a valid reference or sees NULL and exits early.

Also change flush_work() to cancel_work_sync() to avoid running the partition scan work unnecessarily when the disk is already detached.
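The get-under-lock pattern described in the fix, as a userspace model added here for illustration (not the kernel's ublk code). All names (struct dev, struct disk, dev_get_disk, dev_detach_disk, disk_put) are hypothetical stand-ins, and a "freed" flag replaces the real free so the lifetime can be observed.

```c
/* Userspace model of "take a reference under the lock or see NULL".
 * Added example with hypothetical names; not the kernel's ublk code. */
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

struct disk { atomic_int refs; bool freed; bool scanned; };
struct dev  { atomic_flag lock; struct disk *disk; };

static void dev_lock(struct dev *d)   { while (atomic_flag_test_and_set(&d->lock)) ; }
static void dev_unlock(struct dev *d) { atomic_flag_clear(&d->lock); }

/* Drop one reference; the last put marks the disk freed. */
static void disk_put(struct disk *k) { if (atomic_fetch_sub(&k->refs, 1) == 1) k->freed = true; }

/* Worker side: pin the disk under the lock, or return NULL once detached. */
static struct disk *dev_get_disk(struct dev *d)
{
    dev_lock(d);
    struct disk *k = d->disk;
    if (k) atomic_fetch_add(&k->refs, 1);
    dev_unlock(d);
    return k;
}

/* Teardown side: clear the pointer under the same lock; caller does the put. */
static struct disk *dev_detach_disk(struct dev *d)
{
    dev_lock(d);
    struct disk *k = d->disk;
    d->disk = NULL;
    dev_unlock(d);
    return k;
}

/* The worker holds its own reference for the whole scan and exits early on NULL. */
static bool partition_scan_work(struct dev *d)
{
    struct disk *k = dev_get_disk(d);
    if (!k) return false;
    k->scanned = true;                 /* stands in for the partition scan */
    disk_put(k);
    return true;
}

int main(void)
{
    struct disk k = { .refs = 1 };     /* constructed sample: owner holds one ref */
    struct dev d = { .lock = ATOMIC_FLAG_INIT, .disk = &k };
    bool before = partition_scan_work(&d);
    disk_put(dev_detach_disk(&d));     /* teardown drops the owner's reference */
    printf("before=%d after=%d freed=%d\n", before, partition_scan_work(&d), k.freed);
    return 0;
}
```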

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/22xxx/CVE-2026-22995.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
63dfbcd59b4b823eac4441efff10b1c303c8f49f
Fixed
72e28774e9644c2bdbb4920842fbf77103a15a85
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
7fc4da6a304bdcd3de14fc946dc2c19437a9cc5a
Fixed
f0d385f6689f37a2828c686fb279121df006b4cb

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-22995.json"