In the Linux kernel, the following vulnerability has been resolved:

ext4: fix use-after-free in update_super_work when racing with umount

Commit b98535d09179 ("ext4: fix bug_on in start_this_handle during umount filesystem") moved ext4_unregister_sysfs() before flushing s_sb_upd_work to prevent new error work from being queued via /proc/fs/ext4/xx/mb_groups reads during unmount. However, this introduced a use-after-free because update_super_work calls ext4_notify_error_sysfs() -> sysfs_notify(), which accesses the kobject's kernfs_node after it has been freed by kobject_del() in ext4_unregister_sysfs():

    update_super_work                     ext4_put_super
    -----------------                     --------------
                                          ext4_unregister_sysfs(sb)
                                            kobject_del(&sbi->s_kobj)
                                              __kobject_del()
                                                sysfs_remove_dir()
                                                  kobj->sd = NULL
                                                  sysfs_put(sd)
                                                    kernfs_put()      // RCU free
    ext4_notify_error_sysfs(sbi)
      sysfs_notify(&sbi->s_kobj)
        kn = kobj->sd                     // stale pointer
        kernfs_get(kn)                    // UAF on freed kernfs_node
                                          ext4_journal_destroy()
                                            flush_work(&sbi->s_sb_upd_work)

Instead of reordering the teardown sequence, fix this by making ext4_notify_error_sysfs() detect that sysfs has already been torn down by checking s_kobj.state_in_sysfs, and skipping the sysfs_notify() call in that case. A dedicated mutex (s_error_notify_mutex) serializes ext4_notify_error_sysfs() against kobject_del() in ext4_unregister_sysfs() to prevent TOCTOU races where the kobject could be deleted between the state_in_sysfs check and the sysfs_notify() call.
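To show why the state_in_sysfs check alone is not enough and how s_error_notify_mutex closes the window, here is an added user-space model in C; it is constructed for this page and is not kernel code. The kernfs_node, kobject, kernfs_get() and kobject_del() here are simplified stand-ins, and a 'freed' flag replaces the real free so a stale access is reported instead of crashing.

```c
#include <pthread.h>
#include <stdbool.h>

/* Constructed user-space stand-ins for the kernel structures; not kernel code. */
struct kernfs_node { int refcount; bool freed; };   /* 'freed' models a released node */
struct kobject { struct kernfs_node *sd; bool state_in_sysfs; };
struct ext4_sb_info { struct kobject s_kobj; pthread_mutex_t s_error_notify_mutex; };

/* Model of kernfs_get(): taking a reference on a freed node is the use-after-free. */
static int kernfs_get(struct kernfs_node *kn) {
    if (kn == NULL) return 0;       /* NULL is tolerated, as in the real helper */
    if (kn->freed) return -1;       /* UAF: node already released by kernfs_put() */
    kn->refcount++;
    return 0;
}
/* Model of kobject_del(): sysfs_remove_dir() clears kobj->sd and drops the last ref. */
static void kobject_del(struct kobject *kobj) {
    struct kernfs_node *sd = kobj->sd;
    kobj->state_in_sysfs = false;
    kobj->sd = NULL;
    sd->freed = true;               /* memory stays mapped so reuse can be detected */
}
static void ext4_unregister_sysfs(struct ext4_sb_info *sbi) {
    pthread_mutex_lock(&sbi->s_error_notify_mutex);   /* same lock as the notify path */
    kobject_del(&sbi->s_kobj);
    pthread_mutex_unlock(&sbi->s_error_notify_mutex);
}
/* Fixed notify path: the state_in_sysfs check and the use of kobj->sd sit in one
 * critical section. Returns 0 if sysfs_notify() ran, 1 if skipped (sysfs torn down). */
static int ext4_notify_error_sysfs(struct ext4_sb_info *sbi) {
    int ret = 1;
    pthread_mutex_lock(&sbi->s_error_notify_mutex);
    if (sbi->s_kobj.state_in_sysfs)
        ret = kernfs_get(sbi->s_kobj.sd);             /* what sysfs_notify() does */
    pthread_mutex_unlock(&sbi->s_error_notify_mutex);
    return ret;
}
/* Replays the interleaving from the advisory: the work item reaches kobj->sd while
 * ext4_put_super() tears sysfs down. Returns -1 on a UAF, 0 or 1 otherwise. */
static int replay_umount_race(bool fixed) {
    struct kernfs_node node = { .refcount = 1, .freed = false };
    struct ext4_sb_info sbi = { .s_kobj = { &node, true },
                                .s_error_notify_mutex = PTHREAD_MUTEX_INITIALIZER };
    if (fixed) {                    /* the mutex orders them: notify sees sysfs gone */
        ext4_unregister_sysfs(&sbi);
        return ext4_notify_error_sysfs(&sbi);
    }
    struct kernfs_node *kn = sbi.s_kobj.sd;  /* unfixed: pointer loaded with no lock */
    ext4_unregister_sysfs(&sbi);             /* kobject_del() frees it meanwhile */
    return kernfs_get(kn);                   /* stale pointer -> UAF */
}
```

In the unfixed replay the pointer is loaded before the lock-free teardown and dereferenced after it, which is exactly the window the mutex removes.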