DEBIAN-CVE-2026-22995
In the Linux kernel, the following vulnerability has been resolved:

ublk: fix use-after-free in ublk_partition_scan_work

A race condition exists between the async partition scan work and device teardown that can lead to a use-after-free of ub->ub_disk:

1. ublk_ctrl_start_dev() schedules partition_scan_work after add_disk()
2. ublk_stop_dev() calls ublk_stop_dev_unlocked() which does:
   - del_gendisk(ub->ub_disk)
   - ublk_detach_disk() sets ub->ub_disk = NULL
   - put_disk() which may free the disk
3. The worker ublk_partition_scan_work() then dereferences ub->ub_disk leading to UAF

Fix this by using ublk_get_disk()/ublk_put_disk() in the worker to hold a reference to the disk during the partition scan. The spinlock in ublk_get_disk() synchronizes with ublk_detach_disk() ensuring the worker either gets a valid reference or sees NULL and exits early.

Also change flush_work() to cancel_work_sync() to avoid running the partition scan work unnecessarily when the disk is already detached.
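The get/put pattern the fix relies on, as an added user-space model that is not the kernel's code: a worker either takes a counted reference under the same lock teardown uses to clear the pointer, or sees NULL and exits. The struct and function names are hypothetical stand-ins, and del_gendisk() is not modelled.

```c
/* Constructed user-space model; these are not the kernel's definitions. */
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>

struct disk { atomic_int refs; bool freed; };          /* stand-in for the gendisk */
struct dev  { atomic_flag lock; struct disk *disk; };  /* stand-in for ub / ub->ub_disk */
static void dev_lock(struct dev *d)   { while (atomic_flag_test_and_set(&d->lock)) { } }
static void dev_unlock(struct dev *d) { atomic_flag_clear(&d->lock); }
/* Last put "frees" the disk (only flagged here, so the result stays observable). */
static void disk_put(struct disk *k) { if (atomic_fetch_sub(&k->refs, 1) == 1) k->freed = true; }

/* Role of ublk_get_disk(): take a reference under the lock, or return NULL. */
static struct disk *dev_get_disk(struct dev *d)
{
    dev_lock(d);
    struct disk *k = d->disk;
    if (k) atomic_fetch_add(&k->refs, 1);
    dev_unlock(d);
    return k;
}
/* Role of teardown: clear the pointer under the same lock, then put the disk. */
static void dev_stop(struct dev *d)
{
    dev_lock(d);
    struct disk *k = d->disk;
    d->disk = NULL;
    dev_unlock(d);
    if (k) disk_put(k);
}

/* Interleaving A: teardown finishes first, so the worker sees NULL and exits. */
static bool worker_after_stop(void)
{
    struct disk k = { .refs = 1 };
    struct dev d = { .lock = ATOMIC_FLAG_INIT, .disk = &k };
    dev_stop(&d);
    return dev_get_disk(&d) == NULL && k.freed;
}
/* Interleaving B: teardown runs mid-scan; the worker's reference keeps the disk alive. */
static bool stop_during_scan(void)
{
    struct disk k = { .refs = 1 };
    struct dev d = { .lock = ATOMIC_FLAG_INIT, .disk = &k };
    struct disk *held = dev_get_disk(&d);   /* worker takes its reference */
    dev_stop(&d);                           /* teardown drops the device's reference */
    bool alive = held == &k && !k.freed;    /* the scan would touch the disk here */
    disk_put(held);                         /* worker done: last reference, disk freed */
    return alive && k.freed;
}
int main(void) { return worker_after_stop() && stop_during_scan() ? 0 : 1; }
```

Without the reference taken in `dev_get_disk()`, interleaving B would leave the worker holding a pointer to a disk that teardown had already released.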
References
https://security-tracker.debian.org/tracker/CVE-2026-22995
