Linux kernel v5.1+ Heap buffer overflow in fs_context.c

We discussed this vulnerability during Episode 114 on 25 January 2022

Integer underflow in fs_context.c's legacy_parse_param(), introduced in v5.1. When bounds checking the length of an incoming mount option, the function compares it against PAGE_SIZE - 2 - data_size, where data_size is the number of option bytes already accumulated in the context. That accumulated size is under the caller's control, because every fsconfig() call appends another option, and it is allowed to grow all the way to PAGE_SIZE - 1 (4095 on a 4 KiB page). Once it gets there the unsigned subtraction wraps to SIZE_MAX, so the check can no longer reject anything, and the next option is memcpy'd past the end of the PAGE_SIZE legacy_data buffer. This gives you a size-controlled overflow of a kmalloc-4k object: each further option appends more bytes, so the attacker picks how far past the end the write goes.
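To make the wrap concrete, here is an added userspace C model of the check. It is not the kernel's code and was not part of the episode: it mirrors the flag-only (key, no value) path of legacy_parse_param() with the vulnerable comparison beside the reordered form the upstream fix uses, and drives both with a sequence of options that lands the accumulated size exactly on 4095. Assumed for the model: 4 KiB pages, keys capped at 255 bytes (fsconfig() caps option strings at a similar small size), and a zeroed guard region standing in for whatever heap object sits next to the 4k buffer, so the overflowing write is contained and can be measured.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumption: 4 KiB pages, as on x86-64. Redefined so the mirrored check
 * reads like the kernel source. */
#ifdef PAGE_SIZE
#undef PAGE_SIZE
#endif
#define PAGE_SIZE 4096ul

typedef bool (*len_check)(size_t size, size_t len);

/* Vulnerable form of the check. PAGE_SIZE - 2 - size is unsigned, so once
 * size == PAGE_SIZE - 1 it wraps to SIZE_MAX and no len can exceed it. */
static bool vuln_check_accepts(size_t size, size_t len)
{
    return !(len > PAGE_SIZE - 2 - size);
}

/* Hardened form: the same bound written as an addition, which cannot wrap
 * for the small per-option lengths fsconfig() allows. */
static bool fixed_check_accepts(size_t size, size_t len)
{
    return !(size + len + 2 > PAGE_SIZE);
}

/* Stand-in for the kmalloc(PAGE_SIZE) legacy_data object, followed by a
 * guard region playing the role of the neighbouring heap object. Writes
 * that run past PAGE_SIZE land in the guard instead of corrupting memory. */
#define GUARD_BYTES 512
struct ctx {
    unsigned char mem[PAGE_SIZE + GUARD_BYTES];
    size_t data_size;
};

/* Mirrors the flag-only path of legacy_parse_param(): check the length,
 * then append "," + key and a NUL terminator. */
static int parse_param(struct ctx *c, const char *key, len_check check)
{
    size_t len = strlen(key);
    size_t size = c->data_size;

    if (!check(size, len))
        return -1;                  /* "Cumulative options too large" */
    c->mem[size++] = ',';
    memcpy(c->mem + size, key, len);
    size += len;
    c->mem[size] = '\0';
    c->data_size = size;
    return 0;
}

struct result {
    size_t data_size;      /* where the parser thinks the string ends */
    size_t bytes_past_end; /* non-zero bytes that landed in the guard */
};

/* Drives the parser the way repeated fsconfig(FSCONFIG_SET_FLAG) calls
 * would: fill the page to exactly PAGE_SIZE - 1, then send one more option. */
static struct result simulate(len_check check)
{
    struct ctx c;
    struct result r = {0, 0};
    char key[256];

    memset(&c, 0, sizeof c);

    /* 15 options with a 255-byte key: 15 * (1 + 255) = 3840 bytes used. */
    memset(key, 'A', 255);
    key[255] = '\0';
    for (int i = 0; i < 15; i++)
        if (parse_param(&c, key, check) != 0)
            goto done;

    /* One 254-byte key lands data_size on 4095 == PAGE_SIZE - 1. */
    key[254] = '\0';
    if (parse_param(&c, key, check) != 0)
        goto done;

    /* With the vulnerable check the subtraction now wraps, so this option
     * is accepted and written past the end of the object. */
    memset(key, 'B', 255);
    key[255] = '\0';
    parse_param(&c, key, check);

done:
    r.data_size = c.data_size;
    for (size_t i = PAGE_SIZE; i < sizeof c.mem; i++)
        if (c.mem[i] != 0)
            r.bytes_past_end++;
    return r;
}

int main(void)
{
    struct result v = simulate(vuln_check_accepts);
    struct result f = simulate(fixed_check_accepts);

    printf("vulnerable check: data_size=%zu, bytes past end of object=%zu\n",
           v.data_size, v.bytes_past_end);
    printf("hardened check:   data_size=%zu, bytes past end of object=%zu\n",
           f.data_size, f.bytes_past_end);
    return 0;
}
```

Build with cc -std=c99 -Wall. The vulnerable run accepts the 17th option and reports 255 bytes past the end of the object with data_size at 4351; the hardened run stops at 4095 with nothing past the end. In the real kernel there is no guard region, and since data_size keeps growing, every later option also passes the wrapped check, which is what makes the overflow length attacker-controlled rather than a single fixed-size write.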

It's worth noting that reaching this code requires CAP_SYS_ADMIN, since fsopen() checks for it. The check is made against the caller's user namespace though, so where unprivileged user namespaces are enabled an ordinary process can unshare into a new user and mount namespace and satisfy it, which makes this a local privilege escalation on typical desktop and container host configurations. Disabling unprivileged user namespace creation (for example user.max_user_namespaces=0) closes that route on unpatched kernels.