The Async Abort Race: drop_caches × SIGKILL × fuse_abort_conn = Double Put — Part 4 & Conclusion
struct fuse_req borrows inode references without bumping i_count. A SIGKILL’d reader, an unrelated drop_caches sysctl, and a delayed daemon abort conspire to dereference freed-and-reoccupied slab memory. The result: a refcount decrement on whatever struct cred lands in the freed slot — the entire kill chain in three syscalls and one signal.