kernel is vulnerable to arbitrary code execution. A user-after-free occurs in try_merge_free_space
in fs/btrfs/free-space-cache.c
when mounting malicious btrfs filesystem image and subsequently making a syncfs system call. This could potentially lead to arbitrary code execution on the OS.