CVE-2026-22980

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> nfsd: provide locking for v4_end_grace<br /> <br /> Writing to v4_end_grace can race with server shutdown and result in<br /> memory being accessed after it was freed - reclaim_str_hashtbl in<br /> particularly.<br /> <br /> We cannot hold nfsd_mutex across the nfsd4_end_grace() call as that is<br /> held while client_tracking_op-&gt;init() is called and that can wait for<br /> an upcall to nfsdcltrack which can write to v4_end_grace, resulting in a<br /> deadlock.<br /> <br /> nfsd4_end_grace() is also called by the landromat work queue and this<br /> doesn&amp;#39;t require locking as server shutdown will stop the work and wait<br /> for it before freeing anything that nfsd4_end_grace() might access.<br /> <br /> However, we must be sure that writing to v4_end_grace doesn&amp;#39;t restart<br /> the work item after shutdown has already waited for it. For this we<br /> add a new flag protected with nn-&gt;client_lock. It is set only while it<br /> is safe to make client tracking calls, and v4_end_grace only schedules<br /> work while the flag is set with the spinlock held.<br /> <br /> So this patch adds a nfsd_net field "client_tracking_active" which is<br /> set as described. Another field "grace_end_forced", is set when<br /> v4_end_grace is written. After this is set, and providing<br /> client_tracking_active is set, the laundromat is scheduled.<br /> This "grace_end_forced" field bypasses other checks for whether the<br /> grace period has finished.<br /> <br /> This resolves a race which can result in use-after-free.