CVE-2026-31404
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
03/04/2026
Last modified:
03/04/2026
Description
In the Linux kernel, the following vulnerability has been resolved:

NFSD: Defer sub-object cleanup in export put callbacks

svc_export_put() calls path_put() and auth_domain_put() immediately
when the last reference drops, before the RCU grace period. RCU
readers in e_show() and c_show() access both ex_path (via
seq_path/d_path) and ex_client->name (via seq_escape) without
holding a reference. If cache_clean removes the entry and drops the
last reference concurrently, the sub-objects are freed while still
in use, producing a NULL pointer dereference in d_path.

Commit 2530766492ec ("nfsd: fix UAF when access ex_uuid or
ex_stats") moved kfree of ex_uuid and ex_stats into the
call_rcu callback, but left path_put() and auth_domain_put() running
before the grace period because both may sleep and call_rcu
callbacks execute in softirq context.

Replace call_rcu/kfree_rcu with queue_rcu_work(), which defers the
callback until after the RCU grace period and executes it in process
context where sleeping is permitted. This allows path_put() and
auth_domain_put() to be moved into the deferred callback alongside
the other resource releases. Apply the same fix to expkey_put(),
which has the identical pattern with ek_path and ek_client.

A dedicated workqueue scopes the shutdown drain to only NFSD
export release work items; flushing the shared
system_unbound_wq would stall on unrelated work from other
subsystems. nfsd_export_shutdown() uses rcu_barrier() followed
by flush_workqueue() to ensure all deferred release callbacks
complete before the export caches are destroyed.

Reviewed-by: Jeff Layton
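The race the commit message describes, as an added userspace model (this is illustrative code written for this page, not the NFSD patch or any kernel code): a refcounted object whose sub-object is read by lockless readers, with one put variant that releases the sub-object the moment the last reference drops and one that queues the release until the grace period has ended. The RCU grace period is modeled as "no reader currently active", and the struct and function names (export_obj, sub_obj, race_immediate, race_deferred) are hypothetical stand-ins for svc_export, ex_path and the put paths named above.

```c
#include <stdio.h>

/* Sub-object standing in for ex_path / ex_client, which the real kernel
 * releases with path_put() / auth_domain_put(). Instead of freeing it the
 * model clears `live`, so a use after release is detectable in a test. */
struct sub_obj {
    int live;
    const char *name;
};

/* Hypothetical model of struct svc_export: a refcount and one sub-object. */
struct export_obj {
    int refcount;
    struct sub_obj *path;
};

struct outcome {
    int uaf_observed;          /* reader touched an already released sub-object */
    int released_after_grace;  /* sub-object was released once the reader was gone */
};

/* Model of the RCU machinery: readers currently inside rcu_read_lock(), and
 * the queue of release work waiting for the grace period (queue_rcu_work). */
static int active_readers;
static struct export_obj *pending_work[8];
static int npending;

static void sub_put(struct sub_obj *s)
{
    s->live = 0;  /* stands in for path_put() / auth_domain_put() */
}

/* Before the fix: the (sleeping) puts run as soon as the last reference
 * drops, without waiting for RCU readers to finish. */
static void export_put_immediate(struct export_obj *e)
{
    if (--e->refcount == 0)
        sub_put(e->path);
}

/* After the fix: the last put only queues the release; it runs after the
 * grace period, in process context, where sleeping is allowed. */
static void export_put_deferred(struct export_obj *e)
{
    if (--e->refcount == 0 && npending < 8)
        pending_work[npending++] = e;
}

/* The grace period in this model ends when no reader is active; only then
 * does the queued work (the rcu_work callback) run. */
static void run_deferred_work(void)
{
    if (active_readers)
        return;
    for (int i = 0; i < npending; i++)
        sub_put(pending_work[i]->path);
    npending = 0;
}

/* Reader modeled on e_show(): it walks ex_path under rcu_read_lock() without
 * taking a reference, while cache_clean concurrently drops the last one. */
static struct outcome race(void (*put)(struct export_obj *))
{
    struct sub_obj path = { 1, "/srv/nfs" };  /* constructed sample export path */
    struct export_obj e = { 1, &path };       /* the cache holds the only reference */
    struct outcome out;

    active_readers++;                  /* rcu_read_lock() in e_show() */
    put(&e);                           /* cache_clean: last reference dropped mid-read */
    run_deferred_work();               /* grace period not over: queued work stays pending */
    out.uaf_observed = !e.path->live;  /* seq_path()/d_path() dereferences ex_path */
    active_readers--;                  /* rcu_read_unlock() */
    run_deferred_work();               /* grace period over: deferred release runs now */
    out.released_after_grace = !path.live;
    return out;
}

struct outcome race_immediate(void) { return race(export_put_immediate); }
struct outcome race_deferred(void)  { return race(export_put_deferred); }

int main(void)
{
    struct outcome a = race_immediate(), b = race_deferred();
    printf("immediate put: uaf=%d released=%d\n", a.uaf_observed, a.released_after_grace);
    printf("deferred put:  uaf=%d released=%d\n", b.uaf_observed, b.released_after_grace);
    return 0;
}
```

The immediate variant lets the reader observe a released sub-object (the use-after-free that shows up as the d_path crash); the deferred variant still releases it, just after the reader is gone. In the kernel the deferred variant is the rcu_work idiom the message refers to, INIT_RCU_WORK() on an embedded struct rcu_work followed by queue_rcu_work() on a workqueue, with the callback recovering the containing object via container_of(); the teardown order the message gives, rcu_barrier() so every pending grace period has expired and then flush_workqueue() on the dedicated queue, is what guarantees no release callback is still in flight when the caches are destroyed.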