NFSD: Defer sub-object cleanup in export put callbacks
Summary
| CVE | CVE-2026-31404 |
|---|---|
| State | PUBLISHED |
| Assigner | Linux |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-04-03 16:16:39 UTC |
| Updated | 2026-04-07 13:20:55 UTC |
| Description | In the Linux kernel, the following vulnerability has been resolved: NFSD: Defer sub-object cleanup in export put callbacks svc_export_put() calls path_put() and auth_domain_put() immediately when the last reference drops, before the RCU grace period. RCU readers in e_show() and c_show() access both ex_path (via seq_path/d_path) and ex_client->name (via seq_escape) without holding a reference. If cache_clean removes the entry and drops the last reference concurrently, the sub-objects are freed while still in use, producing a NULL pointer dereference in d_path. Commit 2530766492ec ("nfsd: fix UAF when access ex_uuid or ex_stats") moved kfree of ex_uuid and ex_stats into the call_rcu callback, but left path_put() and auth_domain_put() running before the grace period because both may sleep and call_rcu callbacks execute in softirq context. Replace call_rcu/kfree_rcu with queue_rcu_work(), which defers the callback until after the RCU grace period and executes it in process context where sleeping is permitted. This allows path_put() and auth_domain_put() to be moved into the deferred callback alongside the other resource releases. Apply the same fix to expkey_put(), which has the identical pattern with ek_path and ek_client. A dedicated workqueue scopes the shutdown drain to only NFSD export release work items; flushing the shared system_unbound_wq would stall on unrelated work from other subsystems. nfsd_export_shutdown() uses rcu_barrier() followed by flush_workqueue() to ensure all deferred release callbacks complete before the export caches are destroyed. Reviwed-by: Jeff Layton <[email protected]> |
Risk And Classification
EPSS: 0.000170000 probability, percentile 0.039750000 (date 2026-04-07)
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Linux | Linux | affected c224edca7af028828e2ad866b61d731b5e72b46d 2829e80d29b627886d12b5ea40856d56b516e67d git | Not specified |
| CNA | Linux | Linux | affected c224edca7af028828e2ad866b61d731b5e72b46d f5ab1bec5fa18731e0b1b1e60c9a68667ac73ea2 git | Not specified |
| CNA | Linux | Linux | affected c224edca7af028828e2ad866b61d731b5e72b46d 48db892356d6cb80f6942885545de4a6dd8d2a29 git | Not specified |
| CNA | Linux | Linux | affected 6.14 | Not specified |
| CNA | Linux | Linux | unaffected 6.14 semver | Not specified |
| CNA | Linux | Linux | unaffected 6.18.20 6.18.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.19.10 6.19.* semver | Not specified |
| CNA | Linux | Linux | unaffected 7.0-rc5 * original_commit_for_fix | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| git.kernel.org/stable/c/f5ab1bec5fa18731e0b1b1e60c9a68667ac73ea2 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/2829e80d29b627886d12b5ea40856d56b516e67d | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/48db892356d6cb80f6942885545de4a6dd8d2a29 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.