CVE-2026-31400

In the Linux kernel, the following vulnerability has been resolved:

sunrpc: fix cache request leak in cache release

When a reader's file descriptor is closed while in the middle of reading a cache request (rp->offset != 0), cache release() decrements the request's readers count but never checks whether it should free the request.

In cache read(), when readers drops to 0 and CACHE PENDING is clear, the cache request is removed from the queue and freed along with its buffer and cache head reference. cache release() lacks this cleanup.

The only other path that frees requests with readers == 0 is cache dequeue(), but it runs only when CACHE PENDING transitions from set to clear. If that transition already happened while readers was still non-zero, cache dequeue() will have skipped the request, and no subsequent call will clean it up.

Add the same cleanup logic from cache read() to cache release(): after decrementing readers, check if it reached 0 with CACHE PENDING clear, and if so, dequeue and free the cache request.