PT-2026-30187 · Linux · Linux

Published 2026-04-03 · Updated 2026-04-03 · CVE-2026-31404

Severity: None

No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
In the Linux kernel, the following vulnerability has been resolved:
NFSD: Defer sub-object cleanup in export put callbacks
svc_export_put() calls path_put() and auth_domain_put() immediately when the last reference drops, before the RCU grace period. RCU readers in e_show() and c_show() access both ex_path (via seq_path/d_path) and ex_client->name (via seq_escape) without holding a reference. If cache_clean removes the entry and drops the last reference concurrently, the sub-objects are freed while still in use, producing a NULL pointer dereference in d_path.
Commit 2530766492ec ("nfsd: fix UAF when access ex_uuid or ex_stats") moved kfree of ex_uuid and ex_stats into the call_rcu callback, but left path_put() and auth_domain_put() running before the grace period because both may sleep and call_rcu callbacks execute in softirq context.
Replace call_rcu/kfree_rcu with queue_rcu_work(), which defers the callback until after the RCU grace period and executes it in process context where sleeping is permitted. This allows path_put() and auth_domain_put() to be moved into the deferred callback alongside the other resource releases. Apply the same fix to expkey_put(), which has the identical pattern with ek_path and ek_client.
A dedicated workqueue scopes the shutdown drain to only NFSD export release work items; flushing the shared system_unbound_wq would stall on unrelated work from other subsystems. nfsd_export_shutdown() uses rcu_barrier() followed by flush_workqueue() to ensure all deferred release callbacks complete before the export caches are destroyed.
Reviewed-by: Jeff Layton <jlayton@kernel.org>
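As an added illustration (not the kernel patch or any NFSD code), the userspace C model below reproduces the ordering problem the commit message describes: a reader dereferences ex_path inside an RCU read-side section without holding a reference while cache_clean drops the last reference, and the fix is to run the sub-object release only after the grace period. The names race(), grace_period_end(), readers_active and the freed flag are assumptions of the model; the kernel uses real RCU and queue_rcu_work().

```c
/* Userspace model (added example): refcounted export with a sub-object that
 * RCU-style readers dereference without a reference of their own. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

struct path_obj { bool freed; char name[32]; };
struct export_obj {
    int refcount;
    struct path_obj *ex_path;  /* sub-object read by e_show() without a reference */
    bool release_deferred;     /* true = queue_rcu_work() style, false = immediate path_put() */
};

static int readers_active;                 /* models rcu_read_lock() nesting depth */
static struct export_obj *pending_release; /* models the queued rcu_work item */

/* Models path_put(): the sub-object becomes invalid for anyone still using it. */
static void release_sub_objects(struct export_obj *e) { e->ex_path->freed = true; }

/* Models svc_export_put(): last reference dropped by cache_clean. */
static void export_put(struct export_obj *e) {
    if (--e->refcount != 0) return;
    if (e->release_deferred) pending_release = e;  /* fixed: release after the grace period */
    else release_sub_objects(e);                   /* old: release before readers are gone */
}

/* Models the end of a grace period: deferred work runs only once no reader is active. */
static void grace_period_end(void) {
    if (readers_active == 0 && pending_release) {
        release_sub_objects(pending_release);
        pending_release = NULL;
    }
}

/* Models e_show(): reads ex_path under the read-side section; false if it saw freed memory. */
static bool e_show(const struct export_obj *e, char *out, size_t len) {
    if (e->ex_path->freed) return false;
    snprintf(out, len, "%s", e->ex_path->name);
    return true;
}

/* The interleaving from the advisory. Returns true only if the reader saw a valid
 * path AND the sub-object was still released once the grace period ended. */
bool race(bool deferred) {
    struct path_obj p = { false, "/export/home" };  /* constructed sample path */
    struct export_obj e = { 1, &p, deferred };
    char buf[32];
    readers_active++;                 /* rcu_read_lock() in e_show */
    export_put(&e);                   /* concurrent cache_clean drops the last ref */
    bool ok = e_show(&e, buf, sizeof buf);
    readers_active--;                 /* rcu_read_unlock() */
    grace_period_end();
    return ok && p.freed;
}
```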

Related Identifiers: CVE-2026-31404

Affected Products: Linux