CVE-2026-31481

Severity CVSS v4.0:
Pending analysis
Type:
CWE-476 NULL Pointer Dereference
Publication date:
22/04/2026
Last modified:
28/04/2026

Description

In the Linux kernel, the following vulnerability has been resolved:

tracing: Drain deferred trigger frees if kthread creation fails

Boot-time trigger registration can fail before the trigger-data cleanup kthread exists. Deferring those frees until late init is fine, but the post-boot fallback must still drain the deferred list if kthread creation never succeeds.

Otherwise, boot-deferred nodes can accumulate on trigger_data_free_list, later frees fall back to synchronously freeing only the current object, and the older queued entries are leaked forever.

To trigger this, add the following to the kernel command line:

    trace_event=sched_switch trace_trigger=sched_switch.traceon,sched_switch.traceon

The second traceon trigger will fail and be freed. This triggers a NULL pointer dereference and crashes the kernel.

Keep the deferred boot-time behavior, but when kthread creation fails, drain the whole queued list synchronously. Do the same in the late-init drain path so queued entries are not stranded there either.
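The leak described above, and the effect of draining the queue when kthread creation fails, as a user-space C model added here; it is not the kernel's code or the upstream patch. Apart from `trigger_data_free_list`, which the description names, every identifier is hypothetical, and the model covers only the list accounting, not the NULL pointer dereference.

```c
#include <stdbool.h>
#include <stdlib.h>
/* User-space model. Only trigger_data_free_list is a name from the advisory;
 * all other identifiers are hypothetical. */
struct node { struct node *next; };
static struct node *trigger_data_free_list; /* frees deferred at boot */
static int live_objects;                    /* allocated and not yet freed */

static struct node *alloc_node(void) {
    struct node *n = calloc(1, sizeof(*n));
    if (n) live_objects++;
    return n;
}
static void free_node(struct node *n) { free(n); live_objects--; }

/* Boot-time path: no cleanup kthread yet, so the free is queued. */
static void defer_free(struct node *n) {
    n->next = trigger_data_free_list;
    trigger_data_free_list = n;
}

static void drain_list(void) {
    while (trigger_data_free_list) {
        struct node *n = trigger_data_free_list;
        trigger_data_free_list = n->next;
        free_node(n);
    }
}

/* Post-boot free after kthread creation failed. drain=false frees only the
 * current object (the leak described); drain=true also drains the queue. */
static void post_boot_free(struct node *n, bool drain) {
    if (drain) drain_list();
    free_node(n);
}

/* Queue `deferred` boot-time frees, do one post-boot free, return leak count. */
int run_scenario(int deferred, bool drain) {
    trigger_data_free_list = NULL; live_objects = 0;
    for (int i = 0; i < deferred; i++) {
        struct node *n = alloc_node();
        if (!n) { drain_list(); return -1; }
        defer_free(n);
    }
    struct node *cur = alloc_node();
    if (!cur) { drain_list(); return -1; }
    post_boot_free(cur, drain);
    int leaked = live_objects;
    drain_list(); /* release the model's own memory */
    return leaked;
}
```

`run_scenario(3, false)` reports three stranded objects; with `drain` set to true the same sequence reports none.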

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.19.1 (including) 6.19.11 (excluding)
cpe:2.3:o:linux:linux_kernel:6.19:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*