CVE-2026-46106

Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 28/05/2026
Last modified: 28/05/2026

Description

In the Linux kernel, the following vulnerability has been resolved:

eventfs: Hold eventfs_mutex and SRCU when remount walks events

Commit 340f0c7067a9 ("eventfs: Update all the eventfs_inodes from the events descriptor") had eventfs_set_attrs() recurse through ei->children on remount. The walk only holds the rcu_read_lock() taken by tracefs_apply_options() over tracefs_inodes, which is wrong:

- list_for_each_entry over ei->children races with the list_del_rcu() in eventfs_remove_rec() -- LIST_POISON1 deref, same shape as d2603279c7d6.
- eventfs_inodes are freed via call_srcu(&eventfs_srcu, ...). rcu_read_lock() does not extend an SRCU grace period, so ti->private can be reclaimed under the walk.
- The writes to ei->attr race with eventfs_set_attr(), which holds eventfs_mutex.

Reproducer:

    while :; do mount -o remount,uid=$((RANDOM%1000)) /sys/kernel/tracing; done &
    while :; do
        echo "p:kp submit_bio" > /sys/kernel/tracing/kprobe_events
        echo > /sys/kernel/tracing/kprobe_events
    done

Wrap the events portion of tracefs_apply_options() in eventfs_remount_lock()/_unlock() that take eventfs_mutex and srcu_read_lock(&eventfs_srcu). eventfs_set_attrs() doesn't sleep so the nested rcu_read_lock() is fine; lockdep_assert_held() pins the contract.

Comment in tracefs_drop_inode() said "RCU cycle" -- it is SRCU.
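
The second point in the description (a reader in one grace-period domain does not delay reclaim in another) can be seen in a small model. This is an added example, not kernel code and not part of the advisory: a single-threaded userspace simulation in which every name (struct domain, model_ei, walk_races_with_remove) is hypothetical, and which does not model the list race or the eventfs_mutex part of the fix.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Toy model (hypothetical names): a grace-period domain sees only its own readers. */
struct domain {
    int readers;              /* active read-side critical sections */
    void (*pending)(void *);  /* one deferred callback is enough here */
    void *arg;
};
struct model_ei { bool freed; };  /* stands in for an eventfs_inode */

static void read_lock(struct domain *d)   { d->readers++; }
static void read_unlock(struct domain *d) { d->readers--; }
static void reclaim(void *p) { ((struct model_ei *)p)->freed = true; }

/* Like call_srcu(): defer cb until this domain's readers have drained. */
static void call_deferred(struct domain *d, void (*cb)(void *), void *arg)
{
    d->pending = cb;
    d->arg = arg;
}

/* Try to end a grace period; only readers of *this* domain delay it. */
static bool grace_period(struct domain *d)
{
    if (d->readers > 0 || !d->pending)
        return false;
    d->pending(d->arg);
    d->pending = NULL;
    return true;
}

/* Returns true if the object was reclaimed while the walker was still inside. */
static bool walk_races_with_remove(bool hold_srcu)
{
    struct domain rcu = {0}, srcu = {0};
    struct model_ei ei = { false };
    struct domain *held = hold_srcu ? &srcu : &rcu;

    read_lock(held);                      /* remount walk enters */
    call_deferred(&srcu, reclaim, &ei);   /* removal queues the free on SRCU */
    grace_period(&srcu);                  /* SRCU grace period tries to end */
    bool freed_under_walk = ei.freed;     /* the walk would touch ei here */
    read_unlock(held);                    /* walk leaves */
    grace_period(&srcu);                  /* reclaim is safe from here on */
    return freed_under_walk;
}
int main(void) { printf("rcu only: %d, srcu held: %d\n", walk_races_with_remove(false), walk_races_with_remove(true)); return 0; }
```

With only the RCU-domain reader held, the model reclaims the object mid-walk; holding the SRCU-domain reader defers the reclaim until the walk has left.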

Impact