CVE-2026-46196

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> tracepoint: balance regfunc() on func_add() failure in tracepoint_add_func()<br /> <br /> When a tracepoint goes through the 0 -&gt; 1 transition, tracepoint_add_func()<br /> invokes the subsystem&amp;#39;s ext-&gt;regfunc() before attempting to install the<br /> new probe via func_add(). If func_add() then fails (for example, when<br /> allocate_probes() cannot allocate a new probe array under memory pressure<br /> and returns -ENOMEM), the function returns the error without calling the<br /> matching ext-&gt;unregfunc(), leaving the side effects of regfunc() behind<br /> with no installed probe to justify them.<br /> <br /> For syscall tracepoints this is particularly unpleasant: syscall_regfunc()<br /> bumps sys_tracepoint_refcount and sets SYSCALL_TRACEPOINT on every task.<br /> After a leaked failure, the refcount is stuck at a non-zero value with no<br /> consumer, and every task continues paying the syscall trace entry/exit<br /> overhead until reboot. Other subsystems providing regfunc()/unregfunc()<br /> pairs exhibit similarly scoped persistent state.<br /> <br /> Mirror the existing 1 -&gt; 0 cleanup and call ext-&gt;unregfunc() in the<br /> func_add() error path, gated on the same condition used there so the<br /> unwind is symmetric with the registration.