CVE-2026-31541

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> tracing: Fix trace_marker copy link list updates<br /> <br /> When the "copy_trace_marker" option is enabled for an instance, anything<br /> written into /sys/kernel/tracing/trace_marker is also copied into that<br /> instances buffer. When the option is set, that instance&amp;#39;s trace_array<br /> descriptor is added to the marker_copies link list. This list is protected<br /> by RCU, as all iterations uses an RCU protected list traversal.<br /> <br /> When the instance is deleted, all the flags that were enabled are cleared.<br /> This also clears the copy_trace_marker flag and removes the trace_array<br /> descriptor from the list.<br /> <br /> The issue is after the flags are called, a direct call to<br /> update_marker_trace() is performed to clear the flag. This function<br /> returns true if the state of the flag changed and false otherwise. If it<br /> returns true here, synchronize_rcu() is called to make sure all readers<br /> see that its removed from the list.<br /> <br /> But since the flag was already cleared, the state does not change and the<br /> synchronization is never called, leaving a possible UAF bug.<br /> <br /> Move the clearing of all flags below the updating of the copy_trace_marker<br /> option which then makes sure the synchronization is performed.<br /> <br /> Also use the flag for checking the state in update_marker_trace() instead<br /> of looking at if the list is empty.