eventfs: Hold eventfs_mutex and SRCU when remount walks events

Summary

CVE	CVE-2026-46106
State	PUBLISHED
Assigner	Linux
Source Priority	CVE Program / NVD first with legacy fallback
Published	2026-05-28 10:16:25 UTC
Updated	2026-05-28 13:44:01 UTC
Description	In the Linux kernel, the following vulnerability has been resolved: eventfs: Hold eventfs_mutex and SRCU when remount walks events Commit 340f0c7067a9 ("eventfs: Update all the eventfs_inodes from the events descriptor") had eventfs_set_attrs() recurse through ei->children on remount. The walk only holds the rcu_read_lock() taken by tracefs_apply_options() over tracefs_inodes, which is wrong: - list_for_each_entry over ei->children races with the list_del_rcu() in eventfs_remove_rec() -- LIST_POISON1 deref, same shape as d2603279c7d6. - eventfs_inodes are freed via call_srcu(&eventfs_srcu, ...). rcu_read_lock() does not extend an SRCU grace period, so ti->private can be reclaimed under the walk. - The writes to ei->attr race with eventfs_set_attr(), which holds eventfs_mutex. Reproducer: while :; do mount -o remount,uid=$((RANDOM%1000)) /sys/kernel/tracing; done & while :; do echo "p:kp submit_bio" > /sys/kernel/tracing/kprobe_events echo > /sys/kernel/tracing/kprobe_events done Wrap the events portion of tracefs_apply_options() in eventfs_remount_lock()/_unlock() that take eventfs_mutex and srcu_read_lock(&eventfs_srcu). eventfs_set_attrs() doesn't sleep so the nested rcu_read_lock() is fine; lockdep_assert_held() pins the contract. Comment in tracefs_drop_inode() said "RCU cycle" -- it is SRCU.

Risk And Classification

EPSS: 0.000180000 probability, percentile 0.050770000 (date 2026-06-01)

Vendor Declared Affected Products

Source	Vendor	Product	Version	Platforms
CNA	Linux	Linux	affected 7ec535ed8724d18ae4e714d2277a5b89450659d2 ae9cd0b46b1890040006a2fc5e905c5d6053fd02 git	Not specified
CNA	Linux	Linux	affected 340f0c7067a95281ad13734f8225f49c6cf52067 44e64d8a432837308f4dda3ffe819f1ec092a0ba git	Not specified
CNA	Linux	Linux	affected 340f0c7067a95281ad13734f8225f49c6cf52067 52b109f1b875b912d4ab2c5fdd8c322d47119d9b git	Not specified
CNA	Linux	Linux	affected 340f0c7067a95281ad13734f8225f49c6cf52067 ed2ad73bcb0a7a6cc934097d4853b6d5124c317e git	Not specified
CNA	Linux	Linux	affected 340f0c7067a95281ad13734f8225f49c6cf52067 07004a8c4b572171934390148ee48c4175c77eed git	Not specified
CNA	Linux	Linux	affected 99b86d85f7c73d676c50e8c35748f94dd41389da git	Not specified
CNA	Linux	Linux	affected 6.6.35 6.6.140 semver	Not specified
CNA	Linux	Linux	affected 6.9.6 6.10 semver	Not specified
CNA	Linux	Linux	affected 6.10	Not specified
CNA	Linux	Linux	unaffected 6.10 semver	Not specified
CNA	Linux	Linux	unaffected 6.6.140 6.6.* semver	Not specified
CNA	Linux	Linux	unaffected 6.12.88 6.12.* semver	Not specified
CNA	Linux	Linux	unaffected 6.18.30 6.18.* semver	Not specified
CNA	Linux	Linux	unaffected 7.0.7 7.0.* semver	Not specified
CNA	Linux	Linux	unaffected 7.1-rc1 * original_commit_for_fix	Not specified

References

Reference	Source	Link	Tags
git.kernel.org/stable/c/07004a8c4b572171934390148ee48c4175c77eed	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/ae9cd0b46b1890040006a2fc5e905c5d6053fd02	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/52b109f1b875b912d4ab2c5fdd8c322d47119d9b	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/44e64d8a432837308f4dda3ffe819f1ec092a0ba	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/ed2ad73bcb0a7a6cc934097d4853b6d5124c317e	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

There are currently no legacy QID mappings associated with this CVE.