CVE-2026-46196

In the Linux kernel, the following vulnerability has been resolved:

tracepoint: balance regfunc() on func add() failure in tracepoint add func()

When a tracepoint goes through the 0 -> 1 transition, tracepoint add func() invokes the subsystem's ext->regfunc() before attempting to install the new probe via func add(). If func add() then fails (for example, when allocate probes() cannot allocate a new probe array under memory pressure and returns -ENOMEM), the function returns the error without calling the matching ext->unregfunc(), leaving the side effects of regfunc() behind with no installed probe to justify them.

For syscall tracepoints this is particularly unpleasant: syscall regfunc() bumps sys tracepoint refcount and sets SYSCALL TRACEPOINT on every task. After a leaked failure, the refcount is stuck at a non-zero value with no consumer, and every task continues paying the syscall trace entry/exit overhead until reboot. Other subsystems providing regfunc()/unregfunc() pairs exhibit similarly scoped persistent state.

Mirror the existing 1 -> 0 cleanup and call ext->unregfunc() in the func add() error path, gated on the same condition used there so the unwind is symmetric with the registration.