Add fix for CVE-2026-46316 (KVM arm64 vgic-its UAF) ahead of RHEL

SOURCES/1312-kvm-arm64-vgic-its-drop-translation-cache-ref-only-for-eras.patch

@@ -0,0 +1,51 @@
+From 13031fb6b8357fbbcded2a7f4cba73e4781ee594 Mon Sep 17 00:00:00 2001
+From: Hyunwoo Kim <imv4bel@gmail.com>
+Date: Mon, 1 Jun 2026 23:53:26 +0900
+Subject: [PATCH] KVM: arm64: vgic-its: Drop the translation cache reference
+ only for the erased entry
+
+vgic_its_invalidate_cache() walks the per-ITS translation cache with
+xa_for_each() and drops the cache's reference on each entry with
+vgic_put_irq(). It puts the iterated pointer, though, rather than the
+value returned by xa_erase().
+
+The function is called from contexts that do not exclude one another: the
+ITS command handlers hold its_lock, the GITS_CTLR write path holds
+cmd_lock, and the path that clears EnableLPIs in a redistributor's
+GICR_CTLR holds neither. Two or more of them can drain the same cache
+concurrently, and if each one observes the same entry, erases it and then
+puts it, the single reference the cache holds on that entry is dropped
+more than once. The entry can then be freed while an ITE still maps it.
+
+xa_erase() is atomic and returns the previous entry, so put only the entry
+that this context actually removed. The cache reference is then dropped
+exactly once per entry even when the invalidations run concurrently, and
+the behavior is unchanged when only one context runs.
+
+Fixes: 8201d1028caa ("KVM: arm64: vgic-its: Maintain a translation cache per ITS")
+Signed-off-by: Hyunwoo Kim <imv4bel@gmail.com>
+Reviewed-by: Oliver Upton <oupton@kernel.org>
+Link: https://patch.msgid.link/ah2c5lu4JbUg7dj-@v4bel
+Signed-off-by: Marc Zyngier <maz@kernel.org>
+Cc: stable@vger.kernel.org
+
+diff --git a/arch/arm64/kvm/vgic/vgic-its.c b/arch/arm64/kvm/vgic/vgic-its.c
+index 1d7e5d560af4..1e3706ac3b8e 100644
+--- a/arch/arm64/kvm/vgic/vgic-its.c
++++ b/arch/arm64/kvm/vgic/vgic-its.c
+@@ -597,8 +597,10 @@ static void vgic_its_invalidate_cache(struct vgic_its *its)
+ 	unsigned long idx;
+ 
+ 	xa_for_each(&its->translation_cache, idx, irq) {
+-		xa_erase(&its->translation_cache, idx);
+-		vgic_put_irq(kvm, irq);
++		/* Only the context that erases the entry drops its cache ref. */
++		irq = xa_erase(&its->translation_cache, idx);
++		if (irq)
++			vgic_put_irq(kvm, irq);
+ 	}
+ }
+ 
+-- 
+2.50.1 (Apple Git-155)
+

SPECS/kernel.spec

@@ -1189,6 +1189,7 @@ Patch1308: 1308-nvmet-tcp-fix-race-between-icreq-handling-and-queue-teardown.pat
 Patch1309: 1309-scsi-qla2xxx-completely-fix-fcport-double-free.patch
 Patch1310: 1310-rbd-eliminate-a-race-in-lock-dwork-draining-on-unmap.patch
 Patch1311: 1311-net-sched-fix-pedit-partial-cow-leading-to-page-cache-corrup.patch
+Patch1312: 1312-kvm-arm64-vgic-its-drop-translation-cache-ref-only-for-eras.patch
 # END OF PATCH DEFINITIONS
 
 %description
@@ -2145,6 +2146,7 @@ ApplyPatch 1308-nvmet-tcp-fix-race-between-icreq-handling-and-queue-teardown.pat
 ApplyPatch 1309-scsi-qla2xxx-completely-fix-fcport-double-free.patch
 ApplyPatch 1310-rbd-eliminate-a-race-in-lock-dwork-draining-on-unmap.patch
 ApplyPatch 1311-net-sched-fix-pedit-partial-cow-leading-to-page-cache-corrup.patch
+ApplyPatch 1312-kvm-arm64-vgic-its-drop-translation-cache-ref-only-for-eras.patch
 # END OF PATCH APPLICATIONS
 
 # Any further pre-build tree manipulations happen here.
@@ -4219,6 +4221,9 @@ fi
 #
 #
 %changelog
+* Tue Jun 23 2026 Andrew Lukoshko <alukoshko@almalinux.org> - 5.14.0-687.17.1
+- Add fix for CVE-2026-46316 (KVM arm64 vgic-its translation-cache use-after-free) ahead of RHEL (1312)
+
 * Mon Jun 22 2026 Andrew Lukoshko <alukoshko@almalinux.org> - 5.14.0-687.17.1
 - Recreate RHEL 5.14.0-687.17.1 from CentOS Stream 9 and upstream stable backports (1285-1311)
 - RHEL changelog for 687.16.1..687.17.1 follows: