diff --git a/SOURCES/1312-kvm-arm64-vgic-its-drop-translation-cache-ref-only-for-eras.patch b/SOURCES/1312-kvm-arm64-vgic-its-drop-translation-cache-ref-only-for-eras.patch
new file mode 100644
index 000000000..84bd1aab5
--- /dev/null
+++ b/SOURCES/1312-kvm-arm64-vgic-its-drop-translation-cache-ref-only-for-eras.patch
@@ -0,0 +1,51 @@
+From 13031fb6b8357fbbcded2a7f4cba73e4781ee594 Mon Sep 17 00:00:00 2001
+From: Hyunwoo Kim
+Date: Mon, 1 Jun 2026 23:53:26 +0900
+Subject: [PATCH] KVM: arm64: vgic-its: Drop the translation cache reference
+ only for the erased entry
+
+vgic_its_invalidate_cache() walks the per-ITS translation cache with
+xa_for_each() and drops the cache's reference on each entry with
+vgic_put_irq(). It puts the iterated pointer, though, rather than the
+value returned by xa_erase().
+
+The function is called from contexts that do not exclude one another: the
+ITS command handlers hold its_lock, the GITS_CTLR write path holds
+cmd_lock, and the path that clears EnableLPIs in a redistributor's
+GICR_CTLR holds neither. Two or more of them can drain the same cache
+concurrently, and if each one observes the same entry, erases it and then
+puts it, the single reference the cache holds on that entry is dropped
+more than once. The entry can then be freed while an ITE still maps it.
+
+xa_erase() is atomic and returns the previous entry, so put only the entry
+that this context actually removed. The cache reference is then dropped
+exactly once per entry even when the invalidations run concurrently, and
+the behavior is unchanged when only one context runs.
+
+Fixes: 8201d1028caa ("KVM: arm64: vgic-its: Maintain a translation cache per ITS")
+Signed-off-by: Hyunwoo Kim
+Reviewed-by: Oliver Upton
+Link: https://patch.msgid.link/ah2c5lu4JbUg7dj-@v4bel
+Signed-off-by: Marc Zyngier
+Cc: stable@vger.kernel.org
+
+diff --git a/arch/arm64/kvm/vgic/vgic-its.c b/arch/arm64/kvm/vgic/vgic-its.c
+index 1d7e5d560af4..1e3706ac3b8e 100644
+--- a/arch/arm64/kvm/vgic/vgic-its.c
++++ b/arch/arm64/kvm/vgic/vgic-its.c
+@@ -597,8 +597,10 @@ static void vgic_its_invalidate_cache(struct vgic_its *its)
+ unsigned long idx;
+
+ xa_for_each(&its->translation_cache, idx, irq) {
+- xa_erase(&its->translation_cache, idx);
+- vgic_put_irq(kvm, irq);
++ /* Only the context that erases the entry drops its cache ref. */
++ irq = xa_erase(&its->translation_cache, idx);
++ if (irq)
++ vgic_put_irq(kvm, irq);
+ }
+ }
+
+--
+2.50.1 (Apple Git-155)
+
diff --git a/SPECS/kernel.spec b/SPECS/kernel.spec
index ef3e48315..572657858 100644
--- a/SPECS/kernel.spec
+++ b/SPECS/kernel.spec
@@ -1189,6 +1189,7 @@ Patch1308: 1308-nvmet-tcp-fix-race-between-icreq-handling-and-queue-teardown.pat
 Patch1309: 1309-scsi-qla2xxx-completely-fix-fcport-double-free.patch
 Patch1310: 1310-rbd-eliminate-a-race-in-lock-dwork-draining-on-unmap.patch
 Patch1311: 1311-net-sched-fix-pedit-partial-cow-leading-to-page-cache-corrup.patch
+Patch1312: 1312-kvm-arm64-vgic-its-drop-translation-cache-ref-only-for-eras.patch
 # END OF PATCH DEFINITIONS
 
 %description
@@ -2145,6 +2146,7 @@ ApplyPatch 1308-nvmet-tcp-fix-race-between-icreq-handling-and-queue-teardown.pat
 ApplyPatch 1309-scsi-qla2xxx-completely-fix-fcport-double-free.patch
 ApplyPatch 1310-rbd-eliminate-a-race-in-lock-dwork-draining-on-unmap.patch
 ApplyPatch 1311-net-sched-fix-pedit-partial-cow-leading-to-page-cache-corrup.patch
+ApplyPatch 1312-kvm-arm64-vgic-its-drop-translation-cache-ref-only-for-eras.patch
 # END OF PATCH APPLICATIONS
 
 # Any further pre-build tree manipulations happen here.
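Review bot: The `if (irq)` guard added inside the xa_for_each() loop of vgic_its_invalidate_cache() will read as dead code to a later maintainer, since xa_for_each() never yields a NULL entry, and the one-line comment above it does not say why xa_erase() can return NULL here; I would make that explicit, e.g. `/* A concurrent invalidation may already have erased this entry; only the context whose xa_erase() returns it owns the cache ref, so NULL means it was put elsewhere. */`. The fix itself looks right: xa_erase() returning the previous value is the atomic hand-off the description relies on, and single-context behaviour is unchanged. One backport caveat: this is applied ahead of RHEL to a 5.14-based tree, so it only closes the double-put if that tree already carries the per-ITS translation cache from 8201d1028caa (the Fixes: target) and the lock-free GICR_CTLR path the description cites; the `@@ -597,8 +597,10 @@` context suggests it does, but it is worth confirming the patch applies without fuzz rather than onto an older global-cache variant of this function.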
@@ -4219,6 +4221,9 @@ fi
 #
 #
 %changelog
+* Tue Jun 23 2026 Andrew Lukoshko - 5.14.0-687.17.1
+- Add fix for CVE-2026-46316 (KVM arm64 vgic-its translation-cache use-after-free) ahead of RHEL (1312)
+
+* Mon Jun 22 2026 Andrew Lukoshko - 5.14.0-687.17.1
+- Recreate RHEL 5.14.0-687.17.1 from CentOS Stream 9 and upstream stable backports (1285-1311)
+- RHEL changelog for 687.16.1..687.17.1 follows: