Add fix for CVE-2026-46316 (KVM arm64 vgic-its UAF) ahead of RHEL

1374-kvm-arm64-vgic-its-drop-translation-cache-ref-only-for-eras.patch

@@ -0,0 +1,54 @@
+From b7b72e88046328c9fdc638fe887d4240257dd5dc Mon Sep 17 00:00:00 2001
+From: Hyunwoo Kim <imv4bel@gmail.com>
+Date: Mon, 1 Jun 2026 23:53:26 +0900
+Subject: [PATCH] KVM: arm64: vgic-its: Drop the translation cache reference
+ only for the erased entry
+
+commit 13031fb6b8357fbbcded2a7f4cba73e4781ee594 upstream.
+
+vgic_its_invalidate_cache() walks the per-ITS translation cache with
+xa_for_each() and drops the cache's reference on each entry with
+vgic_put_irq(). It puts the iterated pointer, though, rather than the
+value returned by xa_erase().
+
+The function is called from contexts that do not exclude one another: the
+ITS command handlers hold its_lock, the GITS_CTLR write path holds
+cmd_lock, and the path that clears EnableLPIs in a redistributor's
+GICR_CTLR holds neither. Two or more of them can drain the same cache
+concurrently, and if each one observes the same entry, erases it and then
+puts it, the single reference the cache holds on that entry is dropped
+more than once. The entry can then be freed while an ITE still maps it.
+
+xa_erase() is atomic and returns the previous entry, so put only the entry
+that this context actually removed. The cache reference is then dropped
+exactly once per entry even when the invalidations run concurrently, and
+the behavior is unchanged when only one context runs.
+
+Fixes: 8201d1028caa ("KVM: arm64: vgic-its: Maintain a translation cache per ITS")
+Signed-off-by: Hyunwoo Kim <imv4bel@gmail.com>
+Reviewed-by: Oliver Upton <oupton@kernel.org>
+Link: https://patch.msgid.link/ah2c5lu4JbUg7dj-@v4bel
+Signed-off-by: Marc Zyngier <maz@kernel.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+diff --git a/arch/arm64/kvm/vgic/vgic-its.c b/arch/arm64/kvm/vgic/vgic-its.c
+index 5f6583b9abe3..dcd6b23ad2e1 100644
+--- a/arch/arm64/kvm/vgic/vgic-its.c
++++ b/arch/arm64/kvm/vgic/vgic-its.c
+@@ -590,8 +590,10 @@ static void vgic_its_invalidate_cache(struct vgic_its *its)
+ 	unsigned long idx;
+ 
+ 	xa_for_each(&its->translation_cache, idx, irq) {
+-		xa_erase(&its->translation_cache, idx);
+-		vgic_put_irq(kvm, irq);
++		/* Only the context that erases the entry drops its cache ref. */
++		irq = xa_erase(&its->translation_cache, idx);
++		if (irq)
++			vgic_put_irq(kvm, irq);
+ 	}
+ }
+ 
+-- 
+2.50.1 (Apple Git-155)
+

kernel.spec

@@ -1408,6 +1408,7 @@ Patch1370: 1370-net-mana-fix-use-after-free-in-add-adev-error-path.patch
 Patch1371: 1371-crypto-caam-fix-overflow-on-long-hmac-keys.patch
 Patch1372: 1372-exit-prevent-preemption-of-oopsing-task-dead-task.patch
 Patch1373: 1373-net-sched-fix-pedit-partial-cow-leading-to-page-cache-corrup.patch
+Patch1374: 1374-kvm-arm64-vgic-its-drop-translation-cache-ref-only-for-eras.patch
 # END OF PATCH DEFINITIONS
 
 %description
@@ -2538,6 +2539,7 @@ ApplyPatch 1370-net-mana-fix-use-after-free-in-add-adev-error-path.patch
 ApplyPatch 1371-crypto-caam-fix-overflow-on-long-hmac-keys.patch
 ApplyPatch 1372-exit-prevent-preemption-of-oopsing-task-dead-task.patch
 ApplyPatch 1373-net-sched-fix-pedit-partial-cow-leading-to-page-cache-corrup.patch
+ApplyPatch 1374-kvm-arm64-vgic-its-drop-translation-cache-ref-only-for-eras.patch
 # END OF PATCH APPLICATIONS
 
 # Any further pre-build tree manipulations happen here.
@@ -5042,6 +5044,9 @@ fi\
 #
 #
 %changelog
+* Tue Jun 23 2026 Andrew Lukoshko <alukoshko@almalinux.org> - 6.12.0-211.26.1
+- Add fix for CVE-2026-46316 (KVM arm64 vgic-its translation-cache use-after-free) ahead of RHEL (1374)
+
 * Mon Jun 22 2026 Andrew Lukoshko <alukoshko@almalinux.org> - 6.12.0-211.26.1
 - Recreate RHEL 6.12.0-211.26.1 from CentOS Stream 10 and upstream stable backports (1352-1373)
 - Enable watchdog pretimeout panic functionality for x86 via kernel config (RHEL-182299)