From cf80f214d32f6c2af0659fdc7b14f992417e6c30 Mon Sep 17 00:00:00 2001
From: Andrew Lukoshko
Date: Tue, 23 Jun 2026 13:31:43 +0000
Subject: [PATCH] Add fix for CVE-2026-46316 (KVM arm64 vgic-its UAF) ahead of RHEL

---
 ...-translation-cache-ref-only-for-eras.patch | 54 +++++++++++++++++++
 kernel.spec | 5 ++
 2 files changed, 59 insertions(+)
 create mode 100644 1374-kvm-arm64-vgic-its-drop-translation-cache-ref-only-for-eras.patch

diff --git a/1374-kvm-arm64-vgic-its-drop-translation-cache-ref-only-for-eras.patch b/1374-kvm-arm64-vgic-its-drop-translation-cache-ref-only-for-eras.patch
new file mode 100644
index 000000000..ceabba226
--- /dev/null
+++ b/1374-kvm-arm64-vgic-its-drop-translation-cache-ref-only-for-eras.patch
@@ -0,0 +1,54 @@
+From b7b72e88046328c9fdc638fe887d4240257dd5dc Mon Sep 17 00:00:00 2001
+From: Hyunwoo Kim
+Date: Mon, 1 Jun 2026 23:53:26 +0900
+Subject: [PATCH] KVM: arm64: vgic-its: Drop the translation cache reference
+ only for the erased entry
+
+commit 13031fb6b8357fbbcded2a7f4cba73e4781ee594 upstream.
+
+vgic_its_invalidate_cache() walks the per-ITS translation cache with
+xa_for_each() and drops the cache's reference on each entry with
+vgic_put_irq(). It puts the iterated pointer, though, rather than the
+value returned by xa_erase().
+
+The function is called from contexts that do not exclude one another: the
+ITS command handlers hold its_lock, the GITS_CTLR write path holds
+cmd_lock, and the path that clears EnableLPIs in a redistributor's
+GICR_CTLR holds neither. Two or more of them can drain the same cache
+concurrently, and if each one observes the same entry, erases it and then
+puts it, the single reference the cache holds on that entry is dropped
+more than once. The entry can then be freed while an ITE still maps it.
+
+xa_erase() is atomic and returns the previous entry, so put only the entry
+that this context actually removed. The cache reference is then dropped
+exactly once per entry even when the invalidations run concurrently, and
+the behavior is unchanged when only one context runs.
+
+Fixes: 8201d1028caa ("KVM: arm64: vgic-its: Maintain a translation cache per ITS")
+Signed-off-by: Hyunwoo Kim
+Reviewed-by: Oliver Upton
+Link: https://patch.msgid.link/ah2c5lu4JbUg7dj-@v4bel
+Signed-off-by: Marc Zyngier
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman
+
+diff --git a/arch/arm64/kvm/vgic/vgic-its.c b/arch/arm64/kvm/vgic/vgic-its.c
+index 5f6583b9abe3..dcd6b23ad2e1 100644
+--- a/arch/arm64/kvm/vgic/vgic-its.c
++++ b/arch/arm64/kvm/vgic/vgic-its.c
+@@ -590,8 +590,10 @@ static void vgic_its_invalidate_cache(struct vgic_its *its)
+ unsigned long idx;
+ 
+ xa_for_each(&its->translation_cache, idx, irq) {
+- xa_erase(&its->translation_cache, idx);
+- vgic_put_irq(kvm, irq);
++ /* Only the context that erases the entry drops its cache ref. */
++ irq = xa_erase(&its->translation_cache, idx);
++ if (irq)
++ vgic_put_irq(kvm, irq);
+ }
+ }
+
+-- 
+2.50.1 (Apple Git-155)
+
diff --git a/kernel.spec b/kernel.spec
index 0ce032ae5..d68069115 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -1408,6 +1408,7 @@ Patch1370: 1370-net-mana-fix-use-after-free-in-add-adev-error-path.patch
 Patch1371: 1371-crypto-caam-fix-overflow-on-long-hmac-keys.patch
 Patch1372: 1372-exit-prevent-preemption-of-oopsing-task-dead-task.patch
 Patch1373: 1373-net-sched-fix-pedit-partial-cow-leading-to-page-cache-corrup.patch
+Patch1374: 1374-kvm-arm64-vgic-its-drop-translation-cache-ref-only-for-eras.patch
 # END OF PATCH DEFINITIONS

 %description
@@ -2538,6 +2539,7 @@ ApplyPatch 1370-net-mana-fix-use-after-free-in-add-adev-error-path.patch
 ApplyPatch 1371-crypto-caam-fix-overflow-on-long-hmac-keys.patch
 ApplyPatch 1372-exit-prevent-preemption-of-oopsing-task-dead-task.patch
 ApplyPatch 1373-net-sched-fix-pedit-partial-cow-leading-to-page-cache-corrup.patch
+ApplyPatch 1374-kvm-arm64-vgic-its-drop-translation-cache-ref-only-for-eras.patch
 # END OF PATCH APPLICATIONS

 # Any further pre-build tree manipulations happen here.
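Review bot: The new loop body in the embedded vgic-its.c hunk reuses the xa_for_each() cursor `irq` to receive xa_erase()'s return value, so in the context that loses a concurrent invalidation `irq` is NULL for the rest of that iteration; that is safe only because the macro's step expression refetches the cursor before the next test, which follows from the xarray API rather than from anything visible here. A dedicated local would make the put independent of the iterator, e.g. `struct vgic_irq *erased = xa_erase(&its->translation_cache, idx);` followed by `if (erased) vgic_put_irq(kvm, erased);`, but the file carries upstream commit 13031fb6b835 as-is and keeping a backport byte-identical to upstream is worth more than that style gain, so this is informational. vgic_its_invalidate_cache() begins above the embedded hunk, where `kvm` and `irq` must be declared, and the hunk offsets (`@@ -590,8 +590,10 @@`) are upstream's, so whether they apply cleanly to the 6.12-based tree named in the changelog is shown by the ApplyPatch step at build time, not by this diff.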
@@ -5042,6 +5044,9 @@ fi\
 #
 #
 %changelog
+* Tue Jun 23 2026 Andrew Lukoshko - 6.12.0-211.26.1
+- Add fix for CVE-2026-46316 (KVM arm64 vgic-its translation-cache use-after-free) ahead of RHEL (1374)
+
 * Mon Jun 22 2026 Andrew Lukoshko - 6.12.0-211.26.1
 - Recreate RHEL 6.12.0-211.26.1 from CentOS Stream 10 and upstream stable backports (1352-1373)
 - Enable watchdog pretimeout panic functionality for x86 via kernel config (RHEL-182299)