CVE-2026-46141

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> powerpc/xive: fix kmemleak caused by incorrect chip_data lookup<br /> <br /> The kmemleak reports the following memory leak:<br /> <br /> Unreferenced object 0xc0000002a7fbc640 (size 64):<br /> comm "kworker/8:1", pid 540, jiffies 4294937872<br /> hex dump (first 32 bytes):<br /> 01 00 00 00 00 00 00 00 00 00 09 04 00 04 00 00 ................<br /> 00 00 a7 81 00 00 0a c0 00 00 08 04 00 04 00 00 ................<br /> backtrace (crc 177d48f6):<br /> __kmalloc_cache_noprof+0x520/0x730<br /> xive_irq_alloc_data.constprop.0+0x40/0xe0<br /> xive_irq_domain_alloc+0xd0/0x1b0<br /> irq_domain_alloc_irqs_parent+0x44/0x6c<br /> pseries_irq_domain_alloc+0x1cc/0x354<br /> irq_domain_alloc_irqs_parent+0x44/0x6c<br /> msi_domain_alloc+0xb0/0x220<br /> irq_domain_alloc_irqs_locked+0x138/0x4d0<br /> __irq_domain_alloc_irqs+0x8c/0xfc<br /> __msi_domain_alloc_irqs+0x214/0x4d8<br /> msi_domain_alloc_irqs_all_locked+0x70/0xf8<br /> pci_msi_setup_msi_irqs+0x60/0x78<br /> __pci_enable_msix_range+0x54c/0x98c<br /> pci_alloc_irq_vectors_affinity+0x16c/0x1d4<br /> nvme_pci_enable+0xac/0x9c0 [nvme]<br /> nvme_probe+0x340/0x764 [nvme]<br /> <br /> This occurs when allocating MSI-X vectors for an NVMe device. During<br /> allocation the XIVE code creates a struct xive_irq_data and stores it<br /> in irq_data-&gt;chip_data.<br /> <br /> When the MSI-X irqdomain is later freed, xive_irq_free_data() is<br /> responsible for retrieving this structure and freeing it. However,<br /> after commit cc0cc23babc9 ("powerpc/xive: Untangle xive from child<br /> interrupt controller drivers"), xive_irq_free_data() retrieves the<br /> chip_data using irq_get_chip_data(), which looks up the data through<br /> the child domain.<br /> <br /> This is incorrect because the XIVE-specific irq data is associated with<br /> the XIVE (parent) domain. As a result the lookup fails and the allocated<br /> struct xive_irq_data is never freed, leading to the kmemleak report<br /> shown above.<br /> <br /> Fix this by retrieving the irq_data from the correct domain using<br /> irq_domain_get_irq_data() and then accessing the chip_data via<br /> irq_data_get_irq_chip_data().