GHSA-R2VF-F3JW-34MM
Vulnerability from github – Published: 2026-05-28 12:30 – Updated: 2026-05-28 12:30In the Linux kernel, the following vulnerability has been resolved:
powerpc/xive: fix kmemleak caused by incorrect chip_data lookup
The kmemleak reports the following memory leak:
Unreferenced object 0xc0000002a7fbc640 (size 64): comm "kworker/8:1", pid 540, jiffies 4294937872 hex dump (first 32 bytes): 01 00 00 00 00 00 00 00 00 00 09 04 00 04 00 00 ................ 00 00 a7 81 00 00 0a c0 00 00 08 04 00 04 00 00 ................ backtrace (crc 177d48f6): __kmalloc_cache_noprof+0x520/0x730 xive_irq_alloc_data.constprop.0+0x40/0xe0 xive_irq_domain_alloc+0xd0/0x1b0 irq_domain_alloc_irqs_parent+0x44/0x6c pseries_irq_domain_alloc+0x1cc/0x354 irq_domain_alloc_irqs_parent+0x44/0x6c msi_domain_alloc+0xb0/0x220 irq_domain_alloc_irqs_locked+0x138/0x4d0 __irq_domain_alloc_irqs+0x8c/0xfc __msi_domain_alloc_irqs+0x214/0x4d8 msi_domain_alloc_irqs_all_locked+0x70/0xf8 pci_msi_setup_msi_irqs+0x60/0x78 __pci_enable_msix_range+0x54c/0x98c pci_alloc_irq_vectors_affinity+0x16c/0x1d4 nvme_pci_enable+0xac/0x9c0 [nvme] nvme_probe+0x340/0x764 [nvme]
This occurs when allocating MSI-X vectors for an NVMe device. During allocation the XIVE code creates a struct xive_irq_data and stores it in irq_data->chip_data.
When the MSI-X irqdomain is later freed, xive_irq_free_data() is responsible for retrieving this structure and freeing it. However, after commit cc0cc23babc9 ("powerpc/xive: Untangle xive from child interrupt controller drivers"), xive_irq_free_data() retrieves the chip_data using irq_get_chip_data(), which looks up the data through the child domain.
This is incorrect because the XIVE-specific irq data is associated with the XIVE (parent) domain. As a result the lookup fails and the allocated struct xive_irq_data is never freed, leading to the kmemleak report shown above.
Fix this by retrieving the irq_data from the correct domain using irq_domain_get_irq_data() and then accessing the chip_data via irq_data_get_irq_chip_data().
{
"affected": [],
"aliases": [
"CVE-2026-46141"
],
"database_specific": {
"cwe_ids": [],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-28T10:16:29Z",
"severity": null
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/xive: fix kmemleak caused by incorrect chip_data lookup\n\nThe kmemleak reports the following memory leak:\n\nUnreferenced object 0xc0000002a7fbc640 (size 64):\n comm \"kworker/8:1\", pid 540, jiffies 4294937872\n hex dump (first 32 bytes):\n 01 00 00 00 00 00 00 00 00 00 09 04 00 04 00 00 ................\n 00 00 a7 81 00 00 0a c0 00 00 08 04 00 04 00 00 ................\n backtrace (crc 177d48f6):\n __kmalloc_cache_noprof+0x520/0x730\n xive_irq_alloc_data.constprop.0+0x40/0xe0\n xive_irq_domain_alloc+0xd0/0x1b0\n irq_domain_alloc_irqs_parent+0x44/0x6c\n pseries_irq_domain_alloc+0x1cc/0x354\n irq_domain_alloc_irqs_parent+0x44/0x6c\n msi_domain_alloc+0xb0/0x220\n irq_domain_alloc_irqs_locked+0x138/0x4d0\n __irq_domain_alloc_irqs+0x8c/0xfc\n __msi_domain_alloc_irqs+0x214/0x4d8\n msi_domain_alloc_irqs_all_locked+0x70/0xf8\n pci_msi_setup_msi_irqs+0x60/0x78\n __pci_enable_msix_range+0x54c/0x98c\n pci_alloc_irq_vectors_affinity+0x16c/0x1d4\n nvme_pci_enable+0xac/0x9c0 [nvme]\n nvme_probe+0x340/0x764 [nvme]\n\nThis occurs when allocating MSI-X vectors for an NVMe device. During\nallocation the XIVE code creates a struct xive_irq_data and stores it\nin irq_data-\u003echip_data.\n\nWhen the MSI-X irqdomain is later freed, xive_irq_free_data() is\nresponsible for retrieving this structure and freeing it. However,\nafter commit cc0cc23babc9 (\"powerpc/xive: Untangle xive from child\ninterrupt controller drivers\"), xive_irq_free_data() retrieves the\nchip_data using irq_get_chip_data(), which looks up the data through\nthe child domain.\n\nThis is incorrect because the XIVE-specific irq data is associated with\nthe XIVE (parent) domain. As a result the lookup fails and the allocated\nstruct xive_irq_data is never freed, leading to the kmemleak report\nshown above.\n\nFix this by retrieving the irq_data from the correct domain using\nirq_domain_get_irq_data() and then accessing the chip_data via\nirq_data_get_irq_chip_data().",
"id": "GHSA-r2vf-f3jw-34mm",
"modified": "2026-05-28T12:30:30Z",
"published": "2026-05-28T12:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-46141"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/2546fb8c9acc8c7512ed4339ce2a982cb7407065"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/6771c54728c278bf1e4bfdab4fddbbb186e33498"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/e66ed135cdf23a318e9727dca48f98f7f6142f78"
}
],
"schema_version": "1.4.0",
"severity": []
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.