PT-2026-51853 · Linux · Linux

Published 2026-06-24 · Updated 2026-06-24 · CVE-2026-52959

None

No severity ratings or metrics are available. When they become available, we will update the corresponding information on this page.
In the Linux kernel, the following vulnerability has been resolved:

virt: sev-guest: Do not use host-controlled page order in cleanup path

When issuing an extended guest request (SVM_VMGEXIT_EXT_GUEST_REQUEST), get_ext_report() allocates a buffer to retrieve a certificate blob from the host, keeping track of its size in report_req->certs_len.

However, the host may return SNP_GUEST_VMM_ERR_INVALID_LEN, indicating an invalid buffer size, as well as the expected length of such buffer. get_ext_report() subsequently updates report_req->certs_len with the host-controlled value, and cleans up the buffer by computing a page order from such value. This is incorrect, as the host-provided length may not match the page order of the original allocation, potentially resulting in corruption in the page allocator.

Fix this by using alloc_pages_exact() instead, and reusing @npages to compute the size passed to free_pages_exact(). For consistency, also use @npages to compute the size when allocating the pages, even though this last change has no functional effect.
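
The size arithmetic described above, as an added userspace illustration (not the kernel's code and not the patch itself). The names order_for, model_req, host_reports_invalid_len and release_mismatch are hypothetical, 4 KiB pages and a page-aligned guest length are assumed, and order_for stands in for the kernel's get_order().

```c
#include <stddef.h>
#include <stdio.h>

#define PAGE_SHIFT 12                 /* assumption: 4 KiB pages */
#define PAGE_SIZE  (1UL << PAGE_SHIFT)

/* Stand-in for get_order(): smallest order whose block covers size. */
static unsigned int order_for(size_t size)
{
    unsigned int order = 0;
    while ((PAGE_SIZE << order) < size)
        order++;
    return order;
}

struct model_req { size_t certs_len; };   /* models report_req->certs_len */

/* Models the INVALID_LEN reply: the host's expected length replaces ours. */
static void host_reports_invalid_len(struct model_req *r, size_t host_pages)
{
    r->certs_len = host_pages << PAGE_SHIFT;
}

/*
 * Bytes handed back to the allocator minus bytes obtained from it.
 * fixed == 0: order recomputed from certs_len at cleanup (pre-fix pattern).
 * fixed == 1: size derived from npages, captured before the request.
 * A non-zero result means the free does not match the allocation.
 */
static long release_mismatch(size_t guest_len, size_t host_pages, int fixed)
{
    struct model_req r = { .certs_len = guest_len };
    size_t npages = r.certs_len >> PAGE_SHIFT;
    size_t allocated = fixed ? npages << PAGE_SHIFT
                             : PAGE_SIZE << order_for(r.certs_len);
    host_reports_invalid_len(&r, host_pages);
    size_t released = fixed ? npages << PAGE_SHIFT
                            : PAGE_SIZE << order_for(r.certs_len);
    return (long)released - (long)allocated;
}

int main(void)
{
    size_t len = 4 * PAGE_SIZE;           /* constructed guest buffer size */
    printf("pre-fix, host says 16 pages: %ld\n", release_mismatch(len, 16, 0));
    printf("pre-fix, host says 1 page:   %ld\n", release_mismatch(len, 1, 0));
    printf("fixed,   host says 16 pages: %ld\n", release_mismatch(len, 16, 1));
    return 0;
}
```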

Related identifiers

CVE-2026-52959

Affected products

Linux