CVE-2026-46141

In the Linux kernel, the following vulnerability has been resolved:

powerpc/xive: fix kmemleak caused by incorrect chip data lookup

The kmemleak reports the following memory leak:

Unreferenced object 0xc0000002a7fbc640 (size 64): comm "kworker/8:1", pid 540, jiffies 4294937872 hex dump (first 32 bytes): 01 00 00 00 00 00 00 00 00 00 09 04 00 04 00 00 ................ 00 00 a7 81 00 00 0a c0 00 00 08 04 00 04 00 00 ................ backtrace (crc 177d48f6): kmalloc cache noprof+0x520/0x730 xive irq alloc data.constprop.0+0x40/0xe0 xive irq domain alloc+0xd0/0x1b0 irq domain alloc irqs parent+0x44/0x6c pseries irq domain alloc+0x1cc/0x354 irq domain alloc irqs parent+0x44/0x6c msi domain alloc+0xb0/0x220 irq domain alloc irqs locked+0x138/0x4d0 irq domain alloc irqs+0x8c/0xfc msi domain alloc irqs+0x214/0x4d8 msi domain alloc irqs all locked+0x70/0xf8 pci msi setup msi irqs+0x60/0x78 pci enable msix range+0x54c/0x98c pci alloc irq vectors affinity+0x16c/0x1d4 nvme pci enable+0xac/0x9c0 [nvme] nvme probe+0x340/0x764 [nvme]

This occurs when allocating MSI-X vectors for an NVMe device. During allocation the XIVE code creates a struct xive irq data and stores it in irq data->chip data.

When the MSI-X irqdomain is later freed, xive irq free data() is responsible for retrieving this structure and freeing it. However, after commit cc0cc23babc9 ("powerpc/xive: Untangle xive from child interrupt controller drivers"), xive irq free data() retrieves the chip data using irq get chip data(), which looks up the data through the child domain.

This is incorrect because the XIVE-specific irq data is associated with the XIVE (parent) domain. As a result the lookup fails and the allocated struct xive irq data is never freed, leading to the kmemleak report shown above.

Fix this by retrieving the irq data from the correct domain using irq domain get irq data() and then accessing the chip data via irq data get irq chip data().