CVE-2026-23067

In the Linux kernel, the following vulnerability has been resolved:

iommu/io-pgtable-arm: fix size_t signedness bug in unmap path

__armlpaeunmap() returns sizet but was returning -ENOENT (negative error code) when encountering an unmapped PTE. Since sizet is unsigned, -ENOENT (typically -2) becomes a huge positive value (0xFFFFFFFFFFFFFFFE on 64-bit systems).

This corrupted value propagates through the call chain: __armlpaeunmap() returns -ENOENT as sizet -> armlpaeunmappages() returns it -> _iommuunmap() adds it to iova address -> iommupgsize() triggers BUGON due to corrupted iova

This can cause IOVA address overflow in _iommuunmap() loop and trigger BUGON in iommupgsize() from invalid address alignment.

Fix by returning 0 instead of -ENOENT. The WARNON already signals the error condition, and returning 0 (meaning "nothing unmapped") is the correct semantic for sizet return type. This matches the behavior of other io-pgtable implementations (io-pgtable-arm-v7s, io-pgtable-dart) which return 0 on error conditions.