From 416ab94e29979bb4b80ee35439473a143517764a Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Mon, 9 Feb 2026 13:36:53 +0100 Subject: [PATCH] 6.1-stable patches added patches: iommu-disable-sva-when-config_x86-is-set.patch --- ...u-disable-sva-when-config_x86-is-set.patch | 111 ++++++++++++++++++ queue-6.1/series | 1 + 2 files changed, 112 insertions(+) create mode 100644 queue-6.1/iommu-disable-sva-when-config_x86-is-set.patch diff --git a/queue-6.1/iommu-disable-sva-when-config_x86-is-set.patch b/queue-6.1/iommu-disable-sva-when-config_x86-is-set.patch new file mode 100644 index 0000000000..3e355b7e86 --- /dev/null +++ b/queue-6.1/iommu-disable-sva-when-config_x86-is-set.patch 
@@ -0,0 +1,111 @@ +From 72f98ef9a4be30d2a60136dd6faee376f780d06c Mon Sep 17 00:00:00 2001 +From: Lu Baolu +Date: Wed, 22 Oct 2025 16:26:27 +0800 +Subject: iommu: disable SVA when CONFIG_X86 is set + +From: Lu Baolu + +commit 72f98ef9a4be30d2a60136dd6faee376f780d06c upstream. + +Patch series "Fix stale IOTLB entries for kernel address space", v7. + +This proposes a fix for a security vulnerability related to IOMMU Shared +Virtual Addressing (SVA). In an SVA context, an IOMMU can cache kernel +page table entries. When a kernel page table page is freed and +reallocated for another purpose, the IOMMU might still hold stale, +incorrect entries. This can be exploited to cause a use-after-free or +write-after-free condition, potentially leading to privilege escalation or +data corruption. + +This solution introduces a deferred freeing mechanism for kernel page +table pages, which provides a safe window to notify the IOMMU to +invalidate its caches before the page is reused. + + +This patch (of 8): + +In the IOMMU Shared Virtual Addressing (SVA) context, the IOMMU hardware +shares and walks the CPU's page tables. The x86 architecture maps the +kernel's virtual address space into the upper portion of every process's +page table. Consequently, in an SVA context, the IOMMU hardware can walk +and cache kernel page table entries. + +The Linux kernel currently lacks a notification mechanism for kernel page +table changes, specifically when page table pages are freed and reused. +The IOMMU driver is only notified of changes to user virtual address +mappings. This can cause the IOMMU's internal caches to retain stale +entries for kernel VA. + +Use-After-Free (UAF) and Write-After-Free (WAF) conditions arise when +kernel page table pages are freed and later reallocated. The IOMMU could +misinterpret the new data as valid page table entries. The IOMMU might +then walk into attacker-controlled memory, leading to arbitrary physical +memory DMA access or privilege escalation. 
This is also a +Write-After-Free issue, as the IOMMU will potentially continue to write +Accessed and Dirty bits to the freed memory while attempting to walk the +stale page tables. + +Currently, SVA contexts are unprivileged and cannot access kernel +mappings. However, the IOMMU will still walk kernel-only page tables all +the way down to the leaf entries, where it realizes the mapping is for the +kernel and errors out. This means the IOMMU still caches these +intermediate page table entries, making the described vulnerability a real +concern. + +Disable SVA on x86 architecture until the IOMMU can receive notification +to flush the paging cache before freeing the CPU kernel page table pages. + +Link: https://lkml.kernel.org/r/20251022082635.2462433-1-baolu.lu@linux.intel.com +Link: https://lkml.kernel.org/r/20251022082635.2462433-2-baolu.lu@linux.intel.com +Fixes: 26b25a2b98e4 ("iommu: Bind process address spaces to devices") +Signed-off-by: Lu Baolu +Suggested-by: Jason Gunthorpe +Reviewed-by: Jason Gunthorpe +Cc: Alistair Popple +Cc: Andy Lutomirski +Cc: Borislav Betkov +Cc: Dave Hansen +Cc: David Hildenbrand +Cc: Ingo Molnar +Cc: Jann Horn +Cc: Jean-Philippe Brucker +Cc: Joerg Roedel +Cc: Kevin Tian +Cc: Liam Howlett +Cc: Lorenzo Stoakes +Cc: Matthew Wilcox (Oracle) +Cc: Michal Hocko +Cc: Mike Rapoport +Cc: Peter Zijlstra +Cc: Robin Murohy +Cc: Thomas Gleinxer +Cc: "Uladzislau Rezki (Sony)" +Cc: Vasant Hegde +Cc: Vinicius Costa Gomes +Cc: Vlastimil Babka +Cc: Will Deacon +Cc: Yi Lai +Cc: +Signed-off-by: Andrew Morton +[ The context change is due to the commit + be51b1d6bbff ("iommu/sva: Refactoring iommu_sva_bind/unbind_device()") + and the commit 757636ed2607 ("iommu: Rename iommu-sva-lib.{c,h}") + in v6.2 which are irrelevant to the logic of this patch. 
] +Signed-off-by: Rahul Sharma +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iommu/iommu.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/iommu/iommu.c ++++ b/drivers/iommu/iommu.c +@@ -2799,6 +2799,9 @@ iommu_sva_bind_device(struct device *dev + if (!group) + return ERR_PTR(-ENODEV); + ++ if (IS_ENABLED(CONFIG_X86)) ++ return ERR_PTR(-EOPNOTSUPP); ++ + /* Ensure device count and domain don't change while we're binding */ + mutex_lock(&group->mutex); + diff --git a/queue-6.1/series b/queue-6.1/series index 2f53b80b59..d88052db54 100644 --- a/queue-6.1/series +++ b/queue-6.1/series @@ -59,3 +59,4 @@ netfilter-nf_tables-fix-inverted-genmask-check-in-nf.patch asoc-amd-fix-memory-leak-in-acp3x-pdm-dma-ops.patch hfsplus-fix-slab-out-of-bounds-read-in-hfsplus_uni2asc.patch riscv-uprobes-add-missing-fence.i-after-building-the-xol-buffer.patch +iommu-disable-sva-when-config_x86-is-set.patch -- 2.47.3
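Review bot: the early return added in the drivers/iommu/iommu.c hunk is placed after `group` has already been looked up (the preceding context is `if (!group) return ERR_PTR(-ENODEV);`) and before `mutex_lock(&group->mutex);`, which is safe upstream but not in this 6.1 function, where that pointer comes from iommu_group_get(dev) and the normal exit paths drop its reference with iommu_group_put(group); with this backport every SVA bind attempt on x86 returns -EOPNOTSUPP and leaks one group reference. The bracketed backport note only mentions the context change from the v6.2 refactoring, so this difference was missed: either move the `IS_ENABLED(CONFIG_X86)` check above the group lookup, or release the reference on the new path, e.g. `if (IS_ENABLED(CONFIG_X86)) { iommu_group_put(group); return ERR_PTR(-EOPNOTSUPP); }`. The disable itself is the right stable-tree response to the stale kernel-VA IOTLB entries the message describes, and IS_ENABLED() is a compile-time constant so other architectures are unaffected, but the message should state plainly that SVA users on x86 now fail at bind time rather than silently losing the feature.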