From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, Lu Baolu <baolu.lu@linux.intel.com>,
Jason Gunthorpe <jgg@nvidia.com>,
Alistair Popple <apopple@nvidia.com>,
Andy Lutomirski <luto@kernel.org>, Borislav Betkov <bp@alien8.de>,
Dave Hansen <dave.hansen@intel.com>,
David Hildenbrand <david@redhat.com>,
Ingo Molnar <mingo@redhat.com>, Jann Horn <jannh@google.com>,
Jean-Philippe Brucker <jean-philippe@linaro.org>,
Joerg Roedel <joro@8bytes.org>, Kevin Tian <kevin.tian@intel.com>,
Liam Howlett <liam.howlett@oracle.com>,
Lorenzo Stoakes <lorenzo.stoakes@oracle.com>,
"Matthew Wilcox (Oracle)" <willy@infradead.org>,
Michal Hocko <mhocko@kernel.org>, Mike Rapoport <rppt@kernel.org>,
Peter Zijlstra <peterz@infradead.org>,
Robin Murohy <robin.murphy@arm.com>,
Thomas Gleinxer <tglx@linutronix.de>,
"Uladzislau Rezki (Sony)" <urezki@gmail.com>,
Vasant Hegde <vasant.hegde@amd.com>,
Vinicius Costa Gomes <vinicius.gomes@intel.com>,
Vlastimil Babka <vbabka@suse.cz>, Will Deacon <will@kernel.org>,
Yi Lai <yi1.lai@intel.com>,
Andrew Morton <akpm@linux-foundation.org>,
Rahul Sharma <black.hawk@163.com>
Subject: [PATCH 6.1 62/69] iommu: disable SVA when CONFIG_X86 is set
Date: Mon, 9 Feb 2026 15:24:30 +0100 [thread overview]
Message-ID: <20260209142304.157236543@linuxfoundation.org> (raw)
In-Reply-To: <20260209142301.913348974@linuxfoundation.org>
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lu Baolu <baolu.lu@linux.intel.com>
commit 72f98ef9a4be30d2a60136dd6faee376f780d06c upstream.
Patch series "Fix stale IOTLB entries for kernel address space", v7.
This proposes a fix for a security vulnerability related to IOMMU Shared
Virtual Addressing (SVA). In an SVA context, an IOMMU can cache kernel
page table entries. When a kernel page table page is freed and
reallocated for another purpose, the IOMMU might still hold stale,
incorrect entries. This can be exploited to cause a use-after-free or
write-after-free condition, potentially leading to privilege escalation or
data corruption.
This solution introduces a deferred freeing mechanism for kernel page
table pages, which provides a safe window to notify the IOMMU to
invalidate its caches before the page is reused.
This patch (of 8):
In the IOMMU Shared Virtual Addressing (SVA) context, the IOMMU hardware
shares and walks the CPU's page tables. The x86 architecture maps the
kernel's virtual address space into the upper portion of every process's
page table. Consequently, in an SVA context, the IOMMU hardware can walk
and cache kernel page table entries.
The Linux kernel currently lacks a notification mechanism for kernel page
table changes, specifically when page table pages are freed and reused.
The IOMMU driver is only notified of changes to user virtual address
mappings. This can cause the IOMMU's internal caches to retain stale
entries for kernel VA.
Use-After-Free (UAF) and Write-After-Free (WAF) conditions arise when
kernel page table pages are freed and later reallocated. The IOMMU could
misinterpret the new data as valid page table entries. The IOMMU might
then walk into attacker-controlled memory, leading to arbitrary physical
memory DMA access or privilege escalation. This is also a
Write-After-Free issue, as the IOMMU will potentially continue to write
Accessed and Dirty bits to the freed memory while attempting to walk the
stale page tables.
Currently, SVA contexts are unprivileged and cannot access kernel
mappings. However, the IOMMU will still walk kernel-only page tables all
the way down to the leaf entries, where it realizes the mapping is for the
kernel and errors out. This means the IOMMU still caches these
intermediate page table entries, making the described vulnerability a real
concern.
Disable SVA on x86 architecture until the IOMMU can receive notification
to flush the paging cache before freeing the CPU kernel page table pages.
Link: https://lkml.kernel.org/r/20251022082635.2462433-1-baolu.lu@linux.intel.com
Link: https://lkml.kernel.org/r/20251022082635.2462433-2-baolu.lu@linux.intel.com
Fixes: 26b25a2b98e4 ("iommu: Bind process address spaces to devices")
Signed-off-by: Lu Baolu <baolu.lu@linux.intel.com>
Suggested-by: Jason Gunthorpe <jgg@nvidia.com>
Reviewed-by: Jason Gunthorpe <jgg@nvidia.com>
Cc: Alistair Popple <apopple@nvidia.com>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Borislav Betkov <bp@alien8.de>
Cc: Dave Hansen <dave.hansen@intel.com>
Cc: David Hildenbrand <david@redhat.com>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Jann Horn <jannh@google.com>
Cc: Jean-Philippe Brucker <jean-philippe@linaro.org>
Cc: Joerg Roedel <joro@8bytes.org>
Cc: Kevin Tian <kevin.tian@intel.com>
Cc: Liam Howlett <liam.howlett@oracle.com>
Cc: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
Cc: Matthew Wilcox (Oracle) <willy@infradead.org>
Cc: Michal Hocko <mhocko@kernel.org>
Cc: Mike Rapoport <rppt@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Robin Murohy <robin.murphy@arm.com>
Cc: Thomas Gleinxer <tglx@linutronix.de>
Cc: "Uladzislau Rezki (Sony)" <urezki@gmail.com>
Cc: Vasant Hegde <vasant.hegde@amd.com>
Cc: Vinicius Costa Gomes <vinicius.gomes@intel.com>
Cc: Vlastimil Babka <vbabka@suse.cz>
Cc: Will Deacon <will@kernel.org>
Cc: Yi Lai <yi1.lai@intel.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
[ The context change is due to the commit
be51b1d6bbff ("iommu/sva: Refactoring iommu_sva_bind/unbind_device()")
and the commit 757636ed2607 ("iommu: Rename iommu-sva-lib.{c,h}")
in v6.2 which are irrelevant to the logic of this patch. ]
Signed-off-by: Rahul Sharma <black.hawk@163.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iommu/iommu.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/iommu/iommu.c
+++ b/drivers/iommu/iommu.c
@@ -2799,6 +2799,9 @@ iommu_sva_bind_device(struct device *dev
if (!group)
return ERR_PTR(-ENODEV);
+ if (IS_ENABLED(CONFIG_X86))
+ return ERR_PTR(-EOPNOTSUPP);
+
/* Ensure device count and domain don't change while we're binding */
mutex_lock(&group->mutex);
next prev parent reply other threads:[~2026-02-09 14:44 UTC|newest]
Thread overview: 81+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-02-09 14:23 [PATCH 6.1 00/69] 6.1.163-rc1 review Greg Kroah-Hartman
2026-02-09 14:23 ` [PATCH 6.1 01/69] nvmet-tcp: add bounds checks in nvmet_tcp_build_pdu_iovec Greg Kroah-Hartman
2026-02-09 14:23 ` [PATCH 6.1 02/69] x86/kfence: fix booting on 32bit non-PAE systems Greg Kroah-Hartman
2026-02-09 14:23 ` [PATCH 6.1 03/69] platform/x86: intel_telemetry: Fix swapped arrays in PSS output Greg Kroah-Hartman
2026-02-09 14:23 ` [PATCH 6.1 04/69] rbd: check for EOD after exclusive lock is ensured to be held Greg Kroah-Hartman
2026-02-09 14:23 ` [PATCH 6.1 05/69] ARM: 9468/1: fix memset64() on big-endian Greg Kroah-Hartman
2026-02-09 14:23 ` [PATCH 6.1 06/69] Revert "drm/amd: Check if ASPM is enabled from PCIe subsystem" Greg Kroah-Hartman
2026-02-09 14:23 ` [PATCH 6.1 07/69] KVM: Dont clobber irqfd routing type when deassigning irqfd Greg Kroah-Hartman
2026-02-09 14:23 ` [PATCH 6.1 08/69] netfilter: nft_set_pipapo: clamp maximum map bucket size to INT_MAX Greg Kroah-Hartman
2026-02-09 14:23 ` [PATCH 6.1 09/69] binder: fix BR_FROZEN_REPLY error log Greg Kroah-Hartman
2026-02-09 14:23 ` [PATCH 6.1 10/69] binderfs: fix ida_alloc_max() upper bound Greg Kroah-Hartman
2026-02-09 14:23 ` [PATCH 6.1 11/69] pmdomain: imx8mp-blk-ctrl: Keep gpc power domain on for system wakeup Greg Kroah-Hartman
2026-02-09 14:23 ` [PATCH 6.1 12/69] pmdomain: imx8mp-blk-ctrl: Keep usb phy " Greg Kroah-Hartman
2026-02-09 14:23 ` [PATCH 6.1 13/69] pmdomain: imx8m-blk-ctrl: fix out-of-range access of bc->domains Greg Kroah-Hartman
2026-02-09 14:23 ` [PATCH 6.1 14/69] gve: Fix stats report corruption on queue count change Greg Kroah-Hartman
2026-02-09 14:23 ` [PATCH 6.1 15/69] tracing: Fix ftrace event field alignments Greg Kroah-Hartman
2026-02-09 14:23 ` [PATCH 6.1 16/69] gve: Correct ethtool rx_dropped calculation Greg Kroah-Hartman
2026-02-09 14:23 ` [PATCH 6.1 17/69] KVM: selftests: Add -U_FORTIFY_SOURCE to avoid some unpredictable test failures Greg Kroah-Hartman
2026-02-09 14:23 ` [PATCH 6.1 18/69] wifi: mac80211: ocb: skip rx_no_sta when interface is not joined Greg Kroah-Hartman
2026-02-09 14:23 ` [PATCH 6.1 19/69] wifi: wlcore: ensure skb headroom before skb_push Greg Kroah-Hartman
2026-02-09 14:23 ` [PATCH 6.1 20/69] net: usb: sr9700: support devices with virtual driver CD Greg Kroah-Hartman
2026-02-09 14:23 ` [PATCH 6.1 21/69] block,bfq: fix aux stat accumulation destination Greg Kroah-Hartman
2026-02-09 14:23 ` [PATCH 6.1 22/69] smb/server: call ksmbd_session_rpc_close() on error path in create_smb2_pipe() Greg Kroah-Hartman
2026-02-09 14:23 ` [PATCH 6.1 23/69] LoongArch: Set correct protection_map[] for VM_NONE/VM_SHARED Greg Kroah-Hartman
2026-02-09 14:23 ` [PATCH 6.1 24/69] LoongArch: Enable exception fixup for specific ADE subcode Greg Kroah-Hartman
2026-02-09 14:23 ` [PATCH 6.1 25/69] HID: intel-ish-hid: Update ishtp bus match to support device ID table Greg Kroah-Hartman
2026-02-09 14:23 ` [PATCH 6.1 26/69] HID: multitouch: add MT_QUIRK_STICKY_FINGERS to MT_CLS_VTL Greg Kroah-Hartman
2026-02-09 14:23 ` [PATCH 6.1 27/69] btrfs: fix reservation leak in some error paths when inserting inline extent Greg Kroah-Hartman
2026-02-09 14:23 ` [PATCH 6.1 28/69] HID: intel-ish-hid: Reset enum_devices_done before enumeration Greg Kroah-Hartman
2026-02-09 14:23 ` [PATCH 6.1 29/69] HID: playstation: Center initial joystick axes to prevent spurious events Greg Kroah-Hartman
2026-02-09 14:23 ` [PATCH 6.1 30/69] ALSA: hda/realtek: add HP Laptop 15s-eq1xxx mute LED quirk Greg Kroah-Hartman
2026-02-09 14:23 ` [PATCH 6.1 31/69] netfilter: replace -EEXIST with -EBUSY Greg Kroah-Hartman
2026-02-09 14:24 ` [PATCH 6.1 32/69] HID: quirks: Add another Chicony HP 5MP Cameras to hid_ignore_list Greg Kroah-Hartman
2026-02-09 14:24 ` [PATCH 6.1 33/69] HID: i2c-hid: fix potential buffer overflow in i2c_hid_get_report() Greg Kroah-Hartman
2026-02-09 14:24 ` [PATCH 6.1 34/69] HID: Apply quirk HID_QUIRK_ALWAYS_POLL to Edifier QR30 (2d99:a101) Greg Kroah-Hartman
2026-02-09 14:24 ` [PATCH 6.1 35/69] ring-buffer: Avoid softlockup in ring_buffer_resize() during memory free Greg Kroah-Hartman
2026-02-09 14:24 ` [PATCH 6.1 36/69] wifi: mac80211: collect station statistics earlier when disconnect Greg Kroah-Hartman
2026-02-09 14:24 ` [PATCH 6.1 37/69] ASoC: davinci-evm: Fix reference leak in davinci_evm_probe Greg Kroah-Hartman
2026-02-09 14:24 ` [PATCH 6.1 38/69] nvme-fc: release admin tagset if init fails Greg Kroah-Hartman
2026-02-09 14:24 ` [PATCH 6.1 39/69] ASoC: tlv320adcx140: Propagate error codes during probe Greg Kroah-Hartman
2026-02-09 14:24 ` [PATCH 6.1 40/69] wifi: cfg80211: Fix bitrate calculation overflow for HE rates Greg Kroah-Hartman
2026-02-09 14:24 ` [PATCH 6.1 41/69] scsi: target: iscsi: Fix use-after-free in iscsit_dec_session_usage_count() Greg Kroah-Hartman
2026-02-09 14:24 ` [PATCH 6.1 42/69] ALSA: hda/realtek: Fix headset mic for TongFang X6AR55xU Greg Kroah-Hartman
2026-02-09 14:24 ` [PATCH 6.1 43/69] scsi: target: iscsi: Fix use-after-free in iscsit_dec_conn_usage_count() Greg Kroah-Hartman
2026-02-09 14:24 ` [PATCH 6.1 44/69] wifi: mac80211: dont increment crypto_tx_tailroom_needed_cnt twice Greg Kroah-Hartman
2026-02-09 14:24 ` [PATCH 6.1 45/69] platform/x86: toshiba_haps: Fix memory leaks in add/remove routines Greg Kroah-Hartman
2026-02-09 14:24 ` [PATCH 6.1 46/69] platform/x86: intel_telemetry: Fix PSS event register mask Greg Kroah-Hartman
2026-02-09 14:24 ` [PATCH 6.1 47/69] smb/client: fix memory leak in smb2_open_file() Greg Kroah-Hartman
2026-02-09 14:24 ` [PATCH 6.1 48/69] dpaa2-switch: prevent ZERO_SIZE_PTR dereference when num_ifs is zero Greg Kroah-Hartman
2026-02-09 14:24 ` [PATCH 6.1 49/69] net: liquidio: Initialize netdev pointer before queue setup Greg Kroah-Hartman
2026-02-09 14:24 ` [PATCH 6.1 50/69] net: liquidio: Fix off-by-one error in PF setup_nic_devices() cleanup Greg Kroah-Hartman
2026-02-09 14:24 ` [PATCH 6.1 51/69] net: liquidio: Fix off-by-one error in VF " Greg Kroah-Hartman
2026-02-09 14:24 ` [PATCH 6.1 52/69] dpaa2-switch: add bounds check for if_id in IRQ handler Greg Kroah-Hartman
2026-02-09 14:24 ` [PATCH 6.1 53/69] macvlan: fix error recovery in macvlan_common_newlink() Greg Kroah-Hartman
2026-02-09 14:24 ` [PATCH 6.1 54/69] net: dont touch dev->stats in BPF redirect paths Greg Kroah-Hartman
2026-02-09 14:24 ` [PATCH 6.1 55/69] tipc: use kfree_sensitive() for session key material Greg Kroah-Hartman
2026-02-09 14:24 ` [PATCH 6.1 56/69] drm/mgag200: fix mgag200_bmc_stop_scanout() Greg Kroah-Hartman
2026-02-09 14:24 ` [PATCH 6.1 57/69] hwmon: (occ) Mark occ_init_attribute() as __printf Greg Kroah-Hartman
2026-02-09 14:24 ` [PATCH 6.1 58/69] netfilter: nf_tables: fix inverted genmask check in nft_map_catchall_activate() Greg Kroah-Hartman
2026-02-09 14:24 ` [PATCH 6.1 59/69] ASoC: amd: fix memory leak in acp3x pdm dma ops Greg Kroah-Hartman
2026-02-09 14:24 ` [PATCH 6.1 60/69] hfsplus: fix slab-out-of-bounds read in hfsplus_uni2asc() Greg Kroah-Hartman
2026-02-09 14:24 ` [PATCH 6.1 61/69] riscv: uprobes: Add missing fence.i after building the XOL buffer Greg Kroah-Hartman
2026-02-09 14:24 ` Greg Kroah-Hartman [this message]
2026-02-09 14:24 ` [PATCH 6.1 63/69] spi: tegra210-quad: Return IRQ_HANDLED when timeout already processed transfer Greg Kroah-Hartman
2026-02-09 14:24 ` [PATCH 6.1 64/69] spi: tegra210-quad: Move curr_xfer read inside spinlock Greg Kroah-Hartman
2026-02-09 14:24 ` [PATCH 6.1 65/69] spi: tegra210-quad: Protect curr_xfer assignment in tegra_qspi_setup_transfer_one Greg Kroah-Hartman
2026-02-09 14:24 ` [PATCH 6.1 66/69] spi: tegra210-quad: Protect curr_xfer in tegra_qspi_combined_seq_xfer Greg Kroah-Hartman
2026-02-09 14:24 ` [PATCH 6.1 67/69] spi: tegra210-quad: Protect curr_xfer clearing in tegra_qspi_non_combined_seq_xfer Greg Kroah-Hartman
2026-02-09 14:24 ` [PATCH 6.1 68/69] spi: tegra: Fix a memory leak in tegra_slink_probe() Greg Kroah-Hartman
2026-02-09 14:24 ` [PATCH 6.1 69/69] ALSA: hda/realtek: Really fix headset mic for TongFang X6AR55xU Greg Kroah-Hartman
2026-02-09 16:48 ` [PATCH 6.1 00/69] 6.1.163-rc1 review Francesco Dolcini
2026-02-09 18:16 ` Brett A C Sheffield
2026-02-09 19:49 ` Florian Fainelli
2026-02-09 20:49 ` Hardik Garg
2026-02-09 20:55 ` Jon Hunter
2026-02-09 22:04 ` Peter Schneider
2026-02-10 8:55 ` Ron Economos
2026-02-11 11:34 ` Greg Kroah-Hartman
2026-02-10 13:08 ` Mark Brown
2026-02-11 10:08 ` Jeffrin Thalakkottoor
2026-02-11 13:44 ` Miguel Ojeda
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260209142304.157236543@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=akpm@linux-foundation.org \
--cc=apopple@nvidia.com \
--cc=baolu.lu@linux.intel.com \
--cc=black.hawk@163.com \
--cc=bp@alien8.de \
--cc=dave.hansen@intel.com \
--cc=david@redhat.com \
--cc=jannh@google.com \
--cc=jean-philippe@linaro.org \
--cc=jgg@nvidia.com \
--cc=joro@8bytes.org \
--cc=kevin.tian@intel.com \
--cc=liam.howlett@oracle.com \
--cc=lorenzo.stoakes@oracle.com \
--cc=luto@kernel.org \
--cc=mhocko@kernel.org \
--cc=mingo@redhat.com \
--cc=patches@lists.linux.dev \
--cc=peterz@infradead.org \
--cc=robin.murphy@arm.com \
--cc=rppt@kernel.org \
--cc=stable@vger.kernel.org \
--cc=tglx@linutronix.de \
--cc=urezki@gmail.com \
--cc=vasant.hegde@amd.com \
--cc=vbabka@suse.cz \
--cc=vinicius.gomes@intel.com \
--cc=will@kernel.org \
--cc=willy@infradead.org \
--cc=yi1.lai@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox