[SRU][N][PATCH 0/1] Revert "iommu: disable SVA when CONFIG_X86 is set"
Mehmet Basaran
mehmet.basaran at canonical.com
Wed Apr 22 17:57:45 UTC 2026
BugLink: https://bugs.launchpad.net/bugs/2149766

[Impact]

The issue was brought to our attention when questing (6.17)
kernels were unable to load amd_xdna drivers. However, this commit,
in addition to NPUs, also affects PCIe cards which make use of
unified memory (GPUs, Accelerators, NICs). With this commit, PCIe
devices will revert to using the legacy method (pinning) instead of
unified memory. As a result,
- arguably it will be less secure,
- there can be performance drops.

Currently, this commit is part of an 8-commit patch series:
"Fix stale IOTLB entries for kernel address space", v7.

  [PATCH v7 1/8] iommu: Disable SVA when CONFIG_X86 is set
  [PATCH v7 2/8] mm: Add a ptdesc flag to mark kernel page tables
  [PATCH v7 3/8] mm: Actually mark kernel page table pages
  [PATCH v7 4/8] x86/mm: Use 'ptdesc' when freeing PMD pages
  [PATCH v7 5/8] mm: Introduce pure page table freeing function
  [PATCH v7 6/8] x86/mm: Use pagetable_free()
  [PATCH v7 7/8] mm: Introduce deferred freeing for kernel page tables
  [PATCH v7 8/8] iommu/sva: Invalidate stale IOTLB entries for kernel address space

where "iommu: disable SVA when CONFIG_X86 is set" is undone by
the 8th commit. We only have this commit from the whole patchset.
Ideally we should have the whole patchset applied.

[Fix]

This commit fixes the following issue, which is old,
26b25a2b98e4 ("iommu: Bind process address spaces to devices")
and we applied this commit recently. So, reverting this commit
won't be introducing regressions. Affected kernel versions are:
- 6.8 due to the reasons above.
- 6.17 due to both the reasons above and the amd_xdna issue.

[Test Plan]

Our regression test suite doesn't catch this issue. However,
we will run it again to see that it doesn't cause anything else.

[Where problems could occur]

The reverted commit is a fix for a security vulnerability related to
IOMMU Shared Virtual Addressing (SVA). In an SVA context, an
IOMMU can cache kernel page table entries. When a kernel page
table page is freed and reallocated for another purpose, the
IOMMU might still hold stale, incorrect entries. This can be
exploited to cause a use-after-free or write-after-free condition,
potentially leading to privilege escalation or data corruption.

Mehmet Basaran (1):
  Revert "iommu: disable SVA when CONFIG_X86 is set"

 drivers/iommu/iommu-sva.c | 3 ---
 1 file changed, 3 deletions(-)

--
2.43.0
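
The cover letter notes that only patch 1/8 of the series was applied. The following is an added example, not part of the original message or of any Ubuntu tooling, that reports which of the eight listed subjects are live in a tree's `git log` and whether any were later reverted. It assumes commit subjects match the list above without prefixes (compared case-insensitively); the function names `series_status` and `verdict` are hypothetical.

```python
import subprocess
import sys

# Subjects of the v7 series exactly as listed in the cover letter above.
SERIES = [
    "iommu: Disable SVA when CONFIG_X86 is set",
    "mm: Add a ptdesc flag to mark kernel page tables",
    "mm: Actually mark kernel page table pages",
    "x86/mm: Use 'ptdesc' when freeing PMD pages",
    "mm: Introduce pure page table freeing function",
    "x86/mm: Use pagetable_free()",
    "mm: Introduce deferred freeing for kernel page tables",
    "iommu/sva: Invalidate stale IOTLB entries for kernel address space",
]

# Constructed sample of `git log --format=%s` output (newest first), not real history.
SAMPLE = ['Revert "iommu: disable SVA when CONFIG_X86 is set"',
          "iommu: Disable SVA when CONFIG_X86 is set"]

def series_status(subjects):
    """Map each series subject to 'applied', 'reverted' or 'missing'."""
    status = {s: "missing" for s in SERIES}
    wanted = {s.lower(): s for s in SERIES}
    for line in reversed(subjects):  # replay oldest first so the newest commit wins
        text = line.strip()
        reverted = text.lower().startswith('revert "') and text.endswith('"')
        key = text[8:-1].lower() if reverted else text.lower()
        if key in wanted:
            status[wanted[key]] = "reverted" if reverted else "applied"
    return status

def verdict(status):
    """Summarise the tree state in the terms the cover letter uses."""
    live = [s for s in SERIES if status[s] == "applied"]
    if len(live) == len(SERIES):
        return "full series applied"
    if live == [SERIES[0]]:
        return "only 1/8 applied: SVA disabled on x86"
    if not live:
        return "series absent: SVA enabled, stale-IOTLB fix missing"
    return "partial series: review by hand"

if __name__ == "__main__":
    log = SAMPLE
    if len(sys.argv) > 1:  # optional revision argument, e.g. HEAD
        log = subprocess.run(["git", "log", "--format=%s", sys.argv[1]], check=True,
                             capture_output=True, text=True).stdout.splitlines()
    st = series_status(log)
    print(*(f"{st[s]:9} {s}" for s in SERIES), verdict(st), sep="\n")
```

Run without arguments it uses the constructed sample; run inside a kernel tree with a revision argument it reads that branch's history.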