NACK: [SRU][N][PATCH 0/1] Revert "iommu: disable SVA when CONFIG_X86 is set"
Mehmet Basaran
mehmet.basaran at canonical.com
Wed Apr 22 18:05:50 UTC 2026
Nacked-by: Mehmet Basaran <mehmet.basaran at canonical.com>
Mehmet Basaran <mehmet.basaran at canonical.com> writes:
> BugLink: https://bugs.launchpad.net/bugs/2149766
>
> [Impact]
>
> The issue has been brought to our attention when questing (6.17)
> kernels were unable to load amd_xdna drivers. However, this commit,
> in addition to NPUs, also affects PCIe cards which make use of
> unified memory (GPUs, Accelerators, NICs). With this commit, PCIe
> devices will revert to using the legacy method (pinning) instead of
> unified memory. As a result,
> - arguably it will be less secure,
> - there can be performance drops.
>
> Currently, this commit is part of an 8-commit patch series:
> "Fix stale IOTLB entries for kernel address space", v7.
> [PATCH v7 1/8] iommu: Disable SVA when CONFIG_X86 is set
> [PATCH v7 2/8] mm: Add a ptdesc flag to mark kernel page tables
> [PATCH v7 3/8] mm: Actually mark kernel page table pages
> [PATCH v7 4/8] x86/mm: Use 'ptdesc' when freeing PMD pages
> [PATCH v7 5/8] mm: Introduce pure page table freeing function
> [PATCH v7 6/8] x86/mm: Use pagetable_free()
> [PATCH v7 7/8] mm: Introduce deferred freeing for kernel page tables
> [PATCH v7 8/8] iommu/sva: Invalidate stale IOTLB entries for kernel address space
>
> where "iommu: disable SVA when CONFIG_X86 is set" is undone by
> the 8th commit. We only have this commit from the whole patchset.
> Ideally we should have the whole patchset applied.
>
> [Fix]
>
> This commit fixes the following issue which is old,
> 26b25a2b98e4 ("iommu: Bind process address spaces to devices")
> and we applied this commit recently. So, reverting this commit
> won't be introducing regressions. Affected kernel versions are:
> - 6.8 due to the reasons above.
> - 6.17 due to both the reasons above and the amd_xdna issue.
>
> [Test Plan]
>
> Our regression test suite doesn't catch this issue. However,
> we will run it again to see it doesn't cause anything else.
>
> [Where problems could occur]
>
> The reverted commit is a fix for a security vulnerability related to
> IOMMU Shared Virtual Addressing (SVA). In an SVA context, an
> IOMMU can cache kernel page table entries. When a kernel page
> table page is freed and reallocated for another purpose, the
> IOMMU might still hold stale, incorrect entries. This can be
> exploited to cause a use-after-free or write-after-free condition,
> potentially leading to privilege escalation or data corruption.
>
> Mehmet Basaran (1):
>   Revert "iommu: disable SVA when CONFIG_X86 is set"
>
>  drivers/iommu/iommu-sva.c | 3 ---
>  1 file changed, 3 deletions(-)
>
> --
> 2.43.0