ACK: [SRU][Q][PATCH 0/1] Revert "iommu: disable SVA when CONFIG_X86 is set"
Tim Whisonant
tim.whisonant at canonical.com
Wed Apr 22 18:22:01 UTC 2026
On Wed, Apr 22, 2026 at 09:07:52PM +0300, Mehmet Basaran wrote:
> BugLink: https://bugs.launchpad.net/bugs/2149766
>
> [Impact]
>
> The issue has been brought to our attention when questing (6.17)
> kernels were unable to load amd_xdna drivers. However, this commit,
> in addition to NPUs, also affects PCIe cards which make use of
> unified memory (GPUs, Accelerators, NICs). With this commit, PCIe
> devices will revert to using the legacy method (pinning) instead of
> unified memory. As a result,
> - arguably it will be less secure,
> - there can be performance drops.
>
> Currently, this commit is part of an 8-commit patch series:
> "Fix stale IOTLB entries for kernel address space", v7.
> [PATCH v7 1/8] iommu: Disable SVA when CONFIG_X86 is set
> [PATCH v7 2/8] mm: Add a ptdesc flag to mark kernel page tables
> [PATCH v7 3/8] mm: Actually mark kernel page table pages
> [PATCH v7 4/8] x86/mm: Use 'ptdesc' when freeing PMD pages
> [PATCH v7 5/8] mm: Introduce pure page table freeing function
> [PATCH v7 6/8] x86/mm: Use pagetable_free()
> [PATCH v7 7/8] mm: Introduce deferred freeing for kernel page tables
> [PATCH v7 8/8] iommu/sva: Invalidate stale IOTLB entries for kernel address space
>
> where "iommu: disable SVA when CONFIG_X86 is set" is undone by
> the 8th commit. We only have this commit from the whole patchset.
> Ideally we should have the whole patchset applied.
>
> [Fix]
>
> This commit fixes the following issue which is old,
> 26b25a2b98e4 ("iommu: Bind process address spaces to devices")
> and we applied this commit recently. So, reverting this commit
> won't be introducing regressions. Affected kernel versions are:
> - 6.8 due to the reasons above.
> - 6.17 due to both the reasons above and the amd_xdna issue.
>
> [Test Plan]
>
> Our regression test suite doesn't catch this issue. However,
> we will run it again to see it doesn't cause anything else.
>
> [Where problems could occur]
>
> The reverted commit is a fix for a security vulnerability related to
> IOMMU Shared Virtual Addressing (SVA). In an SVA context, an
> IOMMU can cache kernel page table entries. When a kernel page
> table page is freed and reallocated for another purpose, the
> IOMMU might still hold stale, incorrect entries. This can be
> exploited to cause a use-after-free or write-after-free condition,
> potentially leading to privilege escalation or data corruption.
>
> Mehmet Basaran (1):
> Revert "iommu: disable SVA when CONFIG_X86 is set"
>
> drivers/iommu/iommu-sva.c | 3 ---
> 1 file changed, 3 deletions(-)
>
> --
> 2.43.0
>
Acked-by: Tim Whisonant <tim.whisonant at canonical.com>