Re: [PATCH v6 0/7] Fix stale IOTLB entries for kernel address space

[Baolu Lu]

On 10/15/25 08:43, Andrew Morton wrote:
> On Tue, 14 Oct 2025 21:04:30 +0800 Lu Baolu <baolu.lu@xxxxxxxxxxxxxxx> wrote:
>
> > This proposes a fix for a security vulnerability related to IOMMU Shared
> > Virtual Addressing (SVA). In an SVA context, an IOMMU can cache kernel
> > page table entries. When a kernel page table page is freed and
> > reallocated for another purpose, the IOMMU might still hold stale,
> > incorrect entries. This can be exploited to cause a use-after-free or
> > write-after-free condition, potentially leading to privilege escalation
> > or data corruption.
>
> Is only x86 affected?

RISC-V is potentially another one. The RISC-V IOMMU driver doesn't
support SVA yet, but I believe it will be there soon.

> > This solution introduces a deferred freeing mechanism for kernel page
> > table pages, which provides a safe window to notify the IOMMU to
> > invalidate its caches before the page is reused.
>
> Thanks for working on this.
>
> Can we expect any performance impact from this?  Have any measurements
> been performed?

This change only defers page table page freeing, allows for batch-
freeing of page table pages, and notifies the IOMMU driver to invalidate
the related caches. It doesn't impose any overhead in any critical path;
therefore, I don't see any potential performance impact.

> Only [7/7] has a cc:stable, even though that patch is not at all
> backportable.  Please give some thought and suggestions regarding
> whether you think we should backport this into earlier kernels.

Yes. We should backport this series to stable kernels.

> If "yes" then the size and scope of the series looks problematic.  Is
> it possible to put together something simple and expedient just to plug
> the hole in older kernels?

Squashing some patches is one way. But would it be workable to backport
this series manually? Say, could we send a pull request to the stable
mailing list after this series has landed?

> >   arch/x86/Kconfig              |  1 +
> >   mm/Kconfig                    |  3 ++
> >   include/asm-generic/pgalloc.h | 18 +++++++++
> >   include/linux/iommu.h         |  4 ++
> >   include/linux/mm.h            | 71 ++++++++++++++++++++++++++++++++---
> >   arch/x86/mm/init_64.c         |  2 +-
> >   arch/x86/mm/pat/set_memory.c  |  2 +-
> >   arch/x86/mm/pgtable.c         | 12 +++---
> >   drivers/iommu/iommu-sva.c     | 29 +++++++++++++-
> >   mm/pgtable-generic.c          | 39 +++++++++++++++++++
> >   10 files changed, 167 insertions(+), 14 deletions(-)
>
> It isn't obvious which tree should carry this.  Were you thinking the
> x86 tree?

It could also be through linux-mm tree?

Thanks,
baolu