Linux Kernel IOMMU SVA Stale IOTLB Entry Invalidation Vulnerability

A vulnerability in the Linux kernel's IOMMU SVA (Shared Virtual Addressing) implementation on x86 architecture has been addressed. This vulnerability involved failing to properly invalidate stale IOTLB (Input Output Translation Lookaside Buffer) entries in the kernel address space before certain memory was reused, which could be exploited by unprivileged users. The issue has been resolved by introducing a new IOMMU interface that allows for the flushing of IOTLB caching entries for the CPU kernel address space. This interface is now called before any kernel page table pages are freed and reused, ensuring that the IOTLB entries are properly invalidated. However, it's important to note that this fix does not cover a rare case related to memory unplugging reserved memory from boot, which cannot be triggered by unprivileged users.

Impact

Exploitation of this vulnerability could lead to the improper management of IOTLB entries, potentially allowing for stale entries to remain active when they should be invalidated, which could disrupt the correct functioning of memory management in the kernel.

Reproduction

The vulnerability could be reproduced by enabling IOMMU SVA on an x86 system and then triggering a vfree() operation, which is a common occurrence that can be initiated by unprivileged users. This would result in the failure to properly invalidate the corresponding IOTLB entries for the kernel address space before the memory is reused.

Remediation

Users can update to the latest version of the Linux kernel where this vulnerability has been addressed. Instructions for downloading the patched version can be found in the Linux kernel documentation.