CVE-2025-71089

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
13/01/2026
Last modified:
14/01/2026

Description

In the Linux kernel, the following vulnerability has been resolved:

iommu: disable SVA when CONFIG_X86 is set

Patch series "Fix stale IOTLB entries for kernel address space", v7.

This proposes a fix for a security vulnerability related to IOMMU Shared Virtual Addressing (SVA). In an SVA context, an IOMMU can cache kernel page table entries. When a kernel page table page is freed and reallocated for another purpose, the IOMMU might still hold stale, incorrect entries. This can be exploited to cause a use-after-free or write-after-free condition, potentially leading to privilege escalation or data corruption.

This solution introduces a deferred freeing mechanism for kernel page table pages, which provides a safe window to notify the IOMMU to invalidate its caches before the page is reused.

This patch (of 8):

In the IOMMU Shared Virtual Addressing (SVA) context, the IOMMU hardware shares and walks the CPU's page tables. The x86 architecture maps the kernel's virtual address space into the upper portion of every process's page table. Consequently, in an SVA context, the IOMMU hardware can walk and cache kernel page table entries.

The Linux kernel currently lacks a notification mechanism for kernel page table changes, specifically when page table pages are freed and reused. The IOMMU driver is only notified of changes to user virtual address mappings. This can cause the IOMMU's internal caches to retain stale entries for kernel VA.

Use-After-Free (UAF) and Write-After-Free (WAF) conditions arise when kernel page table pages are freed and later reallocated. The IOMMU could misinterpret the new data as valid page table entries. The IOMMU might then walk into attacker-controlled memory, leading to arbitrary physical memory DMA access or privilege escalation. This is also a Write-After-Free issue, as the IOMMU will potentially continue to write Accessed and Dirty bits to the freed memory while attempting to walk the stale page tables.

Currently, SVA contexts are unprivileged and cannot access kernel mappings. However, the IOMMU will still walk kernel-only page tables all the way down to the leaf entries, where it realizes the mapping is for the kernel and errors out. This means the IOMMU still caches these intermediate page table entries, making the described vulnerability a real concern.

Disable SVA on x86 architecture until the IOMMU can receive notification to flush the paging cache before freeing the CPU kernel page table pages.
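The sequence the description describes (an intermediate entry cached by the IOMMU, the page table page freed and reused, the walker trusting the cached entry and reading reused memory as PTEs while also writing the Accessed bit into it) is easier to see in a toy model. The following is an added example, not kernel code and not part of the patch series: it models physical memory as eight small pages, a two-level page table, an IOMMU "paging-structure cache" keyed by top-level index, and two teardown paths. `kernel_unmap_unsafe` frees the leaf table without notifying the IOMMU; `kernel_unmap_safe` stands in for the deferred-free idea by invalidating the IOMMU cache before the page can be reused. All names, sizes and the entry layout are assumptions made for the model.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed toy model (not kernel data structures): NPAGES "physical"
 * pages of ENTRIES entries each. Page ROOT is the top-level table. */
#define NPAGES    8
#define ENTRIES   4
#define ROOT      0
#define PRESENT   0x1u
#define ACCESSED  0x2u
#define PFN_SHIFT 4

static uint32_t mem[NPAGES][ENTRIES];
static int page_free[NPAGES];
static int last_reused = -1;   /* page handed back by the allocator after the free */

/* IOMMU paging-structure cache: top-level index -> leaf table page, -1 if empty. */
static int iotlb[ENTRIES];

static void reset(void) {
    memset(mem, 0, sizeof mem);
    for (int i = 0; i < NPAGES; i++) page_free[i] = (i != ROOT);
    for (int i = 0; i < ENTRIES; i++) iotlb[i] = -1;
    last_reused = -1;
}

/* First-fit allocator: a freed page comes straight back on the next request. */
static int alloc_page(void) {
    for (int i = 0; i < NPAGES; i++)
        if (page_free[i]) { page_free[i] = 0; memset(mem[i], 0, sizeof mem[i]); return i; }
    return -1;
}
static void free_page(int p) { page_free[p] = 1; }

static uint32_t mk_entry(int pfn) { return ((uint32_t)pfn << PFN_SHIFT) | PRESENT; }
static int entry_pfn(uint32_t e)  { return (int)(e >> PFN_SHIFT); }

/* IOMMU walk of va = (top index, leaf index). The top-level entry is
 * cached; the leaf entry that is used gets its Accessed bit set, which is
 * the write that becomes a write-after-free once the page is reused. */
static int iommu_walk(int top, int leaf) {
    int table = iotlb[top];
    if (table < 0) {
        uint32_t e = mem[ROOT][top];
        if (!(e & PRESENT)) return -1;          /* fault: nothing mapped */
        table = entry_pfn(e);
        iotlb[top] = table;                     /* cache the intermediate entry */
    }
    uint32_t pte = mem[table][leaf];
    if (!(pte & PRESENT)) return -1;
    mem[table][leaf] |= ACCESSED;
    return entry_pfn(pte);
}

static void iommu_flush(void) { for (int i = 0; i < ENTRIES; i++) iotlb[i] = -1; }

/* Kernel side: map va(0,0) -> data_pfn through a freshly allocated leaf table. */
static int kernel_map(int data_pfn) {
    int leaf = alloc_page();
    mem[leaf][0] = mk_entry(data_pfn);
    mem[ROOT][0] = mk_entry(leaf);
    return leaf;
}

/* Teardown as the description criticises it: the root entry is cleared and
 * the leaf page freed, but the IOMMU is never told. */
static void kernel_unmap_unsafe(int leaf) { mem[ROOT][0] = 0; free_page(leaf); }

/* Teardown with the deferred-free idea (simplified): the page is not
 * returned to the allocator until the IOMMU paging cache is invalidated. */
static void kernel_unmap_safe(int leaf) { mem[ROOT][0] = 0; iommu_flush(); free_page(leaf); }

/* Returns the physical page the IOMMU resolves for va(0,0) after the leaf
 * table page has been freed and refilled with attacker-chosen data. */
static int scenario(int safe, int secret_pfn) {
    reset();
    int leaf = kernel_map(5);                   /* legitimate mapping to page 5 */
    iommu_walk(0, 0);                           /* IOMMU now caches root[0] -> leaf */
    if (safe) kernel_unmap_safe(leaf); else kernel_unmap_unsafe(leaf);
    last_reused = alloc_page();                 /* same page, new owner */
    for (int i = 0; i < ENTRIES; i++)           /* owner fills it with PTE-shaped data */
        mem[last_reused][i] = mk_entry(secret_pfn);
    return iommu_walk(0, 0);
}

/* Did the walk write an Accessed bit into the reused (no longer page table) page? */
static int reused_page_written(void) {
    return last_reused >= 0 && (mem[last_reused][0] & ACCESSED) != 0;
}

int main(void) {
    printf("unsafe teardown: IOMMU resolves page %d, reused page written=%d\n",
           scenario(0, 7), reused_page_written());
    printf("safe teardown:   IOMMU resolves page %d, reused page written=%d\n",
           scenario(1, 7), reused_page_written());
    return 0;
}
```

In the unsafe run the walker never re-reads the cleared root entry: the cached intermediate entry sends it into the reused page, it treats the new contents as a valid PTE for page 7, and it dirties that page with the Accessed bit. In the safe run the flush forces a fresh walk, the cleared root entry faults, and the reused page is untouched. Note that the real fix in this first patch is blunter than the model's safe path: it disables SVA on x86 outright, so any device relying on SVA loses that feature on kernels carrying the patch until the notification mechanism from the rest of the series is in place.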

Impact