Message-ID: <BL1PR11MB52719E654E5AE227FE29B75F8C08A@BL1PR11MB5271.namprd11.prod.outlook.com>
Date: Fri, 12 Sep 2025 08:14:04 +0000
From: "Tian, Kevin" <kevin.tian@...el.com>
To: Lu Baolu <baolu.lu@...ux.intel.com>, Joerg Roedel <joro@...tes.org>, "Will
 Deacon" <will@...nel.org>, Robin Murphy <robin.murphy@....com>, "Jason
 Gunthorpe" <jgg@...dia.com>, Jann Horn <jannh@...gle.com>, Vasant Hegde
	<vasant.hegde@....com>, "Hansen, Dave" <dave.hansen@...el.com>, "Alistair
 Popple" <apopple@...dia.com>, Peter Zijlstra <peterz@...radead.org>,
	Uladzislau Rezki <urezki@...il.com>, Jean-Philippe Brucker
	<jean-philippe@...aro.org>, Andy Lutomirski <luto@...nel.org>, "Lai, Yi1"
	<yi1.lai@...el.com>
CC: "iommu@...ts.linux.dev" <iommu@...ts.linux.dev>, "security@...nel.org"
	<security@...nel.org>, "linux-kernel@...r.kernel.org"
	<linux-kernel@...r.kernel.org>, Dave Hansen <dave.hansen@...ux.intel.com>
Subject: RE: [PATCH v4 6/8] mm: Introduce deferred freeing for kernel page
 tables

> From: Lu Baolu <baolu.lu@...ux.intel.com>
> Sent: Friday, September 5, 2025 1:51 PM
> 
> From: Dave Hansen <dave.hansen@...ux.intel.com>
> 
> On x86 and other architectures that map the kernel's virtual address space
> into the upper portion of every process's page table, the IOMMU's paging
> structure caches can become stale when the CPU page table is shared with
> IOMMU in the Shared Virtual Address (SVA) context. This occurs when a page
> used for the kernel's page tables is freed and reused without the IOMMU
> being notified.
> 
> While the IOMMU driver is notified of changes to user virtual address
> mappings, there is no similar notification mechanism for kernel page
> table changes. This can lead to data corruption or system instability
> when Shared Virtual Address (SVA) is enabled, as the IOMMU's internal
> caches may retain stale entries for kernel virtual addresses.

above could be saved to the last patch.

> 
> This introduces a conditional asynchronous mechanism, enabled by
> CONFIG_ASYNC_PGTABLE_FREE. When enabled, this mechanism defers the freeing
> of pages that are used as page tables for kernel address mappings. These
> pages are now queued to a work struct instead of being freed immediately.
> 
> This deferred freeing provides a safe context for a future patch to add
> an IOMMU-specific callback, which might be expensive on large-scale
> systems. This ensures the necessary IOMMU cache invalidation is performed
> before the page is finally returned to the page allocator outside of any
> critical, non-sleepable path.
> 
> In the current kernel, some page table pages are allocated with an
> associated struct ptdesc, while others are not. Those without a ptdesc are
> freed using free_pages() and its variants, which bypasses the destructor
> that pagetable_dtor_free() would run. While the long-term plan is to
> convert all page table pages to use struct ptdesc, this uses a temporary
> flag within ptdesc to indicate whether a page needs a destructor,
> considering that this aims to fix a potential security issue in IOMMU SVA.
> The flag and its associated logic can be removed once the conversion is
> complete.

stale comment?

> 
> Signed-off-by: Dave Hansen <dave.hansen@...ux.intel.com>
> Signed-off-by: Lu Baolu <baolu.lu@...ux.intel.com>

Reviewed-by: Kevin Tian <kevin.tian@...el.com>
