Hi Dave,
On Wed, 9 Jul 2025 11:22:34 -0700 Dave Hansen dave.hansen@intel.com wrote:
On 7/9/25 11:15, Jacob Pan wrote:
Is there a use case where a SVA user can access kernel memory in the first place?
No. It should be fully blocked.
Then I don't understand what is the "vulnerability condition" being addressed here. We are talking about KVA range here.
SVA users can't access kernel memory, but they can compel walks of kernel page tables, which the IOMMU caches. The trouble starts if the kernel happens to free that page table page and the IOMMU is using the cache after the page is freed.
According to VT-d spec. 6.2.4 S1 IOTLB caching includes access privilege. "First-stage mappings: — Each of these is a mapping from a input page number in a request to the physical page frame to which it translates (derived from first-stage translation), along with information about access privileges and memory typing (if applicable)."
So you are saying IOMMU can cache user DMA initiated walks and cache with supervisor privilige? Since the SVA PASID is a user PASID, even if IOMMU uses the cache later on, how could it get supervior privilege?