Memory safety / IOMMU TLB synchronization weakness (potential memory corruption)
Description
Memory-safety vulnerability in the IOMMU unmap path: when the driver itself does not use the iotlb_gather, the gather can look empty at the end of __iommu_unmap, and the core code then elides the ->iotlb_sync() callback. The IOTLB is left with stale entries, which can lead to memory corruption, crashes, or hangs. The patch forces the gather to look non-empty before the sync so that iotlb_sync is always invoked.
Proof of Concept
PoC (high-level reproduction steps; this is a kernel-space issue that requires a controlled test environment with an IOMMU-capable host):
1) Build and boot a kernel containing this patch (v7.0-rc7 or later) with the IOMMU enabled (Intel VT-d or AMD-Vi).
2) Use a PCI device that performs DMA through the IOMMU and map a DMA region for testing.
3) Trigger an unmap path that would normally leave iotlb_gather.start == iotlb_gather.end (i.e., an effectively empty gather). This reaches __iommu_unmap, where the fix adds a dummy range to the gather so that iotlb_sync is not skipped.
4) Immediately perform a DMA operation from the device to the previously unmapped region (or vice versa) and observe whether memory corruption, misrouting, or a system crash occurs, which indicates that the IOTLB was not synchronized.
5) Compare behavior with and without the patch: the patched kernel should flush/sync the IOTLB correctly and avoid memory corruption and hangs.
Prerequisites and notes:
- Requires hardware with an IOMMU and a device capable of DMA under Linux (e.g., a PCIe device with a DMA-capable driver).
- Reproducing the exact conditions may be timing-sensitive; use a controlled DMA benchmark or a driver that can orchestrate unmaps followed by DMA accesses.
- This PoC is conceptual and intended for a lab/test environment to confirm the existence of the vulnerability and the fix; do not run on production systems.
Commit Details
Author: Linus Torvalds
Date: 2026-04-09 15:36 UTC
Message:
Merge tag 'iommu-fixes-v7.0-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/iommu/linux
Pull IOMMU fix from Will Deacon:
- Fix regression introduced by the empty MMU gather fix in -rc7, where
the ->iotlb_sync() callback can be elided incorrectly, resulting in
boot failures (hangs), crashes and potential memory corruption.
* tag 'iommu-fixes-v7.0-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/iommu/linux:
iommu: Ensure .iotlb_sync is called correctly
Triage Assessment
Vulnerability Type: Memory safety issue
Confidence: HIGH
Reasoning:
The patch ensures iotlb_sync is called even when the iotlb_gather is effectively empty, preventing a path that could lead to memory corruption, crashes, or hangs. This addresses a memory-safety issue in the IOMMU code that could have security implications (memory corruption) if left unfixed.
Verification Assessment
Vulnerability Type: Memory safety / IOMMU TLB synchronization weakness (potential memory corruption)
Confidence: HIGH
Affected Versions: v7.0-rc7 (regression introduced in -rc7; fixed by this commit)
Code Diff
diff --git a/drivers/iommu/iommu.c b/drivers/iommu/iommu.c
index 50718ab810a413..ee83850c70605e 100644
--- a/drivers/iommu/iommu.c
+++ b/drivers/iommu/iommu.c
@@ -2717,6 +2717,12 @@ static size_t __iommu_unmap(struct iommu_domain *domain,
pr_debug("unmapped: iova 0x%lx size 0x%zx\n",
iova, unmapped_page);
+ /*
+ * If the driver itself isn't using the gather, make sure
+ * it looks non-empty so iotlb_sync will still be called.
+ */
+ if (iotlb_gather->start >= iotlb_gather->end)
+ iommu_iotlb_gather_add_range(iotlb_gather, iova, size);
iova += unmapped_page;
unmapped += unmapped_page;
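Review bot: the dummy range is added with `size` (the full requested unmap length) while the debug line just above reports `unmapped_page` and `iova` is advanced by `unmapped_page` afterwards, so the range passed to iommu_iotlb_gather_add_range is only exact if the add happens on the first iteration, before `iova` has moved; since a gather only reads as empty (`start >= end`) until the first add, that is the normal case, but the reasoning is not stated. Suggest extending the comment to say the range is deliberately the whole region (over-invalidation is harmless, a missed sync is not), or passing the remaining length instead of `size` so the intent is obvious to the next reader.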