iommu: Add page_ext for IOMMU_DEBUG_PAGEALLOC

Add a new config IOMMU_DEBUG_PAGEALLOC, which registers new data to
page_ext.

This config will be used by the IOMMU API to track pages mapped in
the IOMMU to catch drivers trying to free kernel memory that they
still map in their domains, causing all types of memory corruption.

This behaviour is disabled by default and can be enabled using
kernel cmdline iommu.debug_pagealloc.

Acked-by: David Hildenbrand (Red Hat) <david@kernel.org>
Reviewed-by: Pranjal Shrivastava <praan@google.com>
Reviewed-by: Lu Baolu <baolu.lu@linux.intel.com>
Signed-off-by: Mostafa Saleh <smostafa@google.com>
Signed-off-by: Joerg Roedel <joerg.roedel@amd.com>

diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
index a8d0afde7f85a506b827ae31d48fc5d9dbabc095..d484d9d8d0a404610f2ee873cec07c234061a466 100644 (file)
--- a/Documentation/admin-guide/kernel-parameters.txt
+++ b/Documentation/admin-guide/kernel-parameters.txt
@@ -2675,6 +2675,15 @@ Kernel parameters
                        1 - Bypass the IOMMU for DMA.
                        unset - Use value of CONFIG_IOMMU_DEFAULT_PASSTHROUGH.
 
+       iommu.debug_pagealloc=
+                       [KNL,EARLY] When CONFIG_IOMMU_DEBUG_PAGEALLOC is set, this
+                       parameter enables the feature at boot time. By default, it
+                       is disabled and the system behaves the same way as a kernel
+                       built without CONFIG_IOMMU_DEBUG_PAGEALLOC.
+                       Format: { "0" | "1" }
+                       0 - Sanitizer disabled.
+                       1 - Sanitizer enabled, expect runtime overhead.
+
        io7=            [HW] IO7 for Marvel-based Alpha systems
                        See comment before marvel_specify_io7 in
                        arch/alpha/kernel/core_marvel.c.

diff --git a/drivers/iommu/Kconfig b/drivers/iommu/Kconfig
index 99095645134fac1a3194ec5b4ac21d2a4500544d..f86262b11416d1fe60effb4f5f62cb1a86b935f3 100644 (file)
--- a/drivers/iommu/Kconfig
+++ b/drivers/iommu/Kconfig
@@ -384,6 +384,25 @@ config SPRD_IOMMU
 
          Say Y here if you want to use the multimedia devices listed above.
 
+config IOMMU_DEBUG_PAGEALLOC
+       bool "Debug IOMMU mappings against page allocations"
+       depends on DEBUG_PAGEALLOC && IOMMU_API && PAGE_EXTENSION
+       help
+         This enables a consistency check between the kernel page allocator and
+         the IOMMU subsystem. It verifies that pages being allocated or freed
+         are not currently mapped in any IOMMU domain.
+
+         This helps detect DMA use-after-free bugs where a driver frees a page
+         but forgets to unmap it from the IOMMU, potentially allowing a device
+         to overwrite memory that the kernel has repurposed.
+
+         These checks are best-effort and may not detect all problems.
+
+         Due to performance overhead, this feature is disabled by default.
+         You must enable "iommu.debug_pagealloc" from the kernel command
+         line to activate the runtime checks.
+
+         If unsure, say N.
 endif # IOMMU_SUPPORT
 
 source "drivers/iommu/generic_pt/Kconfig"

diff --git a/drivers/iommu/Makefile b/drivers/iommu/Makefile
index 8e8843316c4bf811a1eb92b9f326c3d092702d77..0275821f4ef985bc2162ca3ce9c75f4452142451 100644 (file)
--- a/drivers/iommu/Makefile
+++ b/drivers/iommu/Makefile
@@ -36,3 +36,4 @@ obj-$(CONFIG_IOMMU_SVA) += iommu-sva.o
 obj-$(CONFIG_IOMMU_IOPF) += io-pgfault.o
 obj-$(CONFIG_SPRD_IOMMU) += sprd-iommu.o
 obj-$(CONFIG_APPLE_DART) += apple-dart.o
+obj-$(CONFIG_IOMMU_DEBUG_PAGEALLOC) += iommu-debug-pagealloc.o

diff --git a/drivers/iommu/iommu-debug-pagealloc.c b/drivers/iommu/iommu-debug-pagealloc.c
new file mode 100644 (file)
index 0000000..4022e9a
--- /dev/null
+++ b/drivers/iommu/iommu-debug-pagealloc.c
@@ -0,0 +1,32 @@
+// SPDX-License-Identifier: GPL-2.0-only
+/*
+ * Copyright (C) 2025 - Google Inc
+ * Author: Mostafa Saleh <smostafa@google.com>
+ * IOMMU API debug page alloc sanitizer
+ */
+#include <linux/atomic.h>
+#include <linux/iommu-debug-pagealloc.h>
+#include <linux/kernel.h>
+#include <linux/page_ext.h>
+
+static bool needed;
+
+struct iommu_debug_metadata {
+       atomic_t ref;
+};
+
+static __init bool need_iommu_debug(void)
+{
+       return needed;
+}
+
+struct page_ext_operations page_iommu_debug_ops = {
+       .size = sizeof(struct iommu_debug_metadata),
+       .need = need_iommu_debug,
+};
+
+static int __init iommu_debug_pagealloc(char *str)
+{
+       return kstrtobool(str, &needed);
+}
+early_param("iommu.debug_pagealloc", iommu_debug_pagealloc);

diff --git a/include/linux/iommu-debug-pagealloc.h b/include/linux/iommu-debug-pagealloc.h
new file mode 100644 (file)
index 0000000..83e64d7
--- /dev/null
+++ b/include/linux/iommu-debug-pagealloc.h
@@ -0,0 +1,17 @@
+// SPDX-License-Identifier: GPL-2.0-only
+/*
+ * Copyright (C) 2025 - Google Inc
+ * Author: Mostafa Saleh <smostafa@google.com>
+ * IOMMU API debug page alloc sanitizer
+ */
+
+#ifndef __LINUX_IOMMU_DEBUG_PAGEALLOC_H
+#define __LINUX_IOMMU_DEBUG_PAGEALLOC_H
+
+#ifdef CONFIG_IOMMU_DEBUG_PAGEALLOC
+
+extern struct page_ext_operations page_iommu_debug_ops;
+
+#endif /* CONFIG_IOMMU_DEBUG_PAGEALLOC */
+
+#endif /* __LINUX_IOMMU_DEBUG_PAGEALLOC_H */

diff --git a/mm/page_ext.c b/mm/page_ext.c
index d7396a8970e5e3d4174c6cfa3a4d267d14a9cdcc..297e4cd8ce90d18f468cbdb6ff42b6dde4cac970 100644 (file)
--- a/mm/page_ext.c
+++ b/mm/page_ext.c
@@ -11,6 +11,7 @@
 #include <linux/page_table_check.h>
 #include <linux/rcupdate.h>
 #include <linux/pgalloc_tag.h>
+#include <linux/iommu-debug-pagealloc.h>
 
 /*
  * struct page extension
@@ -89,6 +90,9 @@ static struct page_ext_operations *page_ext_ops[] __initdata = {
 #ifdef CONFIG_PAGE_TABLE_CHECK
        &page_table_check_ops,
 #endif
+#ifdef CONFIG_IOMMU_DEBUG_PAGEALLOC
+       &page_iommu_debug_ops,
+#endif
 };
 
 unsigned long page_ext_size;