Add a new config IOMMU_DEBUG_PAGEALLOC, which registers new data to
page_ext.
This config will be used by the IOMMU API to track pages mapped in
the IOMMU to catch drivers trying to free kernel memory that they
still map in their domains, causing all types of memory corruption.
This behaviour is disabled by default and can be enabled using
kernel cmdline iommu.debug_pagealloc.
Reviewed-by: Lu Baolu <baolu.lu@linux.intel.com>
Signed-off-by: Mostafa Saleh <smostafa@google.com>
---
.../admin-guide/kernel-parameters.txt | 9 ++++++
drivers/iommu/Kconfig | 19 +++++++++++
drivers/iommu/Makefile | 1 +
drivers/iommu/iommu-debug-pagealloc.c | 32 +++++++++++++++++++
include/linux/iommu-debug-pagealloc.h | 17 ++++++++++
mm/page_ext.c | 4 +++
6 files changed, 82 insertions(+)
create mode 100644 drivers/iommu/iommu-debug-pagealloc.c
create mode 100644 include/linux/iommu-debug-pagealloc.h
diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
index a8d0afde7f85..d484d9d8d0a4 100644
--- a/Documentation/admin-guide/kernel-parameters.txt
+++ b/Documentation/admin-guide/kernel-parameters.txt
@@ -2675,6 +2675,15 @@ Kernel parameters
1 - Bypass the IOMMU for DMA.
unset - Use value of CONFIG_IOMMU_DEFAULT_PASSTHROUGH.
+ iommu.debug_pagealloc=
+ [KNL,EARLY] When CONFIG_IOMMU_DEBUG_PAGEALLOC is set, this
+ parameter enables the feature at boot time. By default, it
+ is disabled and the system behaves the same way as a kernel
+ built without CONFIG_IOMMU_DEBUG_PAGEALLOC.
+ Format: { "0" | "1" }
+ 0 - Sanitizer disabled.
+ 1 - Sanitizer enabled, expect runtime overhead.
+
io7= [HW] IO7 for Marvel-based Alpha systems
See comment before marvel_specify_io7 in
arch/alpha/kernel/core_marvel.c.
diff --git a/drivers/iommu/Kconfig b/drivers/iommu/Kconfig
index 99095645134f..f86262b11416 100644
--- a/drivers/iommu/Kconfig
+++ b/drivers/iommu/Kconfig
@@ -384,6 +384,25 @@ config SPRD_IOMMU
Say Y here if you want to use the multimedia devices listed above.
+config IOMMU_DEBUG_PAGEALLOC
+ bool "Debug IOMMU mappings against page allocations"
+ depends on DEBUG_PAGEALLOC && IOMMU_API && PAGE_EXTENSION
+ help
+ This enables a consistency check between the kernel page allocator and
+ the IOMMU subsystem. It verifies that pages being allocated or freed
+ are not currently mapped in any IOMMU domain.
+
+ This helps detect DMA use-after-free bugs where a driver frees a page
+ but forgets to unmap it from the IOMMU, potentially allowing a device
+ to overwrite memory that the kernel has repurposed.
+
+ These checks are best-effort and may not detect all problems.
+
+ Due to performance overhead, this feature is disabled by default.
+ You must enable "iommu.debug_pagealloc" from the kernel command
+ line to activate the runtime checks.
+
+ If unsure, say N.
endif # IOMMU_SUPPORT
source "drivers/iommu/generic_pt/Kconfig"
diff --git a/drivers/iommu/Makefile b/drivers/iommu/Makefile
index 8e8843316c4b..0275821f4ef9 100644
--- a/drivers/iommu/Makefile
+++ b/drivers/iommu/Makefile
@@ -36,3 +36,4 @@ obj-$(CONFIG_IOMMU_SVA) += iommu-sva.o
obj-$(CONFIG_IOMMU_IOPF) += io-pgfault.o
obj-$(CONFIG_SPRD_IOMMU) += sprd-iommu.o
obj-$(CONFIG_APPLE_DART) += apple-dart.o
+obj-$(CONFIG_IOMMU_DEBUG_PAGEALLOC) += iommu-debug-pagealloc.o
diff --git a/drivers/iommu/iommu-debug-pagealloc.c b/drivers/iommu/iommu-debug-pagealloc.c
new file mode 100644
index 000000000000..4022e9af7f27
--- /dev/null
+++ b/drivers/iommu/iommu-debug-pagealloc.c
@@ -0,0 +1,32 @@
+// SPDX-License-Identifier: GPL-2.0-only
+/*
+ * Copyright (C) 2025 - Google Inc
+ * Author: Mostafa Saleh <smostafa@google.com>
+ * IOMMU API debug page alloc sanitizer
+ */
+#include <linux/atomic.h>
+#include <linux/iommu-debug-pagealloc.h>
+#include <linux/kernel.h>
+#include <linux/page_ext.h>
+
+static bool needed;
+
+struct iommu_debug_metadata {
+ atomic_t ref;
+};
+
+static __init bool need_iommu_debug(void)
+{
+ return needed;
+}
+
+struct page_ext_operations page_iommu_debug_ops = {
+ .size = sizeof(struct iommu_debug_metadata),
+ .need = need_iommu_debug,
+};
+
+static int __init iommu_debug_pagealloc(char *str)
+{
+ return kstrtobool(str, &needed);
+}
+early_param("iommu.debug_pagealloc", iommu_debug_pagealloc);
diff --git a/include/linux/iommu-debug-pagealloc.h b/include/linux/iommu-debug-pagealloc.h
new file mode 100644
index 000000000000..83e64d70bf6c
--- /dev/null
+++ b/include/linux/iommu-debug-pagealloc.h
@@ -0,0 +1,17 @@
+// SPDX-License-Identifier: GPL-2.0-only
+/*
+ * Copyright (C) 2025 - Google Inc
+ * Author: Mostafa Saleh <smostafa@google.com>
+ * IOMMU API debug page alloc sanitizer
+ */
+
+#ifndef __LINUX_IOMMU_DEBUG_PAGEALLOC_H
+#define __LINUX_IOMMU_DEBUG_PAGEALLOC_H
+
+#ifdef CONFIG_IOMMU_DEBUG_PAGEALLOC
+
+extern struct page_ext_operations page_iommu_debug_ops;
+
+#endif /* CONFIG_IOMMU_DEBUG_PAGEALLOC */
+
+#endif /* __LINUX_IOMMU_DEBUG_PAGEALLOC_H */
diff --git a/mm/page_ext.c b/mm/page_ext.c
index d7396a8970e5..297e4cd8ce90 100644
--- a/mm/page_ext.c
+++ b/mm/page_ext.c
@@ -11,6 +11,7 @@
#include <linux/page_table_check.h>
#include <linux/rcupdate.h>
#include <linux/pgalloc_tag.h>
+#include <linux/iommu-debug-pagealloc.h>
/*
* struct page extension
@@ -89,6 +90,9 @@ static struct page_ext_operations *page_ext_ops[] __initdata = {
#ifdef CONFIG_PAGE_TABLE_CHECK
&page_table_check_ops,
#endif
+#ifdef CONFIG_IOMMU_DEBUG_PAGEALLOC
+ &page_iommu_debug_ops,
+#endif
};
unsigned long page_ext_size;
--
2.52.0.351.gbe84eed79e-googOn 1/6/26 17:21, Mostafa Saleh wrote: > Add a new config IOMMU_DEBUG_PAGEALLOC, which registers new data to > page_ext. > > This config will be used by the IOMMU API to track pages mapped in > the IOMMU to catch drivers trying to free kernel memory that they > still map in their domains, causing all types of memory corruption. > > This behaviour is disabled by default and can be enabled using > kernel cmdline iommu.debug_pagealloc. > > Reviewed-by: Lu Baolu <baolu.lu@linux.intel.com> > Signed-off-by: Mostafa Saleh <smostafa@google.com> > --- I think I acked it, but maybe too late for you to spot it for the MM bits Acked-by: David Hildenbrand (Red Hat) <david@kernel.org> -- Cheers David
On Wed, Jan 07, 2026 at 05:53:50PM +0100, David Hildenbrand (Red Hat) wrote: > On 1/6/26 17:21, Mostafa Saleh wrote: > > Add a new config IOMMU_DEBUG_PAGEALLOC, which registers new data to > > page_ext. > > > > This config will be used by the IOMMU API to track pages mapped in > > the IOMMU to catch drivers trying to free kernel memory that they > > still map in their domains, causing all types of memory corruption. > > > > This behaviour is disabled by default and can be enabled using > > kernel cmdline iommu.debug_pagealloc. > > > > Reviewed-by: Lu Baolu <baolu.lu@linux.intel.com> > > Signed-off-by: Mostafa Saleh <smostafa@google.com> > > --- > > I think I acked it, but maybe too late for you to spot it > > for the MM bits > > Acked-by: David Hildenbrand (Red Hat) <david@kernel.org> Thanks! If my mail client is not acting, it seems that was the same version(v5) also. Thanks, Mostafa > > -- > Cheers > > David
On 1/8/26 11:42, Mostafa Saleh wrote: > On Wed, Jan 07, 2026 at 05:53:50PM +0100, David Hildenbrand (Red Hat) wrote: >> On 1/6/26 17:21, Mostafa Saleh wrote: >>> Add a new config IOMMU_DEBUG_PAGEALLOC, which registers new data to >>> page_ext. >>> >>> This config will be used by the IOMMU API to track pages mapped in >>> the IOMMU to catch drivers trying to free kernel memory that they >>> still map in their domains, causing all types of memory corruption. >>> >>> This behaviour is disabled by default and can be enabled using >>> kernel cmdline iommu.debug_pagealloc. >>> >>> Reviewed-by: Lu Baolu <baolu.lu@linux.intel.com> >>> Signed-off-by: Mostafa Saleh <smostafa@google.com> >>> --- >> >> I think I acked it, but maybe too late for you to spot it >> >> for the MM bits >> >> Acked-by: David Hildenbrand (Red Hat) <david@kernel.org> > > Thanks! If my mail client is not acting, it seems that was the > same version(v5) also. Maybe my client is having problems :) -- Cheers David
On Tue, Jan 06, 2026 at 04:21:57PM +0000, Mostafa Saleh wrote: > Add a new config IOMMU_DEBUG_PAGEALLOC, which registers new data to > page_ext. > > This config will be used by the IOMMU API to track pages mapped in > the IOMMU to catch drivers trying to free kernel memory that they > still map in their domains, causing all types of memory corruption. > > This behaviour is disabled by default and can be enabled using > kernel cmdline iommu.debug_pagealloc. > > Reviewed-by: Lu Baolu <baolu.lu@linux.intel.com> > Signed-off-by: Mostafa Saleh <smostafa@google.com> > --- > .../admin-guide/kernel-parameters.txt | 9 ++++++ > drivers/iommu/Kconfig | 19 +++++++++++ > drivers/iommu/Makefile | 1 + > drivers/iommu/iommu-debug-pagealloc.c | 32 +++++++++++++++++++ > include/linux/iommu-debug-pagealloc.h | 17 ++++++++++ > mm/page_ext.c | 4 +++ > 6 files changed, 82 insertions(+) > create mode 100644 drivers/iommu/iommu-debug-pagealloc.c > create mode 100644 include/linux/iommu-debug-pagealloc.h > Reviewed-by: Pranjal Shrivastava <praan@google.com> Thanks!
On 1/6/26 17:21, Mostafa Saleh wrote:
> Add a new config IOMMU_DEBUG_PAGEALLOC, which registers new data to
> page_ext.
>
> This config will be used by the IOMMU API to track pages mapped in
> the IOMMU to catch drivers trying to free kernel memory that they
> still map in their domains, causing all types of memory corruption.
>
> This behaviour is disabled by default and can be enabled using
> kernel cmdline iommu.debug_pagealloc.
>
> Reviewed-by: Lu Baolu <baolu.lu@linux.intel.com>
> Signed-off-by: Mostafa Saleh <smostafa@google.com>
> ---
[...]
> +#endif /* __LINUX_IOMMU_DEBUG_PAGEALLOC_H */
> diff --git a/mm/page_ext.c b/mm/page_ext.c
> index d7396a8970e5..297e4cd8ce90 100644
> --- a/mm/page_ext.c
> +++ b/mm/page_ext.c
> @@ -11,6 +11,7 @@
> #include <linux/page_table_check.h>
> #include <linux/rcupdate.h>
> #include <linux/pgalloc_tag.h>
> +#include <linux/iommu-debug-pagealloc.h>
>
> /*
> * struct page extension
> @@ -89,6 +90,9 @@ static struct page_ext_operations *page_ext_ops[] __initdata = {
> #ifdef CONFIG_PAGE_TABLE_CHECK
> &page_table_check_ops,
> #endif
> +#ifdef CONFIG_IOMMU_DEBUG_PAGEALLOC
> + &page_iommu_debug_ops,
> +#endif
> };
>
> unsigned long page_ext_size;
The MM bits LGTM
Acked-by: David Hildenbrand (Red Hat) <david@kernel.org>
--
Cheers
David
© 2016 - 2026 Red Hat, Inc.