Message-ID: <9ce597a0-9df4-4c92-913b-ca75fc028972@huawei.com>
Date: Sat, 18 Oct 2025 16:46:52 +0800
From: Qinxin Xia <xiaqinxin@...wei.com>
To: Mostafa Saleh <smostafa@...gle.com>, <linux-mm@...ck.org>,
	<iommu@...ts.linux.dev>, <linux-kernel@...r.kernel.org>,
	<linux-doc@...r.kernel.org>
CC: <corbet@....net>, <joro@...tes.org>, <will@...nel.org>,
	<robin.murphy@....com>, <akpm@...ux-foundation.org>, <vbabka@...e.cz>,
	<surenb@...gle.com>, <mhocko@...e.com>, <jackmanb@...gle.com>,
	<hannes@...xchg.org>, <ziy@...dia.com>, <david@...hat.com>,
	<lorenzo.stoakes@...cle.com>, <Liam.Howlett@...cle.com>, <rppt@...nel.org>
Subject: Re: [RFC PATCH 0/4] iommu: Add IOMMU_DEBUG_PAGEALLOC sanitizer



On 2025/10/4 1:32, Mostafa Saleh wrote:
> Overview
> --------
> This patch series introduces a new debugging feature,
> IOMMU_DEBUG_PAGEALLOC, designed to catch DMA use-after-free bugs
> and IOMMU mapping leaks from buggy drivers.
> 
> The kernel has powerful sanitizers like KASAN and DEBUG_PAGEALLOC
> for catching CPU-side memory corruption. However, there is limited
> runtime sanitization for DMA mappings managed by the IOMMU. A buggy
> driver can free a page while it is still mapped for DMA, leading to
> memory corruption or use-after-free vulnerabilities when that page is
> reallocated and used for a different purpose.
> 
> Inspired by DEBUG_PAGEALLOC, this sanitizer tracks IOMMU mappings on a
> per-page basis. As it’s not possible to unmap the pages, because that
> would require locking and walking all domains on every kernel free, we
> instead rely on page_ext to add an IOMMU-specific mapping reference count
> for each page.
> And on each page allocated/freed from the kernel we simply check the
> count and WARN if it is not zero.
> 
> Concurrency
> -----------
> By design this check is racy where one caller can map pages just after
> the check, which can lead to false negatives.
> In my opinion this is acceptable for sanitizers (for example, KCSAN has
> that property).
> Otherwise we have to implement locks in iommu_map/unmap for all domains
> which is not favourable even for a debug feature.
> The sanitizer only guarantees that the refcount itself doesn’t get
> corrupted using atomics. And there are no false positives.
> 
> CPU vs IOMMU Page Size
> ----------------------
> IOMMUs can use different page sizes, which can be non-homogeneous;
> not even all of them have the same page size.
> 
> To solve this, the refcount is always incremented and decremented in
> units of the smallest page size supported by the IOMMU domain. This
> ensures the accounting remains consistent regardless of the size of
> the map or unmap operation, otherwise double counting can happen.
> 
> Testing & Performance
> ---------------------
> This was tested on Morello with Arm64 + SMMUv3
> Also I booted RockPi-4b with Rockchip IOMMU.
> Did some tests on Qemu including different SMMUv3/CPU page size (arm64).
> 
> I also ran dma_map_benchmark on Morello:
> 
> echo dma_map_benchmark > /sys/bus/pci/devices/0000\:06\:00.0/driver_override
> echo 0000:06:00.0 >  /sys/bus/pci/devices/0000\:06\:00.0/driver/unbind
> echo 0000:06:00.0 > /sys/bus/pci/drivers/dma_map_benchmark/bind
> ./dma_map_benchmark -t $threads -g $nr_pages
> 
> CONFIG refers to "CONFIG_IOMMU_DEBUG_PAGEALLOC"
> cmdline refers to "iommu.debug_pagealloc"
> Numbers are (map latency)/(unmap latency), lower is better.
> 
> 			CONFIG=n    CONFIG=y    CONFIG=y
> 			            cmdline=0   cmdline=1
> 4K - 1 thread		0.1/0.6     0.1/0.6     0.1/0.7
> 4K - 4 threads		0.1/1.0     0.1/1.1     0.1/1.1
> 1M - 1 thread		0.8/21.2    0.8/21.2    5.6/42.5
> 1M - 4 threads		1.1/46.3    1.1/46.1    5.9/45.5
> 
> Thanks,
> Mostafa
> 
> Mostafa Saleh (4):
>    drivers/iommu: Add page_ext for IOMMU_DEBUG_PAGEALLOC
>    drivers/iommu: Add calls for iommu debug
>    drivers/iommu-debug: Track IOMMU pages
>    drivers/iommu-debug: Check state of mapped/unmapped kernel memory
> 
>   .../admin-guide/kernel-parameters.txt         |   6 +
>   drivers/iommu/Kconfig                         |  14 ++
>   drivers/iommu/Makefile                        |   1 +
>   drivers/iommu/iommu-debug.c                   | 160 ++++++++++++++++++
>   drivers/iommu/iommu.c                         |  21 ++-
>   include/linux/iommu-debug.h                   |  24 +++
>   include/linux/mm.h                            |   7 +
>   mm/page_ext.c                                 |   4 +
>   8 files changed, 235 insertions(+), 2 deletions(-)
>   create mode 100644 drivers/iommu/iommu-debug.c
>   create mode 100644 include/linux/iommu-debug.h
> 
Hi,

I have tested the patch on kunpeng 920 and it works as expected.

Tested-by: Qinxin Xia <xiaqinxin@...wei.com>

Thanks,
Qinxin Xia
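The accounting the quoted cover letter describes (a per-page map count kept in page_ext, incremented and decremented in units of the domain's smallest page size, and checked when the kernel allocates or frees a page), as an added example that is not code from the series, from Mostafa, or from the reply above: a user-space C model. Every identifier (struct model_domain, iommu_debug_account, iommu_debug_check_page, the scenario functions) is hypothetical, the addresses and sizes are constructed, and the choice to charge every CPU page overlapped by an IOMMU unit is this model's assumption, not something the series states. The second scenario shows the "double counting" the cover letter warns about: a naive one-count-per-call scheme leaves stale counters when a 64K map is undone by sixteen 4K unmaps, which would be false positives at the next free.

```c
/*
 * Added example, not code from the series or this thread: a user-space C
 * model of the per-page IOMMU mapping refcount the cover letter describes.
 * Every identifier is a hypothetical stand-in; all inputs are constructed.
 */
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define CPU_PAGE_SHIFT	12		/* 4K CPU pages */
#define NR_PAGES	1024		/* model 4 MiB of "physical" memory */

/* Stand-in for the page_ext counter the series adds: atomics keep the count
 * itself intact under concurrent map/unmap; the check itself stays racy. */
static atomic_int iommu_map_count[NR_PAGES];

struct model_domain { unsigned long min_pgsize; };	/* smallest IOMMU page */

static int pfn_of(uint64_t paddr) { return (int)(paddr >> CPU_PAGE_SHIFT); }

static void model_reset(void)
{
	for (int i = 0; i < NR_PAGES; i++) atomic_store(&iommu_map_count[i], 0);
}

/* Account [paddr, paddr + size) in units of the domain's smallest page size:
 * every CPU page overlapped by each unit gets +1 (map) or -1 (unmap), so the
 * result is the same however the range is split across map and unmap calls. */
static int iommu_debug_account(const struct model_domain *dom, uint64_t paddr,
			       size_t size, int delta)
{
	if (!size || size % dom->min_pgsize || paddr % dom->min_pgsize)
		return -1;		/* the IOMMU core would reject this too */
	for (size_t off = 0; off < size; off += dom->min_pgsize) {
		int first = pfn_of(paddr + off);
		int last = pfn_of(paddr + off + dom->min_pgsize - 1);
		for (int pfn = first; pfn <= last; pfn++)
			atomic_fetch_add(&iommu_map_count[pfn], delta);
	}
	return 0;
}

/* Per-unit accounting, or the naive scheme: one count per call, charged to its first page. */
static void account(bool naive, const struct model_domain *dom, uint64_t paddr,
		    size_t size, int delta)
{
	if (naive)
		atomic_fetch_add(&iommu_map_count[pfn_of(paddr)], delta);
	else
		iommu_debug_account(dom, paddr, size, delta);
}

/* Model of the alloc/free hook: WARN on a non-zero IOMMU map count; true if flagged. */
static bool iommu_debug_check_page(int pfn, const char *event)
{
	int n = atomic_load(&iommu_map_count[pfn]);
	if (n)
		fprintf(stderr, "WARNING: %s of pfn %d, IOMMU map count %d\n", event, pfn, n);
	return n != 0;
}

/* A driver maps two pages, unmaps one and frees both: only the leaked page
 * may be flagged. Returns true if the model does exactly that. */
static bool scenario_leak_then_free(void)
{
	struct model_domain dom = { .min_pgsize = 4096 };
	model_reset();
	iommu_debug_account(&dom, 0x10000, 2 * 4096, +1);
	iommu_debug_account(&dom, 0x10000, 4096, -1);	/* second page leaked */
	return !iommu_debug_check_page(pfn_of(0x10000), "free") &&
	       iommu_debug_check_page(pfn_of(0x11000), "free");
}

/* Map 64K with one call, unmap it as sixteen 4K calls, and count pages left
 * non-zero: 0 with per-unit accounting, 15 with the naive scheme (each one a
 * false positive at that page's next free). */
static int scenario_mixed_granules(bool naive)
{
	struct model_domain dom = { .min_pgsize = 4096 };
	uint64_t base = 0x100000;
	int stale = 0;
	model_reset();
	account(naive, &dom, base, 16 * 4096, +1);
	for (int i = 0; i < 16; i++)
		account(naive, &dom, base + i * 4096UL, 4096, -1);
	for (int i = 0; i < 16; i++)
		stale += atomic_load(&iommu_map_count[pfn_of(base) + i]) != 0;
	return stale;
}

int main(void)
{
	printf("leaked page flagged: %d\n", scenario_leak_then_free());
	printf("stale pages after 64K map / 16x4K unmap: per-unit=%d naive=%d\n",
	       scenario_mixed_granules(false), scenario_mixed_granules(true));
	return 0;
}
```

Build with a C11 compiler (for example `cc -std=c11 -o iommu_model iommu_model.c`) and run it; the leaked page produces one WARNING line on stderr, and the mixed-granule run reports 0 stale pages for per-unit accounting against 15 for the naive scheme. The model deliberately keeps the cover letter's race: nothing stops a map from landing between the load in iommu_debug_check_page and the caller acting on it, which is the accepted false-negative window, while the atomics guarantee the counter value itself is never corrupted.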

