The dma-buf pseudo filesystem dispenses S_ANON_INODE inodes via
alloc_anon_inode() but never sets SB_I_NOEXEC on its superblock.
Since commit 1e7ab6f67824 ("anon_inode: rework assertions") in 6.17,
path_noexec() warns on exactly that combination, so an mmap() on any
dma-buf fd trips the warning:

    WARNING: CPU: 11 PID: 121813 at fs/exec.c:118 path_noexec+0x47/0x50
    do_mmap+0x2b5/0x680
    vm_mmap_pgoff+0x129/0x210
    ksys_mmap_pgoff+0x177/0x240
    __x64_sys_mmap+0x33/0x70

dma-bufs have no business being executable, which is the invariant
that the new assertion is enforcing. Set SB_I_NOEXEC on the dmabuf
superblock.

Reproducer on a CONFIG_DEBUG_VFS=y kernel:

    make -C tools/testing/selftests/dmabuf-heaps
    sudo ./tools/testing/selftests/dmabuf-heaps/dmabuf-heap -t system

The selftest allocates from /dev/dma_heap/system and mmaps the
returned fd, which trips the warning without this patch.

Fixes: 1e7ab6f67824 ("anon_inode: rework assertions")
Cc: stable@vger.kernel.org
Signed-off-by: John Hubbard <jhubbard@nvidia.com>
---
drivers/dma-buf/dma-buf.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/dma-buf/dma-buf.c b/drivers/dma-buf/dma-buf.c
index 71f37544a5c6..d86a99d7b8dc 100644
--- a/drivers/dma-buf/dma-buf.c
+++ b/drivers/dma-buf/dma-buf.c
@@ -216,6 +216,7 @@ static int dma_buf_fs_init_context(struct fs_context *fc)
if (!ctx)
return -ENOMEM;
ctx->dops = &dma_buf_dentry_ops;
+ fc->s_iflags |= SB_I_NOEXEC;
return 0;
}
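Review bot: the added line in dma_buf_fs_init_context() raises only SB_I_NOEXEC, although this pseudo filesystem creates no device nodes either, so SB_I_NODEV can be set in the same statement as extra hardening: `fc->s_iflags |= SB_I_NOEXEC | SB_I_NODEV;`. A one-line comment above it naming the path_noexec() assertion for S_ANON_INODE inodes would also record why the flag has to be set at context-init time, since nothing in the function otherwise explains it.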
--
2.54.0
On Wed, May 20, 2026 at 02:43:50PM -0700, John Hubbard wrote:
> The dma-buf pseudo filesystem dispenses S_ANON_INODE inodes via
> alloc_anon_inode() but never sets SB_I_NOEXEC on its superblock.
> Since commit 1e7ab6f67824 ("anon_inode: rework assertions") in 6.17,
> path_noexec() warns on exactly that combination, so an mmap() on any
> dma-buf fd trips the warning:
>
> WARNING: CPU: 11 PID: 121813 at fs/exec.c:118 path_noexec+0x47/0x50
> do_mmap+0x2b5/0x680
> vm_mmap_pgoff+0x129/0x210
> ksys_mmap_pgoff+0x177/0x240
> __x64_sys_mmap+0x33/0x70
>
> dma-bufs have no business being executable, which is the invariant
> that the new assertion is enforcing. Set SB_I_NOEXEC on the dmabuf
> superblock.
>
> Reproducer on a CONFIG_DEBUG_VFS=y kernel:
>
> make -C tools/testing/selftests/dmabuf-heaps
> sudo ./tools/testing/selftests/dmabuf-heaps/dmabuf-heap -t system
>
> The selftest allocates from /dev/dma_heap/system and mmaps the
> returned fd, which trips the warning without this patch.
>
> Fixes: 1e7ab6f67824 ("anon_inode: rework assertions")
> Cc: stable@vger.kernel.org
> Signed-off-by: John Hubbard <jhubbard@nvidia.com>
> ---

Perfect, the asserts are paying off. Thanks!
Reviewed-by: Christian Brauner (Amutable) <brauner@kernel.org>

> drivers/dma-buf/dma-buf.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/drivers/dma-buf/dma-buf.c b/drivers/dma-buf/dma-buf.c
> index 71f37544a5c6..d86a99d7b8dc 100644
> --- a/drivers/dma-buf/dma-buf.c
> +++ b/drivers/dma-buf/dma-buf.c
> @@ -216,6 +216,7 @@ static int dma_buf_fs_init_context(struct fs_context *fc)
> if (!ctx)
> return -ENOMEM;
> ctx->dops = &dma_buf_dentry_ops;
> + fc->s_iflags |= SB_I_NOEXEC;

While you're at it, also raise SB_I_NODEV. You're not creating any
device nodes and this is additional hardening.

On 5/21/26 4:54 AM, Christian Brauner wrote:
> On Wed, May 20, 2026 at 02:43:50PM -0700, John Hubbard wrote:
>> The dma-buf pseudo filesystem dispenses S_ANON_INODE inodes via
>> alloc_anon_inode() but never sets SB_I_NOEXEC on its superblock.
>> Since commit 1e7ab6f67824 ("anon_inode: rework assertions") in 6.17,
>> path_noexec() warns on exactly that combination, so an mmap() on any
>> dma-buf fd trips the warning:
>>
>> WARNING: CPU: 11 PID: 121813 at fs/exec.c:118 path_noexec+0x47/0x50
>> do_mmap+0x2b5/0x680
>> vm_mmap_pgoff+0x129/0x210
>> ksys_mmap_pgoff+0x177/0x240
>> __x64_sys_mmap+0x33/0x70
>>
>> dma-bufs have no business being executable, which is the invariant
>> that the new assertion is enforcing. Set SB_I_NOEXEC on the dmabuf
>> superblock.
>>
>> Reproducer on a CONFIG_DEBUG_VFS=y kernel:
>>
>> make -C tools/testing/selftests/dmabuf-heaps
>> sudo ./tools/testing/selftests/dmabuf-heaps/dmabuf-heap -t system
>>
>> The selftest allocates from /dev/dma_heap/system and mmaps the
>> returned fd, which trips the warning without this patch.
>>
>> Fixes: 1e7ab6f67824 ("anon_inode: rework assertions")
>> Cc: stable@vger.kernel.org
>> Signed-off-by: John Hubbard <jhubbard@nvidia.com>
>> ---
>
> Perfect, the asserts are paying off. Thanks!
> Reviewed-by: Christian Brauner (Amutable) <brauner@kernel.org>

Thanks for the review!

>
>> drivers/dma-buf/dma-buf.c | 1 +
>> 1 file changed, 1 insertion(+)
>>
>> diff --git a/drivers/dma-buf/dma-buf.c b/drivers/dma-buf/dma-buf.c
>> index 71f37544a5c6..d86a99d7b8dc 100644
>> --- a/drivers/dma-buf/dma-buf.c
>> +++ b/drivers/dma-buf/dma-buf.c
>> @@ -216,6 +216,7 @@ static int dma_buf_fs_init_context(struct fs_context *fc)
>> if (!ctx)
>> return -ENOMEM;
>> ctx->dops = &dma_buf_dentry_ops;
>> + fc->s_iflags |= SB_I_NOEXEC;
>
> While you're at it, also raise SB_I_NODEV. You're not creating any
> device nodes and this is additional hardening.

OK, I'll add that and send out a v2, after collecting any other
feedback on this one.

thanks,
--
John Hubbard