On Fri, Feb 27, 2026 at 11:05:24AM +0100, Christian König wrote:
On 2/26/26 21:22, Matt Evans wrote:
Add a new dma-buf ioctl() op, DMA_BUF_IOCTL_REVOKE, connected to a new (optional) dma_buf_ops callback, revoke(). An exporter receiving this will _permanently_ revoke the DMABUF, meaning it can no longer be mapped/attached/mmap()ed. It also guarantees that existing importers have been detached (e.g. via move_notify) and all mappings made inaccessible.
This is useful for lifecycle management in scenarios where a process has created a DMABUF representing a resource, then delegated it to a client process; access to the resource is revoked when the client is deemed "done", and the resource can be safely re-used elsewhere.
Well that means revoking from the importer side. That absolutely doesn't make sense to me.
Why would you do that?
They are building a "vending process" to wrapper VFIO. They want to send a little bit of MMIO space wrapped in a DMABUF to some other process over a unix FD. At some later point the vending process will want to revoke the MMIO so it will issue this IOCTL to the DMABUF FD it held on to. That will render the FD unusable wherever else it happened to go.
I had a similar discussion about other iommu features where they want to insert security protocols into this vending sequence.
IDK if this should be generic DMABUF or not. Another option is to add a new VFIO ioctl that does the revoke and takes in a DMABUF FD. If it is a VFIO DMABUF FD then it will revoke it as desired here using the VFIO machinery.
Jason