The dma-buf pseudo filesystem dispenses S_ANON_INODE inodes via alloc_anon_inode() but never sets SB_I_NOEXEC on its superblock. Since commit 1e7ab6f67824 ("anon_inode: rework assertions") in 6.17, path_noexec() warns on exactly that combination, so an mmap() on any dma-buf fd trips the warning:
WARNING: CPU: 11 PID: 121813 at fs/exec.c:118 path_noexec+0x47/0x50 do_mmap+0x2b5/0x680 vm_mmap_pgoff+0x129/0x210 ksys_mmap_pgoff+0x177/0x240 __x64_sys_mmap+0x33/0x70
dma-bufs have no business being executable, which is the invariant that the new assertion is enforcing. Set SB_I_NOEXEC. Also set SB_I_NODEV, since the pseudo filesystem creates no device nodes.
Reproducer on a CONFIG_DEBUG_VFS=y kernel:
make -C tools/testing/selftests/dmabuf-heaps sudo ./tools/testing/selftests/dmabuf-heaps/dmabuf-heap -t system
The selftest allocates from /dev/dma_heap/system and mmaps the returned fd, which trips the warning without this patch.
Fixes: 1e7ab6f67824 ("anon_inode: rework assertions") Cc: stable@vger.kernel.org Reviewed-by: Christian Brauner (Amutable) brauner@kernel.org Signed-off-by: John Hubbard jhubbard@nvidia.com ---
Changes since v1:
* Also set SB_I_NODEV (suggested by Christian Brauner). * Added Christian Brauner's Reviewed-by tag (thanks!)
drivers/dma-buf/dma-buf.c | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/drivers/dma-buf/dma-buf.c b/drivers/dma-buf/dma-buf.c index 71f37544a5c6..ea1ddd4293b2 100644 --- a/drivers/dma-buf/dma-buf.c +++ b/drivers/dma-buf/dma-buf.c @@ -216,6 +216,8 @@ static int dma_buf_fs_init_context(struct fs_context *fc) if (!ctx) return -ENOMEM; ctx->dops = &dma_buf_dentry_ops; + fc->s_iflags |= SB_I_NOEXEC; + fc->s_iflags |= SB_I_NODEV; return 0; }
base-commit: 6779b50faa562e6cca1aa6a4649a4d764c6c7e28
On Fri, May 22, 2026 at 06:11:17PM -0700, John Hubbard wrote:
The dma-buf pseudo filesystem dispenses S_ANON_INODE inodes via alloc_anon_inode() but never sets SB_I_NOEXEC on its superblock. Since commit 1e7ab6f67824 ("anon_inode: rework assertions") in 6.17, path_noexec() warns on exactly that combination, so an mmap() on any dma-buf fd trips the warning:
Just as last time this came up, we really should set this higher up. There isn't really a reason why pseudofses should not set SB_I_NOEXEC by default.
On 5/24/26 10:55 PM, Christoph Hellwig wrote:
On Fri, May 22, 2026 at 06:11:17PM -0700, John Hubbard wrote:
The dma-buf pseudo filesystem dispenses S_ANON_INODE inodes via alloc_anon_inode() but never sets SB_I_NOEXEC on its superblock. Since commit 1e7ab6f67824 ("anon_inode: rework assertions") in 6.17, path_noexec() warns on exactly that combination, so an mmap() on any dma-buf fd trips the warning:
Just as last time this came up, we really should set this higher up. There isn't really a reason why pseudofses should not set SB_I_NOEXEC by default.
Ha, I see now that there is some history to this.
After looking at the email history and the code, it does seem like the time is right to do that. I'm testing out a tiny series to set these flags in init_pseudo(), and then to *not* redundantly set them elsewhere, I'll post it shortly.
thanks,
linaro-mm-sig@lists.linaro.org
-
Christoph Hellwig -
John Hubbard