On Wed, May 20, 2026 at 02:43:50PM -0700, John Hubbard wrote:
> The dma-buf pseudo filesystem dispenses S_ANON_INODE inodes via
> alloc_anon_inode() but never sets SB_I_NOEXEC on its superblock.
> Since commit 1e7ab6f67824 ("anon_inode: rework assertions") in 6.17,
> path_noexec() warns on exactly that combination, so an mmap() on any
> dma-buf fd trips the warning:
> 
>   WARNING: CPU: 11 PID: 121813 at fs/exec.c:118 path_noexec+0x47/0x50
>    do_mmap+0x2b5/0x680
>    vm_mmap_pgoff+0x129/0x210
>    ksys_mmap_pgoff+0x177/0x240
>    __x64_sys_mmap+0x33/0x70
> 
> dma-bufs have no business being executable, which is the invariant
> that the new assertion is enforcing. Set SB_I_NOEXEC on the dmabuf
> superblock.
> 
> Reproducer on a CONFIG_DEBUG_VFS=y kernel:
> 
>   make -C tools/testing/selftests/dmabuf-heaps
>   sudo ./tools/testing/selftests/dmabuf-heaps/dmabuf-heap -t system
> 
> The selftest allocates from /dev/dma_heap/system and mmaps the
> returned fd, which trips the warning without this patch.
> 
> Fixes: 1e7ab6f67824 ("anon_inode: rework assertions")
> Cc: [email protected]
> Signed-off-by: John Hubbard <[email protected]>
> ---

Perfect, the asserts are paying off. Thanks!
Reviewed-by: Christian Brauner (Amutable) <[email protected]>

>  drivers/dma-buf/dma-buf.c | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/drivers/dma-buf/dma-buf.c b/drivers/dma-buf/dma-buf.c
> index 71f37544a5c6..d86a99d7b8dc 100644
> --- a/drivers/dma-buf/dma-buf.c
> +++ b/drivers/dma-buf/dma-buf.c
> @@ -216,6 +216,7 @@ static int dma_buf_fs_init_context(struct fs_context *fc)
>       if (!ctx)
>               return -ENOMEM;
>       ctx->dops = &dma_buf_dentry_ops;
> +     fc->s_iflags |= SB_I_NOEXEC;
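
Review bot: The added `fc->s_iflags |= SB_I_NOEXEC;` line in dma_buf_fs_init_context() has no comment saying why the flag is required. The reason is only in the commit message: the superblock hands out anonymous inodes through alloc_anon_inode(), and path_noexec() warns when such an inode sits on a superblock without SB_I_NOEXEC. A one-line comment above the assignment stating that would keep the flag from being dropped in a later cleanup of the init-context function. The quoted selftest run (dmabuf-heap -t system on a CONFIG_DEBUG_VFS=y kernel) is a reasonable regression check to mention alongside it.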

While you're at it, also raise SB_I_NODEV. You're not creating any
device nodes and this is additional hardening.
