From: Kees Cook <kees@kernel.org>
To: Christian Brauner <brauner@kernel.org>
Cc: "Kees Cook" <kees@kernel.org>,
	syzbot+a9391462075ffb9f77c6@syzkaller.appspotmail.com,
	"Sumit Semwal" <sumit.semwal@linaro.org>,
	"Christian König" <christian.koenig@amd.com>,
	linux-media@vger.kernel.org, dri-devel@lists.freedesktop.org,
	linaro-mm-sig@lists.linaro.org, linux-kernel@vger.kernel.org,
	linux-hardening@vger.kernel.org
Subject: [PATCH] dma-buf: use SB_I_NOEXEC and SB_I_NODEV
Date: Tue,  7 Oct 2025 23:10:32 -0700
Message-ID: <20251008061027.work.515-kees@kernel.org>

The dma-buf pseudo-filesystem should never have executable mappings nor
device nodes. Set SB_I_NOEXEC and SB_I_NODEV on the superblock to enforce
this at the filesystem level, similar to secretmem, commit 98f99394a104
("secretmem: use SB_I_NOEXEC").

Fix the syzbot-reported warning from the exec code to enforce this
requirement:

> WARNING: CPU: 1 PID: 6000 at fs/exec.c:119 path_noexec+0x1af/0x200 fs/exec.c:118
> Modules linked in:
> CPU: 1 UID: 0 PID: 6000 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full)
> RIP: 0010:path_noexec+0x1af/0x200 fs/exec.c:118
> Call Trace:
>  <TASK>
>  do_mmap+0xa43/0x10d0 mm/mmap.c:469
>  vm_mmap_pgoff+0x2a6/0x4d0 mm/util.c:580
>  ksys_mmap_pgoff+0x51f/0x760 mm/mmap.c:604
>  do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
>  do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
>  entry_SYSCALL_64_after_hwframe+0x77/0x7f

Reported-by: syzbot+a9391462075ffb9f77c6@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/68dc3ade.a70a0220.10c4b.015b.GAE@google.com/
Signed-off-by: Kees Cook <kees@kernel.org>
---
Cc: Christian Brauner <brauner@kernel.org>
Cc: Sumit Semwal <sumit.semwal@linaro.org>
Cc: "Christian König" <christian.koenig@amd.com>
Cc: syzbot+a9391462075ffb9f77c6@syzkaller.appspotmail.com
Cc: <linux-media@vger.kernel.org>
Cc: <dri-devel@lists.freedesktop.org>
Cc: <linaro-mm-sig@lists.linaro.org>
---
 drivers/dma-buf/dma-buf.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/dma-buf/dma-buf.c b/drivers/dma-buf/dma-buf.c
index 2bcf9ceca997..6e2ab1a4560d 100644
--- a/drivers/dma-buf/dma-buf.c
+++ b/drivers/dma-buf/dma-buf.c
@@ -189,6 +189,8 @@ static int dma_buf_fs_init_context(struct fs_context *fc)
 {
 	struct pseudo_fs_context *ctx;
 
+	fc->s_iflags |= SB_I_NOEXEC;
+	fc->s_iflags |= SB_I_NODEV;
 	ctx = init_pseudo(fc, DMA_BUF_MAGIC);
 	if (!ctx)
 		return -ENOMEM;
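
Review bot: the two added lines at the top of dma_buf_fs_init_context() set bits in the same field and can be one statement, `fc->s_iflags |= SB_I_NOEXEC | SB_I_NODEV;`, which keeps the hardening policy for this pseudo-filesystem readable in one place. The changelog ties SB_I_NOEXEC to the path_noexec warning in the quoted trace, but SB_I_NODEV is justified only by the opening sentence; a short comment above the assignment saying that dma-buf files never need executable mappings or device nodes would record the intent next to the code. The message also carries no Fixes: tag, so it is worth stating whether the change that made this warning reachable can be identified and whether the fix should be backported.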
-- 
2.34.1

