From: Jason Gunthorpe <jgg@ziepe.ca>
To: Leon Romanovsky <leon@kernel.org>
Cc: "Sumit Semwal" <sumit.semwal@linaro.org>,
"Christian König" <christian.koenig@amd.com>,
"Alex Deucher" <alexander.deucher@amd.com>,
"David Airlie" <airlied@gmail.com>,
"Simona Vetter" <simona@ffwll.ch>,
"Gerd Hoffmann" <kraxel@redhat.com>,
"Dmitry Osipenko" <dmitry.osipenko@collabora.com>,
"Gurchetan Singh" <gurchetansingh@chromium.org>,
"Chia-I Wu" <olvaffe@gmail.com>,
"Maarten Lankhorst" <maarten.lankhorst@linux.intel.com>,
"Maxime Ripard" <mripard@kernel.org>,
"Thomas Zimmermann" <tzimmermann@suse.de>,
"Lucas De Marchi" <lucas.demarchi@intel.com>,
"Thomas Hellström" <thomas.hellstrom@linux.intel.com>,
"Rodrigo Vivi" <rodrigo.vivi@intel.com>,
"Kevin Tian" <kevin.tian@intel.com>,
"Joerg Roedel" <joro@8bytes.org>, "Will Deacon" <will@kernel.org>,
"Robin Murphy" <robin.murphy@arm.com>,
"Alex Williamson" <alex@shazbot.org>,
linux-media@vger.kernel.org, dri-devel@lists.freedesktop.org,
linaro-mm-sig@lists.linaro.org, linux-kernel@vger.kernel.org,
amd-gfx@lists.freedesktop.org, virtualization@lists.linux.dev,
intel-xe@lists.freedesktop.org, linux-rdma@vger.kernel.org,
iommu@lists.linux.dev, kvm@vger.kernel.org
Subject: Re: [PATCH v2 0/4] dma-buf: document revoke mechanism to invalidate shared buffers
Date: Mon, 19 Jan 2026 12:58:43 -0400
Message-ID: <20260119165843.GH961572@ziepe.ca>
In-Reply-To: <20260118-dmabuf-revoke-v2-0-a03bb27c0875@nvidia.com>

On Sun, Jan 18, 2026 at 02:08:44PM +0200, Leon Romanovsky wrote:
> Changelog:
> v2:
> * Changed series to document the revoke semantics instead of
> implementing it.
> v1: https://patch.msgid.link/20260111-dmabuf-revoke-v1-0-fb4bcc8c259b@nvidia.com
>
> -------------------------------------------------------------------------
> This series documents a dma-buf “revoke” mechanism: to allow a dma-buf
> exporter to explicitly invalidate (“kill”) a shared buffer after it has
> been distributed to importers, so that further CPU and device access is
> prevented and importers reliably observe failure.
>
> The change in this series is to properly document and use existing core
> “revoked” state on the dma-buf object and a corresponding exporter-triggered
> revoke operation. Once a dma-buf is revoked, new access paths are blocked so
> that attempts to DMA-map, vmap, or mmap the buffer fail in a consistent way.

I think it would help to explain the bigger picture in the cover letter:

DMABUF has quietly allowed calling move_notify on pinned DMABUFs, even
though legacy importers using dma_buf_attach() would simply ignore
these calls.

RDMA saw this and needed to use allow_peer2peer=true, so implemented a
new-style pinned importer with an explicitly non-working move_notify()
callback.

This has been tolerable because the existing exporters are thought to
only call move_notify() on a pinned DMABUF under RAS events and we
have been willing to tolerate the UAF that results by allowing the
importer to continue to use the mapping in this rare case.

VFIO wants to implement a pin supporting exporter that will issue a
revoking move_notify() around FLRs and a few other user triggerable
operations. Since this is much more common we are not willing to
tolerate the security UAF caused by interworking with
non-move_notify() supporting drivers. Thus till now VFIO has required
dynamic importers, even though it never actually moves the buffer
location.

To allow VFIO to work with pinned importers, according to how DMABUF
was intended, we need to allow VFIO to detect if an importer is legacy
or RDMA and does not actually implement move_notify().

Introduce a new function that exporters can call to detect these less
capable importers. VFIO can then refuse to accept them during attach.

In theory all exporters that call move_notify() on pinned DMABUFs
should call this function, however that would break a number of widely
used NIC/GPU flows. Thus for now do not spread this further than VFIO
until we can understand how much of RDMA can implement the full
semantic.

In the process clarify how move_notify is intended to be used with
pinned DMABUFs.

Jason
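
Added illustration, not code from this thread or from the kernel: a userspace C model of the attach-time check the message describes, showing which importer kinds keep a stale mapping after a revoke and how refusing them at attach removes that case. The struct layout, the `honors_revoke` flag and every function name are assumptions made for the example; the series' actual detection function does not appear on this page.

```c
/* Userspace model; all names are hypothetical, not the kernel dma-buf API. */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
struct attachment { const struct importer_ops *ops; bool mapped; };
struct importer_ops {
	void (*move_notify)(struct attachment *at); /* NULL: legacy importer */
	bool honors_revoke; /* assumed flag: the callback really unmaps */
};
static void noop_notify(struct attachment *at) { (void)at; } /* RDMA-style */
static void real_notify(struct attachment *at) { at->mapped = false; }
static const struct importer_ops legacy_ops = { NULL, false };
static const struct importer_ops rdma_ops = { noop_notify, false };
static const struct importer_ops dynamic_ops = { real_notify, true };

/* Exporter-side check: can this importer actually be revoked? */
static bool importer_can_revoke(const struct importer_ops *ops)
{
	return ops && ops->move_notify && ops->honors_revoke;
}
/* strict models an exporter that revokes on user-triggerable events. */
static int exporter_attach(struct attachment *at, const struct importer_ops *ops, bool strict)
{
	if (strict && !importer_can_revoke(ops))
		return -EOPNOTSUPP;
	at->ops = ops;
	at->mapped = true;
	return 0;
}
/* Notify every importer, then count mappings that survived the revoke. */
static int exporter_revoke(struct attachment *ats, size_t n)
{
	int stale = 0;
	for (size_t i = 0; i < n; i++) {
		if (ats[i].ops && ats[i].ops->move_notify)
			ats[i].ops->move_notify(&ats[i]);
		stale += ats[i].mapped;
	}
	return stale;
}
/* Attach one importer of each kind, revoke, return the stale-mapping count. */
int demo(bool strict)
{
	const struct importer_ops *kinds[] = { &legacy_ops, &rdma_ops, &dynamic_ops };
	struct attachment ats[3] = { { NULL, false } };
	for (size_t i = 0; i < 3; i++)
		(void)exporter_attach(&ats[i], kinds[i], strict);
	return exporter_revoke(ats, 3);
}
```

In this model `demo(false)` leaves the legacy and RDMA-style mappings live after the revoke, while `demo(true)` never attaches them, so nothing is left pointing at the revoked buffer.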