From: Leon Romanovsky <leon@kernel.org>
To: "Christian König" <christian.koenig@amd.com>
Cc: "Jason Gunthorpe" <jgg@ziepe.ca>,
"Sumit Semwal" <sumit.semwal@linaro.org>,
"Alex Deucher" <alexander.deucher@amd.com>,
"David Airlie" <airlied@gmail.com>,
"Simona Vetter" <simona@ffwll.ch>,
"Gerd Hoffmann" <kraxel@redhat.com>,
"Dmitry Osipenko" <dmitry.osipenko@collabora.com>,
"Gurchetan Singh" <gurchetansingh@chromium.org>,
"Chia-I Wu" <olvaffe@gmail.com>,
"Maarten Lankhorst" <maarten.lankhorst@linux.intel.com>,
"Maxime Ripard" <mripard@kernel.org>,
"Thomas Zimmermann" <tzimmermann@suse.de>,
"Lucas De Marchi" <lucas.demarchi@intel.com>,
"Thomas Hellström" <thomas.hellstrom@linux.intel.com>,
"Rodrigo Vivi" <rodrigo.vivi@intel.com>,
"Kevin Tian" <kevin.tian@intel.com>,
"Joerg Roedel" <joro@8bytes.org>, "Will Deacon" <will@kernel.org>,
"Robin Murphy" <robin.murphy@arm.com>,
"Felix Kuehling" <Felix.Kuehling@amd.com>,
"Alex Williamson" <alex@shazbot.org>,
"Ankit Agrawal" <ankita@nvidia.com>,
"Vivek Kasireddy" <vivek.kasireddy@intel.com>,
linux-media@vger.kernel.org, dri-devel@lists.freedesktop.org,
linaro-mm-sig@lists.linaro.org, linux-kernel@vger.kernel.org,
amd-gfx@lists.freedesktop.org, virtualization@lists.linux.dev,
intel-xe@lists.freedesktop.org, linux-rdma@vger.kernel.org,
iommu@lists.linux.dev, kvm@vger.kernel.org
Subject: Re: [PATCH v3 3/7] dma-buf: Document RDMA non-ODP invalidate_mapping() special case
Date: Wed, 21 Jan 2026 16:31:50 +0200 [thread overview]
Message-ID: <20260121143150.GD13201@unreal> (raw)
In-Reply-To: <8689345b-241a-47f4-8e9a-61cde285bf8b@amd.com>
On Wed, Jan 21, 2026 at 03:15:46PM +0100, Christian König wrote:
> On 1/21/26 14:59, Jason Gunthorpe wrote:
> > On Wed, Jan 21, 2026 at 02:52:53PM +0100, Christian König wrote:
> >> On 1/21/26 14:18, Jason Gunthorpe wrote:
> >>> On Wed, Jan 21, 2026 at 10:17:16AM +0100, Christian König wrote:
> >>>> The whole idea is to make invalidate_mappings truly optional.
> >>>
> >>> But it's not really optional! It's absence means we are ignoring UAF
> >>> security issues when the exporters do their move_notify() and nothing
> >>> happens.
> >>
> >> No that is unproblematic.
> >>
> >> See the invalidate_mappings callback just tells the importer that
> >> the mapping in question can't be relied on any more.
> >>
> >> But the mapping is truly freed only by the importer calling
> >> dma_buf_unmap_attachment().
> >>
> >> In other words the invalidate_mappings give the signal to the
> >> importer to disable all operations and the
> >> dma_buf_unmap_attachment() is the signal from the importer that the
> >> housekeeping structures can be freed and the underlying address
> >> space or backing object re-used.
> >
> > I see
> >
> > Can we document this please, I haven't seen this scheme described
> > anyhwere.
> >
> > And let's clarify what I said in my other email that this new revoke
> > semantic is not just a signal to maybe someday unmap but a hard
> > barrier that it must be done once the fences complete, similar to
> > non-pinned importers.
>
> Well, I would avoid that semantics.
>
> Even when the exporter requests the mapping to be invalidated it does not mean that the mapping can go away immediately.
>
> It's fine when accesses initiated after an invalidation and then waiting for fences go into nirvana and have undefined results, but they should not trigger PCI AER, warnings from the IOMMU or even worse end up in some MMIO BAR of a newly attached devices.
>
> So if the exporter wants to be 100% sure that nobody is using the mapping any more then it needs to wait for the importer to call dma_buf_unmap_attachment().
>
> > The cover letter should be clarified with this understanding too.
>
> Yeah, completely agree. We really need to flash out that semantics in the documentation.
Someone knowledgeable needs to document this properly, either in the code
or in the official documentation. A cover letter is not the right place for
subtle design decisions.
Thanks
>
> Regards,
> Christian.
>
> >
> > Jason
>
next prev parent reply other threads:[~2026-01-21 14:31 UTC|newest]
Thread overview: 40+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-01-20 14:07 [PATCH v3 0/7] dma-buf: Use revoke mechanism to invalidate shared buffers Leon Romanovsky
2026-01-20 14:07 ` [PATCH v3 1/7] dma-buf: Rename .move_notify() callback to a clearer identifier Leon Romanovsky
2026-01-21 8:33 ` Christian König
2026-01-21 8:41 ` Leon Romanovsky
2026-01-20 14:07 ` [PATCH v3 2/7] dma-buf: Always build with DMABUF_MOVE_NOTIFY Leon Romanovsky
2026-01-21 8:55 ` Christian König
2026-01-21 10:14 ` Leon Romanovsky
2026-01-21 10:57 ` Christian König
2026-01-20 14:07 ` [PATCH v3 3/7] dma-buf: Document RDMA non-ODP invalidate_mapping() special case Leon Romanovsky
2026-01-21 8:59 ` Christian König
2026-01-21 9:14 ` Leon Romanovsky
2026-01-21 9:17 ` Christian König
2026-01-21 13:18 ` Jason Gunthorpe
2026-01-21 13:52 ` Christian König
2026-01-21 13:59 ` Jason Gunthorpe
2026-01-21 14:15 ` Christian König
2026-01-21 14:31 ` Leon Romanovsky [this message]
2026-01-21 15:39 ` Jason Gunthorpe
2026-01-20 14:07 ` [PATCH v3 4/7] dma-buf: Add check function for revoke semantics Leon Romanovsky
2026-01-20 14:07 ` [PATCH v3 5/7] iommufd: Pin dma-buf importer " Leon Romanovsky
2026-01-21 9:01 ` Christian König
2026-01-20 14:07 ` [PATCH v3 6/7] vfio: Wait for dma-buf invalidation to complete Leon Romanovsky
2026-01-20 20:44 ` Matthew Brost
2026-01-21 7:59 ` Leon Romanovsky
2026-01-21 10:41 ` Christian König
2026-01-21 10:44 ` Leon Romanovsky
2026-01-21 17:18 ` Matthew Brost
2026-01-21 9:20 ` Christian König
2026-01-21 9:36 ` Thomas Hellström
2026-01-21 10:55 ` Christian König
2026-01-21 13:31 ` Jason Gunthorpe
2026-01-21 15:28 ` Christian König
2026-01-21 16:01 ` Jason Gunthorpe
2026-01-21 19:45 ` Leon Romanovsky
2026-01-22 11:32 ` Christian König
2026-01-22 23:44 ` Jason Gunthorpe
2026-01-23 14:11 ` Jason Gunthorpe
2026-01-23 16:23 ` Christian König
2026-01-23 16:31 ` Jason Gunthorpe
2026-01-20 14:07 ` [PATCH v3 7/7] vfio: Validate dma-buf revocation semantics Leon Romanovsky
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260121143150.GD13201@unreal \
--to=leon@kernel.org \
--cc=Felix.Kuehling@amd.com \
--cc=airlied@gmail.com \
--cc=alex@shazbot.org \
--cc=alexander.deucher@amd.com \
--cc=amd-gfx@lists.freedesktop.org \
--cc=ankita@nvidia.com \
--cc=christian.koenig@amd.com \
--cc=dmitry.osipenko@collabora.com \
--cc=dri-devel@lists.freedesktop.org \
--cc=gurchetansingh@chromium.org \
--cc=intel-xe@lists.freedesktop.org \
--cc=iommu@lists.linux.dev \
--cc=jgg@ziepe.ca \
--cc=joro@8bytes.org \
--cc=kevin.tian@intel.com \
--cc=kraxel@redhat.com \
--cc=kvm@vger.kernel.org \
--cc=linaro-mm-sig@lists.linaro.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-media@vger.kernel.org \
--cc=linux-rdma@vger.kernel.org \
--cc=lucas.demarchi@intel.com \
--cc=maarten.lankhorst@linux.intel.com \
--cc=mripard@kernel.org \
--cc=olvaffe@gmail.com \
--cc=robin.murphy@arm.com \
--cc=rodrigo.vivi@intel.com \
--cc=simona@ffwll.ch \
--cc=sumit.semwal@linaro.org \
--cc=thomas.hellstrom@linux.intel.com \
--cc=tzimmermann@suse.de \
--cc=virtualization@lists.linux.dev \
--cc=vivek.kasireddy@intel.com \
--cc=will@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox