Re: [PATCH 3/9] vfio/pci: Add a helper to create a DMABUF for a BAR-map VMA

From: Matt Evans

Date: Wed May 06 2026 - 15:04:01 EST

Hi again Jason,

On 05/05/2026 19:13, Matt Evans wrote:
Hi Jason,

On 30/04/2026 18:11, Jason Gunthorpe wrote:

On Thu, Apr 30, 2026 at 05:47:49PM +0100, Matt Evans wrote:
On Thu, Apr 16, 2026 at 06:17:46AM -0700, Matt Evans wrote:
+int vfio_pci_core_mmap_prep_dmabuf(struct vfio_pci_core_device *vdev,
+                   struct vm_area_struct *vma,
+                   u64 phys_start, u64 req_len,
+                   unsigned int res_index)
+{
+    struct vfio_pci_dma_buf *priv;
+    const unsigned int nr_ranges = 1;
+    int ret;
+
+    priv = kzalloc_obj(*priv);
+    if (!priv)
+        return -ENOMEM;
+
+    priv->phys_vec = kzalloc_obj(*priv->phys_vec);
+    if (!priv->phys_vec) {
+        ret = -ENOMEM;
+        goto err_free_priv;
+    }
+
+    /*
+     * The mmap() request's vma->vm_offs might be non-zero, but
+     * the DMABUF is created from _offset zero_ of the BAR.  The
+     * portion between zero and the vm_offs is inaccessible
+     * through this VMA, but this approach keeps the
+     * /proc/<pid>/maps offset somewhat consistent with the
+     * pre-DMABUF code.  Size includes the offset portion.

I'm not sure I understand this comment?

For the old path vm_pgoff for byte 0 of the bar starts at some large
offset

For the new path vm_pgoff for byte 0 of the first range starts at 0

Glad you asked.  :)

This is trying to achieve keeping /proc/<pid>/maps (or similar) somewhat
as informative as pre-DMABUF BAR mmap, in terms of keeping the VMA
vm_offs column useful.  Before this patch, say you mmap() two slices A
and B of the same BAR:

  struct vfio_region_info bar_region;

  vm_a = mmap(0, 0x1000, ..., device_fd, bar_region.offset + 0);
  vm_b = mmap(0, 0x1000, ..., device_fd, bar_region.offset + 0x4000);

...you'd see something like this in /proc/blah/maps:

fffff4000000-fffff4001000 rw-s 10000000000 00:07 148     /dev/vfio/ devices/vfio0
fffff5000000-fffff5001000 rw-s 10000004000 00:07 148     /dev/vfio/ devices/vfio0

Looking at this again, I/we got this backwards and I mixed up two things:

The goal of this patch _is already_ to make sure the VMA's vm_pgoff (whether viewed in /proc/<pid>/maps or elsewhere) still matches the mmap()'s offset.

(For a mo, ignore the resource index encoded into the offset. Consider just the offset into the BAR itself, inside the VFIO_PCI_OFFSET_MASK. I'll come back to the index encoded into the upper bits.)

then the VMA's vm_offs would need to be thunked back down to 0 (since
the fault handler then treats vm_b + 0 as the first byte of the DMABUF).
That works/adds up, but then the vm_offs of both VMAs A & B both have
offset 0, and it's harder to differentiate in /proc/blah/maps.

Yes, and that would be correct.

Why? This paragraph was outlining a hypothetical alternative implementation that creates the DMABUF the size of the VMA and starting from an offset into the BAR based on vm_pgoff, and then compensates by setting vma->vm_pgoff = 0 so that the fault doesn't re-apply the offset again. That would make byte 0 of the VMA access correct:

BAR_start + (vma->vm_pgoff << PAGE_SHIFT) [1]

But it would...

The VMA output of lspci should show the exact pgoff passed to mmap and
nothing else. Do not mangle it for "debugging".
>>>> pgoff is not to be used to show random internal FD details..

...definitely break this property, no?

This patch is supporting that property by instead creating the DMABUF so that the VMA's vm_pgoff (which is maintained and the same* as passed from mmap()!) indexes the DMABUF so that byte 0 of the VMA accesses the same address above in [1]. The DMABUF spans from the start of the BAR so the fault handler maths (which indexes the DMABUF by vm_pgoffs) is common for all buffers.

a = mmap(0, 0x10000, ..., device_fd, 0x4000);

+0 +0x4000
+------------v------------------------------------------+
| BAR |
| |
+------------^------------------------------------------+
. .
. +--------------------------+
. | VMA |
. | vma->vm_pgoff = 4 |
. +--------------------------+
. . .
+------------+--------------------------+
| invisible | DMABUF |
| | |
+------------+--------------------------+

Same* externally-observable behaviour as the old mmap().

We could possibly stash the original offset somewhere and then render it
in the name string, but the name's already about the max size and using
the existing vm_offs column is nicer IMO, doesn't need a new field, etc.

I need to work on this comment then!  What this is trying to say is that
the DMABUF is made artificially larger than the part that is visible
through the VMA.

Yuk, that's another reason not to do this.
Apart from the yuk part, do we have a specific concern with the invisible portion? Perhaps if one could fish out a DMABUF fd somehow (it's a file, but no scalar fd is returned to userspace) then the lower BAR addresses could get mmap()ed. Isn't that at worst as permissive as a "closed" VFIO device fd which could get fished out, e.g. /proc/<pid>/map_files, and mmap()ed again?

I went through other approaches, but they either need special-casing in the fault handler or DMABUF-to-PFN helper, or as above would modify the vma->vm_offs. This seemed best overall though, as ever, open to ideas.


*: Region offset:

OK, so this patch strips out the high bits of the offset early, so that's disappeared from /proc/<pid>/maps etc. You're right to point out that the resource index could be carried such that the vma->vm_pgoff really is identical throughout. I'll restore that so that the VMA's vm_offs is identical to that passed via mmap().

Does that seem reasonable?


Thanks,


Matt