Re: [PATCH v5 7/9] vfio: Enable cdev noiommu mode under iommufd

[Jacob Pan]

Hi Yi,

On Wed, 20 May 2026 15:20:26 +0800
Yi Liu <yi.l.liu@xxxxxxxxx> wrote:

> >>   
> >> -#ifdef CONFIG_VFIO_GROUP_NOIOMMU
> >> +#if IS_ENABLED(CONFIG_VFIO_GROUP_NOIOMMU) ||
> >> IS_ENABLED(CONFIG_VFIO_CDEV_NOIOMMU)  
> > 
> > Have you considered what happens when these are y/n or n/y?
> > 
> > I think in the former case we can create cdev devices for
> > group-noiommu devices that are not labeled noiommu, skip the
> > CAP_SYS_RAWIO test, but will fail to bind.  In the latter case, I
> > think we fail to setup an iommufd_device and unbind will segfault.
> > 
> > We really don't need to support independently setting GROUP vs CDEV
> > NOIOMMU, the suggestion was to try to get NOIOMMU from depending on
> > VFIO_GROUP.  We can do that other ways though and I think we can do
> > it without the rename in patch 1 that will inevitably result in
> > some lost config options for NOIOMMU on upgrade.
> > 
> > The Kconfig may get messy, perhaps something like:
> > 
> > config VFIO_NOIOMMU
> > 	bool "VFIO No-IOMMU support"
> > 	depends on VFIO_GROUP || VFIO_DEVICE_CDEV
> > 	depends on !VFIO_GROUP || VFIO_CONTAINER ||
> > IOMMUFD_VFIO_CONTAINER depends on !VFIO_DEVICE_CDEV ||
> > !GENERIC_ATOMIC64 select IOMMUFD_NOIOMMU if VFIO_DEVICE_CDEV
> > 
> > Sorry if the previous suggestion sent us astray, but the subtleties
> > of independent support look tricky.  Thanks,  
> 
> this also looks better to me. Less kconfigs. :)

Just to recap our discussions, we agreed with Alex's Kconfig
and the breakdown cases are as follows:

Container = VFIO_CONTAINER || IOMMUFD_VFIO_CONTAINER

#  GROUP  Container  CDEV  NOIOMMU  Notes
-  -----  ---------  ----  -------  -----------------------
1    y       y        n     yes     Group noiommu works
2    y       n        n      no     Blocked - no container
3    y       y        y     yes     Both paths work
4    y       n        y      no     Blocked - no container
5    n       -        y     yes     Cdev-only works
6    n       -        n      no     No access path

Note that we sacrifice #4.  The tradeoff: case 4
sacrifices cdev noiommu to avoid the useless group node
problem purely in Kconfig.  The practical impact is small -
if someone wants cdev noiommu without container, they just
set GROUP=n.  This greatly simplifies the code since NULL
group checks are not needed.

OTOH, if we want #4, we can loosen the Kconfig:

	depends on !VFIO_GROUP || VFIO_DEVICE_CDEV || \
		VFIO_CONTAINER || IOMMUFD_VFIO_CONTAINER

but that would allow creating useless group nodes without a
container backend.  Enforcing VFIO_GROUP=n purely via Kconfig
is not possible since it would cause a circular dependency
(CONTAINER depends on GROUP).

I will send v6 shortly.

Thanks,
Jacob