Re: [PATCH] vfio/pci: Don't export DMABUFs for unmappable BARs
From: Matt Evans
Date: Thu Apr 16 2026 - 14:03:53 EST
Hi Leon,
On 16/04/2026 14:14, Leon Romanovsky wrote:
On Thu, Apr 16, 2026 at 02:05:30PM +0100, Matt Evans wrote:
Hi Leon,
On 16/04/2026 09:11, Leon Romanovsky wrote:
On Wed, Apr 15, 2026 at 11:16:23AM -0700, Matt Evans wrote:
Although vfio_pci_core_feature_dma_buf() validates that both requested
DMABUF ranges and the PCI resources being referenced are page-aligned,
there may be reasons other than alignment that cause a BAR to be
unmappable.
Add a check for vdev->bar_mmap_supported[index], similar to the VFIO
mmap path.
Fixes: 5d74781ebc86c ("vfio/pci: Add dma-buf export support for MMIO regions")
Signed-off-by: Matt Evans <mattev@xxxxxxxx>
---
drivers/vfio/pci/vfio_pci_dmabuf.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/vfio/pci/vfio_pci_dmabuf.c b/drivers/vfio/pci/vfio_pci_dmabuf.c
index f87fd32e4a01..4ccaf3531e02 100644
--- a/drivers/vfio/pci/vfio_pci_dmabuf.c
+++ b/drivers/vfio/pci/vfio_pci_dmabuf.c
@@ -249,6 +249,9 @@ int vfio_pci_core_feature_dma_buf(struct vfio_pci_core_device *vdev, u32 flags,
if (get_dma_buf.region_index >= VFIO_PCI_ROM_REGION_INDEX)
return -ENODEV;
+ if (!vdev->bar_mmap_supported[get_dma_buf.region_index])
+ return -EINVAL;
+
And it looks like AI has valid concern about this line too.
https://urldefense.com/v3/__https://sashiko.dev/*/patchset/20260415181623.1021090-1-mattev@meta.com__;Iw!!Bt8RZUm9aw!5DxsN8cDUviPIZqEjG0pZ_VYYbl_RdmWucTGdTZ3ZzlVP_Ysb0n7ykr0eXwFXdpuqvZH2FK3$
Ah, Sashiko has a point, and I think its suggestion of checking lower down
in the default .get_dmabuf_phys (vfio_pci_core_get_dmabuf_phys()) and
preserving driver overrides is decent. Will revisit.
To your other question:
I noticed this check in vfio_pci_core_mmap(). Isn't that sufficient?
The scenario in mind is doing a DMABUF-export for BARs that you haven't
necessarily noticed can't be mmap()ed, and both paths should be checking.
I added the validation checks that matter on the kernel side, but mmap is
primarily important for callers. What I am missing is an explanation of
why the kernel should impose this restriction on itself.
I don't understand your question, really sorry! Can you rephrase it please? I want to make sure I answer it fully.
Although mmap() fails for BARs that are unmappable (for whatever reason), a DMABUF export for the same ones could in some slim cases succeed -- because the checks aren't identical. If export succeeds, it could potentially allow P2P (or CPU via a future DMABUF mmap()) access to something possibly unmappable, no?
For the checks that vfio_pci_probe_mmaps() does (leading to bar_mmap_supported[] = false), most have corresponding-but-different checks reachable from DMABUF export:
If a BAR is: Then DMABUF export...:
size < pagesize vfio_pci_core_fill_phys_vec() catches it
Not IORESOURCE_MEM pcim_p2pdma_provider() rejects it
non_mappable_bars ... nothing? Export allowed
As a quick test, if I hack in non_mappable_bars=1 for my function, it appears exporting a DMABUF from it works.
We could add another check for non_mappable_bars, but my thinking was that we don't want to keep adding to an independent set of DMABUF checks, especially if a future quirk/etc. could create another scenario where BARs aren't mappable. I.e. we should reject DMABUF export in exactly the same scenarios as mmap() would be rejected, symmetrically, by testing bar_mmap_supported[].
Hope that goes some way to answering the Q, hopefully I haven't missed something!
Thanks,
Matt
Thanks
Cheers,
Matt
Thanks
dma_ranges = memdup_array_user(&arg->dma_ranges, get_dma_buf.nr_ranges,
sizeof(*dma_ranges));
if (IS_ERR(dma_ranges))
--
2.47.3