Re: [PATCH] vfio/pci: Don't export DMABUFs for unmappable BARs

[Alex Williamson]

On Thu, 16 Apr 2026 19:03:40 +0100
Matt Evans <mattev@xxxxxxxx> wrote:

> Hi Leon,
> 
> On 16/04/2026 14:14, Leon Romanovsky wrote:
> > 
> > On Thu, Apr 16, 2026 at 02:05:30PM +0100, Matt Evans wrote:  
> >> Hi Leon,
> >>
> >> On 16/04/2026 09:11, Leon Romanovsky wrote:  
> >>>> On Wed, Apr 15, 2026 at 11:16:23AM -0700, Matt Evans wrote:
> >>>> Although vfio_pci_core_feature_dma_buf() validates that both requested
> >>>> DMABUF ranges and the PCI resources being referenced are page-aligned,
> >>>> there may be reasons other than alignment that cause a BAR to be
> >>>> unmappable.
> >>>>
> >>>> Add a check for vdev->bar_mmap_supported[index], similar to the VFIO
> >>>> mmap path.
> >>>>
> >>>> Fixes: 5d74781ebc86c ("vfio/pci: Add dma-buf export support for MMIO regions")
> >>>> Signed-off-by: Matt Evans <mattev@xxxxxxxx>
> >>>> ---
> >>>>    drivers/vfio/pci/vfio_pci_dmabuf.c | 3 +++
> >>>>    1 file changed, 3 insertions(+)
> >>>>
> >>>> diff --git a/drivers/vfio/pci/vfio_pci_dmabuf.c b/drivers/vfio/pci/vfio_pci_dmabuf.c
> >>>> index f87fd32e4a01..4ccaf3531e02 100644
> >>>> --- a/drivers/vfio/pci/vfio_pci_dmabuf.c
> >>>> +++ b/drivers/vfio/pci/vfio_pci_dmabuf.c
> >>>> @@ -249,6 +249,9 @@ int vfio_pci_core_feature_dma_buf(struct vfio_pci_core_device *vdev, u32 flags,
> >>>>    	if (get_dma_buf.region_index >= VFIO_PCI_ROM_REGION_INDEX)
> >>>>    		return -ENODEV;
> >>>> +	if (!vdev->bar_mmap_supported[get_dma_buf.region_index])
> >>>> +		return -EINVAL;
> >>>> +  
> >>>
> >>> And it looks like AI has valid concern about this line too.
> >>> https://urldefense.com/v3/__https://sashiko.dev/*/patchset/20260415181623.1021090-1-mattev@meta.com__;Iw!!Bt8RZUm9aw!5DxsN8cDUviPIZqEjG0pZ_VYYbl_RdmWucTGdTZ3ZzlVP_Ysb0n7ykr0eXwFXdpuqvZH2FK3$  
> >>
> >> Ah, Sashiko has a point, and I think its suggestion of checking lower down
> >> in the default .get_dmabuf_phys (vfio_pci_core_get_dmabuf_phys()) and
> >> preserving driver overrides is decent.  Will revisit.
> >>
> >> To your other question:  
> >>> I noticed this check in vfio_pci_core_mmap(). Isn't that sufficient?  
> >>
> >> The scenario in mind is doing a DMABUF-export for BARs that you haven't
> >> necessarily noticed can't be mmap()ed, and both paths should be checking.  
> > 
> > I added the validation checks that matter on the kernel side, but mmap is
> > primarily important for callers. What I am missing is an explanation of
> > why the kernel should impose this restriction on itself.  
> 
> I don't understand your question, really sorry!  Can you rephrase it 
> please?  I want to make sure I answer it fully.
> 
> Although mmap() fails for BARs that are unmappable (for whatever 
> reason), a DMABUF export for the same ones could in some slim cases 
> succeed -- because the checks aren't identical.  If export succeeds, it 
> could potentially allow P2P (or CPU via a future DMABUF mmap()) access 
> to something possibly unmappable, no?
> 
> For the checks that vfio_pci_probe_mmaps() does (leading to 
> bar_mmap_supported[] = false), most have corresponding-but-different 
> checks reachable from DMABUF export:
> 
> If a BAR is:		Then DMABUF export...:
> 
>   size < pagesize	vfio_pci_core_fill_phys_vec() catches it
>   Not IORESOURCE_MEM	pcim_p2pdma_provider() rejects it
>   non_mappable_bars	... nothing?  Export allowed
> 
> As a quick test, if I hack in non_mappable_bars=1 for my function, it 
> appears exporting a DMABUF from it works.
> 
> We could add another check for non_mappable_bars, but my thinking was 
> that we don't want to keep adding to an independent set of DMABUF 
> checks, especially if a future quirk/etc. could create another scenario 
> where BARs aren't mappable.  I.e. we should reject DMABUF export in 
> exactly the same scenarios as mmap() would be rejected, symmetrically, 
> by testing bar_mmap_supported[].
> 
> Hope that goes some way to answering the Q, hopefully I haven't missed 
> something!

That's the concern as I see it as well, it's a choice whether to
attempt to support sub-PAGE_SIZE mappings, but if a device is reporting
non_mappable_bars are we're exporting those BARs through dma-buf for
mmap, that's a problem.  Should pcim_p2pdma_provider() test this flag
rather than vfio_pci_dmabuf though?  Thanks,

Alex