Re: [PATCH] vfio/pci: Don't export DMABUFs for unmappable BARs

[Matt Evans <mattev@meta.com>]

Hi Leon,

On 16/04/2026 14:14, Leon Romanovsky wrote:
> 
> On Thu, Apr 16, 2026 at 02:05:30PM +0100, Matt Evans wrote:
>> Hi Leon,
>>
>> On 16/04/2026 09:11, Leon Romanovsky wrote:
>>>> On Wed, Apr 15, 2026 at 11:16:23AM -0700, Matt Evans wrote:
>>>> Although vfio_pci_core_feature_dma_buf() validates that both requested
>>>> DMABUF ranges and the PCI resources being referenced are page-aligned,
>>>> there may be reasons other than alignment that cause a BAR to be
>>>> unmappable.
>>>>
>>>> Add a check for vdev->bar_mmap_supported[index], similar to the VFIO
>>>> mmap path.
>>>>
>>>> Fixes: 5d74781ebc86c ("vfio/pci: Add dma-buf export support for MMIO regions")
>>>> Signed-off-by: Matt Evans <mattev@meta.com>
>>>> ---
>>>>    drivers/vfio/pci/vfio_pci_dmabuf.c | 3 +++
>>>>    1 file changed, 3 insertions(+)
>>>>
>>>> diff --git a/drivers/vfio/pci/vfio_pci_dmabuf.c b/drivers/vfio/pci/vfio_pci_dmabuf.c
>>>> index f87fd32e4a01..4ccaf3531e02 100644
>>>> --- a/drivers/vfio/pci/vfio_pci_dmabuf.c
>>>> +++ b/drivers/vfio/pci/vfio_pci_dmabuf.c
>>>> @@ -249,6 +249,9 @@ int vfio_pci_core_feature_dma_buf(struct vfio_pci_core_device *vdev, u32 flags,
>>>>    	if (get_dma_buf.region_index >= VFIO_PCI_ROM_REGION_INDEX)
>>>>    		return -ENODEV;
>>>> +	if (!vdev->bar_mmap_supported[get_dma_buf.region_index])
>>>> +		return -EINVAL;
>>>> +
>>>
>>> And it looks like AI has valid concern about this line too.
>>> https://urldefense.com/v3/__https://sashiko.dev/*/patchset/20260415181623.1021090-1-mattev@meta.com__;Iw!!Bt8RZUm9aw!5DxsN8cDUviPIZqEjG0pZ_VYYbl_RdmWucTGdTZ3ZzlVP_Ysb0n7ykr0eXwFXdpuqvZH2FK3$
>>
>> Ah, Sashiko has a point, and I think its suggestion of checking lower down
>> in the default .get_dmabuf_phys (vfio_pci_core_get_dmabuf_phys()) and
>> preserving driver overrides is decent.  Will revisit.
>>
>> To your other question:
>>> I noticed this check in vfio_pci_core_mmap(). Isn't that sufficient?
>>
>> The scenario in mind is doing a DMABUF-export for BARs that you haven't
>> necessarily noticed can't be mmap()ed, and both paths should be checking.
> 
> I added the validation checks that matter on the kernel side, but mmap is
> primarily important for callers. What I am missing is an explanation of
> why the kernel should impose this restriction on itself.

I don't understand your question, really sorry!  Can you rephrase it 
please?  I want to make sure I answer it fully.

Although mmap() fails for BARs that are unmappable (for whatever 
reason), a DMABUF export for the same ones could in some slim cases 
succeed -- because the checks aren't identical.  If export succeeds, it 
could potentially allow P2P (or CPU via a future DMABUF mmap()) access 
to something possibly unmappable, no?

For the checks that vfio_pci_probe_mmaps() does (leading to 
bar_mmap_supported[] = false), most have corresponding-but-different 
checks reachable from DMABUF export:

If a BAR is:		Then DMABUF export...:

  size < pagesize	vfio_pci_core_fill_phys_vec() catches it
  Not IORESOURCE_MEM	pcim_p2pdma_provider() rejects it
  non_mappable_bars	... nothing?  Export allowed

As a quick test, if I hack in non_mappable_bars=1 for my function, it 
appears exporting a DMABUF from it works.

We could add another check for non_mappable_bars, but my thinking was 
that we don't want to keep adding to an independent set of DMABUF 
checks, especially if a future quirk/etc. could create another scenario 
where BARs aren't mappable.  I.e. we should reject DMABUF export in 
exactly the same scenarios as mmap() would be rejected, symmetrically, 
by testing bar_mmap_supported[].

Hope that goes some way to answering the Q, hopefully I haven't missed 
something!

Thanks,


Matt

> 
> Thanks
> 
>>
>> Cheers,
>>
>>
>> Matt
>>
>>
>>>
>>> Thanks
>>>
>>>>    	dma_ranges = memdup_array_user(&arg->dma_ranges, get_dma_buf.nr_ranges,
>>>>    				       sizeof(*dma_ranges));
>>>>    	if (IS_ERR(dma_ranges))
>>>> -- 
>>>> 2.47.3
>>>>
>>