Linaro-mm-sig

linaro-mm-sig@lists.linaro.org

53 participants
6627 discussions

[PATCH 00/15] accel/qda: Qualcomm DSP Accelerator driver

by Ekansh Gupta via B4 Relay

This patch series introduces the Qualcomm DSP Accelerator (QDA) driver, a DRM-based accelerator driver for Qualcomm DSPs. The driver provides a standardized interface for offloading computational tasks to DSPs found on Qualcomm SoCs, supporting all DSP domains. The QDA driver implements the FastRPC protocol over the DRM accel subsystem. It uses the same device-tree node structure as the existing fastrpc driver in drivers/misc/. The approach for binding the QDA driver to device-tree nodes while coexisting with the fastrpc driver is an open item described below. RFC thread: https://lore.kernel.org/dri-devel/20260224-qda-firstpost-v1-0-fe46a9c1a046@… User-space staging branch ========================= https://github.com/qualcomm/fastrpc/tree/accel/staging Key Features ============ * Standard DRM accelerator interface via /dev/accel/accelN * GEM-based buffer management with DMA-BUF import/export (PRIME) * IOMMU-based memory isolation using per-process context banks * FastRPC protocol implementation for DSP communication * RPMsg transport layer for reliable message passing * Support for all DSP domains (ADSP, CDSP, SDSP, GDSP) * DRM IOCTL interface for DSP session management, buffer allocation, and remote procedure invocation Architecture ============ 1. DRM Accelerator Framework Integration The driver registers as a DRM accel device, exposing a standard /dev/accel/accelN character device node. This provides established DRM infrastructure for device management, file operations, and IOCTL dispatch. 2. Memory Management Buffers are managed as GEM objects with full PRIME support for DMA-BUF import/export. This enables seamless buffer sharing with other DRM drivers (GPU, camera, video) using standard kernel mechanisms. 3. IOMMU Context Bank Management IOMMU context banks (CBs) are represented as proper struct device instances on a custom virtual bus (qda-compute-cb). Each CB device is registered with the IOMMU subsystem and receives its own IOMMU domain, enabling per-session address space isolation. The custom bus was introduced because IOMMU context banks are synthetic constructs — not real platform devices — and to ensure CB device lifetime is strictly subordinate to the parent QDA device. See also: https://lore.kernel.org/all/245d602f-3037-4ae3-9af9-d98f37258aae@oss.qualco… 4. Memory Manager Architecture A pluggable memory manager coordinates IOMMU device assignment and buffer allocation. The current implementation uses a DMA-coherent backend with SID-prefixed DMA addresses for DSP firmware compatibility. 5. Transport Layer RPMsg communication is handled in a dedicated transport layer (qda_rpmsg.c), separate from the core DRM driver logic. 6. Code Organization The driver is organized across multiple files (~4600 lines total): * qda_drv.c: Core driver and DRM integration * qda_rpmsg.c: RPMsg transport layer * qda_cb.c: Context bank device management * qda_compute_bus.c: Custom virtual bus for CB devices * qda_gem.c: GEM object management * qda_prime.c: DMA-BUF import (PRIME) * qda_memory_manager.c: IOMMU device registry and allocation * qda_memory_dma.c: DMA-coherent allocation backend * qda_fastrpc.c: FastRPC protocol implementation * qda_ioctl.c: IOCTL dispatch 7. UAPI Design The driver exposes DRM-style IOCTLs defined in include/uapi/drm/qda_accel.h, following DRM UAPI conventions (__u32/__u64 types, C++ guard, GPL-2.0-only WITH Linux-syscall-note). Patch Series Organization ========================== Patch 01: MAINTAINERS entry Patch 02: Driver documentation (Documentation/accel/qda/) Patches 03-04: Core driver skeleton and compute bus Patch 05: iommu: Register qda-compute-cb bus with IOMMU subsystem Patches 06-07: CB device enumeration and memory manager Patch 08: QUERY IOCTL and UAPI header Patches 09-11: GEM buffer management and PRIME import Patches 12-15: FastRPC protocol (invoke, session create/release, map/unmap) Open Items =========== 1. Device-Tree Compatible String The QDA driver uses the same device-tree node structure and properties as the existing fastrpc driver in drivers/misc/. A mechanism is needed to allow the QDA driver to bind to its device node independently of the fastrpc driver. The intended coexistence model is: platforms that require the complete fastrpc feature set continue to use "qcom,fastrpc"; new platforms where a feature available only in QDA takes priority, or where QDA's current feature set is sufficient, use a QDA-specific compatible string. New feature development is directed toward QDA rather than the existing fastrpc driver. As QDA matures toward feature parity with fastrpc, platforms can adopt the QDA-specific compatible string exclusively. The options under consideration are: a) Add a new "qcom,qda" compatible string to the existing qcom,fastrpc.yaml binding, since the DT node structure and properties are identical. This avoids a separate binding file but adds a QDA-specific string to a fastrpc binding. b) Introduce a separate qcom,qda.yaml binding that references or inherits the fastrpc binding properties. Seeking guidance from DT binding maintainers on the preferred approach. 2. Privilege Level Management Currently, daemon processes and user processes have the same access level as both use the same accel device node. This needs to be addressed as daemons attach to privileged DSP protection domains and require higher privilege levels for system-level operations. Seeking guidance on the best approach: separate device nodes, capability-based checks, or DRM master/authentication mechanisms. 3. UAPI Compatibility Layer A compatibility layer is needed to facilitate migration of client applications from the existing FastRPC UAPI to the new QDA UAPI, ensuring a smooth transition for existing userspace code. Seeking guidance on the preferred implementation approach: in-kernel translation layer, userspace wrapper library, or hybrid solution. An initial evaluation of an in-kernel translation shim was performed, where legacy FastRPC device nodes (/dev/fastrpc-*) are exposed and requests are internally routed to the QDA accel driver. The goal was to keep the compatibility layer minimal, reuse existing QDA helper paths (attach, buffer allocation, mapping, etc.), and avoid duplication of GEM and buffer management logic. However, the following challenges were identified: a) Dependency on drm_file for QDA helpers QDA relies on GEM-backed allocations and per-client handle namespaces, which require a valid struct drm_file. Since GEM handles are scoped per drm_file, the compatibility layer cannot directly reuse QDA helper paths without establishing a proper drm_file context for each client. b) Lack of public API for drm_file creation Creating a drm_file directly (similar to mock_drm_getfile()-style approaches) is not feasible, as the required helpers (drm_file_alloc(), drm_file_free(), etc.) are internal to the DRM core and not exported. This prevents external drivers from safely constructing and managing drm_file instances. c) VFS-based open is not a viable solution Opening the underlying accel device (/dev/accel/accelN) from the compatibility driver via filp_open() does provide a valid drm_file, but introduces reliance on userspace-visible device paths, lack of stability in containerized or chroot environments, and no clean mapping between legacy device nodes and accel devices. d) Userspace proxy limitations (CUSE) A CUSE-based userspace proxy was evaluated. However, DMA-buf file descriptors passed by legacy applications cannot be directly reused in the CUSE daemon (file descriptors are process-specific), which breaks buffer sharing semantics. e) drm_client-based approaches do not match requirements drm_client APIs (used for fbdev emulation) rely on a shared drm_file and do not provide the per-client isolation required by FastRPC semantics. Due to the above constraints, it is currently unclear how to implement an in-kernel compatibility layer that correctly handles per-client drm_file contexts without relying on VFS paths or non-exported DRM internals. 4. Documentation Improvements Add detailed IOCTL usage examples, document DSP firmware interface requirements, and create a migration guide from the existing FastRPC driver. 5. Per-Session Memory Allocation Develop a userspace API to support memory allocation on a per-session basis, enabling session-specific memory management. 6. Audio and Sensors PD Support The current series does not handle Audio PD and Sensors PD functionalities. These specialized protection domains require additional support for real-time constraints and power management. Interface Compatibility ======================== The QDA driver uses the same device-tree node structure and child node layout (including "qcom,fastrpc-compute-cb" child nodes) as the existing fastrpc driver. The underlying FastRPC protocol and DSP firmware interface are compatible with the existing fastrpc driver, ensuring that DSP firmware and libraries continue to work without modification. References ========== Previous discussions on this migration: - https://lkml.org/lkml/2024/6/24/479 - https://lkml.org/lkml/2024/6/21/1252 Testing ======= The driver has been tested on Qualcomm platforms with: - Basic FastRPC attach/release operations - DSP process creation and initialization - Memory mapping/unmapping operations - Dynamic invocation with various buffer types - GEM buffer allocation and mmap - PRIME buffer import from other subsystems Signed-off-by: Ekansh Gupta <ekansh.gupta(a)oss.qualcomm.com> --- Ekansh Gupta (15): MAINTAINERS: Add entry for Qualcomm DSP Accelerator (QDA) driver accel/qda: Add QDA driver documentation accel/qda: Add initial QDA DRM accelerator driver accel/qda: Add compute bus for QDA context banks iommu: Add QDA compute context bank bus to iommu_buses accel/qda: Create compute context bank devices on QDA compute bus accel/qda: Add memory manager for CB devices accel/qda: Add QUERY IOCTL and QDA UAPI header accel/qda: Add DMA-backed GEM objects and memory manager integration accel/qda: Add GEM_CREATE and GEM_MMAP_OFFSET IOCTLs accel/qda: Add PRIME DMA-BUF import support accel/qda: Add FastRPC invocation support accel/qda: Add DSP process creation and release accel/qda: Add remote memory mapping to DSP address space accel/qda: Add remote memory unmap from DSP address space Documentation/accel/index.rst | 1 + Documentation/accel/qda/index.rst | 13 + Documentation/accel/qda/qda.rst | 146 +++++ MAINTAINERS | 9 + drivers/accel/Kconfig | 1 + drivers/accel/Makefile | 2 + drivers/accel/qda/Kconfig | 34 + drivers/accel/qda/Makefile | 19 + drivers/accel/qda/qda_cb.c | 146 +++++ drivers/accel/qda/qda_cb.h | 32 + drivers/accel/qda/qda_compute_bus.c | 68 ++ drivers/accel/qda/qda_drv.c | 192 ++++++ drivers/accel/qda/qda_drv.h | 91 +++ drivers/accel/qda/qda_fastrpc.c | 1058 ++++++++++++++++++++++++++++++++ drivers/accel/qda/qda_fastrpc.h | 390 ++++++++++++ drivers/accel/qda/qda_gem.c | 177 ++++++ drivers/accel/qda/qda_gem.h | 62 ++ drivers/accel/qda/qda_ioctl.c | 296 +++++++++ drivers/accel/qda/qda_ioctl.h | 19 + drivers/accel/qda/qda_memory_dma.c | 110 ++++ drivers/accel/qda/qda_memory_dma.h | 17 + drivers/accel/qda/qda_memory_manager.c | 380 ++++++++++++ drivers/accel/qda/qda_memory_manager.h | 75 +++ drivers/accel/qda/qda_prime.c | 184 ++++++ drivers/accel/qda/qda_prime.h | 18 + drivers/accel/qda/qda_rpmsg.c | 248 ++++++++ drivers/accel/qda/qda_rpmsg.h | 30 + drivers/iommu/iommu.c | 4 + include/linux/qda_compute_bus.h | 32 + include/uapi/drm/qda_accel.h | 229 +++++++ 30 files changed, 4083 insertions(+) --- base-commit: 80dd246accce631c328ea43294e53b2b2dd2aa32 change-id: 20260519-qda-series-78c2bf0ed78b Best regards, -- Ekansh Gupta <ekansh.gupta(a)oss.qualcomm.com>

4 hours, 36 minutes

[PATCH v6 1/2] accel/rocket: Fix error path handling in rocket_job_run()

by ZhaoJinming

In rocket_job_run(), after taking an extra fence reference for job->done_fence via dma_fence_get(), the error paths have three bugs: - The dma_fence reference held by job->done_fence is never released, causing a reference leak. - pm_runtime_get_sync() increments the usage counter even on failure, but the error path does not decrement it, leaking the runtime PM reference and preventing the NPU from suspending. - A valid but unsignaled fence is returned to the DRM scheduler, which triggers WARN("Fence ... released with pending signals!") when the scheduler drops its reference. Fix by replacing pm_runtime_get_sync() with pm_runtime_resume_and_get() which auto-balances the usage counter on failure, releasing both fence references on error, and returning ERR_PTR(ret) instead of the unsignaled fence. Cc: stable(a)vger.kernel.org Fixes: 0810d5ad88a1 ("accel/rocket: Add job submission IOCTL") Signed-off-by: ZhaoJinming <zhaojinming(a)uniontech.com> --- drivers/accel/rocket/rocket_job.c | 19 ++++++++++++++----- 1 file changed, 14 insertions(+), 5 deletions(-) diff --git a/drivers/accel/rocket/rocket_job.c b/drivers/accel/rocket/rocket_job.c index ac51bff39833..e8a073e22ac2 100644 --- a/drivers/accel/rocket/rocket_job.c +++ b/drivers/accel/rocket/rocket_job.c @@ -310,13 +310,22 @@ static struct dma_fence *rocket_job_run(struct drm_sched_job *sched_job) dma_fence_put(job->done_fence); job->done_fence = dma_fence_get(fence); - ret = pm_runtime_get_sync(core->dev); - if (ret < 0) - return fence; + ret = pm_runtime_resume_and_get(core->dev); + if (ret < 0) { + dma_fence_put(job->done_fence); + job->done_fence = NULL; + dma_fence_put(fence); + return ERR_PTR(ret); + } ret = iommu_attach_group(job->domain->domain, core->iommu_group); - if (ret < 0) - return fence; + if (ret < 0) { + pm_runtime_put(core->dev); + dma_fence_put(job->done_fence); + job->done_fence = NULL; + dma_fence_put(fence); + return ERR_PTR(ret); + } scoped_guard(mutex, &core->job_lock) { core->in_flight_job = job; -- 2.20.1

7 hours, 3 minutes

[PATCH net-next 0/4] net: devmem: allow rx-buf-size > PAGE_SIZE per binding

by Bobby Eshleman

Every devmem dmabuf binding hands the page_pool PAGE_SIZE niovs today. On NICs that consume one descriptor per netmem, this caps a single RX descriptor at PAGE_SIZE and burns CPU on buffer churn. In this series, we add a bind-time netlink attribute, NETDEV_A_DMABUF_RX_BUF_SIZE, that lets userspace request a larger niov size (power of two >= PAGE_SIZE). Drivers must opt in via queue_mgmt_ops.QCFG_RX_PAGE_SIZE. Selftests use udmabuf, but udmabuf sgtables were previously hardcoded to PAGE_SIZE. This series modifies udmabuf to respect folio sizes in its exported sgtable. The result is that when backing udmabuf with MFD_HUGETLB 2MB pages, the sgtable is populated with 2MB entries, allowing devmem's gen_pool to carve out large (eg. 64K) niovs. Measurements ------------ Setup: kperf devmem RX/TX cuda, 4 flows, 64 MB messages, 60s, dctcp, num-rx-queues=4, dmabuf-rx/tx-size-mb=2048, 10 runs per niov size, mlx5. niov RX dev Gbps RX flow avg Gbps app sys % ----- ---------------- ----------------- ---------------- 4K 300.63 +/- 53.21 75.16 +/- 13.30 54.15 +/- 10.23 16K 321.35 +/- 28.20 80.34 +/- 7.05 41.05 +/- 8.87 32K 347.63 +/- 2.20 86.91 +/- 0.55 44.54 +/- 3.51 64K 332.11 +/- 14.26 83.03 +/- 3.56 35.47 +/- 3.11 RX app sys % drops ~19% from 4K to 64K. kperf support (not yet merged): https://github.com/facebookexperimental/kperf/commit/8837577f920876bce6986e… Signed-off-by: Bobby Eshleman <bobbyeshleman(a)meta.com> --- Bobby Eshleman (4): net: devmem: allow rx-buf-size > PAGE_SIZE per dmabuf binding udmabuf: emit one sg entry per pinned folio selftests/net: ncdevmem: add -b option to set rx-buf-size on bind selftests/net: devmem.py: add check_rx_large_niov Documentation/netlink/specs/netdev.yaml | 8 ++++ drivers/dma-buf/udmabuf.c | 47 ++++++++++++++++--- include/uapi/linux/netdev.h | 1 + net/core/devmem.c | 52 +++++++++++++--------- net/core/devmem.h | 13 ++++-- net/core/netdev-genl-gen.c | 5 ++- net/core/netdev-genl.c | 18 +++++++- tools/include/uapi/linux/netdev.h | 1 + tools/testing/selftests/drivers/net/hw/config | 1 + tools/testing/selftests/drivers/net/hw/devmem.py | 12 ++++- .../testing/selftests/drivers/net/hw/devmem_lib.py | 46 ++++++++++++++++++- tools/testing/selftests/drivers/net/hw/ncdevmem.c | 49 ++++++++++++++++++-- .../testing/selftests/drivers/net/hw/nk_devmem.py | 11 ++++- 13 files changed, 220 insertions(+), 44 deletions(-) --- base-commit: dfcc2ff12925d99e858eaf539eaa4aaaf81fe2a6 change-id: 20260602-tcpdm-large-niovs-56523a3a1077 Best regards, -- Bobby Eshleman <bobbyeshleman(a)meta.com>

7 hours, 10 minutes

[PATCH v5 1/2] accel/rocket: Fix error path handling in rocket_job_run()

by ZhaoJinming

8 hours, 13 minutes

[PATCH v4 1/2] accel/rocket: Fix error path handling in rocket_job_run()

by ZhaoJinming

11 hours, 11 minutes

[PATCH v19 0/4] Rust bindings for gem shmem

by Lyude Paul

Most of this patch series has already been pushed upstream, this is just the second half of the patch series that has not been pushed yet + some additional changes which were required to implement changes requested by the mailing list. This patch series is originally from Asahi, previously posted by Daniel Almeida. The previous version of the patch series can be found here: https://patchwork.freedesktop.org/series/164580/ Branch with patches applied available here: https://gitlab.freedesktop.org/lyudess/linux/-/commits/rust/gem-shmem This patch series applies on top of drm-rust-next Patch-series wide changes since V15: * Fix some major rebasing errors I somehow didn't notice :( * Drop the dependency on LazyInit, use the trick that Alice suggested instead. * Fix dependency ordering so that Tyr can get the vmap stuff first without the other bits. Patch-series wide changes since V16: * Fix ordering one more time (SetOnce::reset() doesn't need to come before adding vmap functions) * Rebase against the latest DeviceContext changes from me that got pushed. Lyude Paul (4): rust: drm: gem: shmem: Add DmaResvGuard helper rust: drm: gem: shmem: Add vmap functions rust: faux: Allow retrieving a bound Device rust: drm: gem: Introduce shmem::Object::sg_table() rust/kernel/drm/gem/shmem.rs | 524 ++++++++++++++++++++++++++++++++++- rust/kernel/faux.rs | 16 +- 2 files changed, 524 insertions(+), 16 deletions(-) base-commit: fea3a2dd7d3fc1936211ced5f84420e610435730 -- 2.54.0

13 hours, 54 minutes

[PATCH v2 0/9] vfio/pci: Add mmap() for DMABUFs

by Matt Evans

Hi all, This series is based on previous RFCs/discussions: Tech topic: https://lore.kernel.org/linux-iommu/20250918214425.2677057-1-amastro@fb.com/ RFCv1: https://lore.kernel.org/all/20260226202211.929005-1-mattev@meta.com/ RFCv2: https://lore.kernel.org/kvm/20260312184613.3710705-1-mattev@meta.com/ The background/rationale is covered in more detail in the RFC cover letters. The TL;DR is: The goal is to enable userspace driver designs that use VFIO to export DMABUFs representing subsets of PCI device BARs, and "vend" those buffers from a primary process to other subordinate processes by fd. These processes then mmap() the buffers and their access to the device is isolated to the exported ranges. This is an improvement on sharing the VFIO device fd to subordinate processes, which would allow unfettered access. This is achieved by enabling mmap() of vfio-pci DMABUFs, passed by fd to subordinate processes. Second, a new ioctl()-based revocation mechanism is added to allow the primary process to forcibly revoke access to previously-shared BAR spans, even if the subordinate processes haven't cleanly exited. (The related topic of safe delegation of iommufd control to the subordinate processes is not addressed here, and is follow-up work.) As well as isolation and revocation, another advantage to accessing a BAR through a VMA backed by a DMABUF is that it's straightforward to mmap() the buffer with access attributes, such as write-combining. Feedback from the RFCs requested that, instead of creating DMABUF-specific vm_ops and .fault paths, to go the whole way and migrate the existing VFIO PCI BAR mmap() to be backed by a DMABUF too, resulting in a common vm_ops and fault handler for mmap()s of both the VFIO device and explicitly-exported DMABUFs. This will help future iommufd emulation of VFIO Type1 peer-to-peer, making it easier to get a DMABUF for a VFIO BAR as a DMA target. mmap() conversion to use DMABUF underneath has been done for vfio-pci, but not sub-drivers: nvgrace-gpu's mmap() override path is unchanged; I kept this out of scope for now not least because I don't have a thorough test setup for this system. I would prefer to help the nvgrace-gpu maintainers enable BAR mmap() DMABUFs themselves. Notes on patches ================ PCI/P2PDMA: Add CONFIG_PCI_P2PDMA_CORE Later in the series, vfio-pci's mmap() is going to depend on pcim_p2pdma_provider() which depended on CONFIG_PCI_P2PDMA, which in turn depended on ZONE_DEVICE (which isn't available on 32-bit and some archs, because they lack MEMORY_HOTPLUG and friends). VFIO does _not_ require actual P2P to be present for basic mmap() functionality, only for the optional CONFIG_DMA_SHARED_BUFFER feature. This splits P2PDMA into a CONFIG_PCI_P2PDMA_CORE (which currently contains pcim_p2pdma_provider()) and an optional CONFIG_PCI_P2PDMA (which depends on ZONE_DEVICE etc., and provides P2P functionality). vfio/pci: Add a helper to look up PFNs for DMABUFs vfio/pci: Add a helper to create a DMABUF for a BAR-map VMA The first is for a DMABUF VMA fault handler to determine arbitrary-sized PFNs from ranges in DMABUF. Secondly, refactor DMABUF export for use by the existing export feature and add a new helper that creates a DMABUF corresponding to a VFIO BAR mmap() request. vfio/pci: Convert BAR mmap() to use a DMABUF The vfio-pci core mmap() creates a DMABUF with the helper, and the vm_ops fault handler uses the other helper to resolve the fault. Because this depends on DMABUF structs/code, CONFIG_VFIO_PCI_CORE needs to depend on CONFIG_DMA_SHARED_BUFFER. The CONFIG_VFIO_PCI_DMABUF still conditionally enables the export support code. NOTE: The user mmap()s a device fd, but the resulting VMA's vm_file becomes that of the DMABUF which takes ownership of the device and puts it on release. This maintains the existing behaviour of a VMA keeping the VFIO device open. BAR zapping then happens via the existing vfio_pci_dma_buf_move() path, which now needs to unmap PTEs in the DMABUF's address_space. vfio/pci: Provide a user-facing name for BAR mappings There was a request for decent debug naming in /proc/<pid>/maps etc. comparable to the existing VFIO names: since the VMAs are DMABUFs, they have a "dmabuf:" prefix and can't be 100% identical to before. This is a user-visible change, but this patch at least now gives us extra info on the BDF & BAR being mapped. vfio/pci: Clean up BAR zap and revocation In general (see NOTE!) the vfio_pci_zap_bars() is now obsolete, since it unmaps PTEs in the VFIO device address_space which is now unused. This consolidates all calls (e.g. around reset) with the neighbouring vfio_pci_dma_buf_move()s into new functions, to revoke-zap/unrevoke. !!! NOTE: the nvgrace-gpu driver continues to use its own private vm_ops, fault handler, etc. for its special memregions, and these DO still add PTEs to the VFIO device address_space. So, a temporary flag, vdev->bar_needs_zap, maintains the old behaviour for this use. At least this patch's consolidation makes it easy to remove the remaining zap when this need goes away; a FIXME reminds that this can be removed when nvgrace-gpu is converted. vfio/pci: Support mmap() of a VFIO DMABUF Adds mmap() for a DMABUF fd exported from vfio-pci. It was a goal to keep the VFIO device fd lifetime behaviour unchanged with respect to the DMABUFs. An application can close all device fds, and this will revoke/clean up all DMABUFs; no mappings or other access can be performed now. When enabling mmap() of the DMABUFs, this means access through the VMA is also revoked. This complicates the fault handler because whilst the DMABUF exists, it has no guarantee that the corresponding VFIO device is still alive. Adds synchronisation ensuring the vdev is available before vdev->memory_lock is touched; this holds the device registration so that even if the buffer has been cleaned up, vdev hasn't been freed and so the lock can be safely taken. (I decided against the alternative of preventing cleanup by holding the VFIO device open if any DMABUFs exist, because it's both a change of behaviour and less clean overall.) I've added a chonky comment in place, happy to clarify more if you have ideas. This commit makes VFIO_PCI_CORE depend on PCI_P2PDMA_CORE (commit 1) to bring in (only) the P2PDMA provider code. vfio/pci: Permanently revoke a DMABUF on request By weight, this is mostly a rename of revoked to an enum, status. There are now 3 states for a buffer, usable and revoked temporary/permanent. A new VFIO device ioctl is added, VFIO_DEVICE_PCI_DMABUF_REVOKE, which passes a DMABUF (exported from that device) and permanently revokes it. Thus a userspace driver can guarantee any downstream consumers of a shared fd are prevented from accessing a BAR range, and that range can be reused. The code doing revocation in vfio_pci_dma_buf_move() is moved, unchanged, to a common function for use by _move() and the new ioctl path. Q: I can't think of a good reason to temporarily revoke/unrevoke buffers from userspace, so didn't add a 'flags' field to the ioctl struct. Easy to add if people think it's worthwhile for future use. vfio/pci: Add mmap() attributes to DMABUF feature Adds a new VFIO feature, VFIO_DEVICE_FEATURE_DMA_BUF_MEMATTR. After a DMABUF is exported, this feature ioctl() isused to set a memory attribute that will be used by future mmap()s of the DMABUF fd (i.e. it does nothing for any existing maps). The default is UC, and via the feature one can specify CPU access as WC. The attribute is an enum/scalar rather than bitmap/cumulative. The attributes follow a "try-fail" model where a client can request an attribute and either succeed or fail with ENOTSUPP if it's unknown; if future attributes are platform-specific then their support can be probed. (Since it's just UC/WC for now, there is no reservation or numeric structure to the namespace yet, but we could support system/arch-specific values in future by carving out base + arch-specific + IMPDEF ranges.) Testing ======= (The [RFC ONLY] userspace test program, for QEMU edu-plus, has been dropped from the series, but can be found in the GitHub branch below. It at least illustrates the export, map, revoke, attribute, and close semantics interoperate.) This code has been tested in mapping DMABUFs of single/multiple ranges, aliasing mmap()s, aliasing ranges across DMABUFs, vm_pgoff > 0, revocation, shutdown/cleanup scenarios, and hugepage mappings seem to work correctly. I've lightly tested WC mappings also (by observing resulting PTEs as having the correct attributes...). No regressions observed on the VFIO selftests, or on our internal vfio-pci applications. End === This is based on VFIO next (e.g. at b9285405c5f6). These commits are on GitHub for easier browsing, along with "[RFC ONLY] selftests: vfio: Add standalone vfio_dmabuf_mmap_test": https://github.com/metamev/linux/compare/b9285405c5f6...metamev:linux:dev/m… Thanks for reading, Matt ================================================================================ Change log: v2: - Rebase on VFIO next, picking up Alex's vfio_pci_dma_buf_move()/vfio_pci_dma_buf_cleanup() fixes, and dropping "vfio/pci: Fix vfio_pci_dma_buf_cleanup() double-put" - Added "PCI/P2PDMA: Add CONFIG_PCI_P2PDMA_CORE" so that the newly-added vfio-pci hard dependency on the P2PDMA provider instead pulls in the _CORE variant and not the full-fat CONFIG_PCI_P2PDMA. This means that the core of vfio-pci does not need ZONE_DEVICE, but if it's available then enabling P2PDMA in turn enables DMABUF export. Fixes basic VFIO operation on 32b or other platforms without ZONE_DEVICE. - Fixed comment inaccuracy in vfio_pci_dma_buf_revoke() and cleaned up vdev validity test. - vfio_pci_dma_buf_find_pfn(): use PAGE_ALIGN(), better span variable naming, OVF check - Made vm_pgoffs use consistent (keeping the resource index at the top and masking where offset is used). For BAR mmap, use new vma_pgoff_adjust to create the DMABUF with the exact mmap()ed span instead of from the start of the BAR with an invisible portion before the mapping. - Added VFIO_DEVICE_FEATURE_DMA_BUF_MEMATTR to set memory attributes, instead of using the export `flags` field. - vfio_pci_ioctl_reset: Moved vfio_pci_zap_revoke_bars() (effectively, vfio_pci_dma_buf_move()) back after D0 transition. Note, if a BAR zap is needed, it's done in this function so now happens after this D0 transition with the _move; it was done before it at the time of the memory_lock taking. - Minimised vfio_pci_dma_buf_mmap() (removed redundant span check), added READ_ONCE for memattr - Misc fixes: comment in DMABUF name generation, removed superfluous READ_ONCE from faulthandler v1: https://lore.kernel.org/kvm/20260416131815.2729131-1-mattev@meta.com/ - Cleanup of the common DMABUF-aware VMA vm_ops fault handler and export code. - Fixed a lot of races, particularly faults racing with DMABUF cleanup (if the VFIO device fds close, for example). - Added nicer human-readable names for VFIO mmap() VMAs RFCv2: Respin based on the feedback/suggestions: https://lore.kernel.org/kvm/20260312184613.3710705-1-mattev@meta.com/ - Transform the existing VFIO BAR mmap path to also use DMABUFs behind the scenes, and then simply share that code for explicitly-mapped DMABUFs. Jason wanted to go that direction to enable iommufd VFIO type 1 emulation to pick up a DMABUF for an IO mapping. - Revoke buffers using a VFIO device fd ioctl RFCv1: https://lore.kernel.org/all/20260226202211.929005-1-mattev@meta.com/ Matt Evans (9): PCI/P2PDMA: Add CONFIG_PCI_P2PDMA_CORE vfio/pci: Add a helper to look up PFNs for DMABUFs vfio/pci: Add a helper to create a DMABUF for a BAR-map VMA vfio/pci: Convert BAR mmap() to use a DMABUF vfio/pci: Provide a user-facing name for BAR mappings vfio/pci: Clean up BAR zap and revocation vfio/pci: Support mmap() of a VFIO DMABUF vfio/pci: Permanently revoke a DMABUF on request vfio/pci: Add mmap() attributes to DMABUF feature drivers/pci/Kconfig | 10 +- drivers/pci/Makefile | 2 +- drivers/pci/p2pdma.c | 16 + drivers/vfio/pci/Kconfig | 4 +- drivers/vfio/pci/Makefile | 3 +- drivers/vfio/pci/nvgrace-gpu/main.c | 5 + drivers/vfio/pci/vfio_pci_config.c | 30 +- drivers/vfio/pci/vfio_pci_core.c | 225 +++++++++--- drivers/vfio/pci/vfio_pci_dmabuf.c | 548 ++++++++++++++++++++++++---- drivers/vfio/pci/vfio_pci_priv.h | 57 ++- include/linux/pci-p2pdma.h | 24 +- include/linux/pci.h | 2 +- include/linux/vfio_pci_core.h | 1 + include/uapi/linux/vfio.h | 57 +++ 14 files changed, 815 insertions(+), 169 deletions(-) -- 2.47.3

15 hours, 28 minutes

MUYERN TRUST HACKER || Private Digital Security

by priyankaragade6＠gmail.com

It is 2026. Cryptocurrency is no longer just an investment; it is the backbone of a new global financial system. Millions of people now manage their wealth through digital assets like Bitcoin, Ethereum, and USDT. This shift has brought unprecedented financial freedom, but it has also opened the door to a new era of cybercrime. From sophisticated phishing attacks and fake investment platforms to direct wallet hacks, the methods used by scammers have become increasingly complex. Every day, victims lose access to their hard-earned digital assets. The feeling of helplessness is overwhelming—but it is not the end of the story. At MUYERN TRUST HACKER, we turn that helplessness into action. Recognized as the Best, Top, and Most Trusted Cryptocurrency Recovery Company in 2026, we have been fighting crypto crime since 2010. With over $990 Million recovered and a reported 99% success rate, we don’t just promise results; we deliver them. But how exactly do we recover what seems lost? Here is a look at our proven methodology. The Myth of "Untraceable" Crypto Many victims believe that once crypto is stolen, it is gone forever because blockchain is anonymous. This is a misconception. Blockchain is pseudonymous, not anonymous. Every transaction leaves a permanent, public footprint. While scammers use mixers and bridges to hide their tracks, they eventually need to cash out. That is where they make mistakes—and where we step in. Our 4-Step Recovery Process We combine cutting-edge technology with legal expertise to trace, freeze, and return your assets. 1. Forensic Case Assessment Recovery begins with intelligence. When you contact us, our experts conduct a deep-dive analysis of your case. We review transaction hashes, wallet addresses, and communication logs to identify the type of fraud (e.g., romance scam, investment fraud, or hack). We determine the viability of recovery before proceeding, ensuring transparency and honesty from day one. 2. Advanced Blockchain Tracing Using proprietary forensic tools, we trace the movement of your funds across multiple blockchains. Even if scammers attempt to launder money through decentralized exchanges (DEXs) or privacy protocols, our algorithms identify patterns and link illicit addresses to known entities. We follow the money trail until it reaches a point of vulnerability—usually a centralized exchange or a regulated financial institution. 3. Strategic Legal Intervention Tracing is only half the battle. To recover funds, we must act where the criminals cash out. We collaborate with: Global Exchanges: Providing irrefutable forensic evidence to freeze accounts holding stolen funds. Law Enforcement: Assisting cybercrime units with detailed investigation reports. Legal Networks: Navigating international jurisdictions to secure asset returns through legal channels. This multi-pronged approach puts immense pressure on bad actors and compliant platforms to return the assets. 4. Secure Asset Return & Protection Once funds are recovered, we facilitate their secure transfer back to your personal wallet. But our job doesn’t end there. We provide a post-recovery security audit, helping you strengthen your digital defenses to prevent future attacks. We believe in empowering our clients, not just rescuing them. Why MUYERN TRUST HACKER is the Leader in 2026 In an industry rife with secondary scams, trust is everything. Here is why thousands of victims choose us: Proven Longevity: Operating since 2010, we have evolved alongside the technology, giving us unmatched experience. Massive Impact: We have recovered over $990 Million in digital assets for individuals and businesses worldwide. High Success Rate: Our rigorous vetting process ensures a reported 99% Crypto Recovery Rate for accepted cases. Global Reach: Cybercrime has no borders, and neither do we. Our network spans major financial hubs across the globe. Don’t Let Scammers Win If you have lost cryptocurrency to fraud, hacks, or scams, time is critical. The faster you act, the higher the chance of recovery. You do not have to face this alone. Join the thousands of clients who have reclaimed their financial freedom with MUYERN TRUST HACKER. Ready to Start Your Recovery? Contact our specialist team today for a confidential, no-obligation case assessment. Email: [ muyerntrusted(at)mail-me(.)c o m ] What App: [ +1.2.0.2.7.0.3.2.2.3.9 ]

16 hours, 26 minutes

[PATCH v7] dma-buf: Fix silent overflow for phys vec to sgt

by David Hu

In case MMIO size is bigger than 4G and peer2peer DMA goes through host bridge, we trigger a code path that assigns the total linked IOVA (which is greater than 4G) to mapped_len. Previously, `mapped_len` was declared as 32-bit `unsigned int`. When accumulating `size_t` lengths, this leads to a silent wrap-around. This truncation causes truncated lengths to be passed to functions like `fill_sg_entry()`. Fix this by changing `mapped_len` to `size_t` (64-bit). While at it, fix similar potential overflow issues in `calc_sg_nents` by using `check_add_overflow()` for `nents` and using `unsigned int` for the loop iterator in `fill_sg_entry` to match. Fixes: 3aa31a8bb11e ("dma-buf: provide phys_vec to scatter-gather mapping routine") Cc: stable(a)vger.kernel.org Cc: iommu(a)lists.linux.dev Reviewed-by: Pranjal Shrivastava <praan(a)google.com> Reviewed-by: Kevin Tian <kevin.tian(a)intel.com> Reviewed-by: Leon Romanovsky <leon(a)kernel.org> Signed-off-by: David Hu <xuehaohu(a)google.com> --- Changes in v7: - Added a missing blank line after local variable declaration in `calc_sg_nents()` (Leon). - Collected Reviewed-by from Leon Romanovsky. Changes in v6: - Used `check_add_overflow()` in `calc_sg_nents()` for safer accumulation (Leon). - Dropped explicit `!nents` check and added a comment noting that `sg_alloc_table` handles `nents == 0` (Leon). - Collected Reviewed-by from Kevin Tian. Changes in v5: - Removed WARN_ON_ONCE from calc_sg_nents() to avoid log noise (Jason). - Added explicit check for `!nents` in dma_buf_phys_vec_to_sgt() to cleanly return -EINVAL on overflow (Jason). Changes in v4: - Added WARN_ON_ONCE() to the nents overflow check to prevent silent failures (Claude Bot). Changes in v3: - Removed leftover sentence fragment from the commit message. - Kept `nents = 0` initialization (previously stated as removed in the v2 changelog) as it is strictly required for the `+=` accumulation loop in `calc_sg_nents()`. Changes in v2: - Fixed 'IVOA' -> 'IOVA' typo and expanded commit message (Claude Bot). - Added Reverse Xmas tree formatting (Pranjal). - Folded in extra bounds checking for calc_sg_nents() (Pranjal). - Folded in type consistency fix for fill_sg_entry() (Pranjal). - Collected Reviewed-by from Pranjal Shrivastava. drivers/dma-buf/dma-buf-mapping.c | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/drivers/dma-buf/dma-buf-mapping.c b/drivers/dma-buf/dma-buf-mapping.c index 794acff2546a..80f6ab2f4809 100644 --- a/drivers/dma-buf/dma-buf-mapping.c +++ b/drivers/dma-buf/dma-buf-mapping.c @@ -5,12 +5,13 @@ */ #include <linux/dma-buf-mapping.h> #include <linux/dma-resv.h> +#include <linux/overflow.h> static struct scatterlist *fill_sg_entry(struct scatterlist *sgl, size_t length, dma_addr_t addr) { unsigned int len, nents; - int i; + unsigned int i; nents = DIV_ROUND_UP(length, UINT_MAX); for (i = 0; i < nents; i++) { @@ -40,8 +41,12 @@ static unsigned int calc_sg_nents(struct dma_iova_state *state, size_t i; if (!state || !dma_use_iova(state)) { - for (i = 0; i < nr_ranges; i++) - nents += DIV_ROUND_UP(phys_vec[i].len, UINT_MAX); + for (i = 0; i < nr_ranges; i++) { + unsigned int added = DIV_ROUND_UP(phys_vec[i].len, UINT_MAX); + + if (check_add_overflow(nents, added, &nents)) + return 0; + } } else { /* * In IOVA case, there is only one SG entry which spans @@ -95,9 +100,10 @@ struct sg_table *dma_buf_phys_vec_to_sgt(struct dma_buf_attachment *attach, size_t nr_ranges, size_t size, enum dma_data_direction dir) { - unsigned int nents, mapped_len = 0; struct dma_buf_dma *dma; struct scatterlist *sgl; + size_t mapped_len = 0; + unsigned int nents; dma_addr_t addr; size_t i; int ret; @@ -133,6 +139,8 @@ struct sg_table *dma_buf_phys_vec_to_sgt(struct dma_buf_attachment *attach, } nents = calc_sg_nents(dma->state, phys_vec, nr_ranges, size); + + /* sg_alloc_table will cleanly fail and return -EINVAL if nents == 0 */ ret = sg_alloc_table(&dma->sgt, nents, GFP_KERNEL | __GFP_ZERO); if (ret) goto err_free_state; -- 2.54.0.1064.gd145956f57-goog

21 hours, 33 minutes

[PATCH v6] dma-buf: Fix silent overflow for phys vec to sgt

by David Hu

In case MMIO size is bigger than 4G and peer2peer DMA goes through host bridge, we trigger a code path that assigns the total linked IOVA (which is greater than 4G) to mapped_len. Previously, `mapped_len` was declared as 32-bit `unsigned int`. When accumulating `size_t` lengths, this leads to a silent wrap-around. This truncation causes truncated lengths to be passed to functions like `fill_sg_entry()`. Fix this by changing `mapped_len` to `size_t` (64-bit). While at it, fix similar potential overflow issues in `calc_sg_nents` by using `check_add_overflow()` for `nents` and using `unsigned int` for the loop iterator in `fill_sg_entry` to match. Fixes: 3aa31a8bb11e ("dma-buf: provide phys_vec to scatter-gather mapping routine") Cc: stable(a)vger.kernel.org Cc: iommu(a)lists.linux.dev Reviewed-by: Pranjal Shrivastava <praan(a)google.com> Reviewed-by: Kevin Tian <kevin.tian(a)intel.com> Signed-off-by: David Hu <xuehaohu(a)google.com> --- Changes in v6: - Used `check_add_overflow()` in `calc_sg_nents()` for safer accumulation (Leon). - Dropped explicit `!nents` check and added a comment noting that `sg_alloc_table` handles `nents == 0` (Leon). - Collected Reviewed-by from Kevin Tian. Changes in v5: - Removed WARN_ON_ONCE from calc_sg_nents() to avoid log noise (Jason). - Added explicit check for `!nents` in dma_buf_phys_vec_to_sgt() to cleanly return -EINVAL on overflow (Jason). Changes in v4: - Added WARN_ON_ONCE() to the nents overflow check to prevent silent failures (Claude Bot). Changes in v3: - Removed leftover sentence fragment from the commit message. - Kept `nents = 0` initialization (previously stated as removed in the v2 changelog) as it is strictly required for the `+=` accumulation loop in `calc_sg_nents()`. Changes in v2: - Fixed 'IVOA' -> 'IOVA' typo and expanded commit message (Claude Bot). - Added Reverse Xmas tree formatting (Pranjal). - Folded in extra bounds checking for calc_sg_nents() (Pranjal). - Folded in type consistency fix for fill_sg_entry() (Pranjal). - Collected Reviewed-by from Pranjal Shrivastava. drivers/dma-buf/dma-buf-mapping.c | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/drivers/dma-buf/dma-buf-mapping.c b/drivers/dma-buf/dma-buf-mapping.c index 794acff2546a..67a8ff52fb8f 100644 --- a/drivers/dma-buf/dma-buf-mapping.c +++ b/drivers/dma-buf/dma-buf-mapping.c @@ -5,12 +5,13 @@ */ #include <linux/dma-buf-mapping.h> #include <linux/dma-resv.h> +#include <linux/overflow.h> static struct scatterlist *fill_sg_entry(struct scatterlist *sgl, size_t length, dma_addr_t addr) { unsigned int len, nents; - int i; + unsigned int i; nents = DIV_ROUND_UP(length, UINT_MAX); for (i = 0; i < nents; i++) { @@ -40,8 +41,11 @@ static unsigned int calc_sg_nents(struct dma_iova_state *state, size_t i; if (!state || !dma_use_iova(state)) { - for (i = 0; i < nr_ranges; i++) - nents += DIV_ROUND_UP(phys_vec[i].len, UINT_MAX); + for (i = 0; i < nr_ranges; i++) { + unsigned int added = DIV_ROUND_UP(phys_vec[i].len, UINT_MAX); + if (check_add_overflow(nents, added, &nents)) + return 0; + } } else { /* * In IOVA case, there is only one SG entry which spans @@ -95,9 +99,10 @@ struct sg_table *dma_buf_phys_vec_to_sgt(struct dma_buf_attachment *attach, size_t nr_ranges, size_t size, enum dma_data_direction dir) { - unsigned int nents, mapped_len = 0; struct dma_buf_dma *dma; struct scatterlist *sgl; + size_t mapped_len = 0; + unsigned int nents; dma_addr_t addr; size_t i; int ret; @@ -133,6 +138,8 @@ struct sg_table *dma_buf_phys_vec_to_sgt(struct dma_buf_attachment *attach, } nents = calc_sg_nents(dma->state, phys_vec, nr_ranges, size); + + /* sg_alloc_table will cleanly fail and return -EINVAL if nents == 0 */ ret = sg_alloc_table(&dma->sgt, nents, GFP_KERNEL | __GFP_ZERO); if (ret) goto err_free_state; -- 2.54.0.1064.gd145956f57-goog

21 hours, 54 minutes

Jump to page:

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

Linaro-mm-sig