Linaro-mm-sig

linaro-mm-sig@lists.linaro.org

91 participants
6567 discussions

[PATCH v3] dma-buf: Fix silent overflow for phys vec to sgt

by David Hu

In case MMIO size is bigger than 4G and peer2peer DMA goes through host bridge, we trigger a code path that assigns the total linked IOVA (which is greater than 4G) to mapped_len. Previously, `mapped_len` was declared as 32-bit `unsigned int`. When accumulating `size_t` lengths, this leads to a silent wrap-around. This truncation causes truncated lengths to be passed to functions like `fill_sg_entry()`. Fix this by changing `mapped_len` to `size_t` (64-bit). While at it, fix similar potential overflow issues in `calc_sg_nents` by using `size_t` for `nents` and checking against `UINT_MAX` and using `unsigned int` for the loop iterator in `fill_sg_entry` to match. Fixes: 3aa31a8bb11e ("dma-buf: provide phys_vec to scatter-gather mapping routine") Cc: stable(a)vger.kernel.org Cc: iommu(a)lists.linux.dev Reviewed-by: Pranjal Shrivastava <praan(a)google.com> Signed-off-by: David Hu <xuehaohu(a)google.com> --- Changes in v3: - Removed leftover sentence fragment from the commit message. - Kept `nents = 0` initialization (previously stated as removed in the v2 changelog) as it is strictly required for the `+=` accumulation loop in `calc_sg_nents()`. Changes in v2: - Fixed 'IVOA' -> 'IOVA' typo and expanded commit message (Claude Bot). - Added Reverse Xmas tree formatting (Pranjal). - Folded in extra bounds checking for calc_sg_nents() (Pranjal). - Folded in type consistency fix for fill_sg_entry() (Pranjal). drivers/dma-buf/dma-buf-mapping.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/drivers/dma-buf/dma-buf-mapping.c b/drivers/dma-buf/dma-buf-mapping.c index 794acff2546a..5bc769fc42ea 100644 --- a/drivers/dma-buf/dma-buf-mapping.c +++ b/drivers/dma-buf/dma-buf-mapping.c @@ -10,7 +10,7 @@ static struct scatterlist *fill_sg_entry(struct scatterlist *sgl, size_t length, dma_addr_t addr) { unsigned int len, nents; - int i; + unsigned int i; nents = DIV_ROUND_UP(length, UINT_MAX); for (i = 0; i < nents; i++) { @@ -36,7 +36,7 @@ static unsigned int calc_sg_nents(struct dma_iova_state *state, struct phys_vec *phys_vec, size_t nr_ranges, size_t size) { - unsigned int nents = 0; + size_t nents = 0; size_t i; if (!state || !dma_use_iova(state)) { @@ -51,6 +51,9 @@ static unsigned int calc_sg_nents(struct dma_iova_state *state, nents = DIV_ROUND_UP(size, UINT_MAX); } + if (nents > UINT_MAX) + return 0; + return nents; } @@ -95,9 +98,10 @@ struct sg_table *dma_buf_phys_vec_to_sgt(struct dma_buf_attachment *attach, size_t nr_ranges, size_t size, enum dma_data_direction dir) { - unsigned int nents, mapped_len = 0; struct dma_buf_dma *dma; struct scatterlist *sgl; + size_t mapped_len = 0; + unsigned int nents; dma_addr_t addr; size_t i; int ret; -- 2.54.0.794.g4f17f83d09-goog

1 hour, 32 minutes

[PATCH] dma-buf: fix UAF in dma_buf_fd() tracepoint

by David Carlier

Once FD_ADD() returns, the fd is live in the file descriptor table and a thread sharing that table can close() it before DMA_BUF_TRACE() runs. The close drops the last reference, __fput() frees the dma_buf, and the tracepoint then dereferences dmabuf to take dmabuf->name_lock -- slab-use-after-free. Split FD_ADD() back into get_unused_fd_flags() + fd_install() and emit the tracepoint between them. While the fdtable slot is reserved with a NULL file pointer, a racing close() returns -EBADF without entering __fput(), so the dma_buf stays alive across the trace. Same approach as commit 2d76319c4cbb ("dma-buf: fix UAF in dma_buf_put() tracepoint"). This undoes the FD_ADD() conversion done in commit 34dfce523c90 ("dma: convert dma_buf_fd() to FD_ADD()"); FD_ADD() has no place to hook the tracepoint safely. Reported-by: syzbot+7f4987d0afb97dd090cb(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=7f4987d0afb97dd090cb Fixes: 281a22631423 ("dma-buf: add some tracepoints to debug.") Cc: stable(a)vger.kernel.org # 7.0.x Signed-off-by: David Carlier <devnexen(a)gmail.com> --- drivers/dma-buf/dma-buf.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/drivers/dma-buf/dma-buf.c b/drivers/dma-buf/dma-buf.c index 71f37544a5c6..d504c636dc29 100644 --- a/drivers/dma-buf/dma-buf.c +++ b/drivers/dma-buf/dma-buf.c @@ -792,9 +792,13 @@ int dma_buf_fd(struct dma_buf *dmabuf, int flags) if (!dmabuf || !dmabuf->file) return -EINVAL; - fd = FD_ADD(flags, dmabuf->file); + fd = get_unused_fd_flags(flags); + if (fd < 0) + return fd; + DMA_BUF_TRACE(trace_dma_buf_fd, dmabuf, fd); + fd_install(fd, dmabuf->file); return fd; } EXPORT_SYMBOL_NS_GPL(dma_buf_fd, "DMA_BUF"); -- 2.53.0

2 hours, 38 minutes

Re: [PATCH v2] drm/prime: fix dangling dmabuf entries after handle release

by Christian König

On 5/28/26 15:29, w15303746062(a)163.com wrote: > From: Mingyu Wang <25181214217(a)stu.xidian.edu.cn> > > When a GEM handle already exists in the drm_prime_file_private, repeated > calls to DRM_IOCTL_PRIME_HANDLE_TO_FD can cause drm_prime_add_buf_handle() > to insert multiple entries with the same handle into the handles rb_tree. > Because the insertion walk moves left on equality, duplicate keys are > structurally accepted by the tree. That should never happen and would be a major bug. All callers should check if a handler exists before calling drm_prime_add_buf_handle(). How do you see that a handle is added twice? Regards, Christian. > > Later, when the handle is released via drm_gem_release() -> > drm_gem_object_release_handle() -> drm_prime_remove_buf_handle(), the > latter iterates the handles tree, removes the first matching node, and > breaks out of the loop. Any remaining duplicate nodes that share the > same handle are left orphaned in the dmabufs tree - they are no longer > reachable through the handles tree and are never freed. > > When the drm file is finally closed, drm_prime_destroy_file_private() > triggers: > > WARN_ON(!RB_EMPTY_ROOT(&prime_fpriv->dmabufs)); > > because the dmabufs tree is still non-empty. With CONFIG_PANIC_ON_WARN > this becomes a kernel panic: > > ------------[ cut here ]------------ > WARNING: CPU: 0 PID: 19739 at drivers/gpu/drm/drm_prime.c:223 drm_prime_destroy_file_private+0x43/0x60 > ... > Kernel panic - not syncing: kernel: panic_on_warn set ... > > Fix this by restarting the lookup from the root of the handles tree > after each successful removal, so that all duplicate nodes for the given > handle are erased. The caller (drm_gem_object_release_handle) already > holds prime_fpriv->lock, so this does not change the locking strategy. > > Signed-off-by: Mingyu Wang <25181214217(a)stu.xidian.edu.cn> > --- > Changes in v2: > - Drop the unnecessary mutex_lock addition, as the caller (drm_gem_object_release_handle) already holds the lock. > - Rewrite the commit message to accurately reflect the root cause (duplicate handle insertions) rather than an assumed lack of synchronization. > - Restart the rb_tree lookup from the root instead of breaking the loop to ensure all orphaned duplicate nodes are thoroughly removed. > > drivers/gpu/drm/drm_prime.c | 5 ++++- > 1 file changed, 4 insertions(+), 1 deletion(-) > > diff --git a/drivers/gpu/drm/drm_prime.c b/drivers/gpu/drm/drm_prime.c > index 9b44c78cd77f..dc28df1c6698 100644 > --- a/drivers/gpu/drm/drm_prime.c > +++ b/drivers/gpu/drm/drm_prime.c > @@ -202,7 +202,10 @@ void drm_prime_remove_buf_handle(struct drm_prime_file_private *prime_fpriv, > > dma_buf_put(member->dma_buf); > kfree(member); > - break; > + /* Duplicate handles may exist; restart search from root > + * to guarantee removal of all matching entries. > + */ > + rb = prime_fpriv->handles.rb_node; > } else if (member->handle < handle) { > rb = rb->rb_right; > } else { > -- > 2.34.1 >

4 hours

Whatsapp: +33 754.090.961, How get location in Abou Dhabi, UAE read full story .

by brekkea78＠gmail.com

Whatsapp: +33 754.090.961, How i buy Dispensary in Dubai, read full story . Order the free ebook on Whatsapp: +33 754.090.961 of how i buy 70mg lyrica in #jeddah. For those wondering where to buy #THC vapes in UAE, it’s important to find a provider that values purity, potency, and customer confidentiality go on: https://uaetherapist.com/ the online drop. I like spent my holiday In United Arab Emirates , the streets are amazing most in the night one day inside a uber the driver who take me from #Al_wahda ask me if he can play music i told him ‘’ YOU ARE WELCOME BRO ’’ then i heard 50cent in window shopper i get a small smile in the corner of my face. At that moment i don’t know why, suddenly i started to think about Coffee Sh0p how i can roll a split , but DAMMN MAN YOU ARE CLEAN OVER 3 YEARS!! You are in Dubai, is like Bahrain, as Saudi , like Oman it’s impossible to get a coffee shop here anyway you risk to go through huge problem with arabic country law !! I was saw my pregnant girlfiend who are waiting me at Charjah, my new work who permit me to travel as i want with my family all the life i have for , no man stay focus on your job in MANAMA ... FOLLOW HAPPENED STORY ON Whatsapp: +33 754.090.961 and you will know where i bought THC gummies in Dubai. Contacts: Telegram: Go0dTherapist Gmail: uaetherapist(a)gmail.com Signal: addsilkroad.47 Whatsapp: https://whatsapp.com/channel/0029VbCcd6PLCoX7L05OeX3a Tik Tok: https://vm.tiktok.com/ZS9R3Cn5sdvLu-YwLbv/ https://uaetherapist.com/how-to-order/ https://uaetherapist.com/shop/ https://uaetherapist.com/faqs/ https://uaetherapist.com/policies/ https://uaetherapist.com/contact/ #uaetherapist.com #uaetherapistdotcom #dubaidispensary #uaemedicated

7 hours, 19 minutes

Whatsapp: +33 754.090.961, How i get location in Abou Dabi, UAE.read full story .

by brekkea78＠gmail.com

7 hours, 21 minutes

Re: [PATCH] drm/prime: Fix unsupervised rb_tree corruption in drm_prime_remove_buf_handle

by Christian König

On 5/28/26 10:29, w15303746062(a)163.com wrote: > From: Mingyu Wang <25181214217(a)stu.xidian.edu.cn> > > Syzkaller fuzzer triggered a kernel panic via a WARNING in > drm_prime_destroy_file_private() due to a non-empty prime rb_tree. > > The root cause is a complete lack of synchronization in the teardown > path. While the import path (drm_gem_prime_fd_to_handle) holds the > &file_priv->prime.lock during lookup and insertion, the deletion path > (drm_prime_remove_buf_handle) traverses and mutates both the 'handles' > and 'dmabufs' rb_trees without acquiring any mutex. That's just simply incorrect, drm_prime_remove_buf_handle() is called with the lock already held. See drm_gem_object_release_handle(): mutex_lock(&file_priv->prime.lock); drm_prime_remove_buf_handle(&file_priv->prime, id); mutex_unlock(&file_priv->prime.lock); So the patch you propose here is just nonsense. What tree are you working on? Could it be that this is something specific to a certain version. Regards, Christian. > > When multiple threads concurrently close GEM handles or interleave import > and close operations, the pointers and balance states of the rb_tree > nodes get corrupted. As a result, certain members are erased from one > tree but remain orphaned in the other. Upon process exit, the final > sanity check triggers the WARNING. > > [ 448.919314][T19739] ------------[ cut here ]------------ > [ 448.945387][T19739] WARNING: CPU: 0 PID: 19739 at drivers/gpu/drm/drm_prime.c:223 drm_prime_destroy_file_private+0x43/0x60 > ... > [ 449.056535][T19739] Call Trace: > [ 449.056544][T19739] <TASK> > [ 449.056553][T19739] drm_file_free.part.0+0x805/0xcf0 > [ 449.056652][T19739] drm_close_helper.isra.0+0x183/0x1f0 > [ 449.056677][T19739] drm_release+0x1ab/0x360 > [ 449.056719][T19739] __fput+0x402/0xb50 > [ 449.056783][T19739] task_work_run+0x16b/0x260 > [ 449.056883][T19739] exit_to_user_mode_loop+0xf9/0x130 > [ 449.056931][T19739] do_syscall_64+0x424/0xfa0 > [ 449.056977][T19739] entry_SYSCALL_64_after_hwframe+0x77/0x7f > [ 449.057268][T19739] </TASK> > [ 449.057295][T19739] Kernel panic - not syncing: kernel: panic_on_warn set ... > > Fix this by acquiring the prime_fpriv->lock mutex around the rb_tree > lookup and erasure logic. To respect the locking rules and avoid potential > deadlocks with driver-specific memory cleanups, assign the target node to > a temporary pointer and defer the dma_buf_put() and kfree() operations > until after the mutex is safely dropped. > > Fixes: ea2aa97ca37a ("drm/gem: Fix GEM handle release errors") > Cc: stable(a)vger.kernel.org > Signed-off-by: Mingyu Wang <25181214217(a)stu.xidian.edu.cn> > --- > drivers/gpu/drm/drm_prime.c | 13 +++++++++++-- > 1 file changed, 11 insertions(+), 2 deletions(-) > > diff --git a/drivers/gpu/drm/drm_prime.c b/drivers/gpu/drm/drm_prime.c > index 9b44c78cd77f..26319c638e0f 100644 > --- a/drivers/gpu/drm/drm_prime.c > +++ b/drivers/gpu/drm/drm_prime.c > @@ -190,6 +190,9 @@ void drm_prime_remove_buf_handle(struct drm_prime_file_private *prime_fpriv, > uint32_t handle) > { > struct rb_node *rb; > + struct drm_prime_member *found = NULL; > + > + mutex_lock(&prime_fpriv->lock); > > rb = prime_fpriv->handles.rb_node; > while (rb) { > @@ -200,8 +203,7 @@ void drm_prime_remove_buf_handle(struct drm_prime_file_private *prime_fpriv, > rb_erase(&member->handle_rb, &prime_fpriv->handles); > rb_erase(&member->dmabuf_rb, &prime_fpriv->dmabufs); > > - dma_buf_put(member->dma_buf); > - kfree(member); > + found = member; > break; > } else if (member->handle < handle) { > rb = rb->rb_right; > @@ -209,6 +211,13 @@ void drm_prime_remove_buf_handle(struct drm_prime_file_private *prime_fpriv, > rb = rb->rb_left; > } > } > + mutex_unlock(&prime_fpriv->lock); > + > + /* Defer resource release outside the mutex to prevent deadlocks */ > + if (found) { > + dma_buf_put(found->dma_buf); > + kfree(found); > + } > } > > void drm_prime_init_file_private(struct drm_prime_file_private *prime_fpriv) > -- > 2.34.1 >

8 hours, 18 minutes

Unleash Your Inner Blade: A Guide to the Satisfying World of Slice Master

by profound.cheetah.kect＠hidingmail.net

Ever found yourself in a moment of boredom, scrolling aimlessly, and wishing for something simple yet utterly satisfying to engage your mind? Look no further than the delightful genre of slicing games, and specifically, the incredibly addictive Slice Master. These games offer a unique blend of precision, timing, and visual gratification, making them a perfect pick-up-and-play experience for anyone looking to unwind. https://slicemasterfree.com What is Slice Master, and Why Should You Try It? At its core, Slice Master is a game about, well, slicing! Imagine a canvas filled with various shapes and objects, and your goal is to meticulously cut them into smaller, designated pieces using a virtual blade. It sounds deceptively simple, but the genius lies in its execution. The game's intuitive controls and satisfying physics make each slice feel impactful, and the challenge gradually increases, keeping you hooked. Think of it as a digital meditation, where the act of carefully dissecting objects becomes a strangely calming and rewarding experience. The visual feedback of cleanly cut shapes, often accompanied by satisfying sound effects, creates a positive loop that encourages you to keep playing. Getting Started: A Glimpse into the Gameplay Playing Slice Master is incredibly straightforward, making it accessible to gamers of all ages and skill levels. Here's a basic rundown of what you can expect: The Objective: Each level presents you with a set of objects. Your goal is to slice them into a specific number of smaller pieces, often along indicated lines or into particular shapes. The Blade: You control a virtual blade, usually by dragging your finger or mouse across the screen. The key is to make smooth, precise movements to achieve clean cuts. Precision is Key: Hitting the target lines perfectly often yields higher scores or unlocks bonus points. Messy cuts might mean restarting a section or losing points. Varying Challenges: As you progress, you'll encounter different materials that require more careful slicing, moving objects, or even time limits, adding layers of complexity to the core mechanic. Tips for Becoming a Slice Master While the game is easy to pick up, mastering it requires a bit of finesse. Here are a few friendly tips to enhance your slicing skills: Practice Makes Perfect: Don't be discouraged by imperfect cuts at first. The more you play, the better your hand-eye coordination and precision will become. Observe the Target: Before you make your first cut, take a moment to analyze the object and the desired outcome. Visualize your cut path. Smooth and Steady Wins the Race: Avoid jerky movements. A slow, deliberate drag of your blade is often more effective than a quick, frantic swipe. Utilize the Edges: Sometimes, using the edges of the object as a guide for your cuts can help you achieve straighter and more accurate slices. Don't Be Afraid to Restart: If a cut goes horribly wrong, many levels allow you to restart that particular segment. It's better to restart and achieve a perfect score than to muddle through with a subpar cut. Conclusion: A Simple Joy Slice Master and similar slicing games offer a delightful escape from the hustle and bustle of everyday life. Their uncomplicated yet engaging gameplay provides a sense of accomplishment and a unique form of digital satisfaction. Whether you have five minutes to spare or an hour to unwind, diving into the world of precise cuts and satisfying visuals is a worthwhile endeavor. So, grab your virtual blade and prepare to experience the quiet joy of becoming a true Slice Master!

9 hours, 49 minutes

[PATCH v2] dma-buf: set SB_I_NOEXEC and SB_I_NODEV on the pseudo filesystem

by John Hubbard

The dma-buf pseudo filesystem dispenses S_ANON_INODE inodes via alloc_anon_inode() but never sets SB_I_NOEXEC on its superblock. Since commit 1e7ab6f67824 ("anon_inode: rework assertions") in 6.17, path_noexec() warns on exactly that combination, so an mmap() on any dma-buf fd trips the warning: WARNING: CPU: 11 PID: 121813 at fs/exec.c:118 path_noexec+0x47/0x50 do_mmap+0x2b5/0x680 vm_mmap_pgoff+0x129/0x210 ksys_mmap_pgoff+0x177/0x240 __x64_sys_mmap+0x33/0x70 dma-bufs have no business being executable, which is the invariant that the new assertion is enforcing. Set SB_I_NOEXEC. Also set SB_I_NODEV, since the pseudo filesystem creates no device nodes. Reproducer on a CONFIG_DEBUG_VFS=y kernel: make -C tools/testing/selftests/dmabuf-heaps sudo ./tools/testing/selftests/dmabuf-heaps/dmabuf-heap -t system The selftest allocates from /dev/dma_heap/system and mmaps the returned fd, which trips the warning without this patch. Fixes: 1e7ab6f67824 ("anon_inode: rework assertions") Cc: stable(a)vger.kernel.org Reviewed-by: Christian Brauner (Amutable) <brauner(a)kernel.org> Signed-off-by: John Hubbard <jhubbard(a)nvidia.com> --- Changes since v1: * Also set SB_I_NODEV (suggested by Christian Brauner). * Added Christian Brauner's Reviewed-by tag (thanks!) drivers/dma-buf/dma-buf.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/dma-buf/dma-buf.c b/drivers/dma-buf/dma-buf.c index 71f37544a5c6..ea1ddd4293b2 100644 --- a/drivers/dma-buf/dma-buf.c +++ b/drivers/dma-buf/dma-buf.c @@ -216,6 +216,8 @@ static int dma_buf_fs_init_context(struct fs_context *fc) if (!ctx) return -ENOMEM; ctx->dops = &dma_buf_dentry_ops; + fc->s_iflags |= SB_I_NOEXEC; + fc->s_iflags |= SB_I_NODEV; return 0; } base-commit: 6779b50faa562e6cca1aa6a4649a4d764c6c7e28 -- 2.54.0

14 hours, 53 minutes

Wordle Unlimited Game Guide for Endless Word Puzzle Fun

by thoughtless.stork.wxrl＠hidingmail.net

Introduction to Wordle Unlimited Experience Wordle Unlimited is an online word puzzle game that expands the classic word guessing concept into an endless format. Instead of waiting for a daily puzzle, players can enjoy continuous gameplay with unlimited attempts and unlimited rounds. This format makes it appealing for players who enjoy vocabulary challenges, logic thinking, and casual gaming without time restrictions. https://wordleunlimitedgame.org/ The main objective remains simple. Players try to guess a hidden five letter word within a limited number of attempts. After each guess, feedback is provided through color indicators that help narrow down the correct answer. This simple design combined with endless replay value makes Wordle Unlimited highly engaging for both beginners and experienced puzzle players. How Wordle Unlimited Gameplay Works Wordle Unlimited follows a straightforward set of rules that are easy to understand. Each round begins with a hidden word that players must discover. Players enter a five letter word as a guess, and the system responds with color coded hints. Green indicates a correct letter in the correct position. Yellow indicates a correct letter in the wrong position. Gray indicates a letter that is not part of the hidden word. These feedback signals guide players toward the correct answer step by step. Unlike traditional daily word puzzles, Wordle Unlimited allows continuous play without waiting periods. Players can restart instantly after finishing a round, making it suitable for practice, entertainment, or improving vocabulary skills. This unlimited structure also allows experimentation with different guessing strategies. Key Features of Wordle Unlimited One of the most important features of Wordle Unlimited is unlimited gameplay. Players are not restricted to a single puzzle per day, which increases engagement and learning opportunities. This feature is especially useful for users who enjoy repetitive practice or competitive improvement. Another key feature is accessibility. The game runs directly in a web browser, meaning no installation is required. It works on desktop computers, tablets, and mobile devices, making it convenient for users in different environments. Wordle Unlimited also maintains a simple interface. There are no complicated menus or distractions. The focus remains entirely on word solving. This minimal design helps players concentrate and improves the overall puzzle solving experience. Additionally, the game supports learning and vocabulary development. Players are exposed to different word patterns and letter combinations, which can help improve language skills over time. Effective Strategies for Winning Wordle Unlimited A strong strategy in Wordle Unlimited begins with choosing a good starting word. Many players select words that contain common vowels and frequently used consonants. This approach increases the chance of identifying correct letters early in the game. Another effective strategy is to avoid repeating incorrect letters. Once a letter is marked as gray, it is usually best to exclude it from future guesses. This helps narrow down possibilities more efficiently. Players also benefit from analyzing letter placement carefully. When a letter is marked yellow, it should be repositioned in the next guess. This process of elimination is essential for solving puzzles in fewer attempts. It is also helpful to think in word patterns rather than random guesses. English words often follow predictable structures, and recognizing these patterns can significantly improve success rates. Finally, patience plays an important role. Rushing guesses can lead to repeated mistakes. Taking time to evaluate feedback from each attempt leads to more accurate solutions. Benefits of Playing Wordle Unlimited Regularly Playing Wordle Unlimited regularly offers several cognitive benefits. One major advantage is vocabulary improvement. Players are exposed to a wide range of words, which helps expand language knowledge over time. Another benefit is mental exercise. Word puzzle games stimulate logical thinking, pattern recognition, and memory recall. These skills are useful in both academic and professional contexts. Wordle Unlimited also provides stress relief for many players. The simple structure and short gameplay sessions make it a relaxing activity that can be enjoyed during breaks or free time. In addition, the unlimited nature of the game allows continuous practice. This is especially beneficial for players who want to improve performance or challenge themselves with faster solving times. Social interaction is another indirect benefit. Many players enjoy sharing results or competing with friends, which adds a fun and competitive element to the experience. Why Wordle Unlimited Remains Popular The popularity of Wordle Unlimited comes from its balance of simplicity and challenge. It does not require advanced gaming skills, yet it still offers a satisfying mental challenge. This combination makes it accessible to a wide audience. The unlimited format also contributes to its popularity. Players are no longer restricted by daily limits, which means they can engage with the game whenever they want. This flexibility aligns well with modern digital habits. Another reason for its popularity is its quick gameplay loop. Each round can be completed in a short time, making it ideal for casual entertainment. Despite its simplicity, the game continues to offer new challenges with every hidden word. Conclusion on Wordle Unlimited Experience Wordle Unlimited delivers a simple yet highly engaging word puzzle experience that appeals to players of all ages. With unlimited gameplay, easy rules, and strong cognitive benefits, it stands out as an effective and enjoyable word game.

14 hours, 55 minutes

[PATCH v2 0/9] vfio/pci: Add mmap() for DMABUFs

by Matt Evans

Hi all, This series is based on previous RFCs/discussions: Tech topic: https://lore.kernel.org/linux-iommu/20250918214425.2677057-1-amastro@fb.com/ RFCv1: https://lore.kernel.org/all/20260226202211.929005-1-mattev@meta.com/ RFCv2: https://lore.kernel.org/kvm/20260312184613.3710705-1-mattev@meta.com/ The background/rationale is covered in more detail in the RFC cover letters. The TL;DR is: The goal is to enable userspace driver designs that use VFIO to export DMABUFs representing subsets of PCI device BARs, and "vend" those buffers from a primary process to other subordinate processes by fd. These processes then mmap() the buffers and their access to the device is isolated to the exported ranges. This is an improvement on sharing the VFIO device fd to subordinate processes, which would allow unfettered access. This is achieved by enabling mmap() of vfio-pci DMABUFs, passed by fd to subordinate processes. Second, a new ioctl()-based revocation mechanism is added to allow the primary process to forcibly revoke access to previously-shared BAR spans, even if the subordinate processes haven't cleanly exited. (The related topic of safe delegation of iommufd control to the subordinate processes is not addressed here, and is follow-up work.) As well as isolation and revocation, another advantage to accessing a BAR through a VMA backed by a DMABUF is that it's straightforward to mmap() the buffer with access attributes, such as write-combining. Feedback from the RFCs requested that, instead of creating DMABUF-specific vm_ops and .fault paths, to go the whole way and migrate the existing VFIO PCI BAR mmap() to be backed by a DMABUF too, resulting in a common vm_ops and fault handler for mmap()s of both the VFIO device and explicitly-exported DMABUFs. This will help future iommufd emulation of VFIO Type1 peer-to-peer, making it easier to get a DMABUF for a VFIO BAR as a DMA target. mmap() conversion to use DMABUF underneath has been done for vfio-pci, but not sub-drivers: nvgrace-gpu's mmap() override path is unchanged; I kept this out of scope for now not least because I don't have a thorough test setup for this system. I would prefer to help the nvgrace-gpu maintainers enable BAR mmap() DMABUFs themselves. Notes on patches ================ PCI/P2PDMA: Add CONFIG_PCI_P2PDMA_CORE Later in the series, vfio-pci's mmap() is going to depend on pcim_p2pdma_provider() which depended on CONFIG_PCI_P2PDMA, which in turn depended on ZONE_DEVICE (which isn't available on 32-bit and some archs, because they lack MEMORY_HOTPLUG and friends). VFIO does _not_ require actual P2P to be present for basic mmap() functionality, only for the optional CONFIG_DMA_SHARED_BUFFER feature. This splits P2PDMA into a CONFIG_PCI_P2PDMA_CORE (which currently contains pcim_p2pdma_provider()) and an optional CONFIG_PCI_P2PDMA (which depends on ZONE_DEVICE etc., and provides P2P functionality). vfio/pci: Add a helper to look up PFNs for DMABUFs vfio/pci: Add a helper to create a DMABUF for a BAR-map VMA The first is for a DMABUF VMA fault handler to determine arbitrary-sized PFNs from ranges in DMABUF. Secondly, refactor DMABUF export for use by the existing export feature and add a new helper that creates a DMABUF corresponding to a VFIO BAR mmap() request. vfio/pci: Convert BAR mmap() to use a DMABUF The vfio-pci core mmap() creates a DMABUF with the helper, and the vm_ops fault handler uses the other helper to resolve the fault. Because this depends on DMABUF structs/code, CONFIG_VFIO_PCI_CORE needs to depend on CONFIG_DMA_SHARED_BUFFER. The CONFIG_VFIO_PCI_DMABUF still conditionally enables the export support code. NOTE: The user mmap()s a device fd, but the resulting VMA's vm_file becomes that of the DMABUF which takes ownership of the device and puts it on release. This maintains the existing behaviour of a VMA keeping the VFIO device open. BAR zapping then happens via the existing vfio_pci_dma_buf_move() path, which now needs to unmap PTEs in the DMABUF's address_space. vfio/pci: Provide a user-facing name for BAR mappings There was a request for decent debug naming in /proc/<pid>/maps etc. comparable to the existing VFIO names: since the VMAs are DMABUFs, they have a "dmabuf:" prefix and can't be 100% identical to before. This is a user-visible change, but this patch at least now gives us extra info on the BDF & BAR being mapped. vfio/pci: Clean up BAR zap and revocation In general (see NOTE!) the vfio_pci_zap_bars() is now obsolete, since it unmaps PTEs in the VFIO device address_space which is now unused. This consolidates all calls (e.g. around reset) with the neighbouring vfio_pci_dma_buf_move()s into new functions, to revoke-zap/unrevoke. !!! NOTE: the nvgrace-gpu driver continues to use its own private vm_ops, fault handler, etc. for its special memregions, and these DO still add PTEs to the VFIO device address_space. So, a temporary flag, vdev->bar_needs_zap, maintains the old behaviour for this use. At least this patch's consolidation makes it easy to remove the remaining zap when this need goes away; a FIXME reminds that this can be removed when nvgrace-gpu is converted. vfio/pci: Support mmap() of a VFIO DMABUF Adds mmap() for a DMABUF fd exported from vfio-pci. It was a goal to keep the VFIO device fd lifetime behaviour unchanged with respect to the DMABUFs. An application can close all device fds, and this will revoke/clean up all DMABUFs; no mappings or other access can be performed now. When enabling mmap() of the DMABUFs, this means access through the VMA is also revoked. This complicates the fault handler because whilst the DMABUF exists, it has no guarantee that the corresponding VFIO device is still alive. Adds synchronisation ensuring the vdev is available before vdev->memory_lock is touched; this holds the device registration so that even if the buffer has been cleaned up, vdev hasn't been freed and so the lock can be safely taken. (I decided against the alternative of preventing cleanup by holding the VFIO device open if any DMABUFs exist, because it's both a change of behaviour and less clean overall.) I've added a chonky comment in place, happy to clarify more if you have ideas. This commit makes VFIO_PCI_CORE depend on PCI_P2PDMA_CORE (commit 1) to bring in (only) the P2PDMA provider code. vfio/pci: Permanently revoke a DMABUF on request By weight, this is mostly a rename of revoked to an enum, status. There are now 3 states for a buffer, usable and revoked temporary/permanent. A new VFIO device ioctl is added, VFIO_DEVICE_PCI_DMABUF_REVOKE, which passes a DMABUF (exported from that device) and permanently revokes it. Thus a userspace driver can guarantee any downstream consumers of a shared fd are prevented from accessing a BAR range, and that range can be reused. The code doing revocation in vfio_pci_dma_buf_move() is moved, unchanged, to a common function for use by _move() and the new ioctl path. Q: I can't think of a good reason to temporarily revoke/unrevoke buffers from userspace, so didn't add a 'flags' field to the ioctl struct. Easy to add if people think it's worthwhile for future use. vfio/pci: Add mmap() attributes to DMABUF feature Adds a new VFIO feature, VFIO_DEVICE_FEATURE_DMA_BUF_MEMATTR. After a DMABUF is exported, this feature ioctl() isused to set a memory attribute that will be used by future mmap()s of the DMABUF fd (i.e. it does nothing for any existing maps). The default is UC, and via the feature one can specify CPU access as WC. The attribute is an enum/scalar rather than bitmap/cumulative. The attributes follow a "try-fail" model where a client can request an attribute and either succeed or fail with ENOTSUPP if it's unknown; if future attributes are platform-specific then their support can be probed. (Since it's just UC/WC for now, there is no reservation or numeric structure to the namespace yet, but we could support system/arch-specific values in future by carving out base + arch-specific + IMPDEF ranges.) Testing ======= (The [RFC ONLY] userspace test program, for QEMU edu-plus, has been dropped from the series, but can be found in the GitHub branch below. It at least illustrates the export, map, revoke, attribute, and close semantics interoperate.) This code has been tested in mapping DMABUFs of single/multiple ranges, aliasing mmap()s, aliasing ranges across DMABUFs, vm_pgoff > 0, revocation, shutdown/cleanup scenarios, and hugepage mappings seem to work correctly. I've lightly tested WC mappings also (by observing resulting PTEs as having the correct attributes...). No regressions observed on the VFIO selftests, or on our internal vfio-pci applications. End === This is based on VFIO next (e.g. at b9285405c5f6). These commits are on GitHub for easier browsing, along with "[RFC ONLY] selftests: vfio: Add standalone vfio_dmabuf_mmap_test": https://github.com/metamev/linux/compare/b9285405c5f6...metamev:linux:dev/m… Thanks for reading, Matt ================================================================================ Change log: v2: - Rebase on VFIO next, picking up Alex's vfio_pci_dma_buf_move()/vfio_pci_dma_buf_cleanup() fixes, and dropping "vfio/pci: Fix vfio_pci_dma_buf_cleanup() double-put" - Added "PCI/P2PDMA: Add CONFIG_PCI_P2PDMA_CORE" so that the newly-added vfio-pci hard dependency on the P2PDMA provider instead pulls in the _CORE variant and not the full-fat CONFIG_PCI_P2PDMA. This means that the core of vfio-pci does not need ZONE_DEVICE, but if it's available then enabling P2PDMA in turn enables DMABUF export. Fixes basic VFIO operation on 32b or other platforms without ZONE_DEVICE. - Fixed comment inaccuracy in vfio_pci_dma_buf_revoke() and cleaned up vdev validity test. - vfio_pci_dma_buf_find_pfn(): use PAGE_ALIGN(), better span variable naming, OVF check - Made vm_pgoffs use consistent (keeping the resource index at the top and masking where offset is used). For BAR mmap, use new vma_pgoff_adjust to create the DMABUF with the exact mmap()ed span instead of from the start of the BAR with an invisible portion before the mapping. - Added VFIO_DEVICE_FEATURE_DMA_BUF_MEMATTR to set memory attributes, instead of using the export `flags` field. - vfio_pci_ioctl_reset: Moved vfio_pci_zap_revoke_bars() (effectively, vfio_pci_dma_buf_move()) back after D0 transition. Note, if a BAR zap is needed, it's done in this function so now happens after this D0 transition with the _move; it was done before it at the time of the memory_lock taking. - Minimised vfio_pci_dma_buf_mmap() (removed redundant span check), added READ_ONCE for memattr - Misc fixes: comment in DMABUF name generation, removed superfluous READ_ONCE from faulthandler v1: https://lore.kernel.org/kvm/20260416131815.2729131-1-mattev@meta.com/ - Cleanup of the common DMABUF-aware VMA vm_ops fault handler and export code. - Fixed a lot of races, particularly faults racing with DMABUF cleanup (if the VFIO device fds close, for example). - Added nicer human-readable names for VFIO mmap() VMAs RFCv2: Respin based on the feedback/suggestions: https://lore.kernel.org/kvm/20260312184613.3710705-1-mattev@meta.com/ - Transform the existing VFIO BAR mmap path to also use DMABUFs behind the scenes, and then simply share that code for explicitly-mapped DMABUFs. Jason wanted to go that direction to enable iommufd VFIO type 1 emulation to pick up a DMABUF for an IO mapping. - Revoke buffers using a VFIO device fd ioctl RFCv1: https://lore.kernel.org/all/20260226202211.929005-1-mattev@meta.com/ Matt Evans (9): PCI/P2PDMA: Add CONFIG_PCI_P2PDMA_CORE vfio/pci: Add a helper to look up PFNs for DMABUFs vfio/pci: Add a helper to create a DMABUF for a BAR-map VMA vfio/pci: Convert BAR mmap() to use a DMABUF vfio/pci: Provide a user-facing name for BAR mappings vfio/pci: Clean up BAR zap and revocation vfio/pci: Support mmap() of a VFIO DMABUF vfio/pci: Permanently revoke a DMABUF on request vfio/pci: Add mmap() attributes to DMABUF feature drivers/pci/Kconfig | 10 +- drivers/pci/Makefile | 2 +- drivers/pci/p2pdma.c | 16 + drivers/vfio/pci/Kconfig | 4 +- drivers/vfio/pci/Makefile | 3 +- drivers/vfio/pci/nvgrace-gpu/main.c | 5 + drivers/vfio/pci/vfio_pci_config.c | 30 +- drivers/vfio/pci/vfio_pci_core.c | 225 +++++++++--- drivers/vfio/pci/vfio_pci_dmabuf.c | 548 ++++++++++++++++++++++++---- drivers/vfio/pci/vfio_pci_priv.h | 57 ++- include/linux/pci-p2pdma.h | 24 +- include/linux/pci.h | 2 +- include/linux/vfio_pci_core.h | 1 + include/uapi/linux/vfio.h | 57 +++ 14 files changed, 815 insertions(+), 169 deletions(-) -- 2.47.3

18 hours, 33 minutes

Jump to page:

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

Linaro-mm-sig