Linaro-mm-sig

linaro-mm-sig@lists.linaro.org

53 participants
6531 discussions

by sarahcolter＠wshu.net

Have you ever felt the exhilarating rush of speed, the focus demanded by precision, and the utter satisfaction of overcoming a seemingly impossible challenge? If so, then you might just be ready to tackle Slope. This deceptively simple online game has captivated players with its addictive gameplay and endless potential for improvement. It's a perfect little escape for a quick break or a dedicated practice session. Let's dive into how to play and, more importantly, how to experience the thrill of Slope. Introduction: What is Slope? At its core, Slope is a rolling ball game. You control a ball that’s constantly moving downhill, navigating a procedurally generated landscape of interconnected platforms. Sounds straightforward, right? Don’t be fooled! The platforms narrow, the speed increases relentlessly, and the gaps between platforms widen as you progress. One wrong move and you’re plummeting into the abyss. https://slopegame-online.com The brilliance of Slope lies in its accessibility and its learning curve. It's incredibly easy to pick up and play, yet fiendishly difficult to master. You don't need complicated controllers or extensive tutorials. Just a keyboard, a steady hand, and a determined spirit. It's a perfect example of a simple concept executed brilliantly. Gameplay: Navigating the Perilous Path The controls are as minimal as the aesthetic: the left and right arrow keys are all you need to guide your ball. Use the left arrow key to steer the ball left, and the right arrow key to steer it right. That's it! But mastering those two keys is the key to survival. Your objective is to stay on the platforms for as long as possible. As you roll further down the slope, your speed increases, and the environment becomes increasingly challenging. Red blocks appear, acting as obstacles that instantly end your run if touched. The platforms themselves will start to shift and move, adding another layer of complexity to the game. The game ends when your ball falls off the platform. Your score is determined by the distance you travelled before your demise. The higher the score, the better! The goal is to constantly improve your score, pushing yourself to see just how far you can go. Tips and Tricks for Conquering the Slope While the controls are simple, mastering Slope requires practice and a good understanding of the game's mechanics. Here are a few tips to help you improve your game: Smooth Movements Are Key: Avoid jerky, panicked movements. Small, controlled adjustments are far more effective than large, sweeping ones. Think less about reacting and more about anticipating. Look Ahead: Try to focus a little further down the slope. Anticipating the next turn or gap will give you more time to react and adjust your trajectory. This is easier said than done when the speed is high, but it's a crucial skill to develop. Embrace the Momentum: Understand how your ball's momentum affects its movement. Learn how to use the slight curve of the platforms to your advantage, especially when approaching tight turns. Don't Fear the Edges: Sometimes, the safest route is to ride along the edge of the platform. This allows you to make small corrections and avoid potential obstacles in the center. Practice, Practice, Practice: There's no substitute for practice. The more you play, the better you'll become at anticipating the challenges and reacting accordingly. Don't get discouraged by early failures. Everyone starts somewhere. You can visit Slope to begin practicing! Learn from Your Mistakes: Analyze your failures. What caused you to fall off the platform? Were you too slow to react? Did you misjudge the turn? Understanding your mistakes will help you avoid them in the future. Conclusion: The Enduring Appeal of an Endless Game Slope isn't about complicated storylines, stunning graphics, or intricate controls. It's about the pure, unadulterated challenge of pushing your skills to the limit. It's about the satisfaction of mastering a seemingly impossible task. It's about the addictive loop of playing, failing, learning, and improving. And its accessible nature means anyone can jump in and experience that thrill. So, go ahead, give it a try. You might just find yourself hooked on the endless decline. The simple controls and challenging gameplay make it a strangely addictive experience. It's a testament to the idea that sometimes, the simplest games are the most engaging.

12 minutes

Re: [PATCH 4/8] drm/panthor: Add support for protected memory allocation in panthor

by Boris Brezillon

On Thu, 7 May 2026 11:02:26 +0200 Marcin Ślusarz <marcin.slusarz(a)arm.com> wrote: > On Tue, May 05, 2026 at 06:15:23PM +0200, Boris Brezillon wrote: > > > @@ -277,9 +286,21 @@ int panthor_device_init(struct panthor_device *ptdev) > > > return ret; > > > } > > > > > > + /* If a protected heap name is specified but not found, defer the probe until created */ > > > + if (protected_heap_name && strlen(protected_heap_name)) { > > > > Do we really need this strlen() > 0? Won't dma_heap_find() fail is the > > name is "" already? > > If dma_heap_find() will fail, then the whole probe with fail too. > This check prevents that. Yeah, that's also a questionable design choice. I mean, we can currently probe and boot the FW even though we never setup the protected FW sections, so why should we defer the probe here? Can't we just retry the next time a group with the protected bit is created and fail if we can find a protected heap? > I'm not sure why it's needed at all, but if > it is really needed, then s/strlen(protected_heap_name)/protected_heap_name[0]/ > would simplify this. It's not so much about how you do the test, and more about the case you're trying to protect against. I guess here you assume that panthor.protected_heap_name="" means "I don't have a protected heap for you". If it's deemed acceptable, this should most certainly be described somewhere. > > > > + ptdev->protm.heap = dma_heap_find(protected_heap_name); > > > + if (!ptdev->protm.heap) { > > > + drm_warn(&ptdev->base, > > > + "Protected heap \'%s\' not (yet) available - deferring probe", > > > + protected_heap_name); > > > + ret = -EPROBE_DEFER; > > > + goto err_rpm_put; > > > > If you move the heap retrieval before the rpm enablement, you can get > > rid of this goto err_rpm_put. > > > > > + } > > > + } > > > + > > > ret = panthor_hw_init(ptdev); > > > if (ret) > > > - goto err_rpm_put; > > > + goto err_dma_heap_put; > > > > > > ret = panthor_pwr_init(ptdev); > > > if (ret)

59 minutes

[PATCH 0/6] drm/panthor: Use guards

by Boris Brezillon

Turn the mixed bag of manual locks and guards into something more consistent. This patchset takes care of locks that already have guards available, but also adds new guards for resv, drm_dev_enter/exit and the custom panthor_device_resume_and_get() helper we have around runtime PM. I've intentionally placed the patch transition all locks with readily available guards first so we can merge it even if the new guards face some controversy. Signed-off-by: Boris Brezillon <boris.brezillon(a)collabora.com> --- Boris Brezillon (6): drm/panthor: Driver-wide xxx_[un]lock -> [scoped_]guard replacement dma-resv: Define guards for context-less dma_resv locks drm: Define a conditional guard for drm_dev_{enter,exit}() drm/panthor: Use guards for resv locking drm/panthor: Use the drm_dev_access guard drm/panthor: Add a new guard for our custom resume_and_get() PM helper drivers/gpu/drm/panthor/panthor_devfreq.c | 29 +- drivers/gpu/drm/panthor/panthor_device.c | 163 +++++----- drivers/gpu/drm/panthor/panthor_device.h | 10 +- drivers/gpu/drm/panthor/panthor_drv.c | 62 ++-- drivers/gpu/drm/panthor/panthor_gem.c | 102 +++---- drivers/gpu/drm/panthor/panthor_gpu.c | 40 +-- drivers/gpu/drm/panthor/panthor_heap.c | 139 ++++----- drivers/gpu/drm/panthor/panthor_mmu.c | 480 ++++++++++++++---------------- drivers/gpu/drm/panthor/panthor_pwr.c | 8 +- drivers/gpu/drm/panthor/panthor_sched.c | 254 ++++++++-------- include/drm/drm_drv.h | 9 + include/linux/dma-resv.h | 5 + 12 files changed, 589 insertions(+), 712 deletions(-) --- base-commit: ac5ac0acf11df04295eb1811066097b7022d6c7f change-id: 20260512-panthor-guard-refactor-f1c6bc30c321 prerequisite-message-id: 20260512-panthor-signal-from-irq-v2-0-95c614a739cb(a)collabora.com prerequisite-patch-id: e3cfd6399b2dc5439687932c6e961d845369562a prerequisite-patch-id: 79820e6740c0c456efc1dfa273de04e495515a1c prerequisite-patch-id: a3611a7c9551c606aaf87125782e6d18b6a6549e prerequisite-patch-id: 6e9dc83a60e53e7b0d84030727ad9b1921e4b2ca prerequisite-patch-id: eabd36064a01418a6ada3176b996a4038a314c21 prerequisite-patch-id: ca3a30182b71bf66c51ed2b6411d7ed8dc761c8e prerequisite-patch-id: 6e549dd0ee9e3e0c8866da72dcabc82209d88360 prerequisite-patch-id: 5217700df7026ef533a2f273ea2535f9fc1274ac prerequisite-patch-id: 8d57abec9f92bcbb21108d3005805b7c155a48f6 prerequisite-patch-id: 0bf98de955fce577ff8d4fb82c02dc04684beca6 prerequisite-patch-id: a9e0d90a64dfd5950a69b857af3867404be1ab45 Best regards, -- Boris Brezillon <boris.brezillon(a)collabora.com>

1 hour, 45 minutes

[PATCH RFC 0/5] memcg: dma-buf per-cgroup accounting via pid_fd

by Albert Esteve

This RFC builds on T.J. Mercier's earlier series [1] which added a memory.stat counter for exported dma-bufs and a binder-backed mechanism to transfer charges between cgroups. The first commit is taken almost verbatim from TJ's series: it introduces MEMCG_DMABUF as a dedicated per-cgroup stat, so that the total exported dma-buf footprint is visible both system-wide (via the root cgroup) and per-application (via per-process cgroups). This avoids the overhead of DMABUF_SYSFS_STATS and integrates naturally into the existing cgroup memory hierarchy. The rest of the series departs from TJ's approach. While the first commit introduces the memcg stat infrastructure for dmabufs, the export-time charging it introduces in dma_buf_export() is then superseded: we charge at dma_heap_ioctl_allocate() time, using a new charge_pid_fd field in struct dma_heap_allocation_data. The allocator opens a pidfd for its client (e.g., from binder's sender_pid), passes it to the ioctl, and the kernel charges the buffer directly to the client's cgroup at allocation time, so no transfer step is needed. This decouples the accounting path from binder entirely: any allocator that knows its client's PID can use the pid_fd mechanism regardless of the IPC transport in use. The cross-cgroup charging capability requires access control. Patches #3 and #4 add a generic LSM hook (security_dma_heap_alloc) and an SELinux implementation based on a new dma_heap object class with a charge_to permission, so policy authors can express which domains are allowed to charge memory to another domain's cgroup. Last patch adds some tests to verify the new charge_pid_fd field. We are sending it as an RFC to spark broader discussion. It may or may not be the right path forward, and we welcome feedback on the trade-offs. Collision note: Eric Chanudet's series [2] adds __GFP_ACCOUNT to system_heap page allocations as an opt-in module parameter. That approach charges pages to the allocator's own kmem, which overlaps with MEMCG_DMABUF. This series explicitly removes __GFP_ACCOUNT from system heap allocations and routes all accounting through the MEMCG_DMABUF path to avoid double-counting. [1] https://lore.kernel.org/cgroups/20230109213809.418135-1-tjmercier@google.co… [2] https://lore.kernel.org/r/20260113-dmabuf-heap-system-memcg-v2-0-e85722cc2f… Signed-off-by: Albert Esteve <aesteve(a)redhat.com> --- Albert Esteve (4): dma-heap: charge dma-buf memory via explicit memcg security: dma-heap: Add dma_heap_alloc LSM hook selinux: Restrict cross-cgroup dma-heap charging selftests/dmabuf-heaps: Add dma-buf memcg accounting tests T.J. Mercier (1): memcg: Track exported dma-buffers Documentation/admin-guide/cgroup-v2.rst | 5 + drivers/dma-buf/dma-buf.c | 7 + drivers/dma-buf/dma-heap.c | 54 +++++- drivers/dma-buf/heaps/system_heap.c | 2 - include/linux/dma-buf.h | 4 + include/linux/lsm_hook_defs.h | 1 + include/linux/memcontrol.h | 37 ++++ include/linux/security.h | 7 + include/uapi/linux/dma-heap.h | 6 + mm/memcontrol.c | 19 ++ security/security.c | 16 ++ security/selinux/hooks.c | 7 + security/selinux/include/classmap.h | 1 + tools/testing/selftests/cgroup/Makefile | 2 +- tools/testing/selftests/cgroup/test_memcontrol.c | 143 +++++++++++++- tools/testing/selftests/dmabuf-heaps/config | 1 + tools/testing/selftests/dmabuf-heaps/dmabuf-heap.c | 126 ++++++++++++- tools/testing/selftests/dmabuf-heaps/vmtest.sh | 205 +++++++++++++++++++++ 18 files changed, 633 insertions(+), 10 deletions(-) --- base-commit: 74fe02ce122a6103f207d29fafc8b3a53de6abaf change-id: 20260508-v2_20230123_tjmercier_google_com-f44fcfb16530 Best regards, -- Albert Esteve <aesteve(a)redhat.com>

1 hour, 56 minutes

Re: [PATCH RFC 2/5] dma-heap: charge dma-buf memory via explicit memcg

by T.J. Mercier

On Fri, May 15, 2026 at 6:53 AM Christian Brauner <brauner(a)kernel.org> wrote: > > On Tue, May 12, 2026 at 11:10:44AM +0200, Albert Esteve wrote: > > On embedded platforms a central process often allocates dma-buf > > memory on behalf of client applications. Without a way to > > attribute the charge to the requesting client's cgroup, the > > cost lands on the allocator, making per-cgroup memory limits > > ineffective for the actual consumers. > > > > Add charge_pid_fd to struct dma_heap_allocation_data. When set to > > Please be aware that pidfds come in two flavors: > > thread-group pidfds and thread-specific pidfds. Make sure that your API > doesn't implicitly depend on this distinction not existing. Hi Christian, Memcg is not a controller that supports "thread mode" so all threads in a group should belong to the same memcg. Checking the flags from pidfd_get_pid would be the best way for an explicit check of the pidfd type? > > a valid pidfd, DMA_HEAP_IOCTL_ALLOC resolves the target task's > > memcg and charges the buffer there via mem_cgroup_charge_dmabuf() > > inside dma_heap_buffer_alloc(). Without charge_pid_fd, and with > > the mem_accounting module parameter enabled, the buffer is charged > > to the allocator's own cgroup. > > > > Additionally, commit 3c227be90659 ("dma-buf: system_heap: account for > > system heap allocation in memcg") adds __GFP_ACCOUNT to system-heap > > page allocations. Keeping __GFP_ACCOUNT would charge the same pages > > twice (once to kmem, once to MEMCG_DMABUF), thus remove it and route > > all accounting through a single MEMCG_DMABUF path. > > > > Usage examples: > > > > 1. Central allocator charging to a client at allocation time. > > The allocator knows the client's PID (e.g., from binder's > > sender_pid) and uses pidfd to attribute the charge: > > > > pid_t client_pid = txn->sender_pid; > > int pidfd = pidfd_open(client_pid, 0); > > > > struct dma_heap_allocation_data alloc = { > > .len = buffer_size, > > .fd_flags = O_RDWR | O_CLOEXEC, > > .charge_pid_fd = pidfd, > > }; > > ioctl(heap_fd, DMA_HEAP_IOCTL_ALLOC, &alloc); > > close(pidfd); > > /* alloc.fd is now charged to client's cgroup */ > > > > 2. Default allocation (no pidfd, mem_accounting=1). > > When charge_pid_fd is not set and the mem_accounting module > > parameter is enabled, the buffer is charged to the allocator's > > own cgroup: > > > > struct dma_heap_allocation_data alloc = { > > .len = buffer_size, > > .fd_flags = O_RDWR | O_CLOEXEC, > > }; > > ioctl(heap_fd, DMA_HEAP_IOCTL_ALLOC, &alloc); > > /* charged to current process's cgroup */ > > > > Current limitations: > > > > - Single-owner model: a dma-buf carries one memcg charge regardless of > > how many processes share it. Means only the first owner (and exporter) > > of the shared buffer bears the charge. > > - Only memcg accounting supported. While this makes sense for system > > heap buffers, other heaps (e.g., CMA heaps) will require selectively > > charging also for the dmem controller. > > > > Signed-off-by: Albert Esteve <aesteve(a)redhat.com> > > --- > > Documentation/admin-guide/cgroup-v2.rst | 5 ++-- > > drivers/dma-buf/dma-buf.c | 16 ++++--------- > > drivers/dma-buf/dma-heap.c | 42 ++++++++++++++++++++++++++++++--- > > drivers/dma-buf/heaps/system_heap.c | 2 -- > > include/uapi/linux/dma-heap.h | 6 +++++ > > 5 files changed, 53 insertions(+), 18 deletions(-) > > > > diff --git a/Documentation/admin-guide/cgroup-v2.rst b/Documentation/admin-guide/cgroup-v2.rst > > index 8bdbc2e866430..824d269531eb1 100644 > > --- a/Documentation/admin-guide/cgroup-v2.rst > > +++ b/Documentation/admin-guide/cgroup-v2.rst > > @@ -1636,8 +1636,9 @@ The following nested keys are defined. > > structures. > > > > dmabuf (npn) > > - Amount of memory used for exported DMA buffers allocated by the cgroup. > > - Stays with the allocating cgroup regardless of how the buffer is shared. > > + Amount of memory used for exported DMA buffers allocated by or on > > + behalf of the cgroup. Stays with the allocating cgroup regardless > > + of how the buffer is shared. > > > > workingset_refault_anon > > Number of refaults of previously evicted anonymous pages. > > diff --git a/drivers/dma-buf/dma-buf.c b/drivers/dma-buf/dma-buf.c > > index ce02377f48908..23fb758b78297 100644 > > --- a/drivers/dma-buf/dma-buf.c > > +++ b/drivers/dma-buf/dma-buf.c > > @@ -181,8 +181,11 @@ static void dma_buf_release(struct dentry *dentry) > > */ > > BUG_ON(dmabuf->cb_in.active || dmabuf->cb_out.active); > > > > - mem_cgroup_uncharge_dmabuf(dmabuf->memcg, PAGE_ALIGN(dmabuf->size) / PAGE_SIZE); > > - mem_cgroup_put(dmabuf->memcg); > > + if (dmabuf->memcg) { > > + mem_cgroup_uncharge_dmabuf(dmabuf->memcg, > > + PAGE_ALIGN(dmabuf->size) / PAGE_SIZE); > > + mem_cgroup_put(dmabuf->memcg); > > + } > > > > dmabuf->ops->release(dmabuf); > > > > @@ -764,13 +767,6 @@ struct dma_buf *dma_buf_export(const struct dma_buf_export_info *exp_info) > > dmabuf->resv = resv; > > } > > > > - dmabuf->memcg = get_mem_cgroup_from_mm(current->mm); > > - if (!mem_cgroup_charge_dmabuf(dmabuf->memcg, PAGE_ALIGN(dmabuf->size) / PAGE_SIZE, > > - GFP_KERNEL)) { > > - ret = -ENOMEM; > > - goto err_memcg; > > - } > > - > > file->private_data = dmabuf; > > file->f_path.dentry->d_fsdata = dmabuf; > > dmabuf->file = file; > > @@ -781,8 +777,6 @@ struct dma_buf *dma_buf_export(const struct dma_buf_export_info *exp_info) > > > > return dmabuf; > > > > -err_memcg: > > - mem_cgroup_put(dmabuf->memcg); > > err_file: > > fput(file); > > err_module: > > diff --git a/drivers/dma-buf/dma-heap.c b/drivers/dma-buf/dma-heap.c > > index ac5f8685a6494..ff6e259afcdc0 100644 > > --- a/drivers/dma-buf/dma-heap.c > > +++ b/drivers/dma-buf/dma-heap.c > > @@ -7,13 +7,17 @@ > > */ > > > > #include <linux/cdev.h> > > +#include <linux/cgroup.h> > > #include <linux/device.h> > > #include <linux/dma-buf.h> > > #include <linux/dma-heap.h> > > +#include <linux/memcontrol.h> > > +#include <linux/sched/mm.h> > > #include <linux/err.h> > > #include <linux/export.h> > > #include <linux/list.h> > > #include <linux/nospec.h> > > +#include <linux/pidfd.h> > > #include <linux/syscalls.h> > > #include <linux/uaccess.h> > > #include <linux/xarray.h> > > @@ -55,10 +59,12 @@ MODULE_PARM_DESC(mem_accounting, > > "Enable cgroup-based memory accounting for dma-buf heap allocations (default=false)."); > > > > static int dma_heap_buffer_alloc(struct dma_heap *heap, size_t len, > > - u32 fd_flags, > > - u64 heap_flags) > > + u32 fd_flags, u64 heap_flags, > > + struct mem_cgroup *charge_to) > > { > > struct dma_buf *dmabuf; > > + unsigned int nr_pages; > > + struct mem_cgroup *memcg = charge_to; > > int fd; > > > > /* > > @@ -73,6 +79,22 @@ static int dma_heap_buffer_alloc(struct dma_heap *heap, size_t len, > > if (IS_ERR(dmabuf)) > > return PTR_ERR(dmabuf); > > > > + nr_pages = len / PAGE_SIZE; > > + > > + if (memcg) > > + css_get(&memcg->css); > > + else if (mem_accounting) > > + memcg = get_mem_cgroup_from_mm(current->mm); > > + > > + if (memcg) { > > + if (!mem_cgroup_charge_dmabuf(memcg, nr_pages, GFP_KERNEL)) { > > + mem_cgroup_put(memcg); > > + dma_buf_put(dmabuf); > > + return -ENOMEM; > > + } > > + dmabuf->memcg = memcg; > > + } > > + > > fd = dma_buf_fd(dmabuf, fd_flags); > > if (fd < 0) { > > dma_buf_put(dmabuf); > > @@ -102,6 +124,9 @@ static long dma_heap_ioctl_allocate(struct file *file, void *data) > > { > > struct dma_heap_allocation_data *heap_allocation = data; > > struct dma_heap *heap = file->private_data; > > + struct mem_cgroup *memcg = NULL; > > + struct task_struct *task; > > + unsigned int pidfd_flags; > > int fd; > > > > if (heap_allocation->fd) > > @@ -113,9 +138,20 @@ static long dma_heap_ioctl_allocate(struct file *file, void *data) > > if (heap_allocation->heap_flags & ~DMA_HEAP_VALID_HEAP_FLAGS) > > return -EINVAL; > > > > + if (heap_allocation->charge_pid_fd) { > > + task = pidfd_get_task(heap_allocation->charge_pid_fd, &pidfd_flags); > > Will always get a thread-group leader pidfd and will fail if this is a > thread-specific pidfd. pidfd_open(1234, PIDFD_THREAD) can be used to > open a thread-specific pidfd. > > > + if (IS_ERR(task)) > > + return PTR_ERR(task); > > + > > + memcg = get_mem_cgroup_from_mm(task->mm); > > + put_task_struct(task); > > + } > > + > > fd = dma_heap_buffer_alloc(heap, heap_allocation->len, > > heap_allocation->fd_flags, > > - heap_allocation->heap_flags); > > + heap_allocation->heap_flags, > > + memcg); > > + mem_cgroup_put(memcg); > > if (fd < 0) > > return fd; > > > > diff --git a/drivers/dma-buf/heaps/system_heap.c b/drivers/dma-buf/heaps/system_heap.c > > index 03c2b87cb1112..95d7688167b93 100644 > > --- a/drivers/dma-buf/heaps/system_heap.c > > +++ b/drivers/dma-buf/heaps/system_heap.c > > @@ -385,8 +385,6 @@ static struct page *alloc_largest_available(unsigned long size, > > if (max_order < orders[i]) > > continue; > > flags = order_flags[i]; > > - if (mem_accounting) > > - flags |= __GFP_ACCOUNT; > > page = alloc_pages(flags, orders[i]); > > if (!page) > > continue; > > diff --git a/include/uapi/linux/dma-heap.h b/include/uapi/linux/dma-heap.h > > index a4cf716a49fa6..e02b0f8cbc6a1 100644 > > --- a/include/uapi/linux/dma-heap.h > > +++ b/include/uapi/linux/dma-heap.h > > @@ -29,6 +29,10 @@ > > * handle to the allocated dma-buf > > * @fd_flags: file descriptor flags used when allocating > > * @heap_flags: flags passed to heap > > + * @charge_pid_fd: optional pidfd of the process whose cgroup should be > > + * charged for this allocation; 0 means charge the calling > > + * process's cgroup > > + * @__padding: reserved, must be zero > > * > > * Provided by userspace as an argument to the ioctl > > */ > > @@ -37,6 +41,8 @@ struct dma_heap_allocation_data { > > __u32 fd; > > __u32 fd_flags; > > __u64 heap_flags; > > + __u32 charge_pid_fd; > > + __u32 __padding; > > }; > > > > #define DMA_HEAP_IOC_MAGIC 'H' > > > > -- > > 2.53.0 > >

1 hour, 56 minutes

Re: [bug report] dma-buf: heaps: Rework heap allocation hooks to return struct dma_buf instead of fd

by T.J. Mercier

On Mon, May 18, 2026 at 8:06 AM Will Deacon <will(a)kernel.org> wrote: > > On Sat, May 02, 2026 at 12:40:10PM +0300, Dan Carpenter wrote: > > I'm not sure exactly who to report this bug too. Probably the mm > > devs? > > [Adding John and TJ, in case they are interested / able to help] > > Will > > (original report follows) > > > drivers/dma-buf/heaps/system_heap.c:499 system_heap_allocate() > > warn: passing positive error code 's32min-(-1),1' to 'ERR_PTR' > > > > drivers/dma-buf/heaps/system_heap.c > > 459 if (cc_shared) { > > 460 for_each_sgtable_sg(table, sg, i) { > > 461 ret = system_heap_set_page_decrypted(sg_page(sg)); > > 462 if (ret) > > 463 goto free_pages; > > > > It kind of looks like system_heap_set_page_decrypted() can return 1. > > > > 464 } > > 465 } > > 466 > > 467 /* create the dmabuf */ > > 468 exp_info.exp_name = dma_heap_get_name(heap); > > 469 exp_info.ops = &system_heap_buf_ops; > > 470 exp_info.size = buffer->len; > > 471 exp_info.flags = fd_flags; > > 472 exp_info.priv = buffer; > > 473 dmabuf = dma_buf_export(&exp_info); > > 474 if (IS_ERR(dmabuf)) { > > 475 ret = PTR_ERR(dmabuf); > > 476 goto free_pages; > > 477 } > > 478 return dmabuf; > > 479 > > 480 free_pages: > > 481 for_each_sgtable_sg(table, sg, i) { > > 482 struct page *p = sg_page(sg); > > 483 > > 484 /* > > 485 * Intentionally leak pages that cannot be re-encrypted > > 486 * to prevent shared memory from being reused. > > 487 */ > > 488 if (buffer->cc_shared && > > 489 system_heap_set_page_encrypted(p)) > > 490 continue; > > 491 __free_pages(p, compound_order(p)); > > 492 } > > 493 sg_free_table(table); > > 494 free_buffer: > > 495 list_for_each_entry_safe(page, tmp_page, &pages, lru) > > 496 __free_pages(page, compound_order(page)); > > 497 kfree(buffer); > > 498 > > --> 499 return ERR_PTR(ret); > > 500 } > > > > The problem is that add_to_pagemap() returns PM_END_OF_BUFFER (1) > > which is used by pagemap_read() and nowhere else. The call tree > > is: > > > > system_heap_allocate() > > system_heap_set_page_decrypted() > > set_memory_decrypted() > > realm_set_memory_decrypted() > > __set_memory_enc_dec() > > __change_memory_common() > > update_range_prot() > > walk_kernel_page_table_range_lockless() > > walk_pgd_range() > > pagemap_pte_hole() This doesn't look right to me. update_range_prot is in arm64 arch code. It uses the arm64 pageattr_ops which does not provide a pte_hole op. So walk_pgd_range should never call ops->pt_hole. > > add_to_pagemap() > > > > This code seems sort of old and I guess no one has reported the bug > > so maybe it's a false positive, but it feels like it's asking for > > problems to return the PM_END_OF_BUFFER. There aren't any comments > > on any of those functions above explaining what return values are > > expected. > > > > This email is a free service from the Smatch-CI project [smatch.sf.net]. > > > > regards, > > dan carpenter

6 hours, 14 minutes

Re: [bug report] dma-buf: heaps: Rework heap allocation hooks to return struct dma_buf instead of fd

by John Stultz

On Mon, May 18, 2026 at 8:06 AM Will Deacon <will(a)kernel.org> wrote: > > On Sat, May 02, 2026 at 12:40:10PM +0300, Dan Carpenter wrote: > > I'm not sure exactly who to report this bug too. Probably the mm > > devs? > > [Adding John and TJ, in case they are interested / able to help] > > Will > > (original report follows) > > > drivers/dma-buf/heaps/system_heap.c:499 system_heap_allocate() > > warn: passing positive error code 's32min-(-1),1' to 'ERR_PTR' > > > > drivers/dma-buf/heaps/system_heap.c > > 459 if (cc_shared) { > > 460 for_each_sgtable_sg(table, sg, i) { > > 461 ret = system_heap_set_page_decrypted(sg_page(sg)); > > 462 if (ret) > > 463 goto free_pages; > > > > It kind of looks like system_heap_set_page_decrypted() can return 1. > > > > 464 } > > 465 } > > 466 > > 467 /* create the dmabuf */ > > 468 exp_info.exp_name = dma_heap_get_name(heap); > > 469 exp_info.ops = &system_heap_buf_ops; > > 470 exp_info.size = buffer->len; > > 471 exp_info.flags = fd_flags; > > 472 exp_info.priv = buffer; > > 473 dmabuf = dma_buf_export(&exp_info); > > 474 if (IS_ERR(dmabuf)) { > > 475 ret = PTR_ERR(dmabuf); > > 476 goto free_pages; > > 477 } > > 478 return dmabuf; > > 479 > > 480 free_pages: > > 481 for_each_sgtable_sg(table, sg, i) { > > 482 struct page *p = sg_page(sg); > > 483 > > 484 /* > > 485 * Intentionally leak pages that cannot be re-encrypted > > 486 * to prevent shared memory from being reused. > > 487 */ > > 488 if (buffer->cc_shared && > > 489 system_heap_set_page_encrypted(p)) > > 490 continue; > > 491 __free_pages(p, compound_order(p)); > > 492 } > > 493 sg_free_table(table); > > 494 free_buffer: > > 495 list_for_each_entry_safe(page, tmp_page, &pages, lru) > > 496 __free_pages(page, compound_order(page)); > > 497 kfree(buffer); > > 498 > > --> 499 return ERR_PTR(ret); > > 500 } > > > > The problem is that add_to_pagemap() returns PM_END_OF_BUFFER (1) > > which is used by pagemap_read() and nowhere else. The call tree > > is: > > > > system_heap_allocate() > > system_heap_set_page_decrypted() > > set_memory_decrypted() > > realm_set_memory_decrypted() > > __set_memory_enc_dec() > > __change_memory_common() > > update_range_prot() > > walk_kernel_page_table_range_lockless() > > walk_pgd_range() > > pagemap_pte_hole() > > add_to_pagemap() > > > > This code seems sort of old and I guess no one has reported the bug > > so maybe it's a false positive, but it feels like it's asking for > > problems to return the PM_END_OF_BUFFER. There aren't any comments > > on any of those functions above explaining what return values are > > expected. So, do we just need the system_heap_set_page_decrypted() to have a if (ret > 0) special case on the return check from set_memory_decrypted()? Or should this get fixed at a deeper level? thanks -john

7 hours, 25 minutes

[PATCH 0/9] vfio/pci: Add mmap() for DMABUFs

by Matt Evans

Hi all, This series is based on previous RFCs/discussions: Tech topic: https://lore.kernel.org/linux-iommu/20250918214425.2677057-1-amastro@fb.com/ RFCv1: https://lore.kernel.org/all/20260226202211.929005-1-mattev@meta.com/ RFCv2: https://lore.kernel.org/kvm/20260312184613.3710705-1-mattev@meta.com/ The background/rationale is covered in more detail in the RFC cover letters. The TL;DR is: The goal is to enable userspace driver designs that use VFIO to export DMABUFs representing subsets of PCI device BARs, and "vend" those buffers from a primary process to other subordinate processes by fd. These processes then mmap() the buffers and their access to the device is isolated to the exported ranges. This is an improvement on sharing the VFIO device fd to subordinate processes, which would allow unfettered access . This is achieved by enabling mmap() of vfio-pci DMABUFs. Second, a new ioctl()-based revocation mechanism is added to allow the primary process to forcibly revoke access to previously-shared BAR spans, even if the subordinate processes haven't cleanly exited. (The related topic of safe delegation of iommufd control to the subordinate processes is not addressed here, and is follow-up work.) As well as isolation and revocation, another advantage to accessing a BAR through a VMA backed by a DMABUF is that it's straightforward to create the buffer with access attributes, such as write-combining. Notes on patches ================ Feedback from the RFCs requested that, instead of creating DMABUF-specific vm_ops and .fault paths, to go the whole way and migrate the existing VFIO PCI BAR mmap() to be backed by a DMABUF too, resulting in a common vm_ops and fault handler for mmap()s of both the VFIO device and explicitly-exported DMABUFs. This has been done for vfio-pci, but not sub-drivers (nvgrace-gpu's special-case mappings are unchanged). vfio/pci: Fix vfio_pci_dma_buf_cleanup() double-put A bug fix to a related are, whose context is a depdency for later patches. vfio/pci: Add a helper to look up PFNs for DMABUFs vfio/pci: Add a helper to create a DMABUF for a BAR-map VMA The first is for a DMABUF VMA fault handler to determine arbitrary-sized PFNs from ranges in DMABUF. Secondly, refactor DMABUF export for use by the existing export feature and a new helper that creates a DMABUF corresponding to a VFIO BAR mmap() request. vfio/pci: Convert BAR mmap() to use a DMABUF The vfio-pci core mmap() creates a DMABUF with the helper, and the vm_ops fault handler uses the other helper to resolve the fault. Because this depends on DMABUF structs/code, CONFIG_VFIO_PCI_CORE needs to depend on CONFIG_DMA_SHARED_BUFFER. The CONFIG_VFIO_PCI_DMABUF still conditionally enables the export support code. NOTE: The user mmap()s a device fd, but the resulting VMA's vm_file becomes that of the DMABUF which takes ownership of the device and puts it on release. This maintains the existing behaviour of a VMA keeping the VFIO device open. BAR zapping then happens via the existing vfio_pci_dma_buf_move() path, which now needs to unmap PTEs in the DMABUF's address_space. vfio/pci: Provide a user-facing name for BAR mappings There was a request for decent debug naming in /proc/<pid>/maps etc. comparable to the existing VFIO names: since the VMAs are DMABUFs, they have a "dmabuf:" prefix and can't be 100% identical to before. This is a user-visible change, but this patch at least now gives us extra info on the BDF & BAR being mapped. vfio/pci: Clean up BAR zap and revocation In general (see NOTE!) the vfio_pci_zap_bars() is now obsolete, since it unmaps PTEs in the VFIO device address_space which is now unused. This consolidates all calls (e.g. around reset) with the neighbouring vfio_pci_dma_buf_move()s into new functions, to revoke-zap/unrevoke. NOTE: the nvgrace-gpu driver continues to use its own private vm_ops, fault handler, etc. for its special memregions, and these DO still add PTEs to the VFIO device address_space. So, a temporary flag, vdev->bar_needs_zap, maintains the old behaviour for this use. At least this patch's consolidation makes it easy to remove the remaining zap when this need goes away. A FIXME is added: if nvgrace-gpu is converted to DMABUFs, remove the flag and final zap. vfio/pci: Support mmap() of a VFIO DMABUF Adds mmap() for a DMABUF fd exported from vfio-pci. It was a goal to keep the VFIO device fd lifetime behaviour unchanged with respect to the DMABUFs. An application can close all device fds, and this will revoke/clean up all DMABUFs; no mappings or other access can be performed now. When enabling mmap() of the DMABUFs, this means access through the VMA is also revoked. This complicates the fault handler because whilst the DMABUF exists, it has no guarantee that the corresponding VFIO device is still alive. Adds synchronisation ensuring the vdev is available before vdev->memory_lock is touched. (I decided against the alternative of preventing cleanup by holding the VFIO device open if any DMABUFs exist, because it's both a change of behaviour and less clean overall.) I've added a chonky comment in place, happy to clarify more if you have ideas. vfio/pci: Permanently revoke a DMABUF on request By weight, this is mostly a rename of revoked to an enum, status. There are now 3 states for a buffer, usable and revoked temporary/permanent. A new VFIO device ioctl is added, VFIO_DEVICE_PCI_DMABUF_REVOKE, which passes a DMABUF (exported from that device) and permanently revokes it. Thus a userspace driver can guarantee any downstream consumers of a shared fd are prevented from accessing a BAR range, and that range can be reused. The code doing revocation in vfio_pci_dma_buf_move() is moved, unchanged, to a common function for use by _move() and the new ioctl path. Q: I can't think of a good reason to temporarily revoke/unrevoke buffers from userspace, so didn't add a 'flags' field to the ioctl struct. Easy to add if people think it's worthwhile for future use. vfio/pci: Add mmap() attributes to DMABUF feature Reserves bits [31:28] in vfio_device_feature_dma_buf to allow a (CPU) mapping attribute to be specified for an exported set of ranges. The default is the current UC, and a new flag can specify CPU access as WC. Q: I've taken 4 bits; the intention is for this field to be a scalar not a bitmap (i.e. mutually-exclusive access properties). Perhaps 4 is a bit too many? Testing ======= (The [RFC ONLY] userspace test program, for QEMU edu-plus, has been dropped, but can be found in the GitHub branch below.) This code has been tested in mapping DMABUFs of single/multiple ranges, aliasing mmap()s, aliasing ranges across DMABUFs, vm_pgoff > 0, revocation, shutdown/cleanup scenarios, and hugepage mappings seem to work correctly. I've lightly tested WC mappings also (by observing resulting PTEs as having the correct attributes...). No regressions observed on the VFIO selftests, or on our internal vfio-pci applications. End === This is based on -next (next-20260414 but will merge earlier), as it depends on Leon's series "vfio: Wait for dma-buf invalidation to complete": https://lore.kernel.org/linux-iommu/20260205-nocturnal-poetic-chamois-f566a… These commits are on GitHub, along with "[RFC ONLY] selftests: vfio: Add standalone vfio_dmabuf_mmap_test": https://github.com/metamev/linux/compare/next-20260414...metamev:linux:dev/… Thanks for reading, Matt ================================================================================ Change log: v1: - Cleanup of the common DMABUF-aware VMA vm_ops fault handler and export code. - Fixed a lot of races, particularly faults racing with DMABUF cleanup (if the VFIO device fds close, for example). - Added nicer human-readable names for VFIO mmap() VMAs RFCv2: Respin based on the feedback/suggestions: https://lore.kernel.org/kvm/20260312184613.3710705-1-mattev@meta.com/ - Transform the existing VFIO BAR mmap path to also use DMABUFs behind the scenes, and then simply share that code for explicitly-mapped DMABUFs. Jason wanted to go that direction to enable iommufd VFIO type 1 emulation to pick up a DMABUF for an IO mapping. - Revoke buffers using a VFIO device fd ioctl RFCv1: https://lore.kernel.org/all/20260226202211.929005-1-mattev@meta.com/ Matt Evans (9): vfio/pci: Fix vfio_pci_dma_buf_cleanup() double-put vfio/pci: Add a helper to look up PFNs for DMABUFs vfio/pci: Add a helper to create a DMABUF for a BAR-map VMA vfio/pci: Convert BAR mmap() to use a DMABUF vfio/pci: Provide a user-facing name for BAR mappings vfio/pci: Clean up BAR zap and revocation vfio/pci: Support mmap() of a VFIO DMABUF vfio/pci: Permanently revoke a DMABUF on request vfio/pci: Add mmap() attributes to DMABUF feature drivers/vfio/pci/Kconfig | 3 +- drivers/vfio/pci/Makefile | 3 +- drivers/vfio/pci/nvgrace-gpu/main.c | 5 + drivers/vfio/pci/vfio_pci_config.c | 30 +- drivers/vfio/pci/vfio_pci_core.c | 224 ++++++++++--- drivers/vfio/pci/vfio_pci_dmabuf.c | 500 +++++++++++++++++++++++----- drivers/vfio/pci/vfio_pci_priv.h | 49 ++- include/linux/vfio_pci_core.h | 1 + include/uapi/linux/vfio.h | 42 ++- 9 files changed, 690 insertions(+), 167 deletions(-) -- 2.47.3

8 hours, 41 minutes

[PATCH 00/12] misc/syncobj: add /dev/syncobj device

by Julian Orth

This series adds a new device /dev/syncobj that can be used to create and manipulate DRM syncobjs. Previously, these operations required the use of a DRM device and the device needed to support the DRIVER_SYNCOBJ and DRIVER_SYNCOBJ_TIMELINE features. There are several issues with the existing API: - Syncobjs are the only explicit sync mechanism available on wayland. Most compositors do not use GPU waits. Instead, they use the DRM_IOCTL_SYNCOBJ_EVENTFD ioctl to perform a CPU wait. Being tied to DRM devices means that compositors cannot consistently offer this feature even though no device-specific logic is involved. - llvmpipe currently cannot offer syncobj interop because it does not have access to a DRM device. This means that applications using llvmpipe cannot present images before they have finished rendering, despite llvmpipe using threaded rendering. - Clients that do not use the Vulkan WSI need to manually probe /dev/dri for devices that support the syncobj ioctls in order to use the wayland syncobj protocol. - Similarly, clients that want to use screen capture have no equivalent to the WSI and are therefore forced into that path. - Having to keep a DRM device open has potentially negative interactions with GPU hotplug. - Having to translate between syncobj FDs and handles is troublesome in the compositor usecase since syncobjs come and go frequently and need to be cleaned up when clients disconnect. /dev/syncobj solves these issues by providing all syncobj ioctls under a consistent path that is not tied to any DRM device. It also operates directly on file descriptors instead of syncobj handles. The series starts with a number of small refactorings in drm_syncobj.c to make its functionality available outside of the file and without the need for drm_file/handle pairs. The last commit adds the /dev/syncobj module. I've added it as a misc device but maybe this should instead live somewhere under gpu/drm. An application using the new interface can be found at [1]. [1]: https://github.com/mahkoh/jay/pull/947 --- Julian Orth (12): drm/syncobj: add drm_syncobj_from_fd drm/syncobj: add drm_syncobj_fence_lookup drm/syncobj: make drm_syncobj_array_wait_timeout public drm/syncobj: add drm_syncobj_register_eventfd drm/syncobj: have transfer functions accept drm_syncobj directly drm/syncobj: add drm_syncobj_transfer drm/syncobj: add drm_syncobj_timeline_signal drm/syncobj: add drm_syncobj_query drm/syncobj: fix resource leak in drm_syncobj_import_sync_file_fence drm/syncobj: add drm_syncobj_import_sync_file drm/syncobj: add drm_syncobj_export_sync_file misc/syncobj: add new device Documentation/userspace-api/ioctl/ioctl-number.rst | 1 + drivers/gpu/drm/drm_syncobj.c | 374 ++++++++++++++----- drivers/misc/Kconfig | 10 + drivers/misc/Makefile | 1 + drivers/misc/syncobj.c | 404 +++++++++++++++++++++ include/drm/drm_syncobj.h | 21 ++ include/uapi/linux/syncobj.h | 75 ++++ 7 files changed, 795 insertions(+), 91 deletions(-) --- base-commit: 6916d5703ddf9a38f1f6c2cc793381a24ee914c6 change-id: 20260516-jorth-syncobj-d4d374c8c61b Best regards, -- Julian Orth <ju.orth(a)gmail.com>

10 hours, 29 minutes

Abortion Pills For Sale In Ad-Dawhah,[][][]<>+971568547782[][][]<> Mifepristone And Misoprostol Pills Available In Ad-Dawhah,

by namudigumoraka29＠gmail.com

Abortion Pills For Sale In Ad-Dawhah,[][][]<>+971568547782[][][]<> Mifepristone And Misoprostol Pills Available In Ad-Dawhah,Mtp Kit For Sale In Al Ain [][][][][][]<>+971568547782[][][][][][]<>( Pfizer ) Mtp Kit Available In Al Ain, Where Can I Buy Mtp Kit In Al AinKuwait +971568547782 Abortion Tablets Available In Qatar +971568547782 Abortion Pills For Sale In Kuwait City +971568547782 Abortion Pills For Sale In Al Asimah +971568547782 Abortion Pills For Sale In Al Ahmadi +971568547782 Abortion Pills For Sale In Hawalli +971568547782 Abortion Pills For Sale In Al Farwaniyah +971568547782 Abortion Pills For Sale In Al Jahra +971568547782 Abortion Pills For Sale In Salmiya +971568547782 Abortion Pills For Sale In Sabah as Salim +971568547782 Abortion Pills For Sale In Mangaf +971568547782 Abortion Pills For Sale In Fintas +971568547782 Abortion Pills For Sale In Dubai +971568547782 Abortion Pills For Sale In Abu Dhabi +971568547782 Abortion Pills For Sale In Sharjah +971568547782 Abortion Pills For Sale In Al Ain +971568547782 Abortion Pills For Sale In Ajman +971568547782 Abortion Pills For Sale In Fujairaih +971568547782 Abortion Pills For Sale In Ras Al Khaimah +971568547782 Abortion Pills For Sale In Doha +971568547782 Abortion Pills For Sale In Qatar +971568547782 Abortion Pills For Sale In Muscat +971568547782 Abortion Pills For Sale In Oman

10 hours, 48 minutes

Jump to page:

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

Linaro-mm-sig