Linaro-mm-sig

linaro-mm-sig@lists.linaro.org

19 participants
6605 discussions

A Wild Crossing Adventure in Crossy Road

by huffmansamuel908＠gmail.com

Crossy Road is the kind of game that looks cute and simple… until you realize you’ve been playing for an hour straight. All you do is cross roads, rivers, and train tracks while trying not to get hit or fall behind. Sounds easy, right? Not really. The longer you survive, the faster and crazier everything becomes. The pixel graphics, funny characters, and random chaos make every run feel different. One second you’re doing great, the next second a train appears out of nowhere. Crossy Road proves that a simple game can still be super fun, addictive, and impossible to put down. https://crossyroad-game.io

1 hour, 54 minutes

Slope Rider 3D: Drift Through Snowy Danger

by huffmansamuel908＠gmail.com

Slope Rider 3D is a captivating endless runner arcade game that delivers non-stop excitement through its dynamic 3D environment and ever-increasing speed. With its sleek design and smooth gameplay flow, the game creates a highly engaging experience where every moment feels intense and unpredictable. The minimalist concept combined with rapid progression makes it perfect for players looking for quick entertainment or a long, immersive challenge. https://sloperider3d.io

1 hour, 55 minutes

[PATCH v17 0/6] Rust bindings for gem shmem

by Lyude Paul

Most of this patch series has already been pushed upstream, this is just the second half of the patch series that has not been pushed yet + some additional changes which were required to implement changes requested by the mailing list. This patch series is originally from Asahi, previously posted by Daniel Almeida. The previous version of the patch series can be found here: https://patchwork.freedesktop.org/series/164580/ Branch with patches applied available here: https://gitlab.freedesktop.org/lyudess/linux/-/commits/rust/gem-shmem This patch series applies on top of drm-rust-next Patch-series wide changes since V15: * Fix some major rebasing errors I somehow didn't notice :( * Drop the dependency on LazyInit, use the trick that Alice suggested instead. * Fix dependency ordering so that Tyr can get the vmap stuff first without the other bits. Patch-series wide changes since V16: * Fix ordering one more time (SetOnce::reset() doesn't need to come before adding vmap functions) * Rebase against the latest DeviceContext changes from me that got pushed. Lyude Paul (6): rust: drm: gem: shmem: Fix Default implementation for ObjectConfig rust: drm: gem: shmem: Add DmaResvGuard helper rust: drm: gem: shmem: Add vmap functions rust: faux: Allow retrieving a bound Device rust: sync: Add SetOnce::reset() rust: drm: gem: Introduce shmem::Object::sg_table() rust/kernel/drm/gem/shmem.rs | 518 ++++++++++++++++++++++++++++++++++- rust/kernel/faux.rs | 7 +- rust/kernel/sync/set_once.rs | 60 +++- 3 files changed, 563 insertions(+), 22 deletions(-) base-commit: 723bd79ca9e492cc91850094a2892bde0345c51a -- 2.54.0

6 hours, 26 minutes

[PATCH 0/4] rust / dma_buf: Add abstractions for dma_fence

by Philipp Stanner

Changes since the RFC: - Include support for ForeignOwnable for ARef, so that a Fence can be stuffed into an XArray et al. (Code by Danilo) - Implement ForeignOwnable (with new borrow type) for DriverFence, so that it can be stuffed into an XArray. - Include the rcu::RcuBox data type to defer dropping data with RCU (Cody by Alice) - Port DmaFence to RcuBox to make UAF bugs through later, new dma_fence callbacks (backend_ops) impossible. - Force users to pass their fence data in an RcuBox (or have it not need drop()) through a Sealed trait. - Document the rules for the user's DriverFence::data's drop implementation very clearly (deadlock danger). - rustfmt, Clippy. - Various style suggestions, safety comments, etc. (Önur) - Add __rust_helper prefix to helper functions. (Önur) Changes in RFC v3: - Omit JobQueue patches for now - Completely redesign the memory layout: Instead of a Fence refcounting a DriverFence, both now live in the same allocation to allow for future support the dma_fence backend_ops callbacks which need to do container_of. (mostly Boris's feedback) - Allow for pre-allocating fences to avoid deadlocks when submitting jobs to a GPU. (Boris) - Simultaneously, allow for pre-preparing fence callback objects, so the driver can allocate them when it sees fit. (code largely stolen and inspired by Daniel). - Signal fences on drop, ensure synchronization. - Force users to set an error code when signalling. - Write more documentation - A ton of minor other changes. Alright, so since the last RFCs did not reveal significant design issues, I decided to transition this series to a v1 and hope that we can get it upstream. This now includes code for more common infrastructure that dma_fence needs, contributed by Danilo and Alice. --- Old cover letter for RFC: So, this is the spiritual successor of the first / second RFC [1]. v2 also contained code for drm::JobQueue, but mostly to show how the fence code would be used. JobQueue is under heavy rework right now, so I don't want to bother your eyes with it. The docstring examples should show how Rust fences are supposed to be used, though. This v3 contains a huge amount of highly valuable feedback from a variety of people, notably Boris, but also from Alice, Gary and Danilo. There are some TODOs open (a better trait for fence backend_ops and RCU support), but my hope is that this effort is now finally approaching its end. I would greatly appreciate feedback and especially more information about what might be missing to make this usable, which is obviously where Daniel's and Boris's feedback will be valuable once more. Please regard this patch just as what it's titled: an RFC, to discuss a bit more and to inform a broader community about what the current state is and where this is heading at. Many regards, Philipp [1] https://lore.kernel.org/rust-for-linux/20260203081403.68733-2-phasta@kernel… Alice Ryhl (1): rust: rcu: add RcuBox type Danilo Krummrich (1): rust: types: implement ForeignOwnable for ARef<T> Philipp Stanner (2): rust: Add dma_fence abstractions MAINTAINERS: Add entry for Rust dma-buf MAINTAINERS | 2 + rust/bindings/bindings_helper.h | 2 + rust/helpers/dma_fence.c | 48 ++ rust/helpers/helpers.c | 1 + rust/kernel/dma_buf/dma_fence.rs | 821 +++++++++++++++++++++++++++++++ rust/kernel/dma_buf/mod.rs | 13 + rust/kernel/lib.rs | 1 + rust/kernel/sync/aref.rs | 39 ++ rust/kernel/sync/rcu.rs | 31 +- rust/kernel/sync/rcu/rcu_box.rs | 145 ++++++ 10 files changed, 1102 insertions(+), 1 deletion(-) create mode 100644 rust/helpers/dma_fence.c create mode 100644 rust/kernel/dma_buf/dma_fence.rs create mode 100644 rust/kernel/dma_buf/mod.rs create mode 100644 rust/kernel/sync/rcu/rcu_box.rs -- 2.54.0

8 hours, 32 minutes

Re: [PATCH 3/4] rust: Add dma_fence abstractions

by Boris Brezillon

On Wed, 3 Jun 2026 13:41:02 -0300 Daniel Almeida <dwlsalmeida(a)gmail.com> wrote: > > + /// Called when the fence is signaled. > > + /// > > + /// This is called from the fence signaling path, which may be in interrupt > > + /// context or with locks held, which is why `self` is only borrowed, so that > > + /// it cannot drop. Implementations must not sleep or perform > > + /// long-running operations. > > + /// > > + /// An implementation likely wants to inform itself (e.g., through a work item) > > + /// within this callback that the associated [`FenceCbRegistration`] can now be > > + /// dropped. > > + fn called(&mut self); > > This is a central point. We ideally would want this to consume self, because we > may want to move things out of the callback. This one comes from me. The rationale being that ::called() is called from an atomic context, and the resources attached to the callback data might require acquiring other sleeping locks to be released, and sometimes you don't even notice immediately because said resources are refcounted, and the lock is only acquired when you happen to be the last owner. Yes, those can be caught at runtime if the C side is properly annotated with might_sleep(), but that's not always the case. If we defer the drop of the data only when the FenceCb is dropped/recycled, we're at least not constrained by this "runs in atomic context" thing. > > Consider a fence design where signal() consumes self. Now consider this: > > ``` > impl FenceCb for MyCallback { > fn called(&mut self) { > // Can't move the fence out, so we have to put an Option<T> just to be able > // to move. > if let Some(f) = self.some_fence.take() { > f.signal(); > } > } > ``` > > This used to be the case when our version of the job queue used the "proxy > fence" design: > > > ``` > // Callback on the hw fence > impl FenceCb for MyCallback { > fn called(&mut self) { > if let Some(f) = self.submit_fence.take() { > f.signal(); > } I'm pretty sure lockdep won't like it anyway, because this is nested locking of the same lock class. For such proxies, we'll need to teach lockdep about the nesting like has been recently done on dma_fence_array & co. But I'm digressing. > } > ``` > > Although this is not the case anymore, since we phased out this design given > Christian's recent work. Still, we should ideally not require Option<T> here in > general just to make resource transfer possible. I see. OTOH, don't we need to make this inner data movable if we want to cancel the FenceCb before the fence is signaled anyway? And that's most certainly a case we have in the teardown path.

8 hours, 54 minutes

[PATCH v2 0/9] vfio/pci: Add mmap() for DMABUFs

by Matt Evans

Hi all, This series is based on previous RFCs/discussions: Tech topic: https://lore.kernel.org/linux-iommu/20250918214425.2677057-1-amastro@fb.com/ RFCv1: https://lore.kernel.org/all/20260226202211.929005-1-mattev@meta.com/ RFCv2: https://lore.kernel.org/kvm/20260312184613.3710705-1-mattev@meta.com/ The background/rationale is covered in more detail in the RFC cover letters. The TL;DR is: The goal is to enable userspace driver designs that use VFIO to export DMABUFs representing subsets of PCI device BARs, and "vend" those buffers from a primary process to other subordinate processes by fd. These processes then mmap() the buffers and their access to the device is isolated to the exported ranges. This is an improvement on sharing the VFIO device fd to subordinate processes, which would allow unfettered access. This is achieved by enabling mmap() of vfio-pci DMABUFs, passed by fd to subordinate processes. Second, a new ioctl()-based revocation mechanism is added to allow the primary process to forcibly revoke access to previously-shared BAR spans, even if the subordinate processes haven't cleanly exited. (The related topic of safe delegation of iommufd control to the subordinate processes is not addressed here, and is follow-up work.) As well as isolation and revocation, another advantage to accessing a BAR through a VMA backed by a DMABUF is that it's straightforward to mmap() the buffer with access attributes, such as write-combining. Feedback from the RFCs requested that, instead of creating DMABUF-specific vm_ops and .fault paths, to go the whole way and migrate the existing VFIO PCI BAR mmap() to be backed by a DMABUF too, resulting in a common vm_ops and fault handler for mmap()s of both the VFIO device and explicitly-exported DMABUFs. This will help future iommufd emulation of VFIO Type1 peer-to-peer, making it easier to get a DMABUF for a VFIO BAR as a DMA target. mmap() conversion to use DMABUF underneath has been done for vfio-pci, but not sub-drivers: nvgrace-gpu's mmap() override path is unchanged; I kept this out of scope for now not least because I don't have a thorough test setup for this system. I would prefer to help the nvgrace-gpu maintainers enable BAR mmap() DMABUFs themselves. Notes on patches ================ PCI/P2PDMA: Add CONFIG_PCI_P2PDMA_CORE Later in the series, vfio-pci's mmap() is going to depend on pcim_p2pdma_provider() which depended on CONFIG_PCI_P2PDMA, which in turn depended on ZONE_DEVICE (which isn't available on 32-bit and some archs, because they lack MEMORY_HOTPLUG and friends). VFIO does _not_ require actual P2P to be present for basic mmap() functionality, only for the optional CONFIG_DMA_SHARED_BUFFER feature. This splits P2PDMA into a CONFIG_PCI_P2PDMA_CORE (which currently contains pcim_p2pdma_provider()) and an optional CONFIG_PCI_P2PDMA (which depends on ZONE_DEVICE etc., and provides P2P functionality). vfio/pci: Add a helper to look up PFNs for DMABUFs vfio/pci: Add a helper to create a DMABUF for a BAR-map VMA The first is for a DMABUF VMA fault handler to determine arbitrary-sized PFNs from ranges in DMABUF. Secondly, refactor DMABUF export for use by the existing export feature and add a new helper that creates a DMABUF corresponding to a VFIO BAR mmap() request. vfio/pci: Convert BAR mmap() to use a DMABUF The vfio-pci core mmap() creates a DMABUF with the helper, and the vm_ops fault handler uses the other helper to resolve the fault. Because this depends on DMABUF structs/code, CONFIG_VFIO_PCI_CORE needs to depend on CONFIG_DMA_SHARED_BUFFER. The CONFIG_VFIO_PCI_DMABUF still conditionally enables the export support code. NOTE: The user mmap()s a device fd, but the resulting VMA's vm_file becomes that of the DMABUF which takes ownership of the device and puts it on release. This maintains the existing behaviour of a VMA keeping the VFIO device open. BAR zapping then happens via the existing vfio_pci_dma_buf_move() path, which now needs to unmap PTEs in the DMABUF's address_space. vfio/pci: Provide a user-facing name for BAR mappings There was a request for decent debug naming in /proc/<pid>/maps etc. comparable to the existing VFIO names: since the VMAs are DMABUFs, they have a "dmabuf:" prefix and can't be 100% identical to before. This is a user-visible change, but this patch at least now gives us extra info on the BDF & BAR being mapped. vfio/pci: Clean up BAR zap and revocation In general (see NOTE!) the vfio_pci_zap_bars() is now obsolete, since it unmaps PTEs in the VFIO device address_space which is now unused. This consolidates all calls (e.g. around reset) with the neighbouring vfio_pci_dma_buf_move()s into new functions, to revoke-zap/unrevoke. !!! NOTE: the nvgrace-gpu driver continues to use its own private vm_ops, fault handler, etc. for its special memregions, and these DO still add PTEs to the VFIO device address_space. So, a temporary flag, vdev->bar_needs_zap, maintains the old behaviour for this use. At least this patch's consolidation makes it easy to remove the remaining zap when this need goes away; a FIXME reminds that this can be removed when nvgrace-gpu is converted. vfio/pci: Support mmap() of a VFIO DMABUF Adds mmap() for a DMABUF fd exported from vfio-pci. It was a goal to keep the VFIO device fd lifetime behaviour unchanged with respect to the DMABUFs. An application can close all device fds, and this will revoke/clean up all DMABUFs; no mappings or other access can be performed now. When enabling mmap() of the DMABUFs, this means access through the VMA is also revoked. This complicates the fault handler because whilst the DMABUF exists, it has no guarantee that the corresponding VFIO device is still alive. Adds synchronisation ensuring the vdev is available before vdev->memory_lock is touched; this holds the device registration so that even if the buffer has been cleaned up, vdev hasn't been freed and so the lock can be safely taken. (I decided against the alternative of preventing cleanup by holding the VFIO device open if any DMABUFs exist, because it's both a change of behaviour and less clean overall.) I've added a chonky comment in place, happy to clarify more if you have ideas. This commit makes VFIO_PCI_CORE depend on PCI_P2PDMA_CORE (commit 1) to bring in (only) the P2PDMA provider code. vfio/pci: Permanently revoke a DMABUF on request By weight, this is mostly a rename of revoked to an enum, status. There are now 3 states for a buffer, usable and revoked temporary/permanent. A new VFIO device ioctl is added, VFIO_DEVICE_PCI_DMABUF_REVOKE, which passes a DMABUF (exported from that device) and permanently revokes it. Thus a userspace driver can guarantee any downstream consumers of a shared fd are prevented from accessing a BAR range, and that range can be reused. The code doing revocation in vfio_pci_dma_buf_move() is moved, unchanged, to a common function for use by _move() and the new ioctl path. Q: I can't think of a good reason to temporarily revoke/unrevoke buffers from userspace, so didn't add a 'flags' field to the ioctl struct. Easy to add if people think it's worthwhile for future use. vfio/pci: Add mmap() attributes to DMABUF feature Adds a new VFIO feature, VFIO_DEVICE_FEATURE_DMA_BUF_MEMATTR. After a DMABUF is exported, this feature ioctl() isused to set a memory attribute that will be used by future mmap()s of the DMABUF fd (i.e. it does nothing for any existing maps). The default is UC, and via the feature one can specify CPU access as WC. The attribute is an enum/scalar rather than bitmap/cumulative. The attributes follow a "try-fail" model where a client can request an attribute and either succeed or fail with ENOTSUPP if it's unknown; if future attributes are platform-specific then their support can be probed. (Since it's just UC/WC for now, there is no reservation or numeric structure to the namespace yet, but we could support system/arch-specific values in future by carving out base + arch-specific + IMPDEF ranges.) Testing ======= (The [RFC ONLY] userspace test program, for QEMU edu-plus, has been dropped from the series, but can be found in the GitHub branch below. It at least illustrates the export, map, revoke, attribute, and close semantics interoperate.) This code has been tested in mapping DMABUFs of single/multiple ranges, aliasing mmap()s, aliasing ranges across DMABUFs, vm_pgoff > 0, revocation, shutdown/cleanup scenarios, and hugepage mappings seem to work correctly. I've lightly tested WC mappings also (by observing resulting PTEs as having the correct attributes...). No regressions observed on the VFIO selftests, or on our internal vfio-pci applications. End === This is based on VFIO next (e.g. at b9285405c5f6). These commits are on GitHub for easier browsing, along with "[RFC ONLY] selftests: vfio: Add standalone vfio_dmabuf_mmap_test": https://github.com/metamev/linux/compare/b9285405c5f6...metamev:linux:dev/m… Thanks for reading, Matt ================================================================================ Change log: v2: - Rebase on VFIO next, picking up Alex's vfio_pci_dma_buf_move()/vfio_pci_dma_buf_cleanup() fixes, and dropping "vfio/pci: Fix vfio_pci_dma_buf_cleanup() double-put" - Added "PCI/P2PDMA: Add CONFIG_PCI_P2PDMA_CORE" so that the newly-added vfio-pci hard dependency on the P2PDMA provider instead pulls in the _CORE variant and not the full-fat CONFIG_PCI_P2PDMA. This means that the core of vfio-pci does not need ZONE_DEVICE, but if it's available then enabling P2PDMA in turn enables DMABUF export. Fixes basic VFIO operation on 32b or other platforms without ZONE_DEVICE. - Fixed comment inaccuracy in vfio_pci_dma_buf_revoke() and cleaned up vdev validity test. - vfio_pci_dma_buf_find_pfn(): use PAGE_ALIGN(), better span variable naming, OVF check - Made vm_pgoffs use consistent (keeping the resource index at the top and masking where offset is used). For BAR mmap, use new vma_pgoff_adjust to create the DMABUF with the exact mmap()ed span instead of from the start of the BAR with an invisible portion before the mapping. - Added VFIO_DEVICE_FEATURE_DMA_BUF_MEMATTR to set memory attributes, instead of using the export `flags` field. - vfio_pci_ioctl_reset: Moved vfio_pci_zap_revoke_bars() (effectively, vfio_pci_dma_buf_move()) back after D0 transition. Note, if a BAR zap is needed, it's done in this function so now happens after this D0 transition with the _move; it was done before it at the time of the memory_lock taking. - Minimised vfio_pci_dma_buf_mmap() (removed redundant span check), added READ_ONCE for memattr - Misc fixes: comment in DMABUF name generation, removed superfluous READ_ONCE from faulthandler v1: https://lore.kernel.org/kvm/20260416131815.2729131-1-mattev@meta.com/ - Cleanup of the common DMABUF-aware VMA vm_ops fault handler and export code. - Fixed a lot of races, particularly faults racing with DMABUF cleanup (if the VFIO device fds close, for example). - Added nicer human-readable names for VFIO mmap() VMAs RFCv2: Respin based on the feedback/suggestions: https://lore.kernel.org/kvm/20260312184613.3710705-1-mattev@meta.com/ - Transform the existing VFIO BAR mmap path to also use DMABUFs behind the scenes, and then simply share that code for explicitly-mapped DMABUFs. Jason wanted to go that direction to enable iommufd VFIO type 1 emulation to pick up a DMABUF for an IO mapping. - Revoke buffers using a VFIO device fd ioctl RFCv1: https://lore.kernel.org/all/20260226202211.929005-1-mattev@meta.com/ Matt Evans (9): PCI/P2PDMA: Add CONFIG_PCI_P2PDMA_CORE vfio/pci: Add a helper to look up PFNs for DMABUFs vfio/pci: Add a helper to create a DMABUF for a BAR-map VMA vfio/pci: Convert BAR mmap() to use a DMABUF vfio/pci: Provide a user-facing name for BAR mappings vfio/pci: Clean up BAR zap and revocation vfio/pci: Support mmap() of a VFIO DMABUF vfio/pci: Permanently revoke a DMABUF on request vfio/pci: Add mmap() attributes to DMABUF feature drivers/pci/Kconfig | 10 +- drivers/pci/Makefile | 2 +- drivers/pci/p2pdma.c | 16 + drivers/vfio/pci/Kconfig | 4 +- drivers/vfio/pci/Makefile | 3 +- drivers/vfio/pci/nvgrace-gpu/main.c | 5 + drivers/vfio/pci/vfio_pci_config.c | 30 +- drivers/vfio/pci/vfio_pci_core.c | 225 +++++++++--- drivers/vfio/pci/vfio_pci_dmabuf.c | 548 ++++++++++++++++++++++++---- drivers/vfio/pci/vfio_pci_priv.h | 57 ++- include/linux/pci-p2pdma.h | 24 +- include/linux/pci.h | 2 +- include/linux/vfio_pci_core.h | 1 + include/uapi/linux/vfio.h | 57 +++ 14 files changed, 815 insertions(+), 169 deletions(-) -- 2.47.3

11 hours, 46 minutes

Re: [PATCH 11/15] accel/qda: Add PRIME DMA-BUF import support

by Christian König

On 6/3/26 08:11, Ekansh Gupta wrote: > On 19-05-2026 12:25, Christian König wrote: >> On 5/19/26 08:16, Ekansh Gupta via B4 Relay wrote: >>> From: Ekansh Gupta <ekansh.gupta(a)oss.qualcomm.com> ... >>> +static int qda_memory_manager_map_imported(struct qda_memory_manager *mem_mgr, >>> + struct qda_gem_obj *gem_obj, >>> + struct qda_iommu_device *iommu_dev) >>> +{ >>> + struct scatterlist *sg; >>> + dma_addr_t dma_addr; >>> + >>> + if (!gem_obj->is_imported || !gem_obj->sgt || !iommu_dev) { >>> + drm_err(gem_obj->base.dev, "Invalid parameters for imported buffer mapping\n"); >>> + return -EINVAL; >>> + } >>> + >>> + sg = gem_obj->sgt->sgl; >>> + if (!sg) { >>> + drm_err(gem_obj->base.dev, "Invalid scatter-gather list for imported buffer\n"); >>> + return -EINVAL; >>> + } >>> + >>> + gem_obj->iommu_dev = iommu_dev; >>> + >>> + /* >>> + * After dma_buf_map_attachment_unlocked(), sg_dma_address() returns the >>> + * IOMMU virtual address, not the physical address. The IOMMU maps the >>> + * entire buffer as a contiguous range in the IOMMU address space even if >>> + * the underlying physical memory is non-contiguous. Therefore the first >>> + * sg entry's DMA address is the start of the complete contiguous >>> + * IOMMU-mapped range and is sufficient to describe the buffer to the DSP. >>> + */ >>> + dma_addr = sg_dma_address(sg); >>> + dma_addr += ((u64)iommu_dev->sid << 32); >>> + gem_obj->dma_addr = dma_addr; >> >> That handling here is completely broken since it assumes that the exporter maps the buffer as contigious range. >> >> But that's in no way guaranteed. > I'll collect more details and will try to implement this in the right > way, maybe by iterating the full sg_table.> You could also document explicitly that you can only import contiguous buffers (e.g. DMA-buf heap CMA etc....) and then cleanly reject non contiguous buffers here. We have quite a number of drivers/HW with that limitation, so only accepting contiguous buffers is perfectly ok. You just can't silently assume that IOMMU would always map the entire buffer as one contiguous range, cause that is certainly not true. Regards, Christian. >> Regards, >> Christian.

12 hours, 28 minutes

Re: [PATCH RESEND v2] dma-buf: heaps: use max3 in dma_heap_ioctl

by Sumit Semwal

Hello Thorsten, On Wed, 3 Jun 2026 at 04:14, Thorsten Blum <thorsten.blum(a)linux.dev> wrote: > > Gentle ping? > > On Sun, May 17, 2026 at 07:23:53PM +0200, Thorsten Blum wrote: > > Replace two nested max() calls with a single max3() in dma_heap_ioctl(). > > > > Reviewed-by: T.J. Mercier <tjmercier(a)google.com> > > Signed-off-by: Thorsten Blum <thorsten.blum(a)linux.dev> Apologies for the delay; its now pushed to drm-misc-next. > > --- > > Changes in v2: > > - Include minmax.h as suggested by T.J. Mercier > > - v1: https://lore.kernel.org/lkml/20260427172519.417333-3-thorsten.blum@linux.de… > > --- > > drivers/dma-buf/dma-heap.c | 3 ++- > > 1 file changed, 2 insertions(+), 1 deletion(-) > > > > diff --git a/drivers/dma-buf/dma-heap.c b/drivers/dma-buf/dma-heap.c > > index ac5f8685a649..d49188893608 100644 > > --- a/drivers/dma-buf/dma-heap.c > > +++ b/drivers/dma-buf/dma-heap.c > > @@ -13,6 +13,7 @@ > > #include <linux/err.h> > > #include <linux/export.h> > > #include <linux/list.h> > > +#include <linux/minmax.h> > > #include <linux/nospec.h> > > #include <linux/syscalls.h> > > #include <linux/uaccess.h> > > @@ -153,7 +154,7 @@ static long dma_heap_ioctl(struct file *file, unsigned int ucmd, > > in_size = 0; > > if ((ucmd & kcmd & IOC_OUT) == 0) > > out_size = 0; > > - ksize = max(max(in_size, out_size), drv_size); > > + ksize = max3(in_size, out_size, drv_size); > > > > /* If necessary, allocate buffer for ioctl argument */ > > if (ksize > sizeof(stack_kdata)) { Best, Sumit.

17 hours, 8 minutes

[PATCH v5] dma-buf: Fix silent overflow for phys vec to sgt

by David Hu

In case MMIO size is bigger than 4G and peer2peer DMA goes through host bridge, we trigger a code path that assigns the total linked IOVA (which is greater than 4G) to mapped_len. Previously, `mapped_len` was declared as 32-bit `unsigned int`. When accumulating `size_t` lengths, this leads to a silent wrap-around. This truncation causes truncated lengths to be passed to functions like `fill_sg_entry()`. Fix this by changing `mapped_len` to `size_t` (64-bit). While at it, fix similar potential overflow issues in `calc_sg_nents` by using `size_t` for `nents` and checking against `UINT_MAX` and using `unsigned int` for the loop iterator in `fill_sg_entry` to match. Fixes: 3aa31a8bb11e ("dma-buf: provide phys_vec to scatter-gather mapping routine") Cc: stable(a)vger.kernel.org Cc: iommu(a)lists.linux.dev Reviewed-by: Pranjal Shrivastava <praan(a)google.com> Signed-off-by: David Hu <xuehaohu(a)google.com> --- Changes in v5: - Removed WARN_ON_ONCE from calc_sg_nents() to avoid log noise (Jason). - Added explicit check for `!nents` in dma_buf_phys_vec_to_sgt() to cleanly return -EINVAL on overflow (Jason). Changes in v4: - Added WARN_ON_ONCE() to the nents overflow check to prevent silent failures (Claude Bot). Changes in v3: - Removed leftover sentence fragment from the commit message. - Kept `nents = 0` initialization (previously stated as removed in the v2 changelog) as it is strictly required for the `+=` accumulation loop in `calc_sg_nents()`. Changes in v2: - Fixed 'IVOA' -> 'IOVA' typo and expanded commit message (Claude Bot). - Added Reverse Xmas tree formatting (Pranjal). - Folded in extra bounds checking for calc_sg_nents() (Pranjal). - Folded in type consistency fix for fill_sg_entry() (Pranjal). drivers/dma-buf/dma-buf-mapping.c | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/drivers/dma-buf/dma-buf-mapping.c b/drivers/dma-buf/dma-buf-mapping.c index 794acff2546a..607b7998463d 100644 --- a/drivers/dma-buf/dma-buf-mapping.c +++ b/drivers/dma-buf/dma-buf-mapping.c @@ -10,7 +10,7 @@ static struct scatterlist *fill_sg_entry(struct scatterlist *sgl, size_t length, dma_addr_t addr) { unsigned int len, nents; - int i; + unsigned int i; nents = DIV_ROUND_UP(length, UINT_MAX); for (i = 0; i < nents; i++) { @@ -36,7 +36,7 @@ static unsigned int calc_sg_nents(struct dma_iova_state *state, struct phys_vec *phys_vec, size_t nr_ranges, size_t size) { - unsigned int nents = 0; + size_t nents = 0; size_t i; if (!state || !dma_use_iova(state)) { @@ -51,6 +51,9 @@ static unsigned int calc_sg_nents(struct dma_iova_state *state, nents = DIV_ROUND_UP(size, UINT_MAX); } + if (nents > UINT_MAX) + return 0; + return nents; } @@ -95,9 +98,10 @@ struct sg_table *dma_buf_phys_vec_to_sgt(struct dma_buf_attachment *attach, size_t nr_ranges, size_t size, enum dma_data_direction dir) { - unsigned int nents, mapped_len = 0; struct dma_buf_dma *dma; struct scatterlist *sgl; + size_t mapped_len = 0; + unsigned int nents; dma_addr_t addr; size_t i; int ret; @@ -133,6 +137,11 @@ struct sg_table *dma_buf_phys_vec_to_sgt(struct dma_buf_attachment *attach, } nents = calc_sg_nents(dma->state, phys_vec, nr_ranges, size); + if (!nents) { + ret = -EINVAL; + goto err_free_state; + } + ret = sg_alloc_table(&dma->sgt, nents, GFP_KERNEL | __GFP_ZERO); if (ret) goto err_free_state; -- 2.54.0.929.g9b7fa37559-goog

18 hours, 20 minutes

Jumping to the Beat

by huffmansamuel908＠gmail.com

With its fast tempo and unforgiving obstacles, Geometry Dash Lite offers a unique challenge that keeps players fully engaged. The game uses simple tap controls, yet demands sharp focus and perfect timing to survive each level. Bright colors, sharp shapes, and energetic music combine to create an intense atmosphere. As players retry levels again and again, they slowly improve their skills and reaction speed. https://geometrylite2.io

22 hours, 42 minutes

Jump to page:

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

Linaro-mm-sig