Linaro-mm-sig

linaro-mm-sig@lists.linaro.org

37 participants
6629 discussions

MUYERN TRUST HACKER || Private Digital Security

by priyankaragade6＠gmail.com

It is 2026. Cryptocurrency is no longer just an investment; it is the backbone of a new global financial system. Millions of people now manage their wealth through digital assets like Bitcoin, Ethereum, and USDT. This shift has brought unprecedented financial freedom, but it has also opened the door to a new era of cybercrime. From sophisticated phishing attacks and fake investment platforms to direct wallet hacks, the methods used by scammers have become increasingly complex. Every day, victims lose access to their hard-earned digital assets. The feeling of helplessness is overwhelming—but it is not the end of the story. At MUYERN TRUST HACKER, we turn that helplessness into action. Recognized as the Best, Top, and Most Trusted Cryptocurrency Recovery Company in 2026, we have been fighting crypto crime since 2010. With over $990 Million recovered and a reported 99% success rate, we don’t just promise results; we deliver them. But how exactly do we recover what seems lost? Here is a look at our proven methodology. The Myth of "Untraceable" Crypto Many victims believe that once crypto is stolen, it is gone forever because blockchain is anonymous. This is a misconception. Blockchain is pseudonymous, not anonymous. Every transaction leaves a permanent, public footprint. While scammers use mixers and bridges to hide their tracks, they eventually need to cash out. That is where they make mistakes—and where we step in. Our 4-Step Recovery Process We combine cutting-edge technology with legal expertise to trace, freeze, and return your assets. 1. Forensic Case Assessment Recovery begins with intelligence. When you contact us, our experts conduct a deep-dive analysis of your case. We review transaction hashes, wallet addresses, and communication logs to identify the type of fraud (e.g., romance scam, investment fraud, or hack). We determine the viability of recovery before proceeding, ensuring transparency and honesty from day one. 2. Advanced Blockchain Tracing Using proprietary forensic tools, we trace the movement of your funds across multiple blockchains. Even if scammers attempt to launder money through decentralized exchanges (DEXs) or privacy protocols, our algorithms identify patterns and link illicit addresses to known entities. We follow the money trail until it reaches a point of vulnerability—usually a centralized exchange or a regulated financial institution. 3. Strategic Legal Intervention Tracing is only half the battle. To recover funds, we must act where the criminals cash out. We collaborate with: Global Exchanges: Providing irrefutable forensic evidence to freeze accounts holding stolen funds. Law Enforcement: Assisting cybercrime units with detailed investigation reports. Legal Networks: Navigating international jurisdictions to secure asset returns through legal channels. This multi-pronged approach puts immense pressure on bad actors and compliant platforms to return the assets. 4. Secure Asset Return & Protection Once funds are recovered, we facilitate their secure transfer back to your personal wallet. But our job doesn’t end there. We provide a post-recovery security audit, helping you strengthen your digital defenses to prevent future attacks. We believe in empowering our clients, not just rescuing them. Why MUYERN TRUST HACKER is the Leader in 2026 In an industry rife with secondary scams, trust is everything. Here is why thousands of victims choose us: Proven Longevity: Operating since 2010, we have evolved alongside the technology, giving us unmatched experience. Massive Impact: We have recovered over $990 Million in digital assets for individuals and businesses worldwide. High Success Rate: Our rigorous vetting process ensures a reported 99% Crypto Recovery Rate for accepted cases. Global Reach: Cybercrime has no borders, and neither do we. Our network spans major financial hubs across the globe. Don’t Let Scammers Win If you have lost cryptocurrency to fraud, hacks, or scams, time is critical. The faster you act, the higher the chance of recovery. You do not have to face this alone. Join the thousands of clients who have reclaimed their financial freedom with MUYERN TRUST HACKER. Ready to Start Your Recovery? Contact our specialist team today for a confidential, no-obligation case assessment. Email: [ muyerntrusted(at)mail-me(.)c o m ] What App: [ +1.2.0.2.7.0.3.2.2.3.9 ]

2 hours, 2 minutes

[PATCH v7] dma-buf: Fix silent overflow for phys vec to sgt

by David Hu

In case MMIO size is bigger than 4G and peer2peer DMA goes through host bridge, we trigger a code path that assigns the total linked IOVA (which is greater than 4G) to mapped_len. Previously, `mapped_len` was declared as 32-bit `unsigned int`. When accumulating `size_t` lengths, this leads to a silent wrap-around. This truncation causes truncated lengths to be passed to functions like `fill_sg_entry()`. Fix this by changing `mapped_len` to `size_t` (64-bit). While at it, fix similar potential overflow issues in `calc_sg_nents` by using `check_add_overflow()` for `nents` and using `unsigned int` for the loop iterator in `fill_sg_entry` to match. Fixes: 3aa31a8bb11e ("dma-buf: provide phys_vec to scatter-gather mapping routine") Cc: stable(a)vger.kernel.org Cc: iommu(a)lists.linux.dev Reviewed-by: Pranjal Shrivastava <praan(a)google.com> Reviewed-by: Kevin Tian <kevin.tian(a)intel.com> Reviewed-by: Leon Romanovsky <leon(a)kernel.org> Signed-off-by: David Hu <xuehaohu(a)google.com> --- Changes in v7: - Added a missing blank line after local variable declaration in `calc_sg_nents()` (Leon). - Collected Reviewed-by from Leon Romanovsky. Changes in v6: - Used `check_add_overflow()` in `calc_sg_nents()` for safer accumulation (Leon). - Dropped explicit `!nents` check and added a comment noting that `sg_alloc_table` handles `nents == 0` (Leon). - Collected Reviewed-by from Kevin Tian. Changes in v5: - Removed WARN_ON_ONCE from calc_sg_nents() to avoid log noise (Jason). - Added explicit check for `!nents` in dma_buf_phys_vec_to_sgt() to cleanly return -EINVAL on overflow (Jason). Changes in v4: - Added WARN_ON_ONCE() to the nents overflow check to prevent silent failures (Claude Bot). Changes in v3: - Removed leftover sentence fragment from the commit message. - Kept `nents = 0` initialization (previously stated as removed in the v2 changelog) as it is strictly required for the `+=` accumulation loop in `calc_sg_nents()`. Changes in v2: - Fixed 'IVOA' -> 'IOVA' typo and expanded commit message (Claude Bot). - Added Reverse Xmas tree formatting (Pranjal). - Folded in extra bounds checking for calc_sg_nents() (Pranjal). - Folded in type consistency fix for fill_sg_entry() (Pranjal). - Collected Reviewed-by from Pranjal Shrivastava. drivers/dma-buf/dma-buf-mapping.c | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/drivers/dma-buf/dma-buf-mapping.c b/drivers/dma-buf/dma-buf-mapping.c index 794acff2546a..80f6ab2f4809 100644 --- a/drivers/dma-buf/dma-buf-mapping.c +++ b/drivers/dma-buf/dma-buf-mapping.c @@ -5,12 +5,13 @@ */ #include <linux/dma-buf-mapping.h> #include <linux/dma-resv.h> +#include <linux/overflow.h> static struct scatterlist *fill_sg_entry(struct scatterlist *sgl, size_t length, dma_addr_t addr) { unsigned int len, nents; - int i; + unsigned int i; nents = DIV_ROUND_UP(length, UINT_MAX); for (i = 0; i < nents; i++) { @@ -40,8 +41,12 @@ static unsigned int calc_sg_nents(struct dma_iova_state *state, size_t i; if (!state || !dma_use_iova(state)) { - for (i = 0; i < nr_ranges; i++) - nents += DIV_ROUND_UP(phys_vec[i].len, UINT_MAX); + for (i = 0; i < nr_ranges; i++) { + unsigned int added = DIV_ROUND_UP(phys_vec[i].len, UINT_MAX); + + if (check_add_overflow(nents, added, &nents)) + return 0; + } } else { /* * In IOVA case, there is only one SG entry which spans @@ -95,9 +100,10 @@ struct sg_table *dma_buf_phys_vec_to_sgt(struct dma_buf_attachment *attach, size_t nr_ranges, size_t size, enum dma_data_direction dir) { - unsigned int nents, mapped_len = 0; struct dma_buf_dma *dma; struct scatterlist *sgl; + size_t mapped_len = 0; + unsigned int nents; dma_addr_t addr; size_t i; int ret; @@ -133,6 +139,8 @@ struct sg_table *dma_buf_phys_vec_to_sgt(struct dma_buf_attachment *attach, } nents = calc_sg_nents(dma->state, phys_vec, nr_ranges, size); + + /* sg_alloc_table will cleanly fail and return -EINVAL if nents == 0 */ ret = sg_alloc_table(&dma->sgt, nents, GFP_KERNEL | __GFP_ZERO); if (ret) goto err_free_state; -- 2.54.0.1064.gd145956f57-goog

7 hours, 9 minutes

[PATCH v6] dma-buf: Fix silent overflow for phys vec to sgt

by David Hu

In case MMIO size is bigger than 4G and peer2peer DMA goes through host bridge, we trigger a code path that assigns the total linked IOVA (which is greater than 4G) to mapped_len. Previously, `mapped_len` was declared as 32-bit `unsigned int`. When accumulating `size_t` lengths, this leads to a silent wrap-around. This truncation causes truncated lengths to be passed to functions like `fill_sg_entry()`. Fix this by changing `mapped_len` to `size_t` (64-bit). While at it, fix similar potential overflow issues in `calc_sg_nents` by using `check_add_overflow()` for `nents` and using `unsigned int` for the loop iterator in `fill_sg_entry` to match. Fixes: 3aa31a8bb11e ("dma-buf: provide phys_vec to scatter-gather mapping routine") Cc: stable(a)vger.kernel.org Cc: iommu(a)lists.linux.dev Reviewed-by: Pranjal Shrivastava <praan(a)google.com> Reviewed-by: Kevin Tian <kevin.tian(a)intel.com> Signed-off-by: David Hu <xuehaohu(a)google.com> --- Changes in v6: - Used `check_add_overflow()` in `calc_sg_nents()` for safer accumulation (Leon). - Dropped explicit `!nents` check and added a comment noting that `sg_alloc_table` handles `nents == 0` (Leon). - Collected Reviewed-by from Kevin Tian. Changes in v5: - Removed WARN_ON_ONCE from calc_sg_nents() to avoid log noise (Jason). - Added explicit check for `!nents` in dma_buf_phys_vec_to_sgt() to cleanly return -EINVAL on overflow (Jason). Changes in v4: - Added WARN_ON_ONCE() to the nents overflow check to prevent silent failures (Claude Bot). Changes in v3: - Removed leftover sentence fragment from the commit message. - Kept `nents = 0` initialization (previously stated as removed in the v2 changelog) as it is strictly required for the `+=` accumulation loop in `calc_sg_nents()`. Changes in v2: - Fixed 'IVOA' -> 'IOVA' typo and expanded commit message (Claude Bot). - Added Reverse Xmas tree formatting (Pranjal). - Folded in extra bounds checking for calc_sg_nents() (Pranjal). - Folded in type consistency fix for fill_sg_entry() (Pranjal). - Collected Reviewed-by from Pranjal Shrivastava. drivers/dma-buf/dma-buf-mapping.c | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/drivers/dma-buf/dma-buf-mapping.c b/drivers/dma-buf/dma-buf-mapping.c index 794acff2546a..67a8ff52fb8f 100644 --- a/drivers/dma-buf/dma-buf-mapping.c +++ b/drivers/dma-buf/dma-buf-mapping.c @@ -5,12 +5,13 @@ */ #include <linux/dma-buf-mapping.h> #include <linux/dma-resv.h> +#include <linux/overflow.h> static struct scatterlist *fill_sg_entry(struct scatterlist *sgl, size_t length, dma_addr_t addr) { unsigned int len, nents; - int i; + unsigned int i; nents = DIV_ROUND_UP(length, UINT_MAX); for (i = 0; i < nents; i++) { @@ -40,8 +41,11 @@ static unsigned int calc_sg_nents(struct dma_iova_state *state, size_t i; if (!state || !dma_use_iova(state)) { - for (i = 0; i < nr_ranges; i++) - nents += DIV_ROUND_UP(phys_vec[i].len, UINT_MAX); + for (i = 0; i < nr_ranges; i++) { + unsigned int added = DIV_ROUND_UP(phys_vec[i].len, UINT_MAX); + if (check_add_overflow(nents, added, &nents)) + return 0; + } } else { /* * In IOVA case, there is only one SG entry which spans @@ -95,9 +99,10 @@ struct sg_table *dma_buf_phys_vec_to_sgt(struct dma_buf_attachment *attach, size_t nr_ranges, size_t size, enum dma_data_direction dir) { - unsigned int nents, mapped_len = 0; struct dma_buf_dma *dma; struct scatterlist *sgl; + size_t mapped_len = 0; + unsigned int nents; dma_addr_t addr; size_t i; int ret; @@ -133,6 +138,8 @@ struct sg_table *dma_buf_phys_vec_to_sgt(struct dma_buf_attachment *attach, } nents = calc_sg_nents(dma->state, phys_vec, nr_ranges, size); + + /* sg_alloc_table will cleanly fail and return -EINVAL if nents == 0 */ ret = sg_alloc_table(&dma->sgt, nents, GFP_KERNEL | __GFP_ZERO); if (ret) goto err_free_state; -- 2.54.0.1064.gd145956f57-goog

7 hours, 30 minutes

[PATCH] dma-buf: enable sg_table wrapping on CONFIG_DEBUG

by Christian König

Importers notoriously abused the struct page pointers from the sg_table the DMA-buf exporter provides. This has created numerous problems ranging from crashes over random memory corruption to security issues. To find such bad importers DMA-buf already has a functionality to wrap the sg_table and set the page pointers to NULL enabled under CONFIG_DMABUF_DEBUG. Change that to just CONFIG_DEBUG to catch even more importers doing something nasty. Signed-off-by: Christian König <christian.koenig(a)amd.com> --- drivers/dma-buf/dma-buf.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/dma-buf/dma-buf.c b/drivers/dma-buf/dma-buf.c index 71f37544a5c6..d5dfa82ed2dd 100644 --- a/drivers/dma-buf/dma-buf.c +++ b/drivers/dma-buf/dma-buf.c @@ -857,7 +857,7 @@ static int dma_buf_wrap_sg_table(struct sg_table **sg_table) struct dma_buf_sg_table_wrapper *to; int i, ret; - if (!IS_ENABLED(CONFIG_DMABUF_DEBUG)) + if (!IS_ENABLED(CONFIG_DEBUG)) return 0; /* @@ -896,7 +896,7 @@ static void dma_buf_unwrap_sg_table(struct sg_table **sg_table) { struct dma_buf_sg_table_wrapper *copy; - if (!IS_ENABLED(CONFIG_DMABUF_DEBUG)) + if (!IS_ENABLED(CONFIG_DEBUG)) return; copy = container_of(*sg_table, typeof(*copy), wrapper); -- 2.43.0

9 hours, 51 minutes

Does Recuva Hacker Solutions (RHS) work?

by hobertgregory05＠gmail.com

Yes. RHS operates as a blockchain investigation service, providing professional tracing and forensic reporting. RHS has contributed to major seizures, including a December 2025 case involving over $300 million linked to an international crypto fraud scheme. RHS does not promise guaranteed recovery but delivers actionable intelligence that supports law enforcement and legal action.

11 hours, 17 minutes

Escape Road 2: Fast Lane Escape

by lilysmith10098＠gmail.com

Escape Road 2 challenges players to stay one step ahead in a world where every corner could lead to freedom or failure. Busy streets, unpredictable traffic, and constant pursuit create an exciting environment that rewards skillful driving. Players must make rapid decisions while navigating through increasingly difficult situations. The sense of momentum grows throughout each run, making survival both challenging and satisfying. Smooth vehicle handling enhances the experience, allowing daring maneuvers and creative escapes. Escape Road 2 offers a compelling mix of action and excitement that keeps players returning for another chance to extend their journey. Play game at https://escaperoad2.io

15 hours, 22 minutes

Unlocking the Melody: A Guide to Heardle

by many.unicorn.syms＠hidingmail.net

Ever found yourself humming along to a tune, only to realize you can’t quite place the artist or title? If so, you’re in for a treat with Heardle. This delightful online game offers a daily dose of musical trivia, challenging your ear and memory in a surprisingly addictive way. Whether you're a seasoned music aficionado or just looking for a fun brain-teaser, Heardle provides an engaging experience. https://heardlefree.com/ What is Heardle? At its core, Heardle is a daily musical guessing game. Each day, a new song is presented, and your task is to identify it based on short audio snippets. The beauty of Heardle lies in its progressive difficulty. You start with just a second of the intro, and if you’re stumped, you can get more time, up to a maximum of 16 seconds. It's a fantastic way to discover new music or reconnect with old favorites. You can experience the game and try your hand at guessing the daily song by visiting Heardle. Gameplay: Your Daily Musical Challenge Playing Heardle is straightforward and intuitive. When you first open the game, you'll see a simple interface with a play button and a search bar. Listen to the Snippet: Click the play button to hear the initial one-second snippet of the song. Make Your Guess (or Skip): Based on this tiny fragment, you can either type your guess into the search bar. As you type, the game will suggest potential song titles and artists. If you have no idea, or want more time, you can click "Skip" to hear a longer segment. Progressive Reveals: Each time you skip, the audio snippet gets slightly longer, giving you more musical clues. You have a total of six attempts. The Reveal: If you guess correctly, or if you exhaust all your attempts, the song's title and artist are revealed. You'll also see your score (how many attempts it took you) and have the option to share your result. Tips for Mastering Heardle While luck plays a small part, there are strategies to improve your Heardle success rate: Focus on Intros: Many songs have very distinctive introductions. Pay close attention to unique instrumentals, vocal hooks, or production styles in the initial seconds. Genre Awareness: If you have a general idea of the era or genre, it can significantly narrow down your search. Sometimes just knowing it's a 90s pop song or a classic rock anthem is enough to trigger a memory. Don't Be Afraid to Skip: There's no penalty for skipping! If the first second doesn't ring a bell, don't waste time pondering. Get those extra seconds of audio. Hum It Out: Sometimes, humming the tune in your head can help you connect it to lyrics or a title you know. Listen Actively: Instead of just hearing, actively listen for specific instruments, vocal inflections, or rhythmic patterns. Explore Past Heardles: While not directly helping with the current day's song, revisiting past Heardle puzzles can help you train your ear and recognize common song structures. You can often find archives of past games on sites like Heardle. Conclusion Heardle offers a delightful and accessible way to engage with music. It's a perfect brief escape for your coffee break, a fun challenge to share with friends, or simply a way to test your musical knowledge. Give it a try, and you might just surprise yourself with how many melodies you recognize – and perhaps discover a new favorite along the way!

16 hours, 31 minutes

Embrace the Chaos: A Beginner's Guide to the Joy of Basket Random

by unable.rhinoceros.micz＠hidingmail.net

If you are tired of ultra-realistic sports simulators that require complex button combinations and intense strategic planning, it is time to embrace the chaos. Enter the world of physics-based ragdoll games, where the only rule is that there are no rules. At the absolute peak of this hilariously unpredictable genre is Basket Random, a two-button browser game that turns the structured sport of basketball into a chaotic, laughter-inducing spectacle. https://basketrandomgame.com/ Whether you want to kill a few minutes during a study break or challenge a friend to a local duel, here is your ultimate guide to experiencing this delightfully absurd game. What is Basket Random? At its core, the game is a 2v2 basketball match, but with a major twist: your players move like floppy, inflatable tube men. Developed with bouncy ragdoll physics, every round presents a completely randomized setup. One round you might be playing with giant heads on a snowy court with a heavy bowling ball; the next, you are on a sunny beach holding a tiny tennis ball with shortened arms. The objective is simple: be the first to score 5 points. However, achieving that objective is a beautifully chaotic journey of trial, error, and luck. How to Play: One-Button Mastery The beauty of the game lies in its minimalist control scheme. You do not need to worry about passing, sprinting, or shooting buttons. You only need one key: Player 1 (or Single Player): Press the W key (or Up Arrow). Player 2: Press the Up Arrow key. When you tap the key, both of your players will jump and tilt in the direction of the ball. If you hold the key, they will swing their arms and legs wildly. Releasing the key at the right moment allows your player to throw the ball toward the hoop. It sounds simple, but because the physics change with every single point scored, you must constantly adapt your timing to the new weight of the ball, the bounce of the court, and the length of your players' limbs. Tips to Dominate the Chaotic Court While the game relies heavily on accidental moments of brilliance, you can actually develop a loose strategy to win more matches: Master the "Spam" vs. "Hold" Balance: Do not just mash the jump button blindly. If the ball is loose, rapid tapping can help you scramble toward it. However, if your player has possession, hold the button to lean backward, then release it at the peak of your jump for a cleaner arc toward the hoop. Play Defense First: Sometimes, the best offense is a solid block. Position your tallest player under the opponent's hoop to swat away their chaotic shots. Use the Environment: Take note of the court changes. On icy courts, your players will slide much further, which can be used to slide-tackle the ball away from opponents. Conclusion Ultimately, the best way to experience Basket Random is with a friend sitting right next to you. The game’s charm lies in its ability to level the playing field; a seasoned gaming pro can easily lose to a beginner who happened to get a lucky bounce off a player's head. It is a game designed not for sweat and competition, but for shared laughter and high-fives. So, open up your browser, grab a friend, and prepare for some of the most hilarious basketball matches you will ever play.

21 hours, 22 minutes

[PATCH] iommufd: take dma_resv lock before dma_buf_unpin() in release path

by Ankit Soni

dma_buf_unpin() requires the caller to hold the exporter's dma_resv lock: void dma_buf_unpin(struct dma_buf_attachment *attach) { ... dma_resv_assert_held(dmabuf->resv); ... } iopt_release_pages() calls dma_buf_unpin() without taking that lock, so every iommufd_ioas_destroy()/iommufd_ioas_unmap() that releases the last reference on a DMABUF-backed iopt_pages triggers a WARN. This was hit while running tools/testing/selftests/iommu/iommufd: WARNING: drivers/dma-buf/dma-buf.c:1137 at dma_buf_unpin+0x62/0x70 RIP: 0010:dma_buf_unpin+0x62/0x70 Call Trace: <TASK> dma_buf_unpin+0x62/0x70 iopt_release_pages+0xe4/0x190 iopt_unmap_iova_range+0x1c7/0x290 iopt_unmap_all+0x1a/0x30 iommufd_ioas_destroy+0x1d/0x50 iommufd_fops_release+0x93/0x150 __fput+0xfc/0x2c0 __x64_sys_close+0x3d/0x80 do_syscall_64+0x65/0x180 </TASK> Take the dma_resv lock around dma_buf_unpin() in iopt_release_pages(), matching the iopt_map_dmabuf() convention. dma_buf_detach() acquires the reservation lock internally, so it must remain outside the locked region. Fixes: 8c5f9645c389 ("iommufd: Add dma_buf_pin()") Reported-by: Ankit Soni <Ankit.Soni(a)amd.com> Signed-off-by: Ankit Soni <Ankit.Soni(a)amd.com> --- drivers/iommu/iommufd/pages.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/iommu/iommufd/pages.c b/drivers/iommu/iommufd/pages.c index 9bdb2945afe1..7b64002e54b9 100644 --- a/drivers/iommu/iommufd/pages.c +++ b/drivers/iommu/iommufd/pages.c @@ -1663,7 +1663,9 @@ void iopt_release_pages(struct kref *kref) if (iopt_is_dmabuf(pages) && pages->dmabuf.attach) { struct dma_buf *dmabuf = pages->dmabuf.attach->dmabuf; + dma_resv_lock(dmabuf->resv, NULL); dma_buf_unpin(pages->dmabuf.attach); + dma_resv_unlock(dmabuf->resv); dma_buf_detach(dmabuf, pages->dmabuf.attach); dma_buf_put(dmabuf); WARN_ON(!list_empty(&pages->dmabuf.tracker)); -- 2.43.0

23 hours, 32 minutes

[PATCH v5] dma-buf: Fix silent overflow for phys vec to sgt

by David Hu

In case MMIO size is bigger than 4G and peer2peer DMA goes through host bridge, we trigger a code path that assigns the total linked IOVA (which is greater than 4G) to mapped_len. Previously, `mapped_len` was declared as 32-bit `unsigned int`. When accumulating `size_t` lengths, this leads to a silent wrap-around. This truncation causes truncated lengths to be passed to functions like `fill_sg_entry()`. Fix this by changing `mapped_len` to `size_t` (64-bit). While at it, fix similar potential overflow issues in `calc_sg_nents` by using `size_t` for `nents` and checking against `UINT_MAX` and using `unsigned int` for the loop iterator in `fill_sg_entry` to match. Fixes: 3aa31a8bb11e ("dma-buf: provide phys_vec to scatter-gather mapping routine") Cc: stable(a)vger.kernel.org Cc: iommu(a)lists.linux.dev Reviewed-by: Pranjal Shrivastava <praan(a)google.com> Signed-off-by: David Hu <xuehaohu(a)google.com> --- Changes in v5: - Removed WARN_ON_ONCE from calc_sg_nents() to avoid log noise (Jason). - Added explicit check for `!nents` in dma_buf_phys_vec_to_sgt() to cleanly return -EINVAL on overflow (Jason). Changes in v4: - Added WARN_ON_ONCE() to the nents overflow check to prevent silent failures (Claude Bot). Changes in v3: - Removed leftover sentence fragment from the commit message. - Kept `nents = 0` initialization (previously stated as removed in the v2 changelog) as it is strictly required for the `+=` accumulation loop in `calc_sg_nents()`. Changes in v2: - Fixed 'IVOA' -> 'IOVA' typo and expanded commit message (Claude Bot). - Added Reverse Xmas tree formatting (Pranjal). - Folded in extra bounds checking for calc_sg_nents() (Pranjal). - Folded in type consistency fix for fill_sg_entry() (Pranjal). drivers/dma-buf/dma-buf-mapping.c | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/drivers/dma-buf/dma-buf-mapping.c b/drivers/dma-buf/dma-buf-mapping.c index 794acff2546a..607b7998463d 100644 --- a/drivers/dma-buf/dma-buf-mapping.c +++ b/drivers/dma-buf/dma-buf-mapping.c @@ -10,7 +10,7 @@ static struct scatterlist *fill_sg_entry(struct scatterlist *sgl, size_t length, dma_addr_t addr) { unsigned int len, nents; - int i; + unsigned int i; nents = DIV_ROUND_UP(length, UINT_MAX); for (i = 0; i < nents; i++) { @@ -36,7 +36,7 @@ static unsigned int calc_sg_nents(struct dma_iova_state *state, struct phys_vec *phys_vec, size_t nr_ranges, size_t size) { - unsigned int nents = 0; + size_t nents = 0; size_t i; if (!state || !dma_use_iova(state)) { @@ -51,6 +51,9 @@ static unsigned int calc_sg_nents(struct dma_iova_state *state, nents = DIV_ROUND_UP(size, UINT_MAX); } + if (nents > UINT_MAX) + return 0; + return nents; } @@ -95,9 +98,10 @@ struct sg_table *dma_buf_phys_vec_to_sgt(struct dma_buf_attachment *attach, size_t nr_ranges, size_t size, enum dma_data_direction dir) { - unsigned int nents, mapped_len = 0; struct dma_buf_dma *dma; struct scatterlist *sgl; + size_t mapped_len = 0; + unsigned int nents; dma_addr_t addr; size_t i; int ret; @@ -133,6 +137,11 @@ struct sg_table *dma_buf_phys_vec_to_sgt(struct dma_buf_attachment *attach, } nents = calc_sg_nents(dma->state, phys_vec, nr_ranges, size); + if (!nents) { + ret = -EINVAL; + goto err_free_state; + } + ret = sg_alloc_table(&dma->sgt, nents, GFP_KERNEL | __GFP_ZERO); if (ret) goto err_free_state; -- 2.54.0.929.g9b7fa37559-goog

1 day, 4 hours

Jump to page:

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

Linaro-mm-sig