Linaro-mm-sig

linaro-mm-sig@lists.linaro.org

95 participants
6576 discussions

[PATCH v2] dma-buf: Fix silent overflow for phys vec to sgt

by David Hu

In case MMIO size is bigger than 4G and peer2peer DMA goes through host bridge, we trigger a code path that assigns the total linked IOVA (which is greater than 4G) to mapped_len. Previously, `mapped_len` was declared as 32-bit `unsigned int`. When accumulating `size_t` lengths, this leads to a silent wrap-around. This truncation causes truncated lengths to be passed to functions like `fill_sg_entry()`. Fix this by changing `mapped_len` to `size_t` (64-bit). While at it, fix similar potential overflow issues in `calc_sg_nents` by using `size_t` for `nents` and checking against `UINT_MAX` and using `unsigned int` for the loop iterator in `fill_sg_entry` to match. to mapped_len, and leading to a silent overflow Fixes: 3aa31a8bb11e ("dma-buf: provide phys_vec to scatter-gather mapping routine") Cc: stable(a)vger.kernel.org Cc: iommu(a)lists.linux.dev Reviewed-by: Pranjal Shrivastava <praan(a)google.com> Signed-off-by: David Hu <xuehaohu(a)google.com> --- Changes in v2: Fixed 'IVOA' -> 'IOVA' typo and expanded commit message (Claude Bot). Added Reverse Xmas tree formatting (Pranjal). Folded in extra bounds checking for calc_sg_nents() (Pranjal). Folded in type consistency fix for fill_sg_entry() (Pranjal). Droped unnecessary `nents = 0` initialization (Claude Bot). drivers/dma-buf/dma-buf-mapping.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/drivers/dma-buf/dma-buf-mapping.c b/drivers/dma-buf/dma-buf-mapping.c index 794acff2546a..5bc769fc42ea 100644 --- a/drivers/dma-buf/dma-buf-mapping.c +++ b/drivers/dma-buf/dma-buf-mapping.c @@ -10,7 +10,7 @@ static struct scatterlist *fill_sg_entry(struct scatterlist *sgl, size_t length, dma_addr_t addr) { unsigned int len, nents; - int i; + unsigned int i; nents = DIV_ROUND_UP(length, UINT_MAX); for (i = 0; i < nents; i++) { @@ -36,7 +36,7 @@ static unsigned int calc_sg_nents(struct dma_iova_state *state, struct phys_vec *phys_vec, size_t nr_ranges, size_t size) { - unsigned int nents = 0; + size_t nents = 0; size_t i; if (!state || !dma_use_iova(state)) { @@ -51,6 +51,9 @@ static unsigned int calc_sg_nents(struct dma_iova_state *state, nents = DIV_ROUND_UP(size, UINT_MAX); } + if (nents > UINT_MAX) + return 0; + return nents; } @@ -95,9 +98,10 @@ struct sg_table *dma_buf_phys_vec_to_sgt(struct dma_buf_attachment *attach, size_t nr_ranges, size_t size, enum dma_data_direction dir) { - unsigned int nents, mapped_len = 0; struct dma_buf_dma *dma; struct scatterlist *sgl; + size_t mapped_len = 0; + unsigned int nents; dma_addr_t addr; size_t i; int ret; -- 2.54.0.794.g4f17f83d09-goog

2 days, 22 hours

Re: [PATCH] dma-buf: Fix silent overflow for phys vec to sgt

by David Hu

On Tue, May 26, 2026 at 1:33 PM Pranjal Shrivastava <praan(a)google.com> wrote: > > On Mon, May 11, 2026, David Hu wrote: > > In case MMIO size is bigger than 4G, and peer2peer > > dma goes through host bridge, we trigger the code > > path to assign total linked IVOA, greater than 4G > > Nit: s/IVOA/IOVA > > > to mapped_len, and leading to a silent overflow > > > Fixes: 3aa31a8bb11e ("dma-buf: provide phys_vec to scatter-gather mapping routine") > > Signed-off-by: David Hu <xuehaohu(a)google.com> > > --- > > drivers/dma-buf/dma-buf-mapping.c | 3 ++- > > 1 file changed, 2 insertions(+), 1 deletion(-) > > > diff --git a/drivers/dma-buf/dma-buf-mapping.c b/drivers/dma-buf/dma-buf-mapping.c > > index 794acff2546a..658064140357 100644 > > --- a/drivers/dma-buf/dma-buf-mapping.c > > +++ b/drivers/dma-buf/dma-buf-mapping.c > > @@ -95,7 +95,8 @@ struct sg_table *dma_buf_phys_vec_to_sgt(struct dma_buf_attachment *attach, > > size_t nr_ranges, size_t size, > > enum dma_data_direction dir) > > { > > - unsigned int nents, mapped_len = 0; > > + unsigned int nents = 0; > > + size_t mapped_len = 0; > > struct dma_buf_dma *dma; > > struct scatterlist *sgl; > > dma_addr_t addr; > > Minor nit: Let's follow the reverse xmas tree format? > This looks correct to me, for this change: > > Reviewed-by: Pranjal Shrivastava <praan(a)google.com> > > Apart from this, I see similar issues at other places: > > 1. In calc_sg_nents(), nents is accumulated as an unsigned int. [1] > If nr_ranges is very large, nents could also overflow, potentially > leading to a small allocation in sg_alloc_table() and a subsequent > out-of-bounds access in the mapping loop. It might be worth changing > nents to size_t there and adding a check against UINT_MAX. > > 2. In fill_sg_entry(), the loop variable i is an int [2]. Changing > it to unsigned int would be more consistent with the nents type > and safer for extremely large mappings. > > > Maybe, we should also fix these? For example: > > diff --git a/drivers/dma-buf/dma-buf-mapping.c b/drivers/dma-buf/dma-buf-mapping.c > index 794acff2546a..ecf07ffca2b9 100644 > --- a/drivers/dma-buf/dma-buf-mapping.c > +++ b/drivers/dma-buf/dma-buf-mapping.c > @@ -10,7 +10,7 @@ static struct scatterlist *fill_sg_entry(struct scatterlist *sgl, size_t length, > dma_addr_t addr) > { > unsigned int len, nents; > - int i; > + unsigned int i; > > nents = DIV_ROUND_UP(length, UINT_MAX); > for (i = 0; i < nents; i++) { > @@ -36,7 +36,7 @@ static unsigned int calc_sg_nents(struct dma_iova_state *state, > struct phys_vec *phys_vec, size_t nr_ranges, > size_t size) > { > - unsigned int nents = 0; > + size_t nents = 0; > size_t i; > > if (!state || !dma_use_iova(state)) { > @@ -51,6 +51,9 @@ static unsigned int calc_sg_nents(struct dma_iova_state *state, > nents = DIV_ROUND_UP(size, UINT_MAX); > } > > + if (nents > UINT_MAX) > + return 0; > + > return nents; > } > > Thanks, > Praan > > [1] https://elixir.bootlin.com/linux/v7.1-rc3/source/drivers/dma-buf/dma-buf-ma… > [2] https://elixir.bootlin.com/linux/v7.1-rc3/source/drivers/dma-buf/dma-buf-ma… Thank you Pranjal for the review ! Good catch on other potential overflow sites. I have folded in your suggestions for calc_sg_nents(), and fill_sg_entry(), and applied reverse xmas tree formatting. Sending out a v2 shortly.

2 days, 22 hours

Re: [PATCH v2 1/9] PCI/P2PDMA: Add CONFIG_PCI_P2PDMA_CORE

by Matt Evans

Hi Logan, On 27/05/2026 17:07, Logan Gunthorpe wrote: > > On 2026-05-27 04:23, Matt Evans wrote: >> The P2PDMA code currently provides two features under the same >> CONFIG_PCI_P2PDMA option: >> >> 1. Locate providers via pcim_p2pdma_provider() >> 2. Manage actual P2P DMA >> >> Other code (such as vfio-pci) depends on 1, without having a hard >> dependency on 2. >> >> A future commit expands the use of DMABUF in vfio-pci for non-P2P >> scenarios, relying on pcim_p2pdma_provider() always being present. If >> that depended on CONFIG_PCI_P2PDMA, it would make vfio-pci only >> available if CONFIG_ZONE_DEVICE is present (e.g. 64-bit systems), even >> when P2P is not needed. >> >> To resolve this, introduce CONFIG_PCI_P2PDMA_CORE which contains the >> basic provider functionality to make it available even if the >> CONFIG_PCI_P2PDMA feature is disabled or unavailable due to >> !CONFIG_ZONE_DEVICE. Users such as vfio-pci can enable their own P2P >> features based off the original CONFIG_PCI_P2PDMA (available when >> CONFIG_ZONE_DEVICE is set). >> >> Signed-off-by: Matt Evans <mattev(a)meta.com> > > Largely this looks good to me. I have one minor nit below that you can > apply or not. Either way, feel free to add: > > Reviewed-by: Logan Gunthorpe <logang(a)deltatee.com> > > >> static void pci_p2pdma_release(void *data) >> { >> struct pci_dev *pdev = data; >> @@ -241,11 +251,13 @@ static void pci_p2pdma_release(void *data) >> synchronize_rcu(); >> xa_destroy(&p2pdma->map_types); >> >> +#ifdef CONFIG_PCI_P2PDMA >> if (!p2pdma->pool) >> return; >> >> gen_pool_destroy(p2pdma->pool); >> sysfs_remove_group(&pdev->dev.kobj, &p2pmem_group); >> +#endif >> } > > I'm personally not a fan of adding #ifdefs inside functions like this. > This instance is small and easy to understand, but it can quickly become > a bit of a mess if we start adding more features. I probably would have > created a pci_p2pdma_release_pool() helper which does the inverse of > pci_p2pdma_setup_pool(), it would be called in pci_p2pdma_release() and > an empty implementation would be provided in the case where > CONFIG_PCI_P2PDMA is not set. That's cleaner, I'll do that. Thanks for the review. Matt

3 days, 2 hours

Basketball Stars: Rule the Court and Become the MVP

by joeytribuani0＠gmail.com

Basketball Stars is the perfect game for anyone who loves fast-paced street basketball action! From smooth dribble moves and ankle-breaking crossovers to clutch shots and powerful dunks, every match feels intense and competitive. The game’s easy controls make it simple to start playing, but mastering the timing, defense, and shooting mechanics takes real skill. Whether you’re playing quick one-on-one matches or climbing the ranked leaderboard, Basketball Stars keeps every game exciting. One of the best parts is the character customization. You can unlock new outfits, courts, basketballs, and upgrades to create your own unique style on the court. Playing against real opponents online also adds a fun challenge because every player has a different strategy. If you enjoy basketball games with arcade-style gameplay and nonstop action, Basketball Stars is definitely worth checking out. Step onto the court and show everyone who the real MVP is! WEB: https://basketballstars2026.io

3 days, 10 hours

Geometry Dash Lite – A Challenging Rhythm Game That Keeps Players Hooked

by christabbati＠gmail.com

Mobile games come and go, but some titles remain popular for years because of their addictive gameplay and unique style. One of those games is Geometry Dash Lite, the free version of the famous rhythm-based platformer developed by RobTop Games. Even with its simple controls and minimalist design, the game continues to attract millions of players worldwide. Easy to Play, Difficult to Master The gameplay of Geometry Dash Lite is very straightforward. Players control a geometric icon that automatically moves forward through obstacle-filled levels. The main objective is to jump at the correct time to avoid spikes, traps, and dangerous platforms. The controls only require a single tap or click, making the game easy for anyone to pick up. However, the real challenge comes from mastering timing and memorizing level patterns. One small mistake sends you back to the beginning, which can be frustrating but also highly motivating. Rhythm and Music Create the Experience What truly makes Geometry Dash Lite stand out is its connection between gameplay and music. Every level is synchronized with energetic electronic soundtracks that guide the player through obstacles and jumps. The rhythm helps create a fast-paced and immersive experience that feels both exciting and satisfying. As the music intensifies, so does the gameplay. Players must stay focused and react quickly to survive increasingly difficult sections. Colorful Graphics and Creative Design Although the game uses simple geometric visuals, the design is stylish and memorable. Bright neon colors, smooth animations, and creative level layouts give each stage its own personality. Different gameplay mechanics are introduced as players progress, keeping the experience fresh and challenging. Why Players Keep Coming Back One of the biggest strengths of Geometry Dash Lite is the sense of achievement it provides. Completing a difficult level after dozens of failed attempts feels incredibly rewarding. This balance between frustration and satisfaction is what makes the game so addictive. The game is also perfect for short gaming sessions, allowing players to quickly retry levels and improve their skills over time. Final Thoughts Geometry Dash Lite proves that a game does not need complicated mechanics or realistic graphics to become successful. Its combination of rhythm-based gameplay, challenging obstacles, and energetic music creates an experience that is simple, fun, and highly addictive. Whether you are a beginner looking for a fun mobile game or a competitive player seeking a difficult challenge, Geometry Dash Lite offers an exciting adventure that is hard to put down. SITE: https://geometrylite22.io

3 days, 14 hours

[PATCH v14 0/6] rust: drm: gem: shmem: Add sg_table() function

by Lyude Paul

(was previously Rust bindings for gem shmem) Most of this patch series has already been pushed upstream, this is just the second half of the patch series that has not been pushed yet + some additional changes which were required to implement changes requested by the mailing list. This patch series is originally from Asahi, previously posted by Daniel Almeida. The previous version of the patch series can be found here: https://patchwork.freedesktop.org/series/164580/ Branch with patches applied available here: https://gitlab.freedesktop.org/lyudess/linux/-/commits/rust/gem-shmem This patch series applies on top of drm-rust-next with the following dependencies applied: https://lkml.org/lkml/2026/5/26/1960 Lyude Paul (6): rust: faux: Allow retrieving a bound Device rust: gem: shmem: Fix Default implementation for ObjectConfig rust: drm: gem: s/device::Device/Device/ for shmem.rs drm/gem/shmem: Introduce __drm_gem_shmem_free_sgt_locked() rust: drm: gem/shmem: Add DmaResvGuard helper rust: drm: gem: Introduce shmem::Object::sg_table() drivers/gpu/drm/drm_gem_shmem_helper.c | 32 ++- include/drm/drm_gem_shmem_helper.h | 1 + rust/kernel/drm/gem/shmem.rs | 264 +++++++++++++++++++++++-- rust/kernel/faux.rs | 7 +- 4 files changed, 279 insertions(+), 25 deletions(-) base-commit: 2cf1840b0fa7637b6731fd554529f8d57ea34c04 prerequisite-patch-id: c8ade07eec6e9c9e875800b114137c459d362e4e prerequisite-patch-id: dc4f750bc885b867842587b994261f43602bc6a8 -- 2.54.0

3 days, 21 hours

Re: [PATCH] iommufd: take dma_resv lock before dma_buf_unpin() in release path

by Jason Gunthorpe

On Tue, May 26, 2026 at 11:10:34AM +0000, Ankit Soni wrote: > dma_buf_unpin() requires the caller to hold the exporter's dma_resv > lock: > > void dma_buf_unpin(struct dma_buf_attachment *attach) > { > ... > dma_resv_assert_held(dmabuf->resv); > ... > } > > iopt_release_pages() calls dma_buf_unpin() without taking that lock, > so every iommufd_ioas_destroy()/iommufd_ioas_unmap() that releases > the last reference on a DMABUF-backed iopt_pages triggers a WARN. > This was hit while running tools/testing/selftests/iommu/iommufd: Any idea why this is comming up now? Did I run the tests without some kind of debug option to turn on that assertion maybe? Jason

4 days, 6 hours

Navigating the Unpredictable: A Dive into Level Devil

by profound.cheetah.kect＠hidingmail.net

If you’re looking for a fun way to spend an evening, trying an interesting game is a great option—especially one that makes you think, explore, or improve your skills without feeling overwhelming. One example that many players enjoy is Level Devil. Even if you’ve never played before, you can approach it like a puzzle: learn the rules, watch what works, and gradually build confidence as levels start to feel more predictable. https://leveldevilfull.com In this article, I’ll walk you through how to experience a game like Level Devil in a friendly, practical way—focusing on what to do first, how to play, and what habits can make the experience smoother. Gameplay When you start Level Devil, your first goal is simply to understand how the game responds to you. Pay attention to the basics: movement controls, timing, and what happens when you try different approaches. Many players get stuck by rushing. Instead, try a short “experiment run” where your only objective is to learn mechanics—no pressure to win quickly. As you progress, the game tends to reward pattern recognition. Levels may ask you to manage obstacles, plan routes, or react under time constraints. A helpful mindset is to think in small steps: What’s the next safe action? What’s the easiest section to master first? If a section feels difficult, pause and observe. Look for consistent cues—visual hints, recurring enemy behavior, or environmental timing. Often, you don’t need a “perfect” run; you need a reliable one. For another way to explore the experience, some players prefer to review the broader game details here: Level Devil. Tips Start with calm attempts. If you’re on your first run, prioritize learning over scoring. Try not to restart too many times in anger—give yourself time to understand the rhythm of a level. Use “fail data.” Each time you die, ask a simple question: Did I misread timing, misjudge distance, or panic too early? That answer helps you choose a better strategy next attempt. Practice the hardest segment, not the whole level. If the game allows repetition, focus on the portion that blocks you. Clearing smaller checkpoints builds momentum. Keep your controls consistent. Sudden changes in how you press buttons or time actions can make you worse temporarily. Once you find a comfortable method, stick with it for a few attempts. Take breaks when you’re frustrated. A five-minute pause can reset your focus. When you return, you’ll often spot a solution you missed before. Conclusion Playing a game like Level Devil is less about having “elite” reflexes and more about learning the game’s patterns and improving step by step. Start by experimenting, approach challenges with curiosity, and use your failures as feedback. With a calm routine—short sessions, focused practice, and mindful breaks—you can enjoy the puzzle-like satisfaction that makes many levels rewarding.

4 days, 16 hours

[PATCH v3 00/10] Add dmabuf read/write via io_uring

by Pavel Begunkov

The patch set allows to register a dmabuf to an io_uring instance for a specified file and use it with io_uring read / write requests. The infrastructure is not tied to io_uring and there could be more users in the future. A similar idea was attempted some years ago by Keith [1], from where I borrowed a good number of changes, and later was brough up by Tushar and Vishal from Intel. It's an opt-in feature for files, and they need to implement a new file operation to use it. Only NVMe block devices are supported in this series. The user API is built on top of io_uring's "registered buffers", where a dmabuf is registered in a special way, but after it can be used as any other "registered buffer" with IORING_OP_{READ,WRITE}_FIXED requests. It's created via a new file operation and the resulted map is then passed through the I/O stack in a new iterator type. There is some additional infrastructure to bind it all, which also counts requests using a dmabuf map and managing lifetimes, which is used to implement map invalidation. It was tested for GPU <-> NVMe transfers. Also, as it maintains a long-term dma mapping, it helps with the IOMMU cost. The numbers below are for udmabuf reads previously run by Anuj for different IOMMU modes: - STRICT: before = 570 KIOPS, after = 5.01 MIOPS - LAZY: before = 1.93 MIOPS, after = 5.01 MIOPS - PASSTHROUGH: before = 5.01 MIOPS, after = 5.01 MIOPS There are some liburing tests that can serve as an example: git: https://github.com/isilence/liburing.git rw-dmabuf-tests-v3 url: https://github.com/isilence/liburing/tree/rw-dmabuf-tests-v3 [1] https://lore.kernel.org/io-uring/20220805162444.3985535-1-kbusch@fb.com/ v3: - Rework io_uring registration - Move token/map infrastructure code out of blk-mq - Simplify callbacks: remove a separate blk-mq table, which was mostly just forwarding calls (to nvme). - Don't skip dma sync depending on request direction - Fix a couple of hangs - Rename s/dma/dmabuf/ - Other small changes v2: - Don't pass raw dma addresses, wrap it into a driver specific object - Split into two objects: token and map - Implement move_notify Pavel Begunkov (10): file: add callback for creating long-term dmabuf maps iov_iter: add iterator type for dmabuf maps block: move bvec init into __bio_clone block: introduce dma map backed bio type lib: add dmabuf token infrastructure block: forward create_dmabuf_token to drivers nvme-pci: implement dma_token backed requests io_uring/rsrc: introduce buf registration structure io_uring/rsrc: extend buffer update io_uring/rsrc: add dmabuf backed registered buffers block/bio.c | 28 +++- block/blk-merge.c | 14 ++ block/blk.h | 3 +- block/fops.c | 16 ++ drivers/nvme/host/pci.c | 282 ++++++++++++++++++++++++++++++++ include/linux/bio.h | 19 ++- include/linux/blk-mq.h | 9 + include/linux/blk_types.h | 8 +- include/linux/fs.h | 2 + include/linux/io_dmabuf_token.h | 92 +++++++++++ include/linux/io_uring_types.h | 5 + include/linux/uio.h | 11 ++ include/uapi/linux/io_uring.h | 31 +++- io_uring/io_uring.c | 3 +- io_uring/rsrc.c | 266 +++++++++++++++++++++++++----- io_uring/rsrc.h | 30 +++- io_uring/rw.c | 4 +- lib/Kconfig | 4 + lib/Makefile | 2 + lib/io_dmabuf_token.c | 272 ++++++++++++++++++++++++++++++ lib/iov_iter.c | 29 +++- 21 files changed, 1071 insertions(+), 59 deletions(-) create mode 100644 include/linux/io_dmabuf_token.h create mode 100644 lib/io_dmabuf_token.c -- 2.53.0

5 days, 11 hours

[PATCH v2 0/2] arm64: tegra: Enable DMA Support on Tegra194 QSPI

by Aaron Kling via B4 Relay

The reason for this is to properly support the spi nor chip on the Jetson Xavier NX module. Prior to this, it would time out on all transfers and sometimes even trigger a cbb fault, locking up the entire unit. With this, reading and writing to the flash memory works as expected. This also fixes the tegra210-quad spi driver to properly use the dma memory space instead of the spi controllers. Without this, enabling dma on the controllers results in mmu faults. The driver change has only been tested on tegra210 / p3450 and tegra194 / p3518 as that is the only available test platforms. Tegra234 and Tegra241 should also be verified. I have p3766 for tegra234, but the qspi flash memory is firewalled by mb1 on all publicly available bootloaders, and no other spi devices are part of the devkit. --- Changes in v2: - Drop bindings patches - Add patch to use dma memory space instead of the spi controllers when dma is enabled. - Drop iommu properties from final patch - Link to v1: https://lore.kernel.org/r/20260515-tegra194-qspi-iommu-v1-0-57dfb63cd3d6@gm… --- Aaron Kling (2): spi: tegra210-quad: Allocate DMA memory for DMA engine arm64: tegra: Enable DMA Support on Tegra194 QSPI arch/arm64/boot/dts/nvidia/tegra194.dtsi | 4 ++++ drivers/spi/spi-tegra210-quad.c | 29 ++++++++++++++++++----------- 2 files changed, 22 insertions(+), 11 deletions(-) --- base-commit: c1ecb239fa3456529a32255359fc78b69eb9d847 change-id: 20260515-tegra194-qspi-iommu-e4e4644d5fdf Best regards, -- Aaron Kling <webgeek1234(a)gmail.com>

5 days, 12 hours

Jump to page:

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

Linaro-mm-sig