Linaro-mm-sig November 2025

linaro-mm-sig@lists.linaro.org

70 participants
52 discussions

[RFC v2 00/11] Add dmabuf read/write via io_uring

by asml.silence＠gmail.com

The content of this message was lost. It was probably cross-posted to multiple lists and previously handled on another list.

4 months, 1 week

Reasonable maximum signaling timeout for dma_fences

by Christian König

Hi everybody, we have documented here https://www.kernel.org/doc/html/latest/driver-api/dma-buf.html#dma-fence-cr… that dma_fence objects must signal in a reasonable amount of time, but at the same time note that drivers might have a different idea of what reasonable means. Recently I realized that this is actually not a good idea. Background is that the wall clock timeout means that for example the OOM killer might actually wait for this timeout to be able to terminate a process and reclaim the memory used. And this is just an example of how general kernel features might depend on that. Some drivers and fence implementations used 10 seconds and that raised complains by end users. So at least amdgpu recently switched to 2 second which triggered an internal discussion about it. This patch set here now adds a define to the dma_fence header which gives 2 seconds as reasonable amount of time. SW-sync is modified to always taint the kernel (since it doesn't has a timeout), VGEM is switched over to the new define and the scheduler gets a warning and taints the kernel if a driver uses a timeout longer than that. I have not much intention of actually committing the patches (maybe except the SW-sync one), but question is if 2 seconds are reasonable? Regards, Christian.

4 months, 2 weeks

[RFC v2 06/11] nvme-pci: add support for dmabuf reggistration

by asml.silence＠gmail.com

The content of this message was lost. It was probably cross-posted to multiple lists and previously handled on another list.

4 months, 2 weeks

[RFC v2 07/11] nvme-pci: implement dma_token backed requests

by asml.silence＠gmail.com

The content of this message was lost. It was probably cross-posted to multiple lists and previously handled on another list.

4 months, 2 weeks

[PATCH RFC] mm/vmap: map contiguous pages in batches whenever possible

by Barry Song

From: Barry Song <v-songbaohua(a)oppo.com> In many cases, the pages passed to vmap() may include high-order pages—for example, the systemheap often allocates pages in descending order: order 8, then 4, then 0. Currently, vmap() iterates over every page individually—even the pages inside a high-order block are handled one by one. This patch detects high-order pages and maps them as a single contiguous block whenever possible. Another possibility is to implement a new API, vmap_sg(). However, that change seems to be quite large in scope. When vmapping a 128MB dma-buf using the systemheap, this RFC appears to make system_heap_do_vmap() 16× faster: W/ patch: [ 51.363682] system_heap_do_vmap took 2474000 ns [ 53.307044] system_heap_do_vmap took 2469008 ns [ 55.061985] system_heap_do_vmap took 2519008 ns [ 56.653810] system_heap_do_vmap took 2674000 ns W/o patch: [ 8.260880] system_heap_do_vmap took 39490000 ns [ 32.513292] system_heap_do_vmap took 38784000 ns [ 82.673374] system_heap_do_vmap took 40711008 ns [ 84.579062] system_heap_do_vmap took 40236000 ns Cc: Uladzislau Rezki <urezki(a)gmail.com> Cc: Sumit Semwal <sumit.semwal(a)linaro.org> Cc: John Stultz <jstultz(a)google.com> Cc: Maxime Ripard <mripard(a)kernel.org> Signed-off-by: Barry Song <v-songbaohua(a)oppo.com> --- mm/vmalloc.c | 49 +++++++++++++++++++++++++++++++++++++++++++------ 1 file changed, 43 insertions(+), 6 deletions(-) diff --git a/mm/vmalloc.c b/mm/vmalloc.c index 0832f944544c..af2e3e8c052a 100644 --- a/mm/vmalloc.c +++ b/mm/vmalloc.c @@ -642,6 +642,34 @@ static int vmap_small_pages_range_noflush(unsigned long addr, unsigned long end, return err; } +static inline int get_vmap_batch_order(struct page **pages, + unsigned int stride, + int max_steps, + unsigned int idx) +{ + /* + * Currently, batching is only supported in vmap_pages_range + * when page_shift == PAGE_SHIFT. + */ + if (stride != 1) + return 0; + + struct page *base = pages[idx]; + if (!PageHead(base)) + return 0; + + int order = compound_order(base); + int nr_pages = 1 << order; + + if (max_steps < nr_pages) + return 0; + + for (int i = 0; i < nr_pages; i++) + if (pages[idx + i] != base + i) + return 0; + return order; +} + /* * vmap_pages_range_noflush is similar to vmap_pages_range, but does not * flush caches. @@ -655,23 +683,32 @@ int __vmap_pages_range_noflush(unsigned long addr, unsigned long end, pgprot_t prot, struct page **pages, unsigned int page_shift) { unsigned int i, nr = (end - addr) >> PAGE_SHIFT; + unsigned int stride; WARN_ON(page_shift < PAGE_SHIFT); + /* + * Some users may allocate pages from high-order down to order 0. + * We roughly check if the first page is a compound page. If so, + * there is a chance to batch multiple pages together. + */ if (!IS_ENABLED(CONFIG_HAVE_ARCH_HUGE_VMALLOC) || - page_shift == PAGE_SHIFT) + (page_shift == PAGE_SHIFT && !PageCompound(pages[0]))) return vmap_small_pages_range_noflush(addr, end, prot, pages); - for (i = 0; i < nr; i += 1U << (page_shift - PAGE_SHIFT)) { - int err; + stride = 1U << (page_shift - PAGE_SHIFT); + for (i = 0; i < nr; ) { + int err, order; - err = vmap_range_noflush(addr, addr + (1UL << page_shift), + order = get_vmap_batch_order(pages, stride, nr - i, i); + err = vmap_range_noflush(addr, addr + (1UL << (page_shift + order)), page_to_phys(pages[i]), prot, - page_shift); + page_shift + order); if (err) return err; - addr += 1UL << page_shift; + addr += 1UL << (page_shift + order); + i += 1U << (order + page_shift - PAGE_SHIFT); } return 0; -- 2.39.3 (Apple Git-146)

4 months, 2 weeks

[PATCH] dma-buf: heaps: Clear CMA pages with clear_page()

by Linus Walleij

clear_page() translates into memset(*p, 0, PAGE_SIZE) on some architectures, but on the major architectures it will call an optimized assembly snippet so use this instead of open coding a memset(). Signed-off-by: Linus Walleij <linus.walleij(a)linaro.org> --- drivers/dma-buf/heaps/cma_heap.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/dma-buf/heaps/cma_heap.c b/drivers/dma-buf/heaps/cma_heap.c index 0df007111975..9eaff80050f2 100644 --- a/drivers/dma-buf/heaps/cma_heap.c +++ b/drivers/dma-buf/heaps/cma_heap.c @@ -315,7 +315,7 @@ static struct dma_buf *cma_heap_allocate(struct dma_heap *heap, while (nr_clear_pages > 0) { void *vaddr = kmap_local_page(page); - memset(vaddr, 0, PAGE_SIZE); + clear_page(vaddr); kunmap_local(vaddr); /* * Avoid wasting time zeroing memory if the process --- base-commit: 3a8660878839faadb4f1a6dd72c3179c1df56787 change-id: 20251129-dma-buf-heap-clear-page-248bb236e4c4 Best regards, -- Linus Walleij <linus.walleij(a)linaro.org>

4 months, 2 weeks

Re: [PATCH v17 44/47] dept: introduce APIs to set page usage and use subclasses_evt for the usage

by Byungchul Park

On Thu, Oct 02, 2025 at 05:12:44PM +0900, Byungchul Park wrote: > False positive reports have been observed since dept works with the > assumption that all the pages have the same dept class, but the class > should be split since the problematic call paths are different depending > on what the page is used for. > > At least, ones in block device's address_space and ones in regular > file's address_space have exclusively different usages. > > Thus, define usage candidates like: > > DEPT_PAGE_REGFILE_CACHE /* page in regular file's address_space */ > DEPT_PAGE_BDEV_CACHE /* page in block device's address_space */ > DEPT_PAGE_DEFAULT /* the others */ 1. I'd like to annotate a page to DEPT_PAGE_REGFILE_CACHE when the page starts to be associated with a page cache for fs data. 2. And I'd like to annotate a page to DEPT_PAGE_BDEV_CACHE when the page starts to be associated with meta data of fs e.g. super block. 3. Lastly, I'd like to reset the annotated value if any, that has been set in the page, when the page ends the assoication with either page cache or meta block of fs e.g. freeing the page. Can anyone suggest good places in code for the annotation 1, 2, 3? It'd be totally appreciated. :-) Byungchul > Introduce APIs to set each page's usage properly and make sure not to > interact between at least between DEPT_PAGE_REGFILE_CACHE and > DEPT_PAGE_BDEV_CACHE. However, besides the exclusive usages, allow any > other combinations to interact to the other for example: > > PG_locked for DEPT_PAGE_DEFAULT page can wait for PG_locked for > DEPT_PAGE_REGFILE_CACHE page and vice versa. > > PG_locked for DEPT_PAGE_DEFAULT page can wait for PG_locked for > DEPT_PAGE_BDEV_CACHE page and vice versa. > > PG_locked for DEPT_PAGE_DEFAULT page can wait for PG_locked for > DEPT_PAGE_DEFAULT page. > > Signed-off-by: Byungchul Park <byungchul(a)sk.com> > --- > include/linux/dept.h | 31 +++++++++++++++- > include/linux/mm_types.h | 1 + > include/linux/page-flags.h | 76 +++++++++++++++++++++++++++++++++++++- > 3 files changed, 104 insertions(+), 4 deletions(-) > > diff --git a/include/linux/dept.h b/include/linux/dept.h > index 0ac13129f308..fbbc41048fac 100644 > --- a/include/linux/dept.h > +++ b/include/linux/dept.h > @@ -21,8 +21,8 @@ struct task_struct; > #define DEPT_MAX_WAIT_HIST 64 > #define DEPT_MAX_ECXT_HELD 48 > > -#define DEPT_MAX_SUBCLASSES 16 > -#define DEPT_MAX_SUBCLASSES_EVT 2 > +#define DEPT_MAX_SUBCLASSES 24 > +#define DEPT_MAX_SUBCLASSES_EVT 3 > #define DEPT_MAX_SUBCLASSES_USR (DEPT_MAX_SUBCLASSES / DEPT_MAX_SUBCLASSES_EVT) > #define DEPT_MAX_SUBCLASSES_CACHE 2 > > @@ -390,6 +390,32 @@ struct dept_ext_wgen { > unsigned int wgen; > }; > > +enum { > + DEPT_PAGE_DEFAULT = 0, > + DEPT_PAGE_REGFILE_CACHE, /* regular file page cache */ > + DEPT_PAGE_BDEV_CACHE, /* block device cache */ > + DEPT_PAGE_USAGE_NR, /* nr of usages options */ > +}; > + > +#define DEPT_PAGE_USAGE_SHIFT 16 > +#define DEPT_PAGE_USAGE_MASK ((1U << DEPT_PAGE_USAGE_SHIFT) - 1) > +#define DEPT_PAGE_USAGE_PENDING_MASK (DEPT_PAGE_USAGE_MASK << DEPT_PAGE_USAGE_SHIFT) > + > +/* > + * Identify each page's usage type > + */ > +struct dept_page_usage { > + /* > + * low 16 bits : the current usage type > + * high 16 bits : usage type requested to be set > + * > + * Do not apply the type requested immediately but defer until > + * after clearing PG_locked bit of the folio or page e.g. by > + * folio_unlock(). > + */ > + atomic_t type; /* Update and read atomically */ > +}; > + > struct dept_event_site { > /* > * event site name > @@ -562,6 +588,7 @@ extern void dept_hardirqs_off(void); > struct dept_key { }; > struct dept_map { }; > struct dept_ext_wgen { }; > +struct dept_page_usage { }; > struct dept_event_site { }; > > #define DEPT_MAP_INITIALIZER(n, k) { } > diff --git a/include/linux/mm_types.h b/include/linux/mm_types.h > index 5ebc565309af..8ccbb030500c 100644 > --- a/include/linux/mm_types.h > +++ b/include/linux/mm_types.h > @@ -224,6 +224,7 @@ struct page { > struct page *kmsan_shadow; > struct page *kmsan_origin; > #endif > + struct dept_page_usage usage; > struct dept_ext_wgen pg_locked_wgen; > } _struct_page_alignment; > > diff --git a/include/linux/page-flags.h b/include/linux/page-flags.h > index d3c4954c4218..3fd3660ddc6f 100644 > --- a/include/linux/page-flags.h > +++ b/include/linux/page-flags.h > @@ -204,6 +204,68 @@ enum pageflags { > > extern struct dept_map pg_locked_map; > > +static inline int dept_set_page_usage(struct page *p, > + unsigned int new_type) > +{ > + unsigned int type = atomic_read(&p->usage.type); > + > + if (WARN_ON_ONCE(new_type >= DEPT_PAGE_USAGE_NR)) > + return -1; > + > + new_type <<= DEPT_PAGE_USAGE_SHIFT; > +retry: > + new_type &= ~DEPT_PAGE_USAGE_MASK; > + new_type |= type & DEPT_PAGE_USAGE_MASK; > + > + if (!atomic_try_cmpxchg(&p->usage.type, &type, new_type)) > + goto retry; > + > + return 0; > +} > + > +static inline int dept_reset_page_usage(struct page *p) > +{ > + return dept_set_page_usage(p, DEPT_PAGE_DEFAULT); > +} > + > +static inline void dept_update_page_usage(struct page *p) > +{ > + unsigned int type = atomic_read(&p->usage.type); > + unsigned int new_type; > + > +retry: > + new_type = type & DEPT_PAGE_USAGE_PENDING_MASK; > + new_type >>= DEPT_PAGE_USAGE_SHIFT; > + new_type |= type & DEPT_PAGE_USAGE_PENDING_MASK; > + > + /* > + * Already updated by others. > + */ > + if (type == new_type) > + return; > + > + if (!atomic_try_cmpxchg(&p->usage.type, &type, new_type)) > + goto retry; > +} > + > +static inline unsigned long dept_event_flags(struct page *p, bool wait) > +{ > + unsigned int type; > + > + type = atomic_read(&p->usage.type) & DEPT_PAGE_USAGE_MASK; > + > + if (WARN_ON_ONCE(type >= DEPT_PAGE_USAGE_NR)) > + return 0; > + > + /* > + * event > + */ > + if (!wait) > + return 1UL << type; > + > + return (1UL << DEPT_PAGE_DEFAULT) | (1UL << type); > +} > + > /* > * Place the following annotations in its suitable point in code: > * > @@ -214,20 +276,28 @@ extern struct dept_map pg_locked_map; > > static inline void dept_page_set_bit(struct page *p, int bit_nr) > { > + dept_update_page_usage(p); > if (bit_nr == PG_locked) > dept_request_event(&pg_locked_map, &p->pg_locked_wgen); > } > > static inline void dept_page_clear_bit(struct page *p, int bit_nr) > { > + unsigned long evt_f; > + > + evt_f = dept_event_flags(p, false); > if (bit_nr == PG_locked) > - dept_event(&pg_locked_map, 1UL, _RET_IP_, __func__, &p->pg_locked_wgen); > + dept_event(&pg_locked_map, evt_f, _RET_IP_, __func__, &p->pg_locked_wgen); > } > > static inline void dept_page_wait_on_bit(struct page *p, int bit_nr) > { > + unsigned long evt_f; > + > + dept_update_page_usage(p); > + evt_f = dept_event_flags(p, true); > if (bit_nr == PG_locked) > - dept_wait(&pg_locked_map, 1UL, _RET_IP_, __func__, 0, -1L); > + dept_wait(&pg_locked_map, evt_f, _RET_IP_, __func__, 0, -1L); > } > > static inline void dept_folio_set_bit(struct folio *f, int bit_nr) > @@ -245,6 +315,8 @@ static inline void dept_folio_wait_on_bit(struct folio *f, int bit_nr) > dept_page_wait_on_bit(&f->page, bit_nr); > } > #else > +#define dept_set_page_usage(p, t) do { } while (0) > +#define dept_reset_page_usage(p) do { } while (0) > #define dept_page_set_bit(p, bit_nr) do { } while (0) > #define dept_page_clear_bit(p, bit_nr) do { } while (0) > #define dept_page_wait_on_bit(p, bit_nr) do { } while (0) > -- > 2.17.1

4 months, 2 weeks

[PATCH 0/6] dma-fence: Remove return code of dma_fence_signal() et al.

by Philipp Stanner

Barely anyone uses dma_fence_signal()'s (and similar functions') return code. Checking it is pretty much useless anyways, because what are you going to do if a fence was already signal it? Unsignal it and signal it again? ;p Removing the return code simplifies the API and makes it easier for me to sit on top with Rust DmaFence. Philipp Stanner (6): dma-buf/dma-fence: Add dma_fence_test_signaled_flag() amd/amdkfd: Ignore return code of dma_fence_signal() drm/gpu/xe: Ignore dma_fenc_signal() return code dma-buf: Don't misuse dma_fence_signal() drm/ttm: Remove return check of dma_fence_signal() dma-buf/dma-fence: Remove return code of signaling-functions drivers/dma-buf/dma-fence.c | 59 ++++++------------- drivers/dma-buf/st-dma-fence.c | 7 +-- drivers/gpu/drm/amd/amdkfd/kfd_process.c | 5 +- .../gpu/drm/ttm/tests/ttm_bo_validate_test.c | 3 +- drivers/gpu/drm/xe/xe_hw_fence.c | 5 +- include/linux/dma-fence.h | 33 ++++++++--- 6 files changed, 53 insertions(+), 59 deletions(-) -- 2.49.0

4 months, 3 weeks

[PATCH] dma-buf: fix integer overflow in fill_sg_entry() for buffers >= 8GiB

by Alex Mastro

fill_sg_entry() splits large DMA buffers into multiple scatter-gather entries, each holding up to UINT_MAX bytes. When calculating the DMA address for entries beyond the second one, the expression (i * UINT_MAX) causes integer overflow due to 32-bit arithmetic. This manifests when the input arg length >= 8 GiB results in looping for i >= 2. Fix by casting i to dma_addr_t before multiplication. Fixes: 3aa31a8bb11e ("dma-buf: provide phys_vec to scatter-gather mapping routine") Signed-off-by: Alex Mastro <amastro(a)fb.com> --- More color about how I discovered this in [1] for the commit at [2]: [1] https://lore.kernel.org/all/aSZHO6otK0Heh+Qj@devgpu015.cco6.facebook.com [2] https://lore.kernel.org/all/20251120-dmabuf-vfio-v9-6-d7f71607f371@nvidia.c… --- drivers/dma-buf/dma-buf-mapping.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/dma-buf/dma-buf-mapping.c b/drivers/dma-buf/dma-buf-mapping.c index b4819811a64a..b7352e609fbd 100644 --- a/drivers/dma-buf/dma-buf-mapping.c +++ b/drivers/dma-buf/dma-buf-mapping.c @@ -24,7 +24,7 @@ static struct scatterlist *fill_sg_entry(struct scatterlist *sgl, size_t length, * does not require the CPU list for mapping or unmapping. */ sg_set_page(sgl, NULL, 0, 0); - sg_dma_address(sgl) = addr + i * UINT_MAX; + sg_dma_address(sgl) = addr + (dma_addr_t)i * UINT_MAX; sg_dma_len(sgl) = len; sgl = sg_next(sgl); } --- base-commit: 5415d887db0e059920cb5673a32cc4d66daa280f change-id: 20251125-dma-buf-overflow-e3253f108e36 Best regards, -- Alex Mastro <amastro(a)fb.com>

4 months, 3 weeks

Independence for dma_fences! v3

by Christian König

Hi everyone, dma_fences have ever lived under the tyranny dictated by the module lifetime of their issuer, leading to crashes should anybody still holding a reference to a dma_fence when the module of the issuer was unloaded. The basic problem is that when buffer are shared between drivers dma_fence objects can leak into external drivers and stay there even after they are signaled. The dma_resv object for example only lazy releases dma_fences. So what happens is that when the module who originally created the dma_fence unloads the dma_fence_ops function table becomes unavailable as well and so any attempt to release the fence crashes the system. Previously various approaches have been discussed, including changing the locking semantics of the dma_fence callbacks (by me) as well as using the drm scheduler as intermediate layer (by Sima) to disconnect dma_fences from their actual users, but none of them are actually solving all problems. Tvrtko did some really nice prerequisite work by protecting the returned strings of the dma_fence_ops by RCU. This way dma_fence creators where able to just wait for an RCU grace period after fence signaling before they could be save to free those data structures. Now this patch set here goes a step further and protects the whole dma_fence_ops structure by RCU, so that after the fence signals the pointer to the dma_fence_ops is set to NULL when there is no wait nor release callback given. All functionality which use the dma_fence_ops reference are put inside an RCU critical section, except for the deprecated issuer specific wait and of course the optional release callback. Additional to the RCU changes the lock protecting the dma_fence state previously had to be allocated external. This set here now changes the functionality to make that external lock optional and allows dma_fences to use an inline lock and be self contained. This patch set addressed all previous code review comments and is based on drm-tip, includes my changes for amdgpu as well as Mathew's patches for XE. Going to push the core DMA-buf changes to drm-misc-next as soon as I get the appropriate rb. The driver specific changes can go upstream through the driver channels as necessary. Please review and comment, Christian.

4 months, 3 weeks

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

Linaro-mm-sig November 2025