Linaro-mm-sig

linaro-mm-sig@lists.linaro.org

90 participants
7021 discussions

Re: [PATCH v3 7/9] vfio/pci: Support mmap() of a VFIO DMABUF

by Pranjal Shrivastava

On Wed, Jun 10, 2026 at 04:43:21PM +0100, Matt Evans wrote: Hi Matt, [...] > + * > + * With the goal of taking vdev->memory_lock in a world where > + * vdev might not still exist: > + * > + * 1. Take the resv lock on the DMABUF: > + * - If racing cleanup got in first, the buffer is revoked; > + * stop/exit if so. > + * - If we got in first, the buffer is not revoked so vdev is > + * non-NULL, accessible, and cleanup _has not yet put the > + * VFIO device registration_. So, the device refcount must > + * be >0. > + * > + * 2. Take vfio_device registration (refcount guaranteed >0 > + * hereafter). > + * > + * 3. Unlock the DMABUF's resv lock: > + * - A racing cleanup can now complete. > + * - But, the device refcount >0, meaning the vfio_device > + * (and vfio_pcie_core device vdev) have not yet been > + * freed. vdev is accessible, even if the DMABUF has been > + * revoked or cleanup has happened, because > + * vfio_unregister_group_dev() can't complete. > + * > + * 4. Take the vdev->memory_lock > + * - Either the DMABUF is usable, or has been cleaned up. > + * Whichever, it can no longer change under us. > + * - Test the DMABUF revocation status again: if it was > + * revoked between 1 and 4 return a SIGBUS. Otherwise, > + * return a PFN. > + * - It's not necessary to also take the resv lock, because > + * the status/vdev can't change while memory_lock is held. > + * > + * 5. Unlock, done. > */ > + > + dma_resv_lock(priv->dmabuf->resv, NULL); > + > + if (priv->revoked) { > + pr_debug_ratelimited("%s VA 0x%lx, pgoff 0x%lx: DMABUF revoked/cleaned up\n", > + __func__, vmf->address, vma->vm_pgoff); > + dma_resv_unlock(priv->dmabuf->resv); > + return VM_FAULT_SIGBUS; > + } > + > + /* If the buffer isn't revoked, vdev is valid */ > vdev = priv->vdev; > > + if (!vfio_device_try_get_registration(&vdev->vdev)) { > + /* > + * If vdev != NULL (above), the registration should > + * already be >0 and so this try_get should never > + * fail. > + */ > + dev_warn(&vdev->pdev->dev, "%s: Unexpected registration failure\n", > + __func__); > + dma_resv_unlock(priv->dmabuf->resv); > + return VM_FAULT_SIGBUS; > + } > + dma_resv_unlock(priv->dmabuf->resv); > + > scoped_guard(rwsem_read, &vdev->memory_lock) { > + /* Revocation status must be re-read, under memory_lock */ > if (!priv->revoked) { > int pres = vfio_pci_dma_buf_find_pfn(priv, vma, > vmf->address, Wait, I noticed that the is_aligned_for_order() check from mainline was removed here. Was that intentional? For hugepage faults (order > 0), we must ensure the PFN and address are properly aligned before calling vfio_pci_vmf_insert_pfn(). In the current upstream code, we have: if (is_aligned_for_order(vma, addr, pfn, order)) Should we restore that check here? > @@ -1766,6 +1827,7 @@ static vm_fault_t vfio_pci_mmap_huge_fault(struct vm_fault *vmf, > __func__, order, pfn, vmf->address, > vma->vm_pgoff, (unsigned int)ret); > > + vfio_device_put_registration(&vdev->vdev); > return ret; > } > > @@ -1774,7 +1836,7 @@ static vm_fault_t vfio_pci_mmap_page_fault(struct vm_fault *vmf) > return vfio_pci_mmap_huge_fault(vmf, 0); > } > > -static const struct vm_operations_struct vfio_pci_mmap_ops = { > +const struct vm_operations_struct vfio_pci_mmap_ops = { > .fault = vfio_pci_mmap_page_fault, Nit: Instead of making this global, should we add a helper? E.g.: void vfio_pci_set_vma_ops(struct vm_area_struct *vma) { vma->vm_ops = &vfio_pci_mmap_ops; } [...] > + > +static int vfio_pci_dma_buf_mmap(struct dma_buf *dmabuf, struct vm_area_struct *vma) > +{ > + struct vfio_pci_dma_buf *priv = dmabuf->priv; > + > + /* > + * If we observe that the buffer is revoked now then refuse > + * the mmap(). This is a belt-and-braces early failure to > + * ease debugging a revoked buffer being used. Userspace > + * might also race an mmap() against an explicit revocation, > + * or an action doing a temporary revoke; race scenarios are > + * still safe because the fault handler ultimately prevents > + * access to a revoked buffer if it isn't caught here. > + */ > + if (READ_ONCE(priv->revoked)) > + return -ENODEV; > + if ((vma->vm_flags & VM_SHARED) == 0) > + return -EINVAL; > + > + /* > + * dma_buf_mmap_internal() has asserted that the VMA is > + * contained within the DMABUF size before calling this. > + */ > + > + vma->vm_page_prot = pgprot_noncached(vma->vm_page_prot); > + vma->vm_page_prot = pgprot_decrypted(vma->vm_page_prot); > + > + /* See comments in vfio_pci_core_mmap() re VM_ALLOW_ANY_UNCACHED. */ > + vm_flags_set(vma, VM_ALLOW_ANY_UNCACHED | VM_IO | VM_PFNMAP | > + VM_DONTEXPAND | VM_DONTDUMP); > + vma->vm_private_data = priv; > + vma->vm_ops = &vfio_pci_mmap_ops; > + > + return 0; > +} > #endif /* CONFIG_VFIO_PCI_DMABUF */ > Thanks, Praan

1 week

Re: [PATCH v3 4/9] vfio/pci: Convert BAR mmap() to use a DMABUF

by Pranjal Shrivastava

On Fri, Jun 12, 2026 at 04:22:12PM +0100, Matt Evans wrote: > Hi Pranjal, > > On 12/06/2026 11:41, Pranjal Shrivastava wrote: > > On Wed, Jun 10, 2026 at 04:43:18PM +0100, Matt Evans wrote: > >> Convert the VFIO device fd fops->mmap to create a DMABUF representing > >> the BAR mapping, and make the VMA fault handler look up PFNs from the > >> corresponding DMABUF. This supports future code mmap()ing BAR > >> DMABUFs, and iommufd work to support Type1 P2P. > >> > >> First, vfio_pci_core_mmap() uses the new > >> vfio_pci_core_mmap_prep_dmabuf() helper to export a DMABUF > >> representing a single BAR range. Then, the vfio_pci_mmap_huge_fault() > >> callback is updated to understand revoked buffers, and uses the new > >> vfio_pci_dma_buf_find_pfn() helper to determine the PFN for a given > >> fault address. > >> > >> Now that the VFIO DMABUFs can be mmap()ed, vfio_pci_dma_buf_move() > >> zaps PTEs (used on the revocation and cleanup paths). > >> > >> CONFIG_VFIO_PCI_CORE now unconditionally depends on > >> CONFIG_DMA_SHARED_BUFFER and CONFIG_PCI_P2PDMA_CORE. The > >> CONFIG_VFIO_PCI_DMABUF feature conditionally includes support for > >> VFIO_DEVICE_FEATURE_DMA_BUF, depending on the availability of > >> CONFIG_PCI_P2PDMA. > >> > >> Signed-off-by: Matt Evans <matt(a)ozlabs.org> > >> --- > >> drivers/vfio/pci/Kconfig | 5 +- > >> drivers/vfio/pci/Makefile | 3 +- > >> drivers/vfio/pci/vfio_pci_core.c | 75 +++++++++++++++++++----------- > >> drivers/vfio/pci/vfio_pci_dmabuf.c | 12 +++++ > >> drivers/vfio/pci/vfio_pci_priv.h | 11 +---- > >> 5 files changed, 67 insertions(+), 39 deletions(-) Hi Matt, [...] > >> int vfio_pci_core_mmap_prep_dmabuf(struct vfio_pci_core_device *vdev, > >> struct vm_area_struct *vma, > >> @@ -532,6 +538,10 @@ void vfio_pci_dma_buf_move(struct vfio_pci_core_device *vdev, bool revoked) > >> struct vfio_pci_dma_buf *tmp; > >> > >> lockdep_assert_held_write(&vdev->memory_lock); > >> + /* > >> + * Holding memory_lock ensures a racing VMA fault observes > >> + * priv->revoked properly. > >> + */ > > > > Nit: This comment should appear before the lockdep_assert_held_write() > > Also, it is slightly verbose.. (not against it though). > > Right, I'll move it. Agree it's wordy but if anyone changes that I want > them to "think faulthandler". > That's fair I guess. > >> list_for_each_entry_safe(priv, tmp, &vdev->dmabufs, dmabufs_elm) { > >> if (!get_file_active(&priv->dmabuf->file)) > >> @@ -549,6 +559,8 @@ void vfio_pci_dma_buf_move(struct vfio_pci_core_device *vdev, bool revoked) > >> if (revoked) { > >> kref_put(&priv->kref, vfio_pci_dma_buf_done); > >> wait_for_completion(&priv->comp); > >> + unmap_mapping_range(priv->dmabuf->file->f_mapping, > >> + 0, priv->size, 1); > > > > Have we run this series with lockdep enabled? > > I guess it'd be nice to check with lockdep once.. > > I've (generally) always run testing of this series with lockdep. (No > issues (anymore).) That sounds good! Thanks for confirming! :) Praan

1 week

[PATCH v21 0/4] Rust bindings for gem shmem

by Lyude Paul

Most of this patch series has already been pushed upstream, this is just the second half of the patch series that has not been pushed yet + some additional changes which were required to implement changes requested by the mailing list. This patch series is originally from Asahi, previously posted by Daniel Almeida. The previous version of the patch series can be found here: https://patchwork.freedesktop.org/series/164580/ Branch with patches applied available here: https://gitlab.freedesktop.org/lyudess/linux/-/commits/rust/gem-shmem This patch series applies on top of drm-rust-next Patch-series wide changes since V15: * Fix some major rebasing errors I somehow didn't notice :( * Drop the dependency on LazyInit, use the trick that Alice suggested instead. * Fix dependency ordering so that Tyr can get the vmap stuff first without the other bits. Patch-series wide changes since V16: * Fix ordering one more time (SetOnce::reset() doesn't need to come before adding vmap functions) * Rebase against the latest DeviceContext changes from me that got pushed. Patch-series wide changes since V20: * Lots of Sashiko fixes, excluding the comments that I couldn't prove weren't just bogus. Lyude Paul (4): rust: drm: gem: shmem: Add DmaResvGuard helper rust: drm: gem: shmem: Add vmap functions rust: faux: Allow retrieving a bound Device rust: drm: gem: Introduce shmem::Object::sg_table() rust/kernel/drm/gem/shmem.rs | 547 ++++++++++++++++++++++++++++++++++- rust/kernel/faux.rs | 18 +- 2 files changed, 549 insertions(+), 16 deletions(-) base-commit: 550dc7536644db2d67c6f8cf525bba682fba08d9 -- 2.54.0

1 week

[PATCH v20 0/4] Rust bindings for gem shmem

by Lyude Paul

Most of this patch series has already been pushed upstream, this is just the second half of the patch series that has not been pushed yet + some additional changes which were required to implement changes requested by the mailing list. This patch series is originally from Asahi, previously posted by Daniel Almeida. The previous version of the patch series can be found here: https://patchwork.freedesktop.org/series/164580/ Branch with patches applied available here: https://gitlab.freedesktop.org/lyudess/linux/-/commits/rust/gem-shmem This patch series applies on top of drm-rust-next Patch-series wide changes since V15: * Fix some major rebasing errors I somehow didn't notice :( * Drop the dependency on LazyInit, use the trick that Alice suggested instead. * Fix dependency ordering so that Tyr can get the vmap stuff first without the other bits. Patch-series wide changes since V16: * Fix ordering one more time (SetOnce::reset() doesn't need to come before adding vmap functions) * Rebase against the latest DeviceContext changes from me that got pushed. Patch-series wide changes since V20: * Lots of Sashiko fixes, excluding the comments that I couldn't prove weren't just bogus. Lyude Paul (4): rust: drm: gem: shmem: Add DmaResvGuard helper rust: drm: gem: shmem: Add vmap functions rust: faux: Allow retrieving a bound Device rust: drm: gem: Introduce shmem::Object::sg_table() rust/kernel/drm/gem/shmem.rs | 546 ++++++++++++++++++++++++++++++++++- rust/kernel/faux.rs | 16 +- 2 files changed, 546 insertions(+), 16 deletions(-) base-commit: 848bf57e98e1678ce7a49eb4e0bf0502da95dc07 -- 2.54.0

1 week

Re: [PATCH v3 2/9] vfio/pci: Add a helper to look up PFNs for DMABUFs

by Pranjal Shrivastava

On Wed, Jun 10, 2026 at 04:43:16PM +0100, Matt Evans wrote: > Add vfio_pci_dma_buf_find_pfn(), which a VMA fault handler can use to > find a PFN. > > This supports multi-range DMABUFs, which typically would be used to > represent scattered spans but might even represent overlapping or > aliasing spans of PFNs. > > Because this is intended to be used in vfio_pci_core.c, we also need > to expose the struct vfio_pci_dma_buf in the vfio_pci_priv.h header. > > Signed-off-by: Matt Evans <matt(a)ozlabs.org> > --- > drivers/vfio/pci/vfio_pci_dmabuf.c | 137 ++++++++++++++++++++++++++--- > drivers/vfio/pci/vfio_pci_priv.h | 20 +++++ > 2 files changed, 144 insertions(+), 13 deletions(-) > > diff --git a/drivers/vfio/pci/vfio_pci_dmabuf.c b/drivers/vfio/pci/vfio_pci_dmabuf.c > index c16f460c01d6..9e5e865f6fb6 100644 > --- a/drivers/vfio/pci/vfio_pci_dmabuf.c > +++ b/drivers/vfio/pci/vfio_pci_dmabuf.c > @@ -9,19 +9,6 @@ > > MODULE_IMPORT_NS("DMA_BUF"); > > -struct vfio_pci_dma_buf { > - struct dma_buf *dmabuf; > - struct vfio_pci_core_device *vdev; > - struct list_head dmabufs_elm; > - size_t size; > - struct phys_vec *phys_vec; > - struct p2pdma_provider *provider; > - u32 nr_ranges; > - struct kref kref; > - struct completion comp; > - u8 revoked : 1; > -}; > - > static int vfio_pci_dma_buf_attach(struct dma_buf *dmabuf, > struct dma_buf_attachment *attachment) > { > @@ -106,6 +93,130 @@ static const struct dma_buf_ops vfio_pci_dmabuf_ops = { > .release = vfio_pci_dma_buf_release, > }; > > +int vfio_pci_dma_buf_find_pfn(struct vfio_pci_dma_buf *priv, > + struct vm_area_struct *vma, > + unsigned long address, Nit: s/address/fault_addr ? > + unsigned int order, > + unsigned long *out_pfn) > +{ > + /* > + * Given a VMA (start, end, pgoffs) and a fault address, > + * search the corresponding DMABUF's phys_vec[] to find the > + * range representing the address's offset into the VMA, and > + * its PFN. > + * > + * The phys_vec[] ranges represent contiguous spans of VAs > + * upwards from the buffer offset 0; the actual PFNs might be > + * in any order, overlap/alias, etc. Calculate an offset of > + * the desired page given VMA start/pgoff and address, then > + * search upwards from 0 to find which span contains it. > + * > + * On success, a valid PFN for a page sized by 'order' is > + * returned into out_pfn. > + * > + * Failure occurs if: > + * - The page would cross the edge of the VMA > + * - The page isn't entirely contained within a range > + * - We find a range, but the final PFN isn't aligned to the > + * requested order. > + * > + * (Upon failure, the caller is expected to try again with a > + * smaller order; the tests above will always succeed for > + * order=0 as the limit case.) > + * > + * It's suboptimal if DMABUFs are created with neigbouring > + * ranges that are physically contiguous, since hugepages > + * can't straddle range boundaries. (The construction of the > + * ranges vector should merge such ranges.) > + * > + * Finally, vma_pgoff_adjust is used for a DMABUF representing > + * a VFIO BAR mmap, which is created from the start of the > + * offset region. > + */ > + > + const unsigned long pagesize = PAGE_SIZE << order; > + unsigned long vma_off = ((vma->vm_pgoff - priv->vma_pgoff_adjust) << > + PAGE_SHIFT) & VFIO_PCI_OFFSET_MASK; > + unsigned long rounded_page_addr = ALIGN_DOWN(address, pagesize); > + unsigned long rounded_page_end = rounded_page_addr + pagesize; > + unsigned long page_buf_offset; > + unsigned long page_buf_offset_end; > + unsigned long range_buf_offset = 0; > + unsigned int i; > + > + if (rounded_page_addr < vma->vm_start || rounded_page_end > vma->vm_end) { > + if (order > 0) > + return -EAGAIN; > + > + /* A fault address outside of the VMA is absurd. */ > + WARN(1, "Fault addr 0x%lx outside VMA 0x%lx-0x%lx\n", > + address, vma->vm_start, vma->vm_end); This could flood dmesg if triggered repeatedly by userspace :( Since a fault outside the VMA is an invalid access that already results in a SIGBUS, we could probably avoid the WARN here? Perhaps pr_warn_ratelimited() should suffice? > + return -EFAULT; > + } > + > + /* > + * page_buff_offset[_end] is the span of DMABUF offsets > + * corresponding to the faulting page: > + */ > + if (unlikely(check_add_overflow(rounded_page_addr - vma->vm_start, > + vma_off, &page_buf_offset) || > + check_add_overflow(page_buf_offset, pagesize, > + &page_buf_offset_end))) > + return -EFAULT; > + > + for (i = 0; i < priv->nr_ranges; i++) { > + size_t range_len = priv->phys_vec[i].len; > + phys_addr_t range_start = priv->phys_vec[i].paddr; > + > + /* > + * If the current range starts after the page's span, > + * this and any future range won't match. Bail early. > + */ > + if (page_buf_offset_end <= range_buf_offset) > + break; > + > + if (page_buf_offset >= range_buf_offset && > + page_buf_offset_end <= range_buf_offset + range_len) { > + /* > + * The faulting page is wholly contained > + * within the span represented by the range. > + * Validate PFN alignment for the order: > + */ > + unsigned long pfn = (range_start + page_buf_offset - > + range_buf_offset) / PAGE_SIZE; Minor nit: I'm aware that decent compilers convert pow(2) divides to >> However, we seem to be using `>> PAGE_SHIFT` across vfio-pci. E.g.: return (pci_resource_start(vdev->pdev, index) >> PAGE_SHIFT) + pgoff; unsigned long pgoff = (addr - vma->vm_start) >> PAGE_SHIFT; Let's consider using the same pattern? > + > + if (IS_ALIGNED(pfn, 1 << order)) { > + *out_pfn = pfn; > + return 0; > + } > + /* Retry with smaller order */ > + return -EAGAIN; > + } > + range_buf_offset += range_len; > + } > + > + /* > + * A hugepage straddling a range boundary will fail to match a > + * range, but the address will (eventually) match when retried > + * with a smaller page. > + */ > + if (order > 0) > + return -EAGAIN; > + > + /* > + * If we get here, the address fell outside of the span > + * represented by the (concatenated) ranges. Setup of a Nit: double space before "Setup" and "But" below. > + * mapping must ensure that the VMA is <= the total size of > + * the ranges, so this should never happen. But, if it does, > + * force SIGBUS for the access and warn. > + */ > + WARN_ONCE(1, "No range for addr 0x%lx, order %d: VMA 0x%lx-0x%lx pgoff 0x%lx, %u ranges, size 0x%zx\n", > + address, order, vma->vm_start, vma->vm_end, vma->vm_pgoff, > + priv->nr_ranges, priv->size); > + > + return -EFAULT; The fall-through logic at the end feels a bit redundant. If we've exhausted the phys_vec list without finding a match, returning -EAGAIN for order > 0 seems like the correct fallback behavior. However, the subsequent WARN_ONCE for the order == 0 seems unnecessary? An out-of-bounds access is an error that should simply return -EFAULT (converting to SIGBUS) without polluting the kernel log with stackdumps? Can we instead convert this to a pr_warn or something? Something like: ret = order ? -EAGAIN : -EFAULT; if (ret == -EFAULT) pr_warn_ratelimited("No range for addr 0x%lx...\n", address); return ret; (with appropriate comments) Thanks, Praan

1 week

Re: [PATCH v3 0/9] vfio/pci: Add mmap() for DMABUFs

by Pranjal Shrivastava

On Fri, Jun 12, 2026 at 04:11:50PM +0100, Matt Evans wrote: > Hi Kevin, > > On 12/06/2026 09:27, Tian, Kevin wrote: > >> From: Matt Evans <matt(a)ozlabs.org> > >> Sent: Wednesday, June 10, 2026 11:43 PM > >> > > [...] > >> > >> vfio/pci: Support mmap() of a VFIO DMABUF > >> > >> Adds mmap() for a DMABUF fd exported from vfio-pci. > >> > >> It was a goal to keep the VFIO device fd lifetime behaviour > >> unchanged with respect to the DMABUFs. An application can close > >> all device fds, and this will revoke/clean up all DMABUFs; no > >> mappings or other access can be performed now. When enabling > >> mmap() of the DMABUFs, this means access through the VMA is also > >> revoked. This complicates the fault handler because whilst the > >> DMABUF exists, it has no guarantee that the corresponding VFIO > >> device is still alive. Adds synchronisation ensuring the vdev is > >> available before vdev->memory_lock is touched; this holds the > >> device registration so that even if the buffer has been cleaned up, > >> vdev hasn't been freed and so the lock can be safely taken. > >> > >> This commit makes VFIO_PCI_CORE depend on PCI_P2PDMA_CORE > >> (commit > >> 1) to bring in (only) the P2PDMA provider code. > > > > the last sentence is stale as the dependency is now added in patch4. > > Right, will fix. > > >> > >> End > >> === > >> > >> This is based on VFIO next (e.g. at b9285405c5f6). > >> > > > > Sashiko failed to apply this series. Is there dependent work in vfio-next? > > > > otherwise getting a Sashiko review is helpful here. > > It _did_ depend on (at least the context of) some fixes in vfio-next. > Looks like it'll rebase on master now those are merged. I should've > re-checked this for v3, oops. :| > > (FWIW, I had Robot Claude Opus 4.8 to review several times up to v3. > But I agree, Sashiko would be interesting too. Can it be manually > triggered with branch guidance?) I guess relevant steps to run locally are here: https://github.com/sashiko-dev/sashiko/blob/main/README.md Additionally, we can try providing a base-commit (which points to a public commit). Thanks, Praan

1 week

Re: [PATCH v3 5/9] vfio/pci: Provide a user-facing name for BAR mappings

by Pranjal Shrivastava

On Wed, Jun 10, 2026 at 04:43:19PM +0100, Matt Evans wrote: > Since converting BAR mmap()s to using DMABUFs, we lose the original > device path in /proc/<pid>/maps, lsof, etc. Generate a debug-oriented > synthetic 'filename' based on the cdev, plus BDF, plus resource index. > > This applies only to BAR mappings via the VFIO device fd, as > explicitly-exported DMABUFs are named by userspace via the > DMA_BUF_SET_NAME ioctl. > > Signed-off-by: Matt Evans <matt(a)ozlabs.org> > --- > drivers/vfio/pci/vfio_pci_dmabuf.c | 27 +++++++++++++++++++++++++-- > 1 file changed, 25 insertions(+), 2 deletions(-) > > diff --git a/drivers/vfio/pci/vfio_pci_dmabuf.c b/drivers/vfio/pci/vfio_pci_dmabuf.c > index 2fd3629789bf..8f7f1b909b94 100644 > --- a/drivers/vfio/pci/vfio_pci_dmabuf.c > +++ b/drivers/vfio/pci/vfio_pci_dmabuf.c > @@ -4,6 +4,7 @@ > #include <linux/dma-buf-mapping.h> > #include <linux/pci-p2pdma.h> > #include <linux/dma-resv.h> > +#include <uapi/linux/dma-buf.h> > > #include "vfio_pci_priv.h" > > @@ -470,6 +471,7 @@ int vfio_pci_core_mmap_prep_dmabuf(struct vfio_pci_core_device *vdev, > { > struct vfio_pci_dma_buf *priv; > unsigned long vma_pgoff = vma->vm_pgoff & (VFIO_PCI_OFFSET_MASK >> PAGE_SHIFT); > + char *bufname; > int ret; > > priv = kzalloc_obj(*priv); > @@ -482,6 +484,20 @@ int vfio_pci_core_mmap_prep_dmabuf(struct vfio_pci_core_device *vdev, > goto err_free_priv; > } > > + bufname = kzalloc(DMA_BUF_NAME_LEN, GFP_KERNEL); > + if (!bufname) { > + ret = -ENOMEM; > + goto err_free_phys; > + } > + > + /* > + * Maximum size of the friendly debug name is > + * vfio1234567890:ffff:ff:3f.7/5 = 30, which fits within > + * DMA_BUF_NAME_LEN. > + */ > + snprintf(bufname, DMA_BUF_NAME_LEN, "%s:%s/%x", > + dev_name(&vdev->vdev.device), pci_name(vdev->pdev), res_index); > + Nit: Could we instead use: bufname = kasprintf(GFP_KERNEL, "%s:%s/%x", dev_name(&vdev->vdev.device), pci_name(vdev->pdev), res_index); if (!bufname) ret = -ENOMEM; [...] > /* > * The DMABUF begins from the mmap()'s BAR offset, i.e. the > * start of the VMA corresponds to byte 0 of the DMABUF and > @@ -500,7 +516,7 @@ int vfio_pci_core_mmap_prep_dmabuf(struct vfio_pci_core_device *vdev, > priv->provider = pcim_p2pdma_provider(vdev->pdev, res_index); > if (!priv->provider) { > ret = -EINVAL; > - goto err_free_phys; > + goto err_free_name; > } > > priv->phys_vec[0].paddr = phys_start + ((u64)vma_pgoff << PAGE_SHIFT); > @@ -508,7 +524,7 @@ int vfio_pci_core_mmap_prep_dmabuf(struct vfio_pci_core_device *vdev, > > ret = vfio_pci_dmabuf_export(vdev, priv, O_CLOEXEC | O_RDWR); > if (ret) > - goto err_free_phys; > + goto err_free_name; > > /* > * Ownership of the DMABUF file transfers to the VMA so that > @@ -523,8 +539,15 @@ int vfio_pci_core_mmap_prep_dmabuf(struct vfio_pci_core_device *vdev, > vma->vm_file = priv->dmabuf->file; > vma->vm_private_data = priv; > > + spin_lock(&priv->dmabuf->name_lock); > + kfree(priv->dmabuf->name); > + priv->dmabuf->name = bufname; > + spin_unlock(&priv->dmabuf->name_lock); > + > return 0; > > +err_free_name: > + kfree(bufname); > err_free_phys: > kfree(priv->phys_vec); > err_free_priv: Apart from that, Reviewed-by: Pranjal Shrivastava <praan(a)google.com> Thanks, Praan

1 week

Re: [PATCH v3 4/9] vfio/pci: Convert BAR mmap() to use a DMABUF

by Pranjal Shrivastava

On Wed, Jun 10, 2026 at 04:43:18PM +0100, Matt Evans wrote: > Convert the VFIO device fd fops->mmap to create a DMABUF representing > the BAR mapping, and make the VMA fault handler look up PFNs from the > corresponding DMABUF. This supports future code mmap()ing BAR > DMABUFs, and iommufd work to support Type1 P2P. > > First, vfio_pci_core_mmap() uses the new > vfio_pci_core_mmap_prep_dmabuf() helper to export a DMABUF > representing a single BAR range. Then, the vfio_pci_mmap_huge_fault() > callback is updated to understand revoked buffers, and uses the new > vfio_pci_dma_buf_find_pfn() helper to determine the PFN for a given > fault address. > > Now that the VFIO DMABUFs can be mmap()ed, vfio_pci_dma_buf_move() > zaps PTEs (used on the revocation and cleanup paths). > > CONFIG_VFIO_PCI_CORE now unconditionally depends on > CONFIG_DMA_SHARED_BUFFER and CONFIG_PCI_P2PDMA_CORE. The > CONFIG_VFIO_PCI_DMABUF feature conditionally includes support for > VFIO_DEVICE_FEATURE_DMA_BUF, depending on the availability of > CONFIG_PCI_P2PDMA. > > Signed-off-by: Matt Evans <matt(a)ozlabs.org> > --- > drivers/vfio/pci/Kconfig | 5 +- > drivers/vfio/pci/Makefile | 3 +- > drivers/vfio/pci/vfio_pci_core.c | 75 +++++++++++++++++++----------- > drivers/vfio/pci/vfio_pci_dmabuf.c | 12 +++++ > drivers/vfio/pci/vfio_pci_priv.h | 11 +---- > 5 files changed, 67 insertions(+), 39 deletions(-) > > diff --git a/drivers/vfio/pci/Kconfig b/drivers/vfio/pci/Kconfig > index 296bf01e185e..67a2ae1fbc04 100644 > --- a/drivers/vfio/pci/Kconfig > +++ b/drivers/vfio/pci/Kconfig > @@ -6,6 +6,8 @@ config VFIO_PCI_CORE > tristate > select VFIO_VIRQFD > select IRQ_BYPASS_MANAGER > + select PCI_P2PDMA_CORE > + select DMA_SHARED_BUFFER > > config VFIO_PCI_INTX > def_bool y if !S390 > @@ -56,7 +58,8 @@ config VFIO_PCI_ZDEV_KVM > To enable s390x KVM vfio-pci extensions, say Y. > > config VFIO_PCI_DMABUF > - def_bool y if VFIO_PCI_CORE && PCI_P2PDMA && DMA_SHARED_BUFFER > + def_bool y if PCI_P2PDMA > + depends on VFIO_PCI_CORE > > source "drivers/vfio/pci/mlx5/Kconfig" > [...] > int vfio_pci_core_mmap_prep_dmabuf(struct vfio_pci_core_device *vdev, > struct vm_area_struct *vma, > @@ -532,6 +538,10 @@ void vfio_pci_dma_buf_move(struct vfio_pci_core_device *vdev, bool revoked) > struct vfio_pci_dma_buf *tmp; > > lockdep_assert_held_write(&vdev->memory_lock); > + /* > + * Holding memory_lock ensures a racing VMA fault observes > + * priv->revoked properly. > + */ Nit: This comment should appear before the lockdep_assert_held_write() Also, it is slightly verbose.. (not against it though). > > list_for_each_entry_safe(priv, tmp, &vdev->dmabufs, dmabufs_elm) { > if (!get_file_active(&priv->dmabuf->file)) > @@ -549,6 +559,8 @@ void vfio_pci_dma_buf_move(struct vfio_pci_core_device *vdev, bool revoked) > if (revoked) { > kref_put(&priv->kref, vfio_pci_dma_buf_done); > wait_for_completion(&priv->comp); > + unmap_mapping_range(priv->dmabuf->file->f_mapping, > + 0, priv->size, 1); Have we run this series with lockdep enabled? I guess it'd be nice to check with lockdep once.. Apart from these, Reviewed-by: Pranjal Shrivastava <praan(a)google.com> Thanks, Praan

1 week

Re: [PATCH v3 3/9] vfio/pci: Add a helper to create a DMABUF for a BAR-map VMA

by Pranjal Shrivastava

On Wed, Jun 10, 2026 at 04:43:17PM +0100, Matt Evans wrote: > This helper, vfio_pci_core_mmap_prep_dmabuf(), creates a single-range > DMABUF for the purpose of mapping a PCI BAR. This is used in a future > commit by VFIO's ordinary mmap() path. > > This function transfers ownership of the VFIO device fd to the > DMABUF, which fput()s when it's released. > > Refactor the existing vfio_pci_core_feature_dma_buf() to split out > export code common to the two paths, VFIO_DEVICE_FEATURE_DMA_BUF and > this new VFIO_BAR mmap(). > > Signed-off-by: Matt Evans <matt(a)ozlabs.org> > --- > drivers/vfio/pci/vfio_pci_dmabuf.c | 142 +++++++++++++++++++++++------ > drivers/vfio/pci/vfio_pci_priv.h | 5 + > 2 files changed, 117 insertions(+), 30 deletions(-) > [...] > + > + /* > + * Ownership of the DMABUF file transfers to the VMA so that > + * other users can locate the DMABUF via a VA. Ownership of > + * the original VFIO device file being mmap()ed transfers to > + * priv, and is put when the DMABUF is released. This > + * intentionally does not use get_file()/vma_set_file() > + * because the references are already held, and ownership > + * moves. > + */ > + priv->vfile = vma->vm_file; > + vma->vm_file = priv->dmabuf->file; > + vma->vm_private_data = priv; I appreciate this comment. Thanks for being clear! Reviewed-by: Pranjal Shrivastava <praan(a)google.com> Thanks, Praan

1 week, 1 day

[PATCH v6 1/2] accel/rocket: Fix error path handling in rocket_job_run()

by ZhaoJinming

In rocket_job_run(), after taking an extra fence reference for job->done_fence via dma_fence_get(), the error paths have three bugs: - The dma_fence reference held by job->done_fence is never released, causing a reference leak. - pm_runtime_get_sync() increments the usage counter even on failure, but the error path does not decrement it, leaking the runtime PM reference and preventing the NPU from suspending. - A valid but unsignaled fence is returned to the DRM scheduler, which triggers WARN("Fence ... released with pending signals!") when the scheduler drops its reference. Fix by replacing pm_runtime_get_sync() with pm_runtime_resume_and_get() which auto-balances the usage counter on failure, releasing both fence references on error, and returning ERR_PTR(ret) instead of the unsignaled fence. Cc: stable(a)vger.kernel.org Fixes: 0810d5ad88a1 ("accel/rocket: Add job submission IOCTL") Signed-off-by: ZhaoJinming <zhaojinming(a)uniontech.com> --- drivers/accel/rocket/rocket_job.c | 19 ++++++++++++++----- 1 file changed, 14 insertions(+), 5 deletions(-) diff --git a/drivers/accel/rocket/rocket_job.c b/drivers/accel/rocket/rocket_job.c index ac51bff39833..e8a073e22ac2 100644 --- a/drivers/accel/rocket/rocket_job.c +++ b/drivers/accel/rocket/rocket_job.c @@ -310,13 +310,22 @@ static struct dma_fence *rocket_job_run(struct drm_sched_job *sched_job) dma_fence_put(job->done_fence); job->done_fence = dma_fence_get(fence); - ret = pm_runtime_get_sync(core->dev); - if (ret < 0) - return fence; + ret = pm_runtime_resume_and_get(core->dev); + if (ret < 0) { + dma_fence_put(job->done_fence); + job->done_fence = NULL; + dma_fence_put(fence); + return ERR_PTR(ret); + } ret = iommu_attach_group(job->domain->domain, core->iommu_group); - if (ret < 0) - return fence; + if (ret < 0) { + pm_runtime_put(core->dev); + dma_fence_put(job->done_fence); + job->done_fence = NULL; + dma_fence_put(fence); + return ERR_PTR(ret); + } scoped_guard(mutex, &core->job_lock) { core->in_flight_job = job; -- 2.20.1

1 week, 1 day

Jump to page:

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

Linaro-mm-sig