From mboxrd@z Thu Jan 1 00:00:00 1970
From: Claude Code Review Bot
To: dri-devel-reviews@example.com
Subject: Claude review: dma-buf: Fix silent overflow for phys vec to sgt
Date: Sat, 16 May 2026 14:37:12 +1000
Message-ID:
In-Reply-To: <20260511214243.349487-1-xuehaohu@google.com>
References: <20260511214243.349487-1-xuehaohu@google.com>
X-Mailer: Claude Code Patch Reviewer
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0

Overall Series Review

Subject: dma-buf: Fix silent overflow for phys vec to sgt
Author: David Hu
Patches: 1
Reviewed: 2026-05-16T14:37:12.053368

---

This is a single-patch fix for an integer overflow bug in `dma_buf_phys_vec_to_sgt()`. The variable `mapped_len` was declared as `unsigned int` (32-bit), but it accumulates `phys_vec[i].len` values which are `size_t` (64-bit on 64-bit platforms). When the total MMIO mapping exceeds 4 GiB (e.g., peer-to-peer DMA through a host bridge), `mapped_len` silently wraps, leading to a truncated value being passed to `dma_iova_sync()` and `fill_sg_entry()`.

The fix is correct and minimal — changing `mapped_len` from `unsigned int` to `size_t` matches both the type of `phys_vec[].len` and the `size` parameter signatures of `dma_iova_sync()`, `dma_iova_destroy()`, and `fill_sg_entry()`.

**Verdict: The fix is correct and should be accepted**, with minor commit message nits noted below.

---

Generated by Claude Code Patch Reviewer
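
Added example, not part of the review above or of the patch it discusses: a user-space C sketch of the accumulator wrap described in the review, next to the widened accumulator. The `struct range` type, the function names, the sample values and the overflow-checked variant are assumptions made for illustration; `uint32_t` and `uint64_t` stand in for `unsigned int` and for `size_t` on a 64-bit platform.

```c
#include <stdint.h>
#include <stdio.h>
/* Constructed stand-in for one range (not the kernel type); uint64_t models size_t. */
struct range { uint64_t paddr; uint64_t len; };
/* Constructed sample: 2 GiB + 2 GiB + 4 KiB = 4 GiB + 4 KiB in total. */
static const struct range sample[3] = {
    { 0x100000000ULL, 0x80000000ULL }, { 0x200000000ULL, 0x80000000ULL },
    { 0x300000000ULL, 0x1000ULL },
};
/* Constructed sample whose sum does not fit in 64 bits. */
static const struct range huge[2] = { { 0, UINT64_MAX }, { 0, 1 } };

/* Pre-fix shape: a 32-bit accumulator wraps modulo 2^32 with no error. */
static uint32_t total_len_u32(const struct range *v, size_t n)
{
    uint32_t mapped_len = 0;
    for (size_t i = 0; i < n; i++)
        mapped_len += v[i].len;      /* silently truncated to 32 bits */
    return mapped_len;
}

/* Post-fix shape: the accumulator is as wide as the lengths it sums. */
static uint64_t total_len_u64(const struct range *v, size_t n)
{
    uint64_t mapped_len = 0;
    for (size_t i = 0; i < n; i++)
        mapped_len += v[i].len;
    return mapped_len;
}

/* Defensive variant (an assumption, not in the patch): fail on overflow. */
static int total_len_checked(const struct range *v, size_t n, uint64_t *out)
{
    uint64_t sum = 0;
    for (size_t i = 0; i < n; i++)
        if (__builtin_add_overflow(sum, v[i].len, &sum))
            return -1;               /* sum exceeded the accumulator width */
    *out = sum;
    return 0;
}

int main(void)
{
    uint64_t t = 0;
    int rc = total_len_checked(huge, 2, &t);
    printf("u32=%u u64=%llu huge_rc=%d\n", total_len_u32(sample, 3),
           (unsigned long long)total_len_u64(sample, 3), rc);
    return 0;
}
```

With the constructed sample the 32-bit sum reports 4 KiB for a mapping of 4 GiB + 4 KiB, which is the kind of truncated length that would then reach the sync and scatterlist-fill calls.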