[PATCH] dma-buf: Fix silent overflow for phys vec to sgt

[PATCH] dma-buf: Fix silent overflow for phys vec to sgt

[David Hu]

In case MMIO size is bigger than 4G, and peer2peer
dma goes through host bridge, we trigger the code
path to assign total linked IVOA, greater than 4G
to mapped_len, and leading to a silent overflow

Fixes: 3aa31a8bb11e ("dma-buf: provide phys_vec to scatter-gather mapping routine")
Signed-off-by: David Hu <xuehaohu@google.com>
---
 drivers/dma-buf/dma-buf-mapping.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/dma-buf/dma-buf-mapping.c b/drivers/dma-buf/dma-buf-mapping.c
index 794acff2546a..658064140357 100644
--- a/drivers/dma-buf/dma-buf-mapping.c
+++ b/drivers/dma-buf/dma-buf-mapping.c
@@ -95,7 +95,8 @@ struct sg_table *dma_buf_phys_vec_to_sgt(struct dma_buf_attachment *attach,
 					 size_t nr_ranges, size_t size,
 					 enum dma_data_direction dir)
 {
-	unsigned int nents, mapped_len = 0;
+	unsigned int nents = 0;
+	size_t mapped_len = 0;
 	struct dma_buf_dma *dma;
 	struct scatterlist *sgl;
 	dma_addr_t addr;
-- 
2.54.0.563.g4f69b47b94-goog

Claude review: dma-buf: Fix silent overflow for phys vec to sgt

[Claude Code Review Bot]

Patch Review

**The bug:** In `drivers/dma-buf/dma-buf-mapping.c:97-98` (pre-patch), both `nents` and `mapped_len` were declared together as `unsigned int`. The accumulation at line 155:

```c
mapped_len += phys_vec[i].len;
```

adds `size_t` values (since `struct phys_vec` in `include/linux/types.h:173-176` defines `len` as `size_t`) into a 32-bit variable. When total MMIO size exceeds 4 GiB this wraps silently, causing the subsequent `WARN_ON_ONCE(mapped_len != size)` check at line 170 to fire, and more critically, `dma_iova_sync()` and `fill_sg_entry()` to receive a truncated length.

**The fix is correct:**

```c
-	unsigned int nents, mapped_len = 0;
+	unsigned int nents = 0;
+	size_t mapped_len = 0;
```

- `size_t` for `mapped_len` matches the types it interacts with: `phys_vec[i].len` (`size_t`), the `size` function parameter (`size_t`), `dma_iova_sync()` size argument (`size_t`), `dma_iova_destroy()` size argument, and `fill_sg_entry()` length argument (`size_t`).
- `nents` correctly remains `unsigned int`, matching the return type of `calc_sg_nents()` and the `sg_alloc_table()` nents parameter.
- Separating the declarations onto two lines is the right call since the types now differ.

**Minor observations:**

1. **Commit message quality:** The commit message is a bit terse and could be clearer. "total linked IVOA" appears to be a typo for "total linked IOVA". The description would benefit from explicitly stating that `mapped_len` was `unsigned int` (32 bits) and is being changed to `size_t` (64 bits), and clarifying the specific consequence (truncated length passed to `dma_iova_sync`/`dma_iova_destroy`).

2. **The `nents = 0` initialization change:** The original code had `nents` implicitly initialized alongside `mapped_len` in the combined declaration `unsigned int nents, mapped_len = 0;` — but note that **only** `mapped_len` was initialized to 0 in the original code; `nents` was left uninitialized. The patch adds `= 0` to `nents`, which is a minor improvement for safety, though `nents` is always assigned from `calc_sg_nents()` before use at line 136, so the initialization is technically unnecessary. This is fine but could be mentioned as a separate cleanup.

3. **No Cc: stable tag:** Given this is a `Fixes:` patch for a potential data corruption / incorrect DMA mapping on >4 GiB MMIO BARs, a `Cc: stable@vger.kernel.org` tag would be appropriate if the fix should be backported.

**No functional issues found.** The patch is minimal, correct, and addresses a real overflow bug on large MMIO regions.

---
Generated by Claude Code Patch Reviewer

Claude review: dma-buf: Fix silent overflow for phys vec to sgt

[Claude Code Review Bot]

Overall Series Review

Subject: dma-buf: Fix silent overflow for phys vec to sgt
Author: David Hu <xuehaohu@google.com>
Patches: 1
Reviewed: 2026-05-16T14:37:12.053368

---

This is a single-patch fix for an integer overflow bug in `dma_buf_phys_vec_to_sgt()`. The variable `mapped_len` was declared as `unsigned int` (32-bit), but it accumulates `phys_vec[i].len` values which are `size_t` (64-bit on 64-bit platforms). When the total MMIO mapping exceeds 4 GiB (e.g., peer-to-peer DMA through a host bridge), `mapped_len` silently wraps, leading to a truncated value being passed to `dma_iova_sync()` and `fill_sg_entry()`.

The fix is correct and minimal — changing `mapped_len` from `unsigned int` to `size_t` matches both the type of `phys_vec[].len` and the `size` parameter signatures of `dma_iova_sync()`, `dma_iova_destroy()`, and `fill_sg_entry()`.

**Verdict: The fix is correct and should be accepted**, with minor commit message nits noted below.

---

---
Generated by Claude Code Patch Reviewer