Claude review: dma-buf: Fix silent overflow for phys vec to sgt

[Claude Code Review Bot <claude-review@example.com>]

Patch Review

**The bug:** In `drivers/dma-buf/dma-buf-mapping.c:97-98` (pre-patch), both `nents` and `mapped_len` were declared together as `unsigned int`. The accumulation at line 155:

```c
mapped_len += phys_vec[i].len;
```

adds `size_t` values (since `struct phys_vec` in `include/linux/types.h:173-176` defines `len` as `size_t`) into a 32-bit variable. When total MMIO size exceeds 4 GiB this wraps silently, causing the subsequent `WARN_ON_ONCE(mapped_len != size)` check at line 170 to fire, and more critically, `dma_iova_sync()` and `fill_sg_entry()` to receive a truncated length.

**The fix is correct:**

```c
-	unsigned int nents, mapped_len = 0;
+	unsigned int nents = 0;
+	size_t mapped_len = 0;
```

- `size_t` for `mapped_len` matches the types it interacts with: `phys_vec[i].len` (`size_t`), the `size` function parameter (`size_t`), `dma_iova_sync()` size argument (`size_t`), `dma_iova_destroy()` size argument, and `fill_sg_entry()` length argument (`size_t`).
- `nents` correctly remains `unsigned int`, matching the return type of `calc_sg_nents()` and the `sg_alloc_table()` nents parameter.
- Separating the declarations onto two lines is the right call since the types now differ.

**Minor observations:**

1. **Commit message quality:** The commit message is a bit terse and could be clearer. "total linked IVOA" appears to be a typo for "total linked IOVA". The description would benefit from explicitly stating that `mapped_len` was `unsigned int` (32 bits) and is being changed to `size_t` (64 bits), and clarifying the specific consequence (truncated length passed to `dma_iova_sync`/`dma_iova_destroy`).

2. **The `nents = 0` initialization change:** The original code had `nents` implicitly initialized alongside `mapped_len` in the combined declaration `unsigned int nents, mapped_len = 0;` — but note that **only** `mapped_len` was initialized to 0 in the original code; `nents` was left uninitialized. The patch adds `= 0` to `nents`, which is a minor improvement for safety, though `nents` is always assigned from `calc_sg_nents()` before use at line 136, so the initialization is technically unnecessary. This is fine but could be mentioned as a separate cleanup.

3. **No Cc: stable tag:** Given this is a `Fixes:` patch for a potential data corruption / incorrect DMA mapping on >4 GiB MMIO BARs, a `Cc: stable@vger.kernel.org` tag would be appropriate if the fix should be backported.

**No functional issues found.** The patch is minimal, correct, and addresses a real overflow bug on large MMIO regions.

---
Generated by Claude Code Patch Reviewer