From mboxrd@z Thu Jan 1 00:00:00 1970 From: Claude Code Review Bot To: dri-devel-reviews@example.com Subject: Claude review: dma-buf: Fix silent overflow for phys vec to sgt Date: Thu, 04 Jun 2026 13:39:51 +1000 Message-ID: In-Reply-To: <20260601200012.3872274-1-xuehaohu@google.com> References: <20260601200012.3872274-1-xuehaohu@google.com> <20260601200012.3872274-1-xuehaohu@google.com> X-Mailer: Claude Code Patch Reviewer Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Patch Review **The core bug fix (mapped_len) =E2=80=94 correct:** ```c - unsigned int nents, mapped_len =3D 0; struct dma_buf_dma *dma; struct scatterlist *sgl; + size_t mapped_len =3D 0; + unsigned int nents; ``` This is the primary fix. `mapped_len` accumulates `phys_vec[i].len` which i= s `size_t` (confirmed from `struct phys_vec` in `include/linux/types.h:173`= ). With a >4GB MMIO region, the old `unsigned int` silently wraps. The down= stream consumers `dma_iova_sync()` and `fill_sg_entry()` both take `size_t`= length parameters, so `size_t mapped_len` is the correct type. The variabl= e reordering follows reverse Christmas tree style =E2=80=94 good. **The calc_sg_nents overflow protection =E2=80=94 correct:** ```c - unsigned int nents =3D 0; + size_t nents =3D 0; ``` Using `size_t` for the intermediate accumulation is correct. In the non-IOV= A path, the loop `nents +=3D DIV_ROUND_UP(phys_vec[i].len, UINT_MAX)` accum= ulates across `nr_ranges` entries, and theoretically could exceed `UINT_MAX= ` with enough large ranges. The function still returns `unsigned int`, whic= h matches what `sg_alloc_table()` expects (`unsigned int nents` per `includ= e/linux/scatterlist.h:464`). ```c + if (nents > UINT_MAX) + return 0; ``` Returning 0 as a sentinel for overflow is a reasonable convention given tha= t 0 nents is never a valid return from this function (it would mean zero-le= ngth mapping, which callers shouldn't request). **The caller-side overflow check =E2=80=94 correct:** ```c nents =3D calc_sg_nents(dma->state, phys_vec, nr_ranges, size); + if (!nents) { + ret =3D -EINVAL; + goto err_free_state; + } ``` The goto target `err_free_state` is correct for this point in the function = =E2=80=94 `dma->state` may have been allocated by the `PCI_P2PDMA_MAP_THRU_= HOST_BRIDGE` path above, and `dma` itself also needs freeing. Both are hand= led by the `err_free_state` =E2=86=92 `err_free_dma` cleanup chain. **Minor note:** This conflates "overflow" with "legitimately zero nents" un= der a single `-EINVAL`. In practice, zero nents would only happen if the ca= ller passes `size=3D0` or `nr_ranges=3D0`, both of which are caller bugs de= serving `-EINVAL` anyway, so no issue. **The fill_sg_entry type consistency fix =E2=80=94 fine:** ```c - int i; + unsigned int i; ``` This matches `i` to the type of `nents` (`unsigned int`), eliminating a sig= ned/unsigned comparison in `i < nents`. Not a practical bug (nents here is = computed from a single range's length, so always small), but it's the right= type and silences compiler warnings. **Commit message:** Clear and accurate. The Fixes tag references the correc= t introducing commit. The Cc: stable is appropriate for a data corruption b= ug. The changelog across v2-v5 shows responsive iteration to reviewer feedb= ack. **No issues found. Reviewed-by quality.** --- Generated by Claude Code Patch Reviewer