RE: [PATCH v5] dma-buf: Fix silent overflow for phys vec to sgt
From: Tian, Kevin
Date: Wed Jun 03 2026 - 03:24:10 EST
> From: David Hu <xuehaohu@xxxxxxxxxx>
> Sent: Tuesday, June 2, 2026 4:00 AM
>
> In case MMIO size is bigger than 4G and peer2peer DMA goes
> through host bridge, we trigger a code path that assigns the
> total linked IOVA (which is greater than 4G) to mapped_len.
>
> Previously, `mapped_len` was declared as 32-bit `unsigned int`.
> When accumulating `size_t` lengths, this leads to a silent wrap-around.
> This truncation causes truncated lengths to be passed to functions
> like `fill_sg_entry()`.
>
> Fix this by changing `mapped_len` to `size_t` (64-bit). While
> at it, fix similar potential overflow issues in `calc_sg_nents`
> by using `size_t` for `nents` and checking against `UINT_MAX`
> and using `unsigned int` for the loop iterator in `fill_sg_entry`
> to match.
>
> Fixes: 3aa31a8bb11e ("dma-buf: provide phys_vec to scatter-gather mapping
> routine")
> Cc: stable@xxxxxxxxxxxxxxx
> Cc: iommu@xxxxxxxxxxxxxxx
> Reviewed-by: Pranjal Shrivastava <praan@xxxxxxxxxx>
> Signed-off-by: David Hu <xuehaohu@xxxxxxxxxx>
Reviewed-by: Kevin Tian <kevin.tian@xxxxxxxxx>
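
A user-space model of the wrap-around the commit message describes, added here as an example; it is not code from the patch or from the kernel. struct range, the function names, the max_seg parameter and the sample lengths are constructed for illustration, and uint64_t stands in for a 64-bit size_t.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
struct range { uint64_t paddr; uint64_t len; }; /* hypothetical, not the kernel's struct */

/* Constructed sample: a 4 GiB MMIO range followed by a 4 KiB range. */
static const struct range sample[] = {
    { 0x2000000000ULL, 0x100000000ULL },
    { 0x3000000000ULL, 0x1000ULL },
};

/* "Before" pattern: 64-bit lengths summed into a 32-bit accumulator. */
static unsigned int total_len_u32(const struct range *r, size_t n)
{
    unsigned int mapped_len = 0;
    for (size_t i = 0; i < n; i++)
        mapped_len += (unsigned int)r[i].len; /* wraps modulo 2^32 */
    return mapped_len;
}

/* "After" pattern: the accumulator is as wide as the lengths. */
static uint64_t total_len_u64(const struct range *r, size_t n)
{
    uint64_t mapped_len = 0;
    for (size_t i = 0; i < n; i++)
        mapped_len += r[i].len;
    return mapped_len;
}

/* Count entries in a wide type; return -1 instead of narrowing past UINT_MAX. */
static int count_entries(const struct range *r, size_t n, uint64_t max_seg,
                         unsigned int *out)
{
    uint64_t nents = 0;
    for (size_t i = 0; i < n; i++)
        nents += r[i].len / max_seg + (r[i].len % max_seg != 0);
    if (nents > UINT_MAX)
        return -1;
    *out = (unsigned int)nents;
    return 0;
}
int main(void)
{
    unsigned int nents = 0;
    printf("u32=%#x u64=%#llx\n", total_len_u32(sample, 2),
           (unsigned long long)total_len_u64(sample, 2));
    printf("rc=%d\n", count_entries(sample, 2, 1, &nents));
    return 0;
}
```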