[PATCH] dma-buf: Fix silent overflow for phys vec to sgt

Next message: Andrew Morton: "Re: [PATCH v4 00/55] make MM selftests more CI friendly"
Previous message: Minchan Kim: "[PATCH v3] mm: process_mrelease: introduce PROCESS_MRELEASE_REAP_KILL flag"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: David Hu

Date: Mon May 11 2026 - 17:44:31 EST

In case MMIO size is bigger than 4G, and peer2peer
dma goes through host bridge, we trigger the code
path to assign total linked IVOA, greater than 4G
to mapped_len, and leading to a silent overflow

Fixes: 3aa31a8bb11e ("dma-buf: provide phys_vec to scatter-gather mapping routine")
Signed-off-by: David Hu <xuehaohu@xxxxxxxxxx>
---
drivers/dma-buf/dma-buf-mapping.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/dma-buf/dma-buf-mapping.c b/drivers/dma-buf/dma-buf-mapping.c
index 794acff2546a..658064140357 100644
--- a/drivers/dma-buf/dma-buf-mapping.c
+++ b/drivers/dma-buf/dma-buf-mapping.c
@@ -95,7 +95,8 @@ struct sg_table *dma_buf_phys_vec_to_sgt(struct dma_buf_attachment *attach,
size_t nr_ranges, size_t size,
enum dma_data_direction dir)
{
- unsigned int nents, mapped_len = 0;
+ unsigned int nents = 0;
+ size_t mapped_len = 0;
struct dma_buf_dma *dma;
struct scatterlist *sgl;
dma_addr_t addr;
--
2.54.0.563.g4f69b47b94-goog