> From: David Hu <[email protected]>
> Sent: Tuesday, June 2, 2026 4:00 AM
>
> In case MMIO size is bigger than 4G and peer2peer DMA goes
> through host bridge, we trigger a code path that assigns the
> total linked IOVA (which is greater than 4G) to mapped_len.
>
> Previously, `mapped_len` was declared as 32-bit `unsigned int`.
> When accumulating `size_t` lengths, this leads to a silent wrap-around.
> This truncation causes truncated lengths to be passed to functions
> like `fill_sg_entry()`.
>
> Fix this by changing `mapped_len` to `size_t` (64-bit). While
> at it, fix similar potential overflow issues in `calc_sg_nents`
> by using `size_t` for `nents` and checking against `UINT_MAX`
> and using `unsigned int` for the loop iterator in `fill_sg_entry`
> to match.
>
> Fixes: 3aa31a8bb11e ("dma-buf: provide phys_vec to scatter-gather mapping
> routine")
> Cc: [email protected]
> Cc: [email protected]
> Reviewed-by: Pranjal Shrivastava <[email protected]>
> Signed-off-by: David Hu <[email protected]>
Reviewed-by: Kevin Tian <[email protected]>
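
Added example, not part of this thread and not the kernel's code: a user-space C sketch of the truncation the quoted commit message describes, with a 32-bit accumulator beside a 64-bit one and an entry count checked against `UINT_MAX`. The struct, the function names and the sample ranges are hypothetical and constructed for illustration; `uint64_t` stands in for the kernel's 64-bit `size_t`.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for one physical range; only its length matters here. */
struct range { uint64_t len; };
/* Constructed samples: three 2 GiB ranges (6 GiB total) and one maximal range. */
static const struct range sample[] = { { 0x80000000ULL }, { 0x80000000ULL }, { 0x80000000ULL } };
static const struct range huge[] = { { UINT64_MAX } };

/* Pattern the commit message describes as broken: a 32-bit accumulator. */
static uint64_t total_len_u32(const struct range *r, size_t n)
{
    unsigned int mapped_len = 0;

    for (size_t i = 0; i < n; i++)
        mapped_len += r[i].len;    /* sum is silently truncated to 32 bits */
    return mapped_len;
}

/* Pattern after the fix: a 64-bit accumulator keeps the full length. */
static uint64_t total_len_u64(const struct range *r, size_t n)
{
    uint64_t mapped_len = 0;

    for (size_t i = 0; i < n; i++)
        mapped_len += r[i].len;
    return mapped_len;
}

/* Entries needed for one length when an entry holds at most UINT_MAX bytes. */
static uint64_t entries_for(uint64_t len)
{
    return len / UINT_MAX + (len % UINT_MAX != 0);
}

/* Count accumulated in 64 bits; -1 if it would not fit an unsigned int. */
static long long count_entries(const struct range *r, size_t n)
{
    uint64_t nents = 0;

    for (size_t i = 0; i < n; i++)
        nents += entries_for(r[i].len);
    return nents > UINT_MAX ? -1 : (long long)nents;
}

int main(void)
{
    printf("u32 total=%llu u64 total=%llu\n",
           (unsigned long long)total_len_u32(sample, 3), (unsigned long long)total_len_u64(sample, 3));
}
```

With the 32-bit accumulator the 6 GiB total collapses to 2 GiB, so a consumer sizing its entries from that value would cover only a third of the mapping.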
