In case MMIO size is bigger than 4G and peer2peer DMA goes through the host bridge, we trigger the code path to assign total linked IOVA, greater than 4G, to mapped_len, leading to a silent overflow.
Fixes: 3aa31a8bb11e ("dma-buf: provide phys_vec to scatter-gather mapping routine")
Signed-off-by: David Hu xuehaohu@google.com
---
 drivers/dma-buf/dma-buf-mapping.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/dma-buf/dma-buf-mapping.c b/drivers/dma-buf/dma-buf-mapping.c index 794acff2546a..658064140357 100644 --- a/drivers/dma-buf/dma-buf-mapping.c +++ b/drivers/dma-buf/dma-buf-mapping.c @@ -95,7 +95,8 @@ struct sg_table *dma_buf_phys_vec_to_sgt(struct dma_buf_attachment *attach, size_t nr_ranges, size_t size, enum dma_data_direction dir) { - unsigned int nents, mapped_len = 0; + unsigned int nents = 0; + size_t mapped_len = 0; struct dma_buf_dma *dma; struct scatterlist *sgl; dma_addr_t addr;
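Review bot: the new `unsigned int nents = 0;` initialization in dma_buf_phys_vec_to_sgt() is not mentioned in the commit message, which only describes the mapped_len overflow. Either say why nents now needs an initial value or drop that part, so the Fixes: backport carries only the widening of mapped_len to size_t. Widening the accumulator matches the `size_t size` parameter, but the lines that consume mapped_len are outside this hunk; it is worth confirming in the changelog that none of them stores the total back into an unsigned int field, since that would reintroduce the truncation past 4G. Note also that size_t is 32 bits on 32-bit builds, so the fix as written covers 64-bit kernels only.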
linaro-mm-sig@lists.linaro.org