From 69672c93bf0643db673c7bbe2e707bef95ddfd97 Mon Sep 17 00:00:00 2001 From: Nguyen Anh Binh Date: Fri, 20 Mar 2026 02:25:57 +0700 Subject: [PATCH] Fix operator precedence and integer width in nv_dma_buf_mmap Fix two bugs in nv_dma_buf_mmap(): 1. Operator precedence error in the outer for-loop condition at line 1344. The expression `i < (priv->num_objects && (addr < vma->vm_end))` evaluates the `&&` first, producing a boolean (0 or 1). This means the loop body executes at most once (when i == 0), regardless of num_objects. For multi-object DMA-buf exports, only the first object's ranges are mapped. The function returns success despite the incomplete mapping. Fix: `(i < priv->num_objects) && (addr < vma->vm_end)` 2. Integer truncation in `total_skip_size` (NvU32) which accumulates NvU64 range sizes. For DMA-bufs larger than 4GB, the offset calculation wraps around, causing incorrect range lookups. Fix: widen `total_skip_size` from NvU32 to NvU64. --- kernel-open/nvidia/nv-dmabuf.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/kernel-open/nvidia/nv-dmabuf.c b/kernel-open/nvidia/nv-dmabuf.c index 776befb8b..3c4b2dea4 100644 --- a/kernel-open/nvidia/nv-dmabuf.c +++ b/kernel-open/nvidia/nv-dmabuf.c @@ -1230,7 +1230,7 @@ nv_dma_buf_mmap( NvU32 i = 0; nv_dma_buf_file_private_t *priv = buf->priv; unsigned long addr = vma->vm_start; - NvU32 total_skip_size = 0; + NvU64 total_skip_size = 0; NvU64 total_map_len = NV_VMA_SIZE(vma); NvU64 off_in_range_array = 0; NvU32 index; @@ -1341,7 +1341,7 @@ nv_dma_buf_mmap( nv_vm_flags_set(vma, VM_SHARED | VM_DONTEXPAND | VM_DONTDUMP); // Create user mapping - for (; i < (priv->num_objects && (addr < vma->vm_end)); i++) + for (; (i < priv->num_objects) && (addr < vma->vm_end); i++) { NvU32 range_count = priv->handles[i].memArea.numRanges;
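Review bot: widening `total_skip_size` from NvU32 to NvU64 in the first hunk fixes the accumulator itself, but the hunk does not show where the value is consumed, so please confirm that every expression it feeds (the offset comparison against the vma's page offset and the `off_in_range_array` arithmetic) has no remaining NvU32 intermediate; a single 32-bit operand in that chain would reintroduce the wrap-around for exports above 4GB. The neighbouring declarations `NvU64 total_map_len = NV_VMA_SIZE(vma);` and `NvU64 off_in_range_array = 0;` are already 64-bit, which is consistent with the change. A regression test with a multi-range export whose cumulative size exceeds 4GB would pin this down.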
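Review bot: the corrected condition `(i < priv->num_objects) && (addr < vma->vm_end)` in the second hunk restores iteration over all objects, but the loop still exits quietly when `i` reaches `priv->num_objects` while `addr < vma->vm_end`, i.e. when the requested vma is larger than the ranges the export can back. The commit message points out that the function returned success despite an incomplete mapping; the post-loop code is outside this hunk, so please verify that it now rejects that case (for instance by checking `addr != vma->vm_end` after the loop and failing the mmap) rather than leaving a partially populated mapping the caller cannot detect. The "line 1344" cited in the message matches the pre-patch numbering implied by the `@@ -1341` header, so that reference is fine.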