[MTD] potential division by 0 in cfi_build_cmd() and cfi_merge_status()?

Jörn Engel joern at logfs.org
Mon Jan 14 22:01:03 EST 2008


On Tue, 15 January 2008 01:28:12 +0100, Roel Kluin wrote:
> 
> Doing some grepping, I stumbled upon this possible error:
> 
> in include/linux/mtd/cfi.h, lines 302 and 366, resp. functions
> cfi_build_cmd() and cfi_merge_status() there is a division by
> cfi_interleave(cfi):
> 
> chip_mode = map_bankwidth(map) / cfi_interleave(cfi);
> 
> This could be problematic when no CONFIG_MTD_CFI_Ix is selected:
> cfi_interleave will trigger BUG(), but when BUG is disabled, the
> function returns 0, causing a subsequent division by zero.
> 
> When a CONFIG_MTD_CFI_Ix is selected, cfi_interleave(cfi) is either
> defined 1 or defined (cfi)->interleave.
> 
> cfi is a struct cfi_private pointer, with interleave as an int.
> 
> I am not sure whether interleave can ever be 0 in this division when
> CONFIG_MTD_CFI_Ix is set.
> 
> Shouldn't there be an error exit when cfi_interleave(cfi) evaluates
> to 0?

I don't think cfi_interleave(cfi) will ever be 0.  But the functions
definitely look a bit large for inlines.  Anyone having both cfi_probe
and jedec_probe will enjoy twice the kernel footprint from them.
Patches to move that code out-of-line are welcome.

Jörn

-- 
Fools ignore complexity.  Pragmatists suffer it.
Some can avoid it.  Geniuses remove it.
-- Perlis's Programming Proverb #58, SIGPLAN Notices, Sept.  1982
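The following is an added user-space model of the pattern the thread is about, not code from include/linux/mtd/cfi.h or the linux-mtd project. It reproduces the chip_mode = map_bankwidth(map) / cfi_interleave(cfi) computation, models the case where no CONFIG_MTD_CFI_Ix is selected and BUG() is compiled out (so the inline returns 0), and adds the error exit Roel asks about, plus a much-simplified cfi_build_cmd() that replicates a command across the interleaved chips. The struct layouts, the `supported` flag and every model_* name are assumptions for illustration; endianness handling of the real function is omitted.

```c
/*
 * Added example (not kernel code): models the
 * chip_mode = map_bankwidth(map) / cfi_interleave(cfi) pattern from the
 * linux-mtd thread, with a guarded variant.  Struct contents, the
 * `supported` flag and the model_* names are assumptions for illustration.
 */
#include <stdio.h>

/* Only the fields the division needs are modelled (assumed layouts). */
struct cfi_private { int interleave; };   /* chips interleaved per bank */
struct map_info    { int bankwidth; };    /* bus width of the bank, bytes */

static int map_bankwidth(const struct map_info *map)
{
    return map->bankwidth;
}

/*
 * Models cfi_interleave(): with a CONFIG_MTD_CFI_Ix option selected it
 * yields cfi->interleave; with none selected the kernel inline calls
 * BUG() and then "return 0".  When BUG() is compiled out, that 0 is what
 * the caller really receives, which `supported == 0` reproduces here.
 */
static int cfi_interleave_model(const struct cfi_private *cfi, int supported)
{
    if (supported)
        return cfi->interleave;
    /* BUG() would sit here; compiled out, control falls through. */
    return 0;
}

/*
 * Checked chip_mode computation.  Returns chip_mode (bytes of bus width
 * each chip drives) or -1 if the interleave is 0, does not divide the
 * bank width, or the bank is wider than one machine word.
 */
static int model_chip_mode(int bankwidth, int interleave, int supported)
{
    struct cfi_private cfi = { interleave };
    struct map_info map = { bankwidth };
    int il = cfi_interleave_model(&cfi, supported);

    if (il <= 0 || bankwidth <= 0 || bankwidth % il != 0)
        return -1;                      /* the missing error exit */
    if (bankwidth > (int)sizeof(unsigned long))
        return -1;
    return map_bankwidth(&map) / il;
}

/*
 * Simplified cfi_build_cmd(): replicate `cmd` once per interleaved chip,
 * each copy at the chip's own data width, so one bus write reaches every
 * chip.  Returns the bus word, or 0 when model_chip_mode() rejects the
 * layout (0x98 never builds to 0, so callers can tell the two apart).
 */
static unsigned long model_cmd_word(int bankwidth, int interleave,
                                    int supported, unsigned long cmd)
{
    int chip_mode = model_chip_mode(bankwidth, interleave, supported);
    unsigned long mask, val = 0;
    int il, i;

    if (chip_mode < 0)
        return 0;
    il = bankwidth / chip_mode;         /* equals the modelled interleave */
    mask = chip_mode >= (int)sizeof(unsigned long)
           ? ~0UL : (1UL << (8 * chip_mode)) - 1;
    cmd &= mask;                        /* clip to one chip's data width */
    for (i = 0; i < il; i++)
        val |= cmd << (i * 8 * chip_mode);
    return val;
}

int main(void)
{
    /* Constructed layouts: {bankwidth, interleave, CONFIG_MTD_CFI_Ix present} */
    const int cases[][3] = { {2, 2, 1}, {4, 2, 1}, {2, 1, 1}, {4, 3, 1}, {2, 2, 0} };
    size_t n = sizeof cases / sizeof cases[0], i;

    for (i = 0; i < n; i++) {
        int bw = cases[i][0], il = cases[i][1], sup = cases[i][2];
        int cm = model_chip_mode(bw, il, sup);

        if (cm < 0)
            printf("bankwidth=%d interleave=%d supported=%d: rejected\n",
                   bw, il, sup);
        else
            printf("bankwidth=%d interleave=%d supported=%d: chip_mode=%d "
                   "cmd=0x%lx\n", bw, il, sup, cm,
                   model_cmd_word(bw, il, sup, 0x98UL));
    }
    return 0;
}
```

With an 8-bit CFI read-ID command (0x98) on a 16-bit bank of two interleaved 8-bit chips, the model yields chip_mode 1 and the word 0x9898; the same bank populated by one 16-bit chip yields chip_mode 2 and 0x98. The `supported == 0` case, which is where the unguarded kernel inline would divide by zero once BUG() is compiled out, is rejected before any division happens.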
