[PATCH 4/4] mtd: fix possible overflow during mtd size multiplication

Ahmad Fatoum a.fatoum at pengutronix.de
Wed Mar 24 12:22:47 GMT 2021


LGTM[1] flags a couple of places where we write a 32-bit multiplication
result into a 64-bit destination. While it might very well be that
there are more places in need of fixing to support flashes bigger than
4G, fixing these issues is easy and reduces the noise. Do so.

[1]: https://lgtm.com/projects/g/saschahauer/barebox/alerts/?mode=list

Signed-off-by: Ahmad Fatoum <a.fatoum at pengutronix.de>
---
 drivers/mtd/core.c            | 2 +-
 drivers/mtd/mtdoob.c          | 2 +-
 drivers/mtd/peb.c             | 4 ++--
 drivers/mtd/spi-nor/spi-nor.c | 2 +-
 4 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/drivers/mtd/core.c b/drivers/mtd/core.c
index 22eb2a056c4e..37fccda6be27 100644
--- a/drivers/mtd/core.c
+++ b/drivers/mtd/core.c
@@ -131,7 +131,7 @@ static struct mtd_erase_region_info *mtd_find_erase_region(struct mtd_info *mtd,
 
 	for (i = 0; i < mtd->numeraseregions; i++) {
 		struct mtd_erase_region_info *e = &mtd->eraseregions[i];
-		if (offset > e->offset + e->erasesize * e->numblocks)
+		if (offset > e->offset + (loff_t)e->erasesize * e->numblocks)
 			continue;
 		return e;
 	}
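Review bot: The region test on the changed line still uses `>`, so an `offset` exactly equal to the end of a region is attributed to that region instead of the one that starts there. If the erase regions are contiguous and sorted (not visible in this hunk), the test should probably read `if (offset >= e->offset + (loff_t)e->erasesize * e->numblocks)`. With regions of differing erase size, the current form hands the caller the wrong erase size at a boundary. The types of `offset` and `e->offset` are declared outside the hunk, so check that the signed `loff_t` product does not turn this into a mixed signed/unsigned comparison. The function starts before and ends after the hunk.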
diff --git a/drivers/mtd/mtdoob.c b/drivers/mtd/mtdoob.c
index 04e064b227cb..19719c4d6279 100644
--- a/drivers/mtd/mtdoob.c
+++ b/drivers/mtd/mtdoob.c
@@ -77,7 +77,7 @@ static int add_mtdoob_device(struct mtd_info *mtd, const char *devname, void **p
 
 	mtdoob = xzalloc(sizeof(*mtdoob));
 	mtdoob->cdev.ops = &mtd_ops_oob;
-	mtdoob->cdev.size = mtd_div_by_wb(mtd->size, mtd) * mtd->oobsize;
+	mtdoob->cdev.size = mtd_div_by_wb(mtd->size, mtd) * (loff_t)mtd->oobsize;
 	mtdoob->cdev.name = basprintf("%s.oob", mtd->cdev.name);
 	mtdoob->cdev.priv = mtdoob;
 	mtdoob->cdev.dev = &mtd->dev;
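Review bot: The widening cast in the `mtdoob->cdev.size` assignment has no comment, and it looks redundant to anyone who assumes the operands are already 64-bit, so a later cleanup could reintroduce the truncation. I would add a line above it such as `/* widen before multiplying so the product is computed in 64 bits */`. The same applies to `params->size` in the spi-nor.c hunk. The return type of `mtd_div_by_wb()` is not visible here, so this assumes it is 32-bit. add_mtdoob_device() continues outside the hunk.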
diff --git a/drivers/mtd/peb.c b/drivers/mtd/peb.c
index f3c51a61b4eb..03d96c2a5a7e 100644
--- a/drivers/mtd/peb.c
+++ b/drivers/mtd/peb.c
@@ -695,7 +695,7 @@ int mtd_peb_create_bitflips(struct mtd_info *mtd, int pnum, int offset,
 	ops.ooblen = mtd->oobsize;
 
 	for (i = 0; i < pages_per_block; i++) {
-		loff_t offs = (loff_t)pnum * mtd->erasesize + i * mtd->writesize;
+		loff_t offs = (loff_t)pnum * mtd->erasesize + i * (loff_t)mtd->writesize;
 
 		ops.datbuf = buf + i * mtd->writesize;
 		ops.oobbuf = oobbuf + i * mtd->oobsize;
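Review bot: The offset expression on the changed line is repeated verbatim in the second loop of mtd_peb_create_bitflips() (the hunk at -738), so the widening has to be kept correct in two places. Computing the block base once before the loops, `loff_t base = (loff_t)pnum * mtd->erasesize;`, and using `loff_t offs = base + i * (loff_t)mtd->writesize;` in both would keep them in step. `pnum` is a plain `int` and no range check is visible in the hunk, so confirm it is validated earlier in the function, because a negative value would produce a negative flash offset. The function body starts and ends outside the hunk.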
@@ -738,7 +738,7 @@ int mtd_peb_create_bitflips(struct mtd_info *mtd, int pnum, int offset,
 	}
 
 	for (i = 0; i < pages_per_block; i++) {
-		loff_t offs = (loff_t)pnum * mtd->erasesize + i * mtd->writesize;
+		loff_t offs = (loff_t)pnum * mtd->erasesize + i * (loff_t)mtd->writesize;
 
 		ops.datbuf = buf + i * mtd->writesize;
 		ops.oobbuf = oobbuf + i * mtd->oobsize;
diff --git a/drivers/mtd/spi-nor/spi-nor.c b/drivers/mtd/spi-nor/spi-nor.c
index bd748ff5b4b3..383916e3f4b0 100644
--- a/drivers/mtd/spi-nor/spi-nor.c
+++ b/drivers/mtd/spi-nor/spi-nor.c
@@ -1131,7 +1131,7 @@ static int spi_nor_init_params(struct spi_nor *nor,
 	memset(params, 0, sizeof(*params));
 
 	/* Set SPI NOR sizes. */
-	params->size = info->sector_size * info->n_sectors;
+	params->size = info->sector_size * (u64)info->n_sectors;
 	params->page_size = info->page_size;
 
 	/* (Fast) Read settings. */
-- 
2.29.2



