tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom

mtd: tests: fix integer overflow issues

These multiplications are done with 32-bit arithmetic, then converted to
64-bit. We should widen the integers first to prevent overflow. This
could be a problem for large (>4GB) MTD's.

Detected by Coverity.

Signed-off-by: Brian Norris <computersforpeace@gmail.com>
Cc: Akinobu Mita <akinobu.mita@gmail.com>

Brian Norris 1001ff7a 8c3f3f1d

+22 -22
+2 -2
drivers/mtd/tests/mtd_test.c
··· 10 10 { 11 11 int err; 12 12 struct erase_info ei; 13 - loff_t addr = ebnum * mtd->erasesize; 13 + loff_t addr = (loff_t)ebnum * mtd->erasesize; 14 14 15 15 memset(&ei, 0, sizeof(struct erase_info)); 16 16 ei.mtd = mtd; ··· 33 33 static int is_block_bad(struct mtd_info *mtd, unsigned int ebnum) 34 34 { 35 35 int ret; 36 - loff_t addr = ebnum * mtd->erasesize; 36 + loff_t addr = (loff_t)ebnum * mtd->erasesize; 37 37 38 38 ret = mtd_block_isbad(mtd, addr); 39 39 if (ret)
+1 -1
drivers/mtd/tests/nandbiterrs.c
··· 364 364 365 365 pr_info("Device uses %d subpages of %d bytes\n", subcount, subsize); 366 366 367 - offset = page_offset * mtd->writesize; 367 + offset = (loff_t)page_offset * mtd->writesize; 368 368 eraseblock = mtd_div_by_eb(offset, mtd); 369 369 370 370 pr_info("Using page=%u, offset=%llu, eraseblock=%u\n",
+4 -4
drivers/mtd/tests/oobtest.c
··· 120 120 int i; 121 121 struct mtd_oob_ops ops; 122 122 int err = 0; 123 - loff_t addr = ebnum * mtd->erasesize; 123 + loff_t addr = (loff_t)ebnum * mtd->erasesize; 124 124 125 125 prandom_bytes_state(&rnd_state, writebuf, use_len_max * pgcnt); 126 126 for (i = 0; i < pgcnt; ++i, addr += mtd->writesize) { ··· 214 214 { 215 215 struct mtd_oob_ops ops; 216 216 int err = 0; 217 - loff_t addr = ebnum * mtd->erasesize; 217 + loff_t addr = (loff_t)ebnum * mtd->erasesize; 218 218 size_t len = mtd->ecclayout->oobavail * pgcnt; 219 219 220 220 prandom_bytes_state(&rnd_state, writebuf, len); ··· 568 568 size_t sz = mtd->ecclayout->oobavail; 569 569 if (bbt[i] || bbt[i + 1]) 570 570 continue; 571 - addr = (i + 1) * mtd->erasesize - mtd->writesize; 571 + addr = (loff_t)(i + 1) * mtd->erasesize - mtd->writesize; 572 572 prandom_bytes_state(&rnd_state, writebuf, sz * cnt); 573 573 for (pg = 0; pg < cnt; ++pg) { 574 574 ops.mode = MTD_OPS_AUTO_OOB; ··· 598 598 continue; 599 599 prandom_bytes_state(&rnd_state, writebuf, 600 600 mtd->ecclayout->oobavail * 2); 601 - addr = (i + 1) * mtd->erasesize - mtd->writesize; 601 + addr = (loff_t)(i + 1) * mtd->erasesize - mtd->writesize; 602 602 ops.mode = MTD_OPS_AUTO_OOB; 603 603 ops.len = 0; 604 604 ops.retlen = 0;
+2 -2
drivers/mtd/tests/pagetest.c
··· 52 52 53 53 static int write_eraseblock(int ebnum) 54 54 { 55 - loff_t addr = ebnum * mtd->erasesize; 55 + loff_t addr = (loff_t)ebnum * mtd->erasesize; 56 56 57 57 prandom_bytes_state(&rnd_state, writebuf, mtd->erasesize); 58 58 cond_resched(); ··· 64 64 uint32_t j; 65 65 int err = 0, i; 66 66 loff_t addr0, addrn; 67 - loff_t addr = ebnum * mtd->erasesize; 67 + loff_t addr = (loff_t)ebnum * mtd->erasesize; 68 68 69 69 addr0 = 0; 70 70 for (i = 0; i < ebcnt && bbt[i]; ++i)
+1 -1
drivers/mtd/tests/readtest.c
··· 47 47 static int read_eraseblock_by_page(int ebnum) 48 48 { 49 49 int i, ret, err = 0; 50 - loff_t addr = ebnum * mtd->erasesize; 50 + loff_t addr = (loff_t)ebnum * mtd->erasesize; 51 51 void *buf = iobuf; 52 52 void *oobbuf = iobuf1; 53 53
+7 -7
drivers/mtd/tests/speedtest.c
··· 55 55 { 56 56 int err; 57 57 struct erase_info ei; 58 - loff_t addr = ebnum * mtd->erasesize; 58 + loff_t addr = (loff_t)ebnum * mtd->erasesize; 59 59 60 60 memset(&ei, 0, sizeof(struct erase_info)); 61 61 ei.mtd = mtd; ··· 80 80 81 81 static int write_eraseblock(int ebnum) 82 82 { 83 - loff_t addr = ebnum * mtd->erasesize; 83 + loff_t addr = (loff_t)ebnum * mtd->erasesize; 84 84 85 85 return mtdtest_write(mtd, addr, mtd->erasesize, iobuf); 86 86 } ··· 88 88 static int write_eraseblock_by_page(int ebnum) 89 89 { 90 90 int i, err = 0; 91 - loff_t addr = ebnum * mtd->erasesize; 91 + loff_t addr = (loff_t)ebnum * mtd->erasesize; 92 92 void *buf = iobuf; 93 93 94 94 for (i = 0; i < pgcnt; i++) { ··· 106 106 { 107 107 size_t sz = pgsize * 2; 108 108 int i, n = pgcnt / 2, err = 0; 109 - loff_t addr = ebnum * mtd->erasesize; 109 + loff_t addr = (loff_t)ebnum * mtd->erasesize; 110 110 void *buf = iobuf; 111 111 112 112 for (i = 0; i < n; i++) { ··· 124 124 125 125 static int read_eraseblock(int ebnum) 126 126 { 127 - loff_t addr = ebnum * mtd->erasesize; 127 + loff_t addr = (loff_t)ebnum * mtd->erasesize; 128 128 129 129 return mtdtest_read(mtd, addr, mtd->erasesize, iobuf); 130 130 } ··· 132 132 static int read_eraseblock_by_page(int ebnum) 133 133 { 134 134 int i, err = 0; 135 - loff_t addr = ebnum * mtd->erasesize; 135 + loff_t addr = (loff_t)ebnum * mtd->erasesize; 136 136 void *buf = iobuf; 137 137 138 138 for (i = 0; i < pgcnt; i++) { ··· 150 150 { 151 151 size_t sz = pgsize * 2; 152 152 int i, n = pgcnt / 2, err = 0; 153 - loff_t addr = ebnum * mtd->erasesize; 153 + loff_t addr = (loff_t)ebnum * mtd->erasesize; 154 154 void *buf = iobuf; 155 155 156 156 for (i = 0; i < n; i++) {
+5 -5
drivers/mtd/tests/subpagetest.c
··· 57 57 { 58 58 size_t written; 59 59 int err = 0; 60 - loff_t addr = ebnum * mtd->erasesize; 60 + loff_t addr = (loff_t)ebnum * mtd->erasesize; 61 61 62 62 prandom_bytes_state(&rnd_state, writebuf, subpgsize); 63 63 err = mtd_write(mtd, addr, subpgsize, &written, writebuf); ··· 92 92 { 93 93 size_t written; 94 94 int err = 0, k; 95 - loff_t addr = ebnum * mtd->erasesize; 95 + loff_t addr = (loff_t)ebnum * mtd->erasesize; 96 96 97 97 for (k = 1; k < 33; ++k) { 98 98 if (addr + (subpgsize * k) > (ebnum + 1) * mtd->erasesize) ··· 131 131 { 132 132 size_t read; 133 133 int err = 0; 134 - loff_t addr = ebnum * mtd->erasesize; 134 + loff_t addr = (loff_t)ebnum * mtd->erasesize; 135 135 136 136 prandom_bytes_state(&rnd_state, writebuf, subpgsize); 137 137 clear_data(readbuf, subpgsize); ··· 192 192 { 193 193 size_t read; 194 194 int err = 0, k; 195 - loff_t addr = ebnum * mtd->erasesize; 195 + loff_t addr = (loff_t)ebnum * mtd->erasesize; 196 196 197 197 for (k = 1; k < 33; ++k) { 198 198 if (addr + (subpgsize * k) > (ebnum + 1) * mtd->erasesize) ··· 227 227 uint32_t j; 228 228 size_t read; 229 229 int err = 0; 230 - loff_t addr = ebnum * mtd->erasesize; 230 + loff_t addr = (loff_t)ebnum * mtd->erasesize; 231 231 232 232 memset(writebuf, 0xff, subpgsize); 233 233 for (j = 0; j < mtd->erasesize / subpgsize; ++j) {