mtd: tests: fix integer overflow issues

These multiplications are done with 32-bit arithmetic, then converted to 64-bit. We should widen the integers first to prevent overflow. This could be a problem for large (>4GB) MTD's. Detected by Coverity. Signed-off-by: Brian Norris <computersforpeace@gmail.com> Cc: Akinobu Mita <akinobu.mita@gmail.com>

mtd: tests: fix integer overflow issues
These multiplications are done with 32-bit arithmetic, then converted to 64-bit. We should widen the integers first to prevent overflow. This could be a problem for large (>4GB) MTD's. Detected by Coverity. Signed-off-by: Brian Norris <computersforpeace@gmail.com> Cc: Akinobu Mita <akinobu.mita@gmail.com>
Brian Norris
1 parent 8c3f3f1d79
Showing 7 changed files with 22 additions and 22 deletions Side-by-side Diff
drivers/mtd/tests/mtd_test.c
drivers/mtd/tests/nandbiterrs.c
drivers/mtd/tests/oobtest.c
drivers/mtd/tests/pagetest.c
drivers/mtd/tests/readtest.c
drivers/mtd/tests/speedtest.c
drivers/mtd/tests/subpagetest.c
@@ -10,7 +10,7 @@
 {
 	int err;
 	struct erase_info ei;
-	loff_t addr = ebnum * mtd->erasesize;
+	loff_t addr = (loff_t)ebnum * mtd->erasesize;
  
 	memset(&ei, 0, sizeof(struct erase_info));
 	ei.mtd  = mtd;
@@ -33,7 +33,7 @@
 static int is_block_bad(struct mtd_info *mtd, unsigned int ebnum)
 {
 	int ret;
-	loff_t addr = ebnum * mtd->erasesize;
+	loff_t addr = (loff_t)ebnum * mtd->erasesize;
  
 	ret = mtd_block_isbad(mtd, addr);
 	if (ret)
@@ -364,7 +364,7 @@
  
 	pr_info("Device uses %d subpages of %d bytes\n", subcount, subsize);
  
-	offset     = page_offset * mtd->writesize;
+	offset     = (loff_t)page_offset * mtd->writesize;
 	eraseblock = mtd_div_by_eb(offset, mtd);
  
 	pr_info("Using page=%u, offset=%llu, eraseblock=%u\n",
@@ -120,7 +120,7 @@
 	int i;
 	struct mtd_oob_ops ops;
 	int err = 0;
-	loff_t addr = ebnum * mtd->erasesize;
+	loff_t addr = (loff_t)ebnum * mtd->erasesize;
  
 	prandom_bytes_state(&rnd_state, writebuf, use_len_max * pgcnt);
 	for (i = 0; i < pgcnt; ++i, addr += mtd->writesize) {
@@ -214,7 +214,7 @@
 {
 	struct mtd_oob_ops ops;
 	int err = 0;
-	loff_t addr = ebnum * mtd->erasesize;
+	loff_t addr = (loff_t)ebnum * mtd->erasesize;
 	size_t len = mtd->ecclayout->oobavail * pgcnt;
  
 	prandom_bytes_state(&rnd_state, writebuf, len);
@@ -568,7 +568,7 @@
 		size_t sz = mtd->ecclayout->oobavail;
 		if (bbt[i] || bbt[i + 1])
 			continue;
-		addr = (i + 1) * mtd->erasesize - mtd->writesize;
+		addr = (loff_t)(i + 1) * mtd->erasesize - mtd->writesize;
 		prandom_bytes_state(&rnd_state, writebuf, sz * cnt);
 		for (pg = 0; pg < cnt; ++pg) {
 			ops.mode      = MTD_OPS_AUTO_OOB;
@@ -598,7 +598,7 @@
 			continue;
 		prandom_bytes_state(&rnd_state, writebuf,
 					mtd->ecclayout->oobavail * 2);
-		addr = (i + 1) * mtd->erasesize - mtd->writesize;
+		addr = (loff_t)(i + 1) * mtd->erasesize - mtd->writesize;
 		ops.mode      = MTD_OPS_AUTO_OOB;
 		ops.len       = 0;
 		ops.retlen    = 0;
@@ -52,7 +52,7 @@
  
 static int write_eraseblock(int ebnum)
 {
-	loff_t addr = ebnum * mtd->erasesize;
+	loff_t addr = (loff_t)ebnum * mtd->erasesize;
  
 	prandom_bytes_state(&rnd_state, writebuf, mtd->erasesize);
 	cond_resched();
@@ -64,7 +64,7 @@
 	uint32_t j;
 	int err = 0, i;
 	loff_t addr0, addrn;
-	loff_t addr = ebnum * mtd->erasesize;
+	loff_t addr = (loff_t)ebnum * mtd->erasesize;
  
 	addr0 = 0;
 	for (i = 0; i < ebcnt && bbt[i]; ++i)
@@ -47,7 +47,7 @@
 static int read_eraseblock_by_page(int ebnum)
 {
 	int i, ret, err = 0;
-	loff_t addr = ebnum * mtd->erasesize;
+	loff_t addr = (loff_t)ebnum * mtd->erasesize;
 	void *buf = iobuf;
 	void *oobbuf = iobuf1;
  
@@ -55,7 +55,7 @@
 {
 	int err;
 	struct erase_info ei;
-	loff_t addr = ebnum * mtd->erasesize;
+	loff_t addr = (loff_t)ebnum * mtd->erasesize;
  
 	memset(&ei, 0, sizeof(struct erase_info));
 	ei.mtd  = mtd;
@@ -80,7 +80,7 @@
  
 static int write_eraseblock(int ebnum)
 {
-	loff_t addr = ebnum * mtd->erasesize;
+	loff_t addr = (loff_t)ebnum * mtd->erasesize;
  
 	return mtdtest_write(mtd, addr, mtd->erasesize, iobuf);
 }
@@ -88,7 +88,7 @@
 static int write_eraseblock_by_page(int ebnum)
 {
 	int i, err = 0;
-	loff_t addr = ebnum * mtd->erasesize;
+	loff_t addr = (loff_t)ebnum * mtd->erasesize;
 	void *buf = iobuf;
  
 	for (i = 0; i < pgcnt; i++) {
@@ -106,7 +106,7 @@
 {
 	size_t sz = pgsize * 2;
 	int i, n = pgcnt / 2, err = 0;
-	loff_t addr = ebnum * mtd->erasesize;
+	loff_t addr = (loff_t)ebnum * mtd->erasesize;
 	void *buf = iobuf;
  
 	for (i = 0; i < n; i++) {
@@ -124,7 +124,7 @@
  
 static int read_eraseblock(int ebnum)
 {
-	loff_t addr = ebnum * mtd->erasesize;
+	loff_t addr = (loff_t)ebnum * mtd->erasesize;
  
 	return mtdtest_read(mtd, addr, mtd->erasesize, iobuf);
 }
@@ -132,7 +132,7 @@
 static int read_eraseblock_by_page(int ebnum)
 {
 	int i, err = 0;
-	loff_t addr = ebnum * mtd->erasesize;
+	loff_t addr = (loff_t)ebnum * mtd->erasesize;
 	void *buf = iobuf;
  
 	for (i = 0; i < pgcnt; i++) {
@@ -150,7 +150,7 @@
 {
 	size_t sz = pgsize * 2;
 	int i, n = pgcnt / 2, err = 0;
-	loff_t addr = ebnum * mtd->erasesize;
+	loff_t addr = (loff_t)ebnum * mtd->erasesize;
 	void *buf = iobuf;
  
 	for (i = 0; i < n; i++) {
@@ -57,7 +57,7 @@
 {
 	size_t written;
 	int err = 0;
-	loff_t addr = ebnum * mtd->erasesize;
+	loff_t addr = (loff_t)ebnum * mtd->erasesize;
  
 	prandom_bytes_state(&rnd_state, writebuf, subpgsize);
 	err = mtd_write(mtd, addr, subpgsize, &written, writebuf);
@@ -92,7 +92,7 @@
 {
 	size_t written;
 	int err = 0, k;
-	loff_t addr = ebnum * mtd->erasesize;
+	loff_t addr = (loff_t)ebnum * mtd->erasesize;
  
 	for (k = 1; k < 33; ++k) {
 		if (addr + (subpgsize * k) > (ebnum + 1) * mtd->erasesize)
@@ -131,7 +131,7 @@
 {
 	size_t read;
 	int err = 0;
-	loff_t addr = ebnum * mtd->erasesize;
+	loff_t addr = (loff_t)ebnum * mtd->erasesize;
  
 	prandom_bytes_state(&rnd_state, writebuf, subpgsize);
 	clear_data(readbuf, subpgsize);
@@ -192,7 +192,7 @@
 {
 	size_t read;
 	int err = 0, k;
-	loff_t addr = ebnum * mtd->erasesize;
+	loff_t addr = (loff_t)ebnum * mtd->erasesize;
  
 	for (k = 1; k < 33; ++k) {
 		if (addr + (subpgsize * k) > (ebnum + 1) * mtd->erasesize)
@@ -227,7 +227,7 @@
 	uint32_t j;
 	size_t read;
 	int err = 0;
-	loff_t addr = ebnum * mtd->erasesize;
+	loff_t addr = (loff_t)ebnum * mtd->erasesize;
  
 	memset(writebuf, 0xff, subpgsize);
 	for (j = 0; j < mtd->erasesize / subpgsize; ++j) {
...	...	@@ -10,7 +10,7 @@
10	10	{
11	11	int err;
12	12	struct erase_info ei;
13		- loff_t addr = ebnum * mtd->erasesize;
	13	+ loff_t addr = (loff_t)ebnum * mtd->erasesize;
14	14
15	15	memset(&ei, 0, sizeof(struct erase_info));
16	16	ei.mtd = mtd;
...	...	@@ -33,7 +33,7 @@
33	33	static int is_block_bad(struct mtd_info *mtd, unsigned int ebnum)
34	34	{
35	35	int ret;
36		- loff_t addr = ebnum * mtd->erasesize;
	36	+ loff_t addr = (loff_t)ebnum * mtd->erasesize;
37	37
38	38	ret = mtd_block_isbad(mtd, addr);
39	39	if (ret)
...	...	@@ -364,7 +364,7 @@
364	364
365	365	pr_info("Device uses %d subpages of %d bytes\n", subcount, subsize);
366	366
367		- offset = page_offset * mtd->writesize;
	367	+ offset = (loff_t)page_offset * mtd->writesize;
368	368	eraseblock = mtd_div_by_eb(offset, mtd);
369	369
370	370	pr_info("Using page=%u, offset=%llu, eraseblock=%u\n",
...	...	@@ -120,7 +120,7 @@
120	120	int i;
121	121	struct mtd_oob_ops ops;
122	122	int err = 0;
123		- loff_t addr = ebnum * mtd->erasesize;
	123	+ loff_t addr = (loff_t)ebnum * mtd->erasesize;
124	124
125	125	prandom_bytes_state(&rnd_state, writebuf, use_len_max * pgcnt);
126	126	for (i = 0; i < pgcnt; ++i, addr += mtd->writesize) {
...	...	@@ -214,7 +214,7 @@
214	214	{
215	215	struct mtd_oob_ops ops;
216	216	int err = 0;
217		- loff_t addr = ebnum * mtd->erasesize;
	217	+ loff_t addr = (loff_t)ebnum * mtd->erasesize;
218	218	size_t len = mtd->ecclayout->oobavail * pgcnt;
219	219
220	220	prandom_bytes_state(&rnd_state, writebuf, len);
...	...	@@ -568,7 +568,7 @@
568	568	size_t sz = mtd->ecclayout->oobavail;
569	569	if (bbt[i] \|\| bbt[i + 1])
570	570	continue;
571		- addr = (i + 1) * mtd->erasesize - mtd->writesize;
	571	+ addr = (loff_t)(i + 1) * mtd->erasesize - mtd->writesize;
572	572	prandom_bytes_state(&rnd_state, writebuf, sz * cnt);
573	573	for (pg = 0; pg < cnt; ++pg) {
574	574	ops.mode = MTD_OPS_AUTO_OOB;
...	...	@@ -598,7 +598,7 @@
598	598	continue;
599	599	prandom_bytes_state(&rnd_state, writebuf,
600	600	mtd->ecclayout->oobavail * 2);
601		- addr = (i + 1) * mtd->erasesize - mtd->writesize;
	601	+ addr = (loff_t)(i + 1) * mtd->erasesize - mtd->writesize;
602	602	ops.mode = MTD_OPS_AUTO_OOB;
603	603	ops.len = 0;
604	604	ops.retlen = 0;
...	...	@@ -52,7 +52,7 @@
52	52
53	53	static int write_eraseblock(int ebnum)
54	54	{
55		- loff_t addr = ebnum * mtd->erasesize;
	55	+ loff_t addr = (loff_t)ebnum * mtd->erasesize;
56	56
57	57	prandom_bytes_state(&rnd_state, writebuf, mtd->erasesize);
58	58	cond_resched();
...	...	@@ -64,7 +64,7 @@
64	64	uint32_t j;
65	65	int err = 0, i;
66	66	loff_t addr0, addrn;
67		- loff_t addr = ebnum * mtd->erasesize;
	67	+ loff_t addr = (loff_t)ebnum * mtd->erasesize;
68	68
69	69	addr0 = 0;
70	70	for (i = 0; i < ebcnt && bbt[i]; ++i)
...	...	@@ -47,7 +47,7 @@
47	47	static int read_eraseblock_by_page(int ebnum)
48	48	{
49	49	int i, ret, err = 0;
50		- loff_t addr = ebnum * mtd->erasesize;
	50	+ loff_t addr = (loff_t)ebnum * mtd->erasesize;
51	51	void *buf = iobuf;
52	52	void *oobbuf = iobuf1;
53	53
...	...	@@ -55,7 +55,7 @@
55	55	{
56	56	int err;
57	57	struct erase_info ei;
58		- loff_t addr = ebnum * mtd->erasesize;
	58	+ loff_t addr = (loff_t)ebnum * mtd->erasesize;
59	59
60	60	memset(&ei, 0, sizeof(struct erase_info));
61	61	ei.mtd = mtd;
...	...	@@ -80,7 +80,7 @@
80	80
81	81	static int write_eraseblock(int ebnum)
82	82	{
83		- loff_t addr = ebnum * mtd->erasesize;
	83	+ loff_t addr = (loff_t)ebnum * mtd->erasesize;
84	84
85	85	return mtdtest_write(mtd, addr, mtd->erasesize, iobuf);
86	86	}
...	...	@@ -88,7 +88,7 @@
88	88	static int write_eraseblock_by_page(int ebnum)
89	89	{
90	90	int i, err = 0;
91		- loff_t addr = ebnum * mtd->erasesize;
	91	+ loff_t addr = (loff_t)ebnum * mtd->erasesize;
92	92	void *buf = iobuf;
93	93
94	94	for (i = 0; i < pgcnt; i++) {
...	...	@@ -106,7 +106,7 @@
106	106	{
107	107	size_t sz = pgsize * 2;
108	108	int i, n = pgcnt / 2, err = 0;
109		- loff_t addr = ebnum * mtd->erasesize;
	109	+ loff_t addr = (loff_t)ebnum * mtd->erasesize;
110	110	void *buf = iobuf;
111	111
112	112	for (i = 0; i < n; i++) {
...	...	@@ -124,7 +124,7 @@
124	124
125	125	static int read_eraseblock(int ebnum)
126	126	{
127		- loff_t addr = ebnum * mtd->erasesize;
	127	+ loff_t addr = (loff_t)ebnum * mtd->erasesize;
128	128
129	129	return mtdtest_read(mtd, addr, mtd->erasesize, iobuf);
130	130	}
...	...	@@ -132,7 +132,7 @@
132	132	static int read_eraseblock_by_page(int ebnum)
133	133	{
134	134	int i, err = 0;
135		- loff_t addr = ebnum * mtd->erasesize;
	135	+ loff_t addr = (loff_t)ebnum * mtd->erasesize;
136	136	void *buf = iobuf;
137	137
138	138	for (i = 0; i < pgcnt; i++) {
...	...	@@ -150,7 +150,7 @@
150	150	{
151	151	size_t sz = pgsize * 2;
152	152	int i, n = pgcnt / 2, err = 0;
153		- loff_t addr = ebnum * mtd->erasesize;
	153	+ loff_t addr = (loff_t)ebnum * mtd->erasesize;
154	154	void *buf = iobuf;
155	155
156	156	for (i = 0; i < n; i++) {
...	...	@@ -57,7 +57,7 @@
57	57	{
58	58	size_t written;
59	59	int err = 0;
60		- loff_t addr = ebnum * mtd->erasesize;
	60	+ loff_t addr = (loff_t)ebnum * mtd->erasesize;
61	61
62	62	prandom_bytes_state(&rnd_state, writebuf, subpgsize);
63	63	err = mtd_write(mtd, addr, subpgsize, &written, writebuf);
...	...	@@ -92,7 +92,7 @@
92	92	{
93	93	size_t written;
94	94	int err = 0, k;
95		- loff_t addr = ebnum * mtd->erasesize;
	95	+ loff_t addr = (loff_t)ebnum * mtd->erasesize;
96	96
97	97	for (k = 1; k < 33; ++k) {
98	98	if (addr + (subpgsize * k) > (ebnum + 1) * mtd->erasesize)
...	...	@@ -131,7 +131,7 @@
131	131	{
132	132	size_t read;
133	133	int err = 0;
134		- loff_t addr = ebnum * mtd->erasesize;
	134	+ loff_t addr = (loff_t)ebnum * mtd->erasesize;
135	135
136	136	prandom_bytes_state(&rnd_state, writebuf, subpgsize);
137	137	clear_data(readbuf, subpgsize);
...	...	@@ -192,7 +192,7 @@
192	192	{
193	193	size_t read;
194	194	int err = 0, k;
195		- loff_t addr = ebnum * mtd->erasesize;
	195	+ loff_t addr = (loff_t)ebnum * mtd->erasesize;
196	196
197	197	for (k = 1; k < 33; ++k) {
198	198	if (addr + (subpgsize * k) > (ebnum + 1) * mtd->erasesize)
...	...	@@ -227,7 +227,7 @@
227	227	uint32_t j;
228	228	size_t read;
229	229	int err = 0;
230		- loff_t addr = ebnum * mtd->erasesize;
	230	+ loff_t addr = (loff_t)ebnum * mtd->erasesize;
231	231
232	232	memset(writebuf, 0xff, subpgsize);
233	233	for (j = 0; j < mtd->erasesize / subpgsize; ++j) {