From: Brian Norris Date: Sat, 28 Feb 2015 10:13:13 +0000 (-0800) Subject: mtd: nand_bbt: fix theoretical integer overflow in BBT write X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=f5cd2ae1e4ad23bc6527b4a667d3f27534730cc5;p=GitHub%2Fmoto-9609%2Fandroid_kernel_motorola_exynos9610.git mtd: nand_bbt: fix theoretical integer overflow in BBT write This statement was written with a cast-to-loff_t to be sure to have a full 64-bit mask. However, we don't account for the fact that '1 << this->bbt_erase_shift' might already overflow. This will not be a problem in practice, since eraseblocks should never be anywhere near 4GiB. But we can do this for completeness, and quiet Coverity in the meantime. CID #1226806. Signed-off-by: Brian Norris --- diff --git a/drivers/mtd/nand/nand_bbt.c b/drivers/mtd/nand/nand_bbt.c index 516db2c4524b..2c4fa1a17031 100644 --- a/drivers/mtd/nand/nand_bbt.c +++ b/drivers/mtd/nand/nand_bbt.c @@ -719,7 +719,7 @@ static int write_bbt(struct mtd_info *mtd, uint8_t *buf, /* Must we save the block contents? */ if (td->options & NAND_BBT_SAVECONTENT) { /* Make it block aligned */ - to &= ~((loff_t)((1 << this->bbt_erase_shift) - 1)); + to &= ~(((loff_t)1 << this->bbt_erase_shift) - 1); len = 1 << this->bbt_erase_shift; res = mtd_read(mtd, to, len, &retlen, buf); if (res < 0) {