tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
1
fork

Configure Feed

Select the types of activity you want to include in your feed.

mtd: lpddr_cmds: fix signed shifts in lpddr_cmds

There are several places where a value of type 'int' is shifted by
lpddr->chipshift. lpddr->chipshift is derived from QINFO geometry and
might reach 31 when QINFO reports a 2 GiB size - the maximum supported by
LPDDR(1) compliant chips. This may cause unexpected sign-extensions when
casting the integer value to the type of 'unsigned long'.

Use '1UL << lpddr->chipshift' and cast 'j' to unsigned long before
shifting so the computation is performed at the destination width.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Fixes: c68264711ca6 ("[MTD] LPDDR Command set driver")
Signed-off-by: Ivan Stepchenko <sid@itb.spb.ru>
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>

authored by

Ivan Stepchenko and committed by
Miquel Raynal c909fec6 1cce5a5e

+4 -4
+4 -4
drivers/mtd/lpddr/lpddr_cmds.c
··· 79 79 mutex_init(&shared[i].lock); 80 80 for (j = 0; j < lpddr->qinfo->HWPartsNum; j++) { 81 81 *chip = lpddr->chips[i]; 82 - chip->start += j << lpddr->chipshift; 82 + chip->start += (unsigned long)j << lpddr->chipshift; 83 83 chip->oldstate = chip->state = FL_READY; 84 84 chip->priv = &shared[i]; 85 85 /* those should be reset too since ··· 559 559 break; 560 560 561 561 if ((len + ofs - 1) >> lpddr->chipshift) 562 - thislen = (1<<lpddr->chipshift) - ofs; 562 + thislen = (1UL << lpddr->chipshift) - ofs; 563 563 else 564 564 thislen = len; 565 565 /* get the chip */ ··· 575 575 len -= thislen; 576 576 577 577 ofs = 0; 578 - last_end += 1 << lpddr->chipshift; 578 + last_end += 1UL << lpddr->chipshift; 579 579 chipnum++; 580 580 chip = &lpddr->chips[chipnum]; 581 581 } ··· 601 601 break; 602 602 603 603 if ((len + ofs - 1) >> lpddr->chipshift) 604 - thislen = (1<<lpddr->chipshift) - ofs; 604 + thislen = (1UL << lpddr->chipshift) - ofs; 605 605 else 606 606 thislen = len; 607 607