nvme: Fix potential sign extension issue in nvme_blk_rw()

"lbas" with type "u16" (16 bits, unsigned) is promoted in "lbas << ns->lba_shift" to type "int" (32 bits, signed), then sign-extended to type "unsigned long long" (64 bits, unsigned). If "lbas << ns->lba_shift" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1. Fix it by casting "lbas" to "u32". Reported-by: Coverity (CID: 166730) Signed-off-by: N Bin Meng <bmeng.cn@gmail.com> Reviewed-by: N Tom Rini <trini@konsulko.com>

nvme: Fix potential sign extension issue in nvme_blk_rw()
"lbas" with type "u16" (16 bits, unsigned) is promoted in "lbas << ns->lba_shift" to type "int" (32 bits, signed), then sign-extended to type "unsigned long long" (64 bits, unsigned). If "lbas << ns->lba_shift" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1. Fix it by casting "lbas" to "u32". Reported-by: Coverity (CID: 166730) Signed-off-by: N Bin Meng <bmeng.cn@gmail.com> Reviewed-by: N Tom Rini <trini@konsulko.com>
52a5690e · Bin Meng · Tom Rini · 37d46870 · 52a5690e
隐藏空白更改
内联并排

Showing with 1 addition and 1 deletion

drivers/nvme/nvme.c drivers/nvme/nvme.c +1 -1

未找到文件。
--- a/drivers/nvme/nvme.c
+++ b/drivers/nvme/nvme.c
@@ -723,7 +723,7 @@ static ulong nvme_blk_rw(struct udevice *udev, lbaint_t blknr,
 				&c, NULL, IO_TIMEOUT);
 		if (status)
 			break;
-		temp_len -= lbas << ns->lba_shift;
+		temp_len -= (u32)lbas << ns->lba_shift;
 		buffer += lbas << ns->lba_shift;
 	}