mtd: fix possible integer overflow in erase_xfer()

[ Upstream commit 9358bdb9f9f54d94ceafc650deffefd737d19fdd ] The expression '1 << EraseUnitSize' is evaluated in int, which causes a negative result when shifting by 31 - the upper bound of the valid range [10, 31], enforced by scan_header(). This leads to incorrect extension when storing the result in 'erase->len' (uint64_t), producing a large unexpected value. Found by Linux Verification Center (linuxtesting.org) with Svace. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Ivan Stepchenko <sid@itb.spb.ru> Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com> Signed-off-by: Sasha Levin <sashal@kernel.org>
author: Ivan Stepchenko <sid@itb.spb.ru> 2025-06-19 17:53:13 +0300
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2025-08-28 16:24:09 +0200
commit: e86cc0b9812cc13b7b0a268352955b671098be65 (patch)
tree: 2f20c11e5b8a71ea9dab40f0e5b03f1966c69d6a /drivers/mtd
parent: 9745eecf5b6936389e9104a94299ab45266d3883 (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/drivers/mtd/ftl.c b/drivers/mtd/ftl.c
index f655d2905270..243d7faa128a 100644
--- a/drivers/mtd/ftl.c
+++ b/drivers/mtd/ftl.c
@@ -344,7 +344,7 @@ static int erase_xfer(partition_t *part,
             return -ENOMEM;
 
     erase->addr = xfer->Offset;
-    erase->len = 1 << part->header.EraseUnitSize;
+    erase->len = 1ULL << part->header.EraseUnitSize;
 
     ret = mtd_erase(part->mbd.mtd, erase);
     if (!ret) {
author	Ivan Stepchenko <sid@itb.spb.ru>	2025-06-19 17:53:13 +0300
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2025-08-28 16:24:09 +0200
commit	e86cc0b9812cc13b7b0a268352955b671098be65 (patch)
tree	2f20c11e5b8a71ea9dab40f0e5b03f1966c69d6a /drivers/mtd
parent	9745eecf5b6936389e9104a94299ab45266d3883 (diff)