[RFC] spi: Prevent unexpected SPI time out due to arithmetic overflow

Commit Message

Sien Wu Aug. 29, 2016, 2:02 p.m. UTC

When reading SPI flash as MTD device, the transfer length is
directly passed to the spi driver. If the requested data size
exceeds 512KB, it will cause the time out calculation to
overflow since transfer length is 32-bit unsigned integer.
This issue is resolved by using 64-bit unsigned integer
to perform the arithmetic.

Signed-off-by: Sien Wu <sien.wu@ni.com>
Acked-by: Brad Keryan <brad.keryan@ni.com>
Acked-by: Gratian Crisan <gratian.crisan@ni.com>
Acked-by: Brad Mouring <brad.mouring@ni.com>

Natinst-ReviewBoard-ID 150232
---
 drivers/spi/spi.c |   11 ++++++++---
 1 files changed, 8 insertions(+), 3 deletions(-)

Comments

Mark Brown Sept. 1, 2016, 7:57 p.m. UTC | #1

On Mon, Aug 29, 2016 at 09:02:47AM -0500, Sien Wu wrote:
> When reading SPI flash as MTD device, the transfer length is
> directly passed to the spi driver. If the requested data size
> exceeds 512KB, it will cause the time out calculation to

This doesn't apply against current code, please check and resend.

Patch

diff --git a/drivers/spi/spi.c b/drivers/spi/spi.c
index 029dbd3..a186a62 100644
--- a/drivers/spi/spi.c
+++ b/drivers/spi/spi.c
@@ -678,7 +678,7 @@  static int spi_transfer_one_message(struct spi_master *master,
 	struct spi_transfer *xfer;
 	bool keep_cs = false;
 	int ret = 0;
-	unsigned long ms = 1;
+	unsigned long long ms = 1;
 
 	spi_set_cs(msg->spi, true);
 
@@ -697,11 +697,16 @@  static int spi_transfer_one_message(struct spi_master *master,
 
 			if (ret > 0) {
 				ret = 0;
-				ms = xfer->len * 8 * 1000 / xfer->speed_hz;
+
+				ms = 8LL * 1000LL * xfer->len;
+				do_div(ms, xfer->speed_hz);
 				ms += ms + 100; /* some tolerance */
 
+				if (ms > UINT_MAX)
+					ms = UINT_MAX;
+
 				ms = wait_for_completion_timeout(&master->xfer_completion,
-								 msecs_to_jiffies(ms));
+							msecs_to_jiffies(ms));
 			}
 
 			if (ms == 0) {