
nand: fix address overflow

Message ID 1447161947-22542-1-git-send-email-rabin.vincent@axis.com
State New

Commit Message

Rabin Vincent Nov. 10, 2015, 1:25 p.m. UTC
The shifts of the address mask and value shift beyond 32 bits when there
are 5 address cycles.

Signed-off-by: Rabin Vincent <rabin.vincent@axis.com>
---
 hw/block/nand.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
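The commit message describes the failure only in one sentence, so here is a small C model of the address-cycle arithmetic in nand_setio(). It is an added example, not the patch and not QEMU's own code: the patched 64-bit form sits beside a model of the old 32-bit intermediates, and both are fed the same constructed five-cycle address (two column bytes, three row bytes, LSB first). MAX_ADDR_CYCLES, the helper names and the sample bytes are assumptions for illustration; the hunk itself shows no bound on addrlen.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example: models the address-cycle arithmetic of hw/block/nand.c
 * nand_setio(), not QEMU's code. One call = one address byte latched while
 * ALE is high; addrlen is the number of bytes already latched. */

#define MAX_ADDR_CYCLES 8   /* assumption: keeps shift < 64 in this model */

/* Patched arithmetic: 64-bit mask and value, so the 5th byte (shift 32)
 * lands in bits 32..39 of the address instead of being lost. */
static uint64_t addr_cycle_fixed(uint64_t addr, unsigned addrlen, uint8_t value)
{
    if (addrlen >= MAX_ADDR_CYCLES) {   /* assumption: defensive bound */
        return addr;
    }
    unsigned shift = addrlen * 8;
    uint64_t mask = ~(0xffull << shift);
    uint64_t v = (uint64_t)value << shift;
    return (addr & mask) | v;
}

/* Model of the pre-patch arithmetic. The original declared mask and v as
 * unsigned int; for shift >= 32 that shift is undefined behaviour in C, so
 * this is not a reproduction of any one compiler's output. The shift is
 * done in 64 bits and then truncated to 32 bits, which is exactly what the
 * 32-bit declarations did for every representable result: bits above bit 31
 * fall off, so the 5th address byte vanishes and the mask widens to
 * 0xffffffff, leaving the lower 32 bits untouched. */
static uint64_t addr_cycle_32bit_model(uint64_t addr, unsigned addrlen, uint8_t value)
{
    if (addrlen >= MAX_ADDR_CYCLES) {
        return addr;
    }
    unsigned shift = addrlen * 8;
    uint32_t mask = (uint32_t)~(0xffull << shift);      /* 0xffffffff for shift >= 32 */
    uint32_t v = (uint32_t)((uint64_t)value << shift);  /* 0 for shift >= 32 */
    return (addr & mask) | v;
}

typedef uint64_t (*cycle_fn)(uint64_t, unsigned, uint8_t);

/* Feed a whole address sequence through one of the two models. */
static uint64_t latch_address(cycle_fn fn, const uint8_t *bytes, unsigned n)
{
    uint64_t addr = 0;
    for (unsigned i = 0; i < n; i++) {
        addr = fn(addr, i, bytes[i]);
    }
    return addr;
}

/* Constructed 5-cycle address: column 0x1234 (2 cycles) then row 0x017856
 * (3 cycles), LSB first, as a large-page device with 5 address cycles sends. */
static const uint8_t sample_cycles[5] = { 0x34, 0x12, 0x56, 0x78, 0x01 };

uint64_t fixed_address(void)
{
    return latch_address(addr_cycle_fixed, sample_cycles, 5);
}

uint64_t model32_address(void)
{
    return latch_address(addr_cycle_32bit_model, sample_cycles, 5);
}

int main(void)
{
    printf("patched 64-bit : 0x%010llx\n", (unsigned long long)fixed_address());
    printf("32-bit model   : 0x%010llx\n", (unsigned long long)model32_address());
    return 0;
}
```

With the patched arithmetic the five bytes assemble to 0x0178561234; the 32-bit model stops at 0x78561234 because the fifth cycle contributes nothing. Because the pre-patch shift by 32 was undefined behaviour, a real build may show a different symptom than the model: on x86 a 32-bit shift instruction takes its count modulo 32, so a runtime `value << 32` behaves like `value << 0` and the fifth byte overwrites the low column byte rather than disappearing. Either way the address for a 5-cycle device is wrong, which is the point of the fix.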

Comments

Paolo Bonzini Nov. 10, 2015, 3:09 p.m. UTC | #1
On 10/11/2015 14:25, Rabin Vincent wrote:
> The shifts of the address mask and value shift beyond 32 bits when there
> are 5 address cycles.
> 
> Signed-off-by: Rabin Vincent <rabin.vincent@axis.com>
> ---
>  hw/block/nand.c |    4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/hw/block/nand.c b/hw/block/nand.c
> index 61d2cec..a68266f 100644
> --- a/hw/block/nand.c
> +++ b/hw/block/nand.c
> @@ -522,8 +522,8 @@ void nand_setio(DeviceState *dev, uint32_t value)
>  
>      if (s->ale) {
>          unsigned int shift = s->addrlen * 8;
> -        unsigned int mask = ~(0xff << shift);
> -        unsigned int v = value << shift;
> +        uint64_t mask = ~(0xffull << shift);
> +        uint64_t v = (uint64_t)value << shift;
>  
>          s->addr = (s->addr & mask) | v;
>          s->addrlen ++;
> 

Cc: qemu-trivial@nongnu.org
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Peter Crosthwaite Nov. 13, 2015, 4:23 a.m. UTC | #2
On Tue, Nov 10, 2015 at 7:09 AM, Paolo Bonzini <pbonzini@redhat.com> wrote:
>
>
> On 10/11/2015 14:25, Rabin Vincent wrote:
>> The shifts of the address mask and value shift beyond 32 bits when there
>> are 5 address cycles.
>>
>> Signed-off-by: Rabin Vincent <rabin.vincent@axis.com>
>> ---
>>  hw/block/nand.c |    4 ++--
>>  1 file changed, 2 insertions(+), 2 deletions(-)
>>
>> diff --git a/hw/block/nand.c b/hw/block/nand.c
>> index 61d2cec..a68266f 100644
>> --- a/hw/block/nand.c
>> +++ b/hw/block/nand.c
>> @@ -522,8 +522,8 @@ void nand_setio(DeviceState *dev, uint32_t value)
>>
>>      if (s->ale) {
>>          unsigned int shift = s->addrlen * 8;
>> -        unsigned int mask = ~(0xff << shift);
>> -        unsigned int v = value << shift;
>> +        uint64_t mask = ~(0xffull << shift);
>> +        uint64_t v = (uint64_t)value << shift;
>>
>>          s->addr = (s->addr & mask) | v;
>>          s->addrlen ++;
>>
>
> Cc: qemu-trivial@nongnu.org
> Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>

Reviewed-by: Peter Crosthwaite <crosthwaite.peter@gmail.com>

This is a bugfix, right? IIUC this would not have worked for accesses
to devices above column address 255 at all. Should this go to
stable/2.5?

Regards,
Peter

>
Paolo Bonzini Nov. 13, 2015, 9:32 a.m. UTC | #3
> > On 10/11/2015 14:25, Rabin Vincent wrote:
> >> The shifts of the address mask and value shift beyond 32 bits when there
> >> are 5 address cycles.
> >>
> >> Signed-off-by: Rabin Vincent <rabin.vincent@axis.com>
> >> ---
> >>  hw/block/nand.c |    4 ++--
> >>  1 file changed, 2 insertions(+), 2 deletions(-)
> >>
> >> diff --git a/hw/block/nand.c b/hw/block/nand.c
> >> index 61d2cec..a68266f 100644
> >> --- a/hw/block/nand.c
> >> +++ b/hw/block/nand.c
> >> @@ -522,8 +522,8 @@ void nand_setio(DeviceState *dev, uint32_t value)
> >>
> >>      if (s->ale) {
> >>          unsigned int shift = s->addrlen * 8;
> >> -        unsigned int mask = ~(0xff << shift);
> >> -        unsigned int v = value << shift;
> >> +        uint64_t mask = ~(0xffull << shift);
> >> +        uint64_t v = (uint64_t)value << shift;
> >>
> >>          s->addr = (s->addr & mask) | v;
> >>          s->addrlen ++;
> >>
> >
> > Cc: qemu-trivial@nongnu.org
> > Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
> 
> Reviewed-by: Peter Crosthwaite <crosthwaite.peter@gmail.com>
> 
> This is a bugfix right? IIUC This would not have worked for accesses
> to devices above column address 255 at all. Should this go to
> stable/2.5?

Yes, it should.  Michael, are you planning to send another pull
request during hard freeze?

Paolo
Kevin Wolf Nov. 13, 2015, 11:04 a.m. UTC | #4
On 13.11.2015 at 10:32, Paolo Bonzini wrote:
> > > On 10/11/2015 14:25, Rabin Vincent wrote:
> > >> The shifts of the address mask and value shift beyond 32 bits when there
> > >> are 5 address cycles.
> > >>
> > >> Signed-off-by: Rabin Vincent <rabin.vincent@axis.com>
> > >> ---
> > >>  hw/block/nand.c |    4 ++--
> > >>  1 file changed, 2 insertions(+), 2 deletions(-)
> > >>
> > >> diff --git a/hw/block/nand.c b/hw/block/nand.c
> > >> index 61d2cec..a68266f 100644
> > >> --- a/hw/block/nand.c
> > >> +++ b/hw/block/nand.c
> > >> @@ -522,8 +522,8 @@ void nand_setio(DeviceState *dev, uint32_t value)
> > >>
> > >>      if (s->ale) {
> > >>          unsigned int shift = s->addrlen * 8;
> > >> -        unsigned int mask = ~(0xff << shift);
> > >> -        unsigned int v = value << shift;
> > >> +        uint64_t mask = ~(0xffull << shift);
> > >> +        uint64_t v = (uint64_t)value << shift;
> > >>
> > >>          s->addr = (s->addr & mask) | v;
> > >>          s->addrlen ++;
> > >>
> > >
> > > Cc: qemu-trivial@nongnu.org
> > > Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
> > 
> > Reviewed-by: Peter Crosthwaite <crosthwaite.peter@gmail.com>
> > 
> > This is a bugfix right? IIUC This would not have worked for accesses
> > to devices above column address 255 at all. Should this go to
> > stable/2.5?
> 
> Yes, it should.  Michael, are you planning to send another pull
> request during hard freeze?

The block layer catch-all entry in MAINTAINERS says that it's mine, so
I'll just take it through my block tree.

Kevin

Patch

diff --git a/hw/block/nand.c b/hw/block/nand.c
index 61d2cec..a68266f 100644
--- a/hw/block/nand.c
+++ b/hw/block/nand.c
@@ -522,8 +522,8 @@  void nand_setio(DeviceState *dev, uint32_t value)
 
     if (s->ale) {
         unsigned int shift = s->addrlen * 8;
-        unsigned int mask = ~(0xff << shift);
-        unsigned int v = value << shift;
+        uint64_t mask = ~(0xffull << shift);
+        uint64_t v = (uint64_t)value << shift;
 
         s->addr = (s->addr & mask) | v;
         s->addrlen ++;
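Review bot: nothing in this hunk bounds s->addrlen before it becomes the shift count, so after eight address cycles `shift = s->addrlen * 8` is 64 and `0xffull << shift` is undefined behaviour again, only moved from the 32-bit to the 64-bit boundary; if the bound lives outside the hunk (where ALE is dropped or the command is latched) a sentence in the commit message saying so would spare the next reader the search, otherwise an early `if (s->addrlen >= 8) return;` before the shift would close it, since the address bytes come from the guest. The store at `s->addr = (s->addr & mask) | v;` also only keeps the 5th byte if s->addr is a 64-bit field, and its declaration is not visible here; stating that in the commit message would make the fix self-evidently complete.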