libata: Avoid overflow in ata_tf_read_block() when tf->hba_lbal > 127
Roland Dreier [Tue, 4 Nov 2008 18:34:48 +0000 (10:34 -0800)]
Phillip O'Donnell <phillip.odonnell@gmail.com> pointed out that the same
sign extension bug that was fixed in commit ba14a9c2 ("libata: Avoid
overflow in ata_tf_to_lba48() when tf->hba_lbal > 127") also appears to
exist in ata_tf_read_block().  Fix this by adding a cast to u64.

Signed-off-by: Roland Dreier <rolandd@cisco.com>
Signed-off-by: Jeff Garzik <jgarzik@redhat.com>

drivers/ata/libata-core.c

index 0cd3ad4..4214bfb 100644 (file)
@@ -612,7 +612,7 @@ u64 ata_tf_read_block(struct ata_taskfile *tf, struct ata_device *dev)
                if (tf->flags & ATA_TFLAG_LBA48) {
                        block |= (u64)tf->hob_lbah << 40;
                        block |= (u64)tf->hob_lbam << 32;
-                       block |= tf->hob_lbal << 24;
+                       block |= (u64)tf->hob_lbal << 24;
                } else
                        block |= (tf->device & 0xf) << 24;