From 987db5228b13968193fcdf7942c2e721c311c7ae Mon Sep 17 00:00:00 2001
From: Paolo Bonzini <pbonzini@redhat.com>
Date: Wed, 22 Feb 2012 14:11:54 +0100
Subject: [PATCH 038/109] scsi: fix sign extension problems

RH-Author: Paolo Bonzini <pbonzini@redhat.com>
Message-id: <1329919979-20948-38-git-send-email-pbonzini@redhat.com>
Patchwork-id: 37516
O-Subject: [RHEL 6.3 qemu-kvm PATCH v2 037/102] scsi: fix sign extension problems
Bugzilla: 782029
RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
RH-Acked-by: Orit Wasserman <owasserm@redhat.com>
RH-Acked-by: Gerd Hoffmann <kraxel@redhat.com>

When assigning a 32-bit value to cmd->xfer (which is 64-bits)
it can be erroneously sign extended because the intermediate
32-bit computation is signed.  Fix this by always casting to
uint64_t first.

Upstream used ld*_be_p functions, which are not available to
common code in RHEL6 qemu.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from bd5da23265ba3bb11a9f0913e016e3c3a16abf8e)
---
 hw/scsi-bus.c |   10 ++++++----
 1 files changed, 6 insertions(+), 4 deletions(-)

Signed-off-by: Michal Novotny <minovotn@redhat.com>
---
 hw/scsi-bus.c |   10 ++++++----
 1 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/hw/scsi-bus.c b/hw/scsi-bus.c
index f4f92a8..1d374ba 100644
--- a/hw/scsi-bus.c
+++ b/hw/scsi-bus.c
@@ -582,7 +582,7 @@ static int scsi_req_length(SCSICommand *cmd, SCSIDevice *dev, uint8_t *buf)
 {
     switch (buf[0] >> 5) {
     case 0:
-        cmd->xfer = buf[4];
+        cmd->xfer = (uint64_t) buf[4];
         cmd->len = 6;
         /* length 0 means 256 blocks */
         if (cmd->xfer == 0) {
@@ -591,15 +591,17 @@ static int scsi_req_length(SCSICommand *cmd, SCSIDevice *dev, uint8_t *buf)
         break;
     case 1:
     case 2:
-        cmd->xfer = buf[8] | (buf[7] << 8);
+        cmd->xfer = (uint64_t) buf[8] | ((uint64_t) buf[7] << 8);
         cmd->len = 10;
         break;
     case 4:
-        cmd->xfer = buf[13] | (buf[12] << 8) | (buf[11] << 16) | (buf[10] << 24);
+        cmd->xfer = (uint64_t) buf[13] | ((uint64_t) buf[12] << 8) |
+		    ((uint64_t) buf[11] << 16) | ((uint64_t) buf[10] << 24);
         cmd->len = 16;
         break;
     case 5:
-        cmd->xfer = buf[9] | (buf[8] << 8) | (buf[7] << 16) | (buf[6] << 24);
+        cmd->xfer = (uint64_t) buf[9] | ((uint64_t) buf[8] << 8) |
+		    ((uint64_t) buf[7] << 16) | ((uint64_t) buf[6] << 24);
         cmd->len = 12;
         break;
     default:
-- 
1.7.7.6