On 9/18/20 10:36 PM, Klaus Jensen wrote: > From: Klaus Jensen <[email protected]> > > The raw NLB field is a 16 bit value, so use le16_to_cpu instead of > le32_to_cpu and cast to uint32_t before incrementing the value to not > wrap around. > > Signed-off-by: Klaus Jensen <[email protected]>
Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
> ---
> hw/block/nvme.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/hw/block/nvme.c b/hw/block/nvme.c
> index 62db87460413..32267a3e4782 100644
> --- a/hw/block/nvme.c
> +++ b/hw/block/nvme.c
> @@ -645,7 +645,7 @@ static uint16_t nvme_write_zeroes(NvmeCtrl *n,
> NvmeRequest *req)
> NvmeRwCmd *rw = (NvmeRwCmd *)&req->cmd;
> NvmeNamespace *ns = req->ns;
> uint64_t slba = le64_to_cpu(rw->slba);
> - uint32_t nlb = le16_to_cpu(rw->nlb) + 1;
> + uint32_t nlb = (uint32_t)le16_to_cpu(rw->nlb) + 1;
> uint64_t offset = nvme_l2b(ns, slba);
> uint32_t count = nvme_l2b(ns, nlb);
> uint16_t status;
> @@ -669,7 +669,7 @@ static uint16_t nvme_rw(NvmeCtrl *n, NvmeRequest *req)
> {
> NvmeRwCmd *rw = (NvmeRwCmd *)&req->cmd;
> NvmeNamespace *ns = req->ns;
> - uint32_t nlb = le32_to_cpu(rw->nlb) + 1;
> + uint32_t nlb = (uint32_t)le16_to_cpu(rw->nlb) + 1;
> uint64_t slba = le64_to_cpu(rw->slba);
>
> uint64_t data_size = nvme_l2b(ns, nlb);
>
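Review bot: In nvme_write_zeroes, `uint32_t count = nvme_l2b(ns, nlb);` keeps the byte count in 32 bits, while nvme_rw stores the same kind of product in `uint64_t data_size`. nlb is taken from the guest-supplied command and can reach 65536, so whether the count fits depends on the namespace's LBA size, which this hunk does not show; if nvme_l2b returns a 64-bit value, the assignment would truncate silently for large block sizes. Consider `uint64_t count = nvme_l2b(ns, nlb);` with an explicit upper-bound check before the value is passed on, or a comment stating why 32 bits is sufficient. The function body continues outside the hunk, so a range check on slba and nlb may already exist there.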
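Review bot: The `(uint32_t)` cast in nvme_rw's `uint32_t nlb = (uint32_t)le16_to_cpu(rw->nlb) + 1;` is not what prevents a wrap. Assuming le16_to_cpu returns a 16-bit unsigned value, the `+ 1` is already evaluated in int after integer promotion, so 0xFFFF + 1 gives 0x10000 with or without the cast. The cast is harmless and makes the arithmetic unsigned, but the intent would be clearer from a comment on that line, for example `/* NLB is a zero-based 16-bit field; nlb is in the range 1..65536 */`. The same applies to the identical line in nvme_write_zeroes. nvme_rw continues past the end of the hunk.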
