On Tue, Jul 05, 2022 at 12:05:28PM +0300, Dan Carpenter wrote:
> The casting on this makes the integer overflow check slightly wrong.
> "len" is an unsigned long. "*pos" and "requested_length" are signed
> long longs. Imagine "len" is ULONG_MAX and "*pos" is 2.
> "ULONG_MAX + 2 = 1".

I wonder if this can happen; len is a kernel-controlled value bounded by a memory allocation.

> Fixes: b0eed085903e ("hisi_acc_vfio_pci: Add support for VFIO live migration")
> Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
> ---

This code was copied and pasted from drivers/vfio/pci/mlx5/main.c, so it should be fixed too.

> It is strange that we are doing:
>
> pos = &filp->f_pos;
>
> instead of using the passed in value of pos.

IIRC the way we have the struct file configured the pos argument is NULL.

Jason
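An added illustration of the cast problem Dan describes above; this is not the driver's code or the patch, and it assumes the check is built on __builtin_add_overflow (the primitive behind the kernel's check_add_overflow()), that the types are as stated in the thread (unsigned long "len", signed long long "*pos" and "requested_length"), and an LP64 target where both are 64 bits wide.

```c
/* Constructed example, not kernel code: why casting an unsigned long
 * length to the signed 64-bit offset type defeats an overflow check.
 * Assumes LP64 (unsigned long and long long both 64 bits) and a GCC/Clang
 * compiler providing __builtin_add_overflow. */
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

struct range_check {
    bool rejected;             /* true when the range must be refused */
    long long requested_length; /* stands in for the driver's loff_t value */
};

/* Check with the cast: (long long)ULONG_MAX is -1, so -1 + 2 = 1 with no
 * overflow, and a length that cannot fit a signed offset is accepted. */
static struct range_check check_with_cast(unsigned long len, long long pos)
{
    struct range_check rc = { false, 0 };
    rc.rejected = pos < 0 ||
                  __builtin_add_overflow((long long)len, pos, &rc.requested_length);
    return rc;
}

/* Check without the cast: __builtin_add_overflow evaluates the sum of its
 * operands at infinite precision and reports whether it fits the result
 * type, so ULONG_MAX + 2 is correctly rejected. */
static struct range_check check_without_cast(unsigned long len, long long pos)
{
    struct range_check rc = { false, 0 };
    rc.rejected = pos < 0 ||
                  __builtin_add_overflow(len, pos, &rc.requested_length);
    return rc;
}

int main(void)
{
    struct range_check a = check_with_cast(ULONG_MAX, 2);
    struct range_check b = check_without_cast(ULONG_MAX, 2);
    printf("with cast:    rejected=%d requested_length=%lld\n", a.rejected, a.requested_length);
    printf("without cast: rejected=%d requested_length=%lld\n", b.rejected, b.requested_length);
    return 0;
}
```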