The casting on this overflow check is not done correctly, but fortunately checks in the callers should prevent this from affecting runtime.

The "len" variable is unsigned long while "*pos" and "requested_length" are signed long long. Imagine "len" was ULONG_MAX and "*pos" was 2. Then "ULONG_MAX + 2 = 1" which is an integer overflow so it will be caught. However if we cast "len" to a long long then it becomes "-1 + 2 = 1" which is not an integer overflow and will not be caught.

However "len" cannot actually be that high and the check for "*pos < 0" means that this cannot happen. Still it's worth cleaning up just as a hardening measure and so that it's not copied and pasted to other places.

Fixes: 6fadb021266d ("vfio/mlx5: Implement vfio_pci driver for mlx5 devices")
Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>

--- drivers/vfio/pci/mlx5/main.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/drivers/vfio/pci/mlx5/main.c b/drivers/vfio/pci/mlx5/main.c index a9b63d15c5d3..c65dca59caec 100644 --- a/drivers/vfio/pci/mlx5/main.c +++ b/drivers/vfio/pci/mlx5/main.c @@ -271,15 +271,15 @@ static ssize_t mlx5vf_resume_write(struct file *filp, const char __user *buf, size_t len, loff_t *pos) { struct mlx5_vf_migration_file *migf = filp->private_data; - loff_t requested_length; + unsigned long requested_length; ssize_t done = 0; if (pos) return -ESPIPE; pos = &filp->f_pos; - if (*pos < 0 || - check_add_overflow((loff_t)len, *pos, &requested_length)) + if (*pos < 0 || *pos > ULONG_MAX || + check_add_overflow(len, (unsigned long)*pos, &requested_length)) return -EINVAL; if (requested_length > MAX_MIGRATION_SIZE) -- 2.35.1
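Review bot: the new check_add_overflow() call mixes types, since "len" is declared size_t in the function signature while "requested_length" and the cast on "*pos" are unsigned long, so the three arguments only share a type on builds where size_t is unsigned long. Declaring "requested_length" as size_t, casting "*pos" to size_t and bounding it with SIZE_MAX would tie the check to the type of "len" itself, and the commit message could then describe "len" as size_t as well. The "*pos > ULONG_MAX" test is also a signed-versus-unsigned comparison that is only correct because "*pos < 0" is evaluated first; a one-line comment saying so would stop someone reordering the condition later.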