Commit 9283b73

gcabiddu authored and awilliam committed
vfio/qat: fix overflow check in qat_vf_resume_write()
The unsigned variable `size_t len` is cast to the signed type `loff_t` when passed to the function check_add_overflow(). This function considers the type of the destination, which is of type loff_t (signed), potentially leading to an overflow. This issue is similar to the one described in the link below.

Remove the cast.

Note that even if check_add_overflow() is bypassed, by setting `len` to a value that is greater than LONG_MAX (which is considered as a negative value after the cast), the function copy_from_user(), invoked a few lines later, will not perform any copy and return `len` as (len > INT_MAX) causing qat_vf_resume_write() to fail with -EFAULT.

Fixes: bb20881 ("vfio/qat: Add vfio_pci driver for Intel QAT SR-IOV VF devices")
CC: [email protected] # 6.10+
Link: https://lore.kernel.org/all/[email protected]
Reported-by: Zijie Zhao <[email protected]>
Signed-off-by: Giovanni Cabiddu <[email protected]>
Reviewed-by: Xin Zeng <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Alex Williamson <[email protected]>
1 parent 12cd88a commit 9283b73
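
The difference between the cast and uncast check described in the commit message can be modeled in user space. This is an added example, not code from the kernel tree or from the patch: it assumes a 64-bit target built with GCC or Clang and stands in for check_add_overflow() with __builtin_add_overflow(). The function write_range_ok(), its cast_len flag and the 4096-byte state size are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption: LP64 target, so size_t and the offset type are both 64 bits. */
_Static_assert(sizeof(size_t) == 8, "example assumes 64-bit size_t");

/* User-space stand-in for the kernel's signed file offset type. */
typedef int64_t loff_t;

/* Stand-in for the kernel helper: true when a + b does not fit in *d. */
#define check_add_overflow(a, b, d) __builtin_add_overflow(a, b, d)

/*
 * Hypothetical model of the range check in the hunk. Returns true when
 * a write of len bytes at offs is accepted for a state_size-byte buffer.
 * cast_len selects the pre-fix form, (loff_t)len, or the fixed form, len.
 */
static bool write_range_ok(size_t len, loff_t offs, loff_t state_size,
                           bool cast_len)
{
    loff_t end;
    bool overflow;

    if (offs < 0)
        return false;
    if (cast_len)
        overflow = check_add_overflow((loff_t)len, offs, &end); /* before */
    else
        overflow = check_add_overflow(len, offs, &end);         /* after */
    if (overflow)
        return false;
    return end <= state_size;
}

int main(void)
{
    size_t huge = (size_t)-16; /* constructed: larger than LONG_MAX */

    printf("cast, huge len:    %d\n", write_range_ok(huge, 32, 4096, true));
    printf("no cast, huge len: %d\n", write_range_ok(huge, 32, 4096, false));
    printf("no cast, len=100:  %d\n", write_range_ok(100, 32, 4096, false));
    return 0;
}
```

With the cast, the constructed length becomes -16, the sum with offset 32 is a small positive value, and the range check accepts it; without the cast the helper sees the real magnitude and reports overflow.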

1 file changed

+1
-1
lines changed

drivers/vfio/pci/qat/main.c

Lines changed: 1 addition & 1 deletion
@@ -304,7 +304,7 @@ static ssize_t qat_vf_resume_write(struct file *filp, const char __user *buf,
304304
offs = &filp->f_pos;
305305

306306
if (*offs < 0 ||
307-
check_add_overflow((loff_t)len, *offs, &end))
307+
check_add_overflow(len, *offs, &end))
308308
return -EOVERFLOW;
309309

310310
if (end > mig_dev->state_size)
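
Review bot: the added call check_add_overflow(len, *offs, &end) is only correct because len is left as an unsigned size_t, and nothing at that line says so; a short comment above the condition stating that len must not be cast to loff_t would keep the cast from being reintroduced in a later cleanup. The order of the condition is right as it stands: *offs < 0 is rejected before the addition, so once the overflow check passes, end is a non-negative sum that is safe to compare with mig_dev->state_size on the following context line. Since the commit message says the same mistake was fixed elsewhere, a follow-up that searches other check_add_overflow() callers for a (loff_t) cast on a length argument would be worthwhile.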