vfio/pci: clean up a type in vfio_pci_ioctl_pci_hot_reset_groups()

Dan Carpenter · Alex Williamson · commit aab439ffa1ca · 2024-09-12T14:15:07.000-06:00
The "array_count" value comes from the copy_from_user() in vfio_pci_ioctl_pci_hot_reset(). If the user passes a value larger than INT_MAX then we'll pass a negative value to kcalloc() which triggers an allocation failure and a stack trace. It's better to make the type unsigned so that if (array_count > count) returns -EINVAL instead. Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org> Reviewed-by: Jason Gunthorpe <jgg@nvidia.com> Link: https://lore.kernel.org/r/262ada03-d848-4369-9c37-81edeeed2da2@stanley.mountain Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
diff --git a/drivers/vfio/pci/vfio_pci_core.c b/drivers/vfio/pci/vfio_pci_core.c
@@ -1323,7 +1323,7 @@ static int vfio_pci_ioctl_get_pci_hot_reset_info(
 
 static int
 vfio_pci_ioctl_pci_hot_reset_groups(struct vfio_pci_core_device *vdev,
-				    int array_count, bool slot,
+				    u32 array_count, bool slot,
 				    struct vfio_pci_hot_reset __user *arg)
 {
 	int32_t *group_fds;

Original file line number	Diff line number	Diff line change
`@@ -1323,7 +1323,7 @@ static int vfio_pci_ioctl_get_pci_hot_reset_info(`
`1323`	`1323`
`1324`	`1324`	`static int`
`1325`	`1325`	`vfio_pci_ioctl_pci_hot_reset_groups(struct vfio_pci_core_device *vdev,`
`1326`		`- int array_count, bool slot,`
	`1326`	`+ u32 array_count, bool slot,`
`1327`	`1327`	`struct vfio_pci_hot_reset __user *arg)`
`1328`	`1328`	`{`
`1329`	`1329`	`int32_t *group_fds;`