vfio/qat: fix f_pos race in qat_vf_resume_write()
authorGiovanni Cabiddu <giovanni.cabiddu@intel.com>
Mon, 8 Jun 2026 15:12:57 +0000 (16:12 +0100)
committerAlex Williamson <alex@shazbot.org>
Wed, 10 Jun 2026 20:33:05 +0000 (14:33 -0600)
qat_vf_resume_write() checks filp->f_pos before taking migf->lock, but
copies into the migration-state buffer after taking the lock and
re-reading the shared file position.

Two concurrent writers could therefore pass the bounds check with the
old offset, then have the second writer copy after the first advanced
f_pos, writing past the end of the migration-state buffer.

Take migf->lock before doing the boundary checks.

Fixes: bb208810b1ab ("vfio/qat: Add vfio_pci driver for Intel QAT SR-IOV VF devices")
Reviewed-by: Ahsan Atta <ahsan.atta@intel.com>
Signed-off-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
Link: https://lore.kernel.org/r/20260608151317.136613-1-giovanni.cabiddu@intel.com
Signed-off-by: Alex Williamson <alex@shazbot.org>
drivers/vfio/pci/qat/main.c

index ac9652539d66a1e7943bea363ec243e44f9b746b..60ff907b6a67ac0eb789e835a148e3f71e152510 100644 (file)
@@ -298,14 +298,18 @@ static ssize_t qat_vf_resume_write(struct file *filp, const char __user *buf,
                return -ESPIPE;
        offs = &filp->f_pos;
 
-       if (*offs < 0 ||
-           check_add_overflow(len, *offs, &end))
-               return -EOVERFLOW;
+       mutex_lock(&migf->lock);
 
-       if (end > mig_dev->state_size)
-               return -ENOMEM;
+       if (*offs < 0 || check_add_overflow(len, *offs, &end)) {
+               done = -EOVERFLOW;
+               goto out_unlock;
+       }
+
+       if (end > mig_dev->state_size) {
+               done = -ENOMEM;
+               goto out_unlock;
+       }
 
-       mutex_lock(&migf->lock);
        if (migf->disabled) {
                done = -ENODEV;
                goto out_unlock;
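Review bot: The position of the new `mutex_lock(&migf->lock);` relative to the `*offs` / `check_add_overflow()` checks is now load-bearing, but nothing in the code says so; a later cleanup that hoists the bounds checks back above the lock would silently reintroduce the race the commit fixes. A one-line comment above the lock would pin the invariant: `/* f_pos is shared between writers: check and advance it under migf->lock */`. The fix also relies on the later advance of `*offs` (outside this hunk) happening before `out_unlock`, which appears to be the case from the existing `done = ...; goto out_unlock;` pattern but cannot be confirmed here. qat_vf_resume_write() starts before and continues past the hunk.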