oss-sec mailing list archives

kernel: low-severity vfio driver integer overflow


From: Vlad Tsyrklevich <vlad () tsyrklevich net>
Date: Thu, 27 Oct 2016 00:41:28 +0200

The vfio driver allows direct user access to devices. The
VFIO_DEVICE_SET_IRQS ioctl for vfio PCI devices has a state machine
confusion bug where specifying VFIO_IRQ_SET_DATA_NONE along with
another bit in VFIO_IRQ_SET_DATA_TYPE_MASK in hdr.flags allows integer
overflow checks to be skipped for hdr.start/hdr.count. This might
allow memory corruption later in vfio_pci_set_msi_trigger() with user
access to an appropriate vfio device file, but it seems difficult to
usefully exploit in practice.

https://patchwork.kernel.org/patch/9373631/
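The validation pattern the post describes, as an added user-space model (this is example code, not the kernel's vfio code and not the linked patch): a flags word that is tested one bit at a time with `&` lets a request carry DATA_NONE together with a second data-type bit, and that combination takes the branch on which the start/count range check is never reached. The flag values, the header struct, the vector count and every function name below are assumptions made for the model; only the shape of the two checks matters.

```c
/* Added example, not code from the original post or the kernel: a user-space
 * model of the header validation pattern described above. The flag values,
 * the struct layout and every function name here are assumptions made for
 * the model; only the shape of the checks is the point. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed layout: one data-type bit and one action-type bit per request. */
#define DATA_NONE      (1u << 0)
#define DATA_BOOL      (1u << 1)
#define DATA_EVENTFD   (1u << 2)
#define DATA_TYPE_MASK (DATA_NONE | DATA_BOOL | DATA_EVENTFD)
#define ACTION_TRIGGER (1u << 3)
#define ACTION_MASK    (7u << 3)

struct irq_set_hdr {
    uint32_t argsz, flags, index, start, count;
};

/* Flawed pattern: each type bit is tested with '&' in turn. A header that
 * sets DATA_NONE together with another type bit takes the "no data" branch
 * and never reaches the start/count check; and on the branches that do
 * reach it, start + count is a 32-bit addition that can wrap. */
bool validate_flawed(const struct irq_set_hdr *h, uint32_t max_irqs)
{
    if (h->flags & ~(DATA_TYPE_MASK | ACTION_MASK))
        return false;
    if (!(h->flags & DATA_NONE)) {
        uint32_t size;
        if (h->flags & DATA_BOOL)
            size = sizeof(uint8_t);
        else if (h->flags & DATA_EVENTFD)
            size = sizeof(int32_t);
        else
            return false;
        (void)size; /* the model does not copy any payload */
        if (h->start >= max_irqs ||
            (uint32_t)(h->start + h->count) > max_irqs)
            return false;
    }
    return true;
}

/* Hardened pattern: decode the type by switching on the masked field so
 * that exactly one type bit is accepted, and apply the range check on every
 * path, written as a subtraction that cannot overflow. */
bool validate_fixed(const struct irq_set_hdr *h, uint32_t max_irqs)
{
    if (h->flags & ~(DATA_TYPE_MASK | ACTION_MASK))
        return false;
    switch (h->flags & DATA_TYPE_MASK) {
    case DATA_NONE:
    case DATA_BOOL:
    case DATA_EVENTFD:
        break;
    default: /* zero type bits, or more than one */
        return false;
    }
    if (h->start >= max_irqs || h->count > max_irqs - h->start)
        return false;
    return true;
}

/* Convenience wrappers that build a header from scalars. */
bool flawed_accepts(uint32_t flags, uint32_t start, uint32_t count, uint32_t max_irqs)
{
    struct irq_set_hdr h = { sizeof h, flags, 0, start, count };
    return validate_flawed(&h, max_irqs);
}

bool fixed_accepts(uint32_t flags, uint32_t start, uint32_t count, uint32_t max_irqs)
{
    struct irq_set_hdr h = { sizeof h, flags, 0, start, count };
    return validate_fixed(&h, max_irqs);
}

int main(void)
{
    const uint32_t max_irqs = 8; /* constructed device with 8 vectors */
    struct { const char *name; uint32_t flags, start, count; } cases[] = {
        { "sane EVENTFD request",      DATA_EVENTFD | ACTION_TRIGGER,             2,   4 },
        { "NONE|BOOL, start past end", DATA_NONE | DATA_BOOL | ACTION_TRIGGER,    100, 1 },
        { "BOOL, start+count wraps",   DATA_BOOL | ACTION_TRIGGER,                7,   UINT32_MAX },
        { "NONE only, count wraps",    DATA_NONE | ACTION_TRIGGER,                7,   UINT32_MAX },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-28s flawed=%d fixed=%d\n", cases[i].name,
               flawed_accepts(cases[i].flags, cases[i].start, cases[i].count, max_irqs),
               fixed_accepts(cases[i].flags, cases[i].start, cases[i].count, max_irqs));
    return 0;
}
```

Two things in the fixed version carry the whole lesson: the type field is decoded with a switch on the masked value, so "DATA_NONE plus something else" is rejected rather than silently treated as "no data", and the range check runs on every path and is written as `count > max - start`, which cannot wrap once `start < max` has been established.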