sfc: Correct validation of peer_page_count in efx_vfdi_set_status_page()

efx_vfdi_set_status_page() validates the peer page count by
calculating the size of a request containing that many addresses and
comparing that with the maximum valid request size (4KB).  The
calculation involves a multiplication that may overflow on a 32-bit
system.

We use kcalloc() to allocate memory to store the addresses; that also
does a multiplication and it does check for integer overflow, so any
values larger than 0x1fffffff will be rejected.  However, values in
the range [0x1fffffffc, 0x1fffffff] pass boh tests and result in an
attempt to allocate nearly 4GB on the heap.  This should be rejected
rather quickly as it's obviously impossible on a 32-bit system, and
indeed the maximum possible heap allocation is 32MB.  Still, let's
make absolutely sure by fixing the initial validation.
Signed-off-by: Ben Hutchings <bhutchings@solarflare.com>

drivers/net/ethernet/sfc/siena_sriov.c

@@ -796,12 +796,13 @@ static int efx_vfdi_set_status_page(struct efx_vf *vf)
 {
 	struct efx_nic *efx = vf->efx;
 	struct vfdi_req *req = vf->buf.addr;
-	unsigned int page_count;
+	u64 page_count = req->u.set_status_page.peer_page_count;
+	u64 max_page_count =
+		(EFX_PAGE_SIZE -
+		 offsetof(struct vfdi_req, u.set_status_page.peer_page_addr[0]))
+		/ sizeof(req->u.set_status_page.peer_page_addr[0]);
 
-	page_count = req->u.set_status_page.peer_page_count;
-	if (!req->u.set_status_page.dma_addr || EFX_PAGE_SIZE <
-	    offsetof(struct vfdi_req,
-		     u.set_status_page.peer_page_addr[page_count])) {
+	if (!req->u.set_status_page.dma_addr || page_count > max_page_count) {
 		if (net_ratelimit())
 			netif_err(efx, hw, efx->net_dev,
 				  "ERROR: Invalid SET_STATUS_PAGE from %s\n",