Merge tag 'kvm-s390-master-4.15-2' of git://git.kernel.org/pub/scm/linux/kernel/git/kvms390/linux

KVM: s390: fixes for cmma migration

Two fixes for potential bitmap overruns in the cmma migration
code.

2 files changed, 6 insertions, 5 deletions

diff --git a/arch/s390/kvm/kvm-s390.c b/arch/s390/kvm/kvm-s390.c
index ec8b68e97d3c..2c93cbbcd15e 100644
--- a/arch/s390/kvm/kvm-s390.c
+++ b/arch/s390/kvm/kvm-s390.c
@@ -792,11 +792,12 @@ static int kvm_s390_vm_start_migration(struct kvm *kvm)
 
         if (kvm->arch.use_cmma) {
                 /*
-                 * Get the last slot. They should be sorted by base_gfn, so the
-                 * last slot is also the one at the end of the address space.
-                 * We have verified above that at least one slot is present.
+                 * Get the first slot. They are reverse sorted by base_gfn, so
+                 * the first slot is also the one at the end of the address
+                 * space. We have verified above that at least one slot is
+                 * present.
                  */
-                ms = slots->memslots + slots->used_slots - 1;
+                ms = slots->memslots;
                 /* round up so we only use full longs */
                 ram_pages = roundup(ms->base_gfn + ms->npages, BITS_PER_LONG);
                 /* allocate enough bytes to store all the bits */
diff --git a/arch/s390/kvm/priv.c b/arch/s390/kvm/priv.c
index 572496c688cc..0714bfa56da0 100644
--- a/arch/s390/kvm/priv.c
+++ b/arch/s390/kvm/priv.c
@@ -1006,7 +1006,7 @@ static inline int do_essa(struct kvm_vcpu *vcpu, const int orc)
                 cbrlo[entries] = gfn << PAGE_SHIFT;
         }
 
-        if (orc) {
+        if (orc && gfn < ms->bitmap_size) {
                 /* increment only if we are really flipping the bit to 1 */
                 if (!test_and_set_bit(gfn, ms->pgste_bitmap))
                         atomic64_inc(&ms->dirty_pages);