1 files changed, 9 insertions, 3 deletions

diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
index 1f888a103f78..585845203db8 100644
--- a/virt/kvm/kvm_main.c
+++ b/virt/kvm/kvm_main.c
@@ -1227,9 +1227,9 @@ int kvm_clear_dirty_log_protect(struct kvm *kvm,
 {
         struct kvm_memslots *slots;
         struct kvm_memory_slot *memslot;
-        int as_id, id, n;
+        int as_id, id;
         gfn_t offset;
-        unsigned long i;
+        unsigned long i, n;
         unsigned long *dirty_bitmap;
         unsigned long *dirty_bitmap_buffer;
 
@@ -1249,6 +1249,11 @@ int kvm_clear_dirty_log_protect(struct kvm *kvm,
                 return -ENOENT;
 
         n = kvm_dirty_bitmap_bytes(memslot);
+
+        if (log->first_page > memslot->npages ||
+            log->num_pages > memslot->npages - log->first_page)
+                        return -EINVAL;
+
         *flush = false;
         dirty_bitmap_buffer = kvm_second_dirty_bitmap(memslot);
         if (copy_from_user(dirty_bitmap_buffer, log->dirty_bitmap, n))
@@ -2995,8 +3000,10 @@ static int kvm_ioctl_create_device(struct kvm *kvm,
         if (ops->init)
                 ops->init(dev);
 
+        kvm_get_kvm(kvm);
         ret = anon_inode_getfd(ops->name, &kvm_device_fops, dev, O_RDWR | O_CLOEXEC);
         if (ret < 0) {
+                kvm_put_kvm(kvm);
                 mutex_lock(&kvm->lock);
                 list_del(&dev->vm_node);
                 mutex_unlock(&kvm->lock);
@@ -3004,7 +3011,6 @@ static int kvm_ioctl_create_device(struct kvm *kvm,
                 return ret;
         }
 
-        kvm_get_kvm(kvm);
         cd->fd = ret;
         return 0;
 }