KVM: s390: check cpu_id prior to using it

commit 4d47555a80495657161a7e71ec3014ff2021e450 upstream.

We use the cpu id provided by userspace as array index here. Thus we
clearly need to check it first. Ooops.

Signed-off-by: Carsten Otte <cotte@de.ibm.com>
Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

1 files changed, 10 insertions, 4 deletions

diff --git a/arch/s390/kvm/kvm-s390.c b/arch/s390/kvm/kvm-s390.c
index 67345ae7ce8..2ada634fc7c 100644
--- a/arch/s390/kvm/kvm-s390.c
+++ b/arch/s390/kvm/kvm-s390.c
@@ -301,11 +301,17 @@ int kvm_arch_vcpu_setup(struct kvm_vcpu *vcpu)
 struct kvm_vcpu *kvm_arch_vcpu_create(struct kvm *kvm,
                                       unsigned int id)
 {
-        struct kvm_vcpu *vcpu = kzalloc(sizeof(struct kvm_vcpu), GFP_KERNEL);
-        int rc = -ENOMEM;
+        struct kvm_vcpu *vcpu;
+        int rc = -EINVAL;
+
+        if (id >= KVM_MAX_VCPUS)
+                goto out;
+
+        rc = -ENOMEM;
 
+        vcpu = kzalloc(sizeof(struct kvm_vcpu), GFP_KERNEL);
         if (!vcpu)
-                goto out_nomem;
+                goto out;
 
         vcpu->arch.sie_block = (struct kvm_s390_sie_block *)
                                         get_zeroed_page(GFP_KERNEL);
@@ -341,7 +347,7 @@ out_free_sie_block:
         free_page((unsigned long)(vcpu->arch.sie_block));
 out_free_cpu:
         kfree(vcpu);
-out_nomem:
+out:
         return ERR_PTR(rc);
 }