-rw-r--r-- | drivers/lguest/lguest_user.c | 11 |
1 files changed, 9 insertions, 2 deletions
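--- a/drivers/lguest/lguest_user.c
+++ b/drivers/lguest/lguest_user.c
@@ -227,14 +227,21 @@ static ssize_t write(struct file *file, const char __user *in,
 struct lguest *lg = file->private_data;
 const unsigned long __user *input = (const unsigned long __user *)in;
 unsigned long req;
+struct lg_cpu *cpu;
+unsigned int cpu_id = *off;
 
 if (get_user(req, input) != 0)
 return -EFAULT;
 input++;
 
 /* If you haven't initialized, you must do that first. */
-if (req != LHREQ_INITIALIZE && !lg)
-return -EINVAL;
+if (req != LHREQ_INITIALIZE) {
+if (!lg || (cpu_id >= lg->nr_cpus))
+return -EINVAL;
+cpu = &lg->cpus[cpu_id];
+if (!cpu)
+return -EINVAL;
+}
 
 /* Once the Guest is dead, all you can do is read() why it died. */
 if (lg && lg->dead)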
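Review bot: The `if (!cpu)` test at new line 242 can never fire, because `cpu` is the address of an element of `lg->cpus` and `lg` has already been checked for NULL, so the only effective validation of the caller-supplied index is the `cpu_id >= lg->nr_cpus` bound on the line before it. I would drop the dead check, or, if the intent was to reject a vcpu slot that has not been set up yet, test a field of `*cpu` that records that (which field is not visible from this hunk). Separately, `unsigned int cpu_id = *off;` narrows the file offset (presumably a `loff_t`; the parameter list is cut off in the hunk header), so offsets that differ only above 32 bits alias to the same vcpu; bounding the offset before narrowing, e.g. `if (!lg || *off < 0 || *off >= lg->nr_cpus)`, would reject them. `cpu` also stays unset on the `LHREQ_INITIALIZE` path, so any use of it after this block, which lies outside the hunk, has to be confined to the other requests.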