Commit d7ad05c8 authored by Levi Yun, committed by Thomas Gleixner

timers/migration: Prevent out of bounds access on failure



When tmigr_setup_groups() fails the level 0 group allocation, then the
cleanup dereferences index -1 of the local stack array.

Prevent this by checking the loop condition first.

Fixes: 7ee98877 ("timers: Implement the hierarchical pull model")
Signed-off-by: Levi Yun <ppbuk5246@gmail.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Anna-Maria Behnsen <anna-maria@linutronix.de>
Link: https://lore.kernel.org/r/20240506041059.86877-1-ppbuk5246@gmail.com
parent dd5a440a
+2 −2
@@ -1596,7 +1596,7 @@ static int tmigr_setup_groups(unsigned int cpu, unsigned int node)

	} while (i < tmigr_hierarchy_levels);

	do {
	while (i > 0) {
		group = stack[--i];

		if (err < 0) {
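Review bot: The new `while (i > 0)` guard in front of `group = stack[--i];` carries no comment saying when `i` can be 0 on entry, so the reason for testing before the first decrement lives only in the commit message. A one-line comment above the loop noting that `i` is still 0 when the level 0 group allocation fails, and that `stack[--i]` would then index below the array, would keep a later cleanup from turning this back into a do/while.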
@@ -1645,7 +1645,7 @@ static int tmigr_setup_groups(unsigned int cpu, unsigned int node)
				tmigr_connect_child_parent(child, group);
			}
		}
	} while (i > 0);
	}

	kfree(stack);
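Review bot: With the loop closed by a plain `}` it can now run zero times, so on that path `group` is never reassigned from `stack[--i]` and none of the body, including `tmigr_connect_child_parent(child, group);`, executes. Please confirm that nothing after `kfree(stack);` reads `group` or otherwise assumes at least one pass through the loop, and that `err` from the failed allocation is still what the function returns in that case.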