timers/migration: Prevent out of bounds access on failure

SupremacistLevi · KAGA-KOKO · commit d7ad05c86e21 · 2024-05-08T11:19:43.000+02:00
When tmigr_setup_groups() fails the level 0 group allocation, then the cleanup derefences index -1 of the local stack array. Prevent this by checking the loop condition first. Fixes: 7ee9887 ("timers: Implement the hierarchical pull model") Signed-off-by: Levi Yun <ppbuk5246@gmail.com> Signed-off-by: Thomas Gleixner <tglx@linutronix.de> Reviewed-by: Anna-Maria Behnsen <anna-maria@linutronix.de> Link: https://lore.kernel.org/r/20240506041059.86877-1-ppbuk5246@gmail.com
diff --git a/kernel/time/timer_migration.c b/kernel/time/timer_migration.c
@@ -1596,7 +1596,7 @@ static int tmigr_setup_groups(unsigned int cpu, unsigned int node)
 
 	} while (i < tmigr_hierarchy_levels);
 
-	do {
+	while (i > 0) {
 		group = stack[--i];
 
 		if (err < 0) {
@@ -1645,7 +1645,7 @@ static int tmigr_setup_groups(unsigned int cpu, unsigned int node)
 				tmigr_connect_child_parent(child, group);
 			}
 		}
-	} while (i > 0);
+	}
 
 	kfree(stack);
 

Original file line number	Diff line number	Diff line change
`@@ -1596,7 +1596,7 @@ static int tmigr_setup_groups(unsigned int cpu, unsigned int node)`
`1596`	`1596`
`1597`	`1597`	`} while (i < tmigr_hierarchy_levels);`
`1598`	`1598`
`1599`		`- do {`
	`1599`	`+ while (i > 0) {`
`1600`	`1600`	`group = stack[--i];`
`1601`	`1601`
`1602`	`1602`	`if (err < 0) {`
`@@ -1645,7 +1645,7 @@ static int tmigr_setup_groups(unsigned int cpu, unsigned int node)`
`1645`	`1645`	`tmigr_connect_child_parent(child, group);`
`1646`	`1646`	`}`
`1647`	`1647`	`}`
`1648`		`- } while (i > 0);`
	`1648`	`+ }`
`1649`	`1649`
`1650`	`1650`	`kfree(stack);`
`1651`	`1651`