timers/migration: Prevent out of bounds access on failure
authorLevi Yun <ppbuk5246@gmail.com>
Mon, 6 May 2024 04:10:59 +0000 (05:10 +0100)
committerThomas Gleixner <tglx@linutronix.de>
Wed, 8 May 2024 09:19:43 +0000 (11:19 +0200)
When tmigr_setup_groups() fails the level 0 group allocation, then the
cleanup dereferences index -1 of the local stack array.

Prevent this by checking the loop condition first.

Fixes: 7ee988770326 ("timers: Implement the hierarchical pull model")
Signed-off-by: Levi Yun <ppbuk5246@gmail.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Anna-Maria Behnsen <anna-maria@linutronix.de>
Link: https://lore.kernel.org/r/20240506041059.86877-1-ppbuk5246@gmail.com
kernel/time/timer_migration.c

index ccba875d2234fe582264e7d802dcb62f4864e4f6..84413114db5c5b34e7b11ceaaeb1167a2ad04635 100644 (file)
@@ -1596,7 +1596,7 @@ static int tmigr_setup_groups(unsigned int cpu, unsigned int node)
 
        } while (i < tmigr_hierarchy_levels);
 
-       do {
+       while (i > 0) {
                group = stack[--i];
 
                if (err < 0) {
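Review bot: The new `while (i > 0) {` head has no comment saying why the unwind loop must be pre-tested, so a later cleanup could restore the `do { } while` form and bring back the `stack[--i]` underflow. I would add a comment above the loop, for example `/* i == 0 when the level 0 group setup failed: nothing to unwind, and stack[--i] would read before the array */`. Because `stack` is released with `kfree()` in the second hunk, it appears to be heap-allocated, so the old read at index -1 presumably fetched a pointer from memory in front of that allocation; what the `if (err < 0)` branch then does with it lies outside the hunk. The body of tmigr_setup_groups() begins before and ends after the visible lines, so the type and initial value of `i` should be confirmed there.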
@@ -1645,7 +1645,7 @@ static int tmigr_setup_groups(unsigned int cpu, unsigned int node)
                                tmigr_connect_child_parent(child, group);
                        }
                }
-       } while (i > 0);
+       }
 
        kfree(stack);