| From: Li Zefan <lizefan@huawei.com> |
| Date: Tue, 12 Mar 2013 15:36:00 -0700 |
| Subject: cgroup: fix an off-by-one bug which may trigger BUG_ON() |
| |
| commit 3ac1707a13a3da9cfc8f242a15b2fae6df2c5f88 upstream. |
| |
| The 3rd parameter of flex_array_prealloc() is the number of elements, |
| not the index of the last element. |
| |
| The effect of the bug is, when opening cgroup.procs, a flex array will |
| be allocated and all elements of the array are allocated with |
| GFP_KERNEL flag, but the last one is GFP_ATOMIC, and if we fail to |
| allocate memory for it, it'll trigger a BUG_ON(). |
| |
| Signed-off-by: Li Zefan <lizefan@huawei.com> |
| Signed-off-by: Tejun Heo <tj@kernel.org> |
| Signed-off-by: Ben Hutchings <ben@decadent.org.uk> |
| --- |
| kernel/cgroup.c | 2 +- |
| 1 file changed, 1 insertion(+), 1 deletion(-) |
| |
| --- a/kernel/cgroup.c |
| +++ b/kernel/cgroup.c |
| @@ -2029,7 +2029,7 @@ int cgroup_attach_proc(struct cgroup *cg |
| if (!group) |
| return -ENOMEM; |
| /* pre-allocate to guarantee space while iterating in rcu read-side. */ |
| - retval = flex_array_prealloc(group, 0, group_size - 1, GFP_KERNEL); |
| + retval = flex_array_prealloc(group, 0, group_size, GFP_KERNEL); |
| if (retval) |
| goto out_free_group_list; |
| |
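Review bot: The comment above the flex_array_prealloc() call in cgroup_attach_proc() does not record that the third argument is an element count rather than a last index, which is the confusion this one-character change corrects. Consider extending that comment to say all group_size elements must be preallocated here. Per the changelog, an element left out is later allocated with GFP_ATOMIC, and a failure there triggers BUG_ON(), so a note at the call site would help keep "group_size - 1" from being reintroduced.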