[thirdparty/kernel/stable-queue.git] / releases / 3.4.44 / cgroup-fix-an-off-by-one-bug-which-may-trigger-bug_on.patch
1 From 3ac1707a13a3da9cfc8f242a15b2fae6df2c5f88 Mon Sep 17 00:00:00 2001
2 From: Li Zefan <lizefan@huawei.com>
3 Date: Tue, 12 Mar 2013 15:36:00 -0700
4 Subject: cgroup: fix an off-by-one bug which may trigger BUG_ON()
5
6 From: Li Zefan <lizefan@huawei.com>
7
8 commit 3ac1707a13a3da9cfc8f242a15b2fae6df2c5f88 upstream.
9
10 The 3rd parameter of flex_array_prealloc() is the number of elements,
11 not the index of the last element.
12
13 The effect of the bug is, when opening cgroup.procs, a flex array will
14 be allocated and all elements of the array are allocated with
15 GFP_KERNEL flag, but the last one is GFP_ATOMIC, and if we fail to
16 allocate memory for it, it'll trigger a BUG_ON().
17
18 Signed-off-by: Li Zefan <lizefan@huawei.com>
19 Signed-off-by: Tejun Heo <tj@kernel.org>
20 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
21
22 ---
23 kernel/cgroup.c | 2 +-
24 1 file changed, 1 insertion(+), 1 deletion(-)
25
26 --- a/kernel/cgroup.c
27 +++ b/kernel/cgroup.c
28 @@ -2020,7 +2020,7 @@ static int cgroup_attach_proc(struct cgr
29 if (!group)
30 return -ENOMEM;
31 /* pre-allocate to guarantee space while iterating in rcu read-side. */
32 - retval = flex_array_prealloc(group, 0, group_size - 1, GFP_KERNEL);
33 + retval = flex_array_prealloc(group, 0, group_size, GFP_KERNEL);
34 if (retval)
35 goto out_free_group_list;
36
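Review bot: The comment above the flex_array_prealloc() call in cgroup_attach_proc() still does not say that the third argument is an element count, which is the exact misunderstanding behind the old `group_size - 1`. Consider extending it to say that all group_size slots must be preallocated with GFP_KERNEL here, because, per the commit message, any element left unallocated is later allocated with GFP_ATOMIC and a failure there hits BUG_ON(). It would also help if the commit message named the path that reaches this code: it says "opening cgroup.procs", while the hunk is in cgroup_attach_proc(), and that connection is not visible from the diff alone.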