diff options
author | Jeremy Kerr <jk@ozlabs.org> | 2008-08-14 14:59:12 +1000 |
---|---|---|
committer | Jeremy Kerr <jk@ozlabs.org> | 2008-08-14 14:59:12 +1000 |
commit | 8d5636fbca202f61fdb808fc9e20c0142291d802 (patch) | |
tree | e6d9d9375f0f7894931749b687e66a19e5dffa84 | |
parent | d9dd421fd6ed17af55d27c8d93a9f561be0ff50f (diff) | |
download | linux-stable-8d5636fbca202f61fdb808fc9e20c0142291d802.tar.gz linux-stable-8d5636fbca202f61fdb808fc9e20c0142291d802.tar.bz2 linux-stable-8d5636fbca202f61fdb808fc9e20c0142291d802.zip |
powerpc/spufs: reference context while dropping state mutex in scheduler
Based on an original patch from Christoph Hellwig <hch@lst.de>.
Currently, there is a possible reference-after-free in the spusched
code - contexts may be freed after we have released their state_mutex
in spusched_tick and find_victim.
This change takes a reference to the context before releasing the
mutex, so that the context doesn't get destroyed.
Signed-off-by: Jeremy Kerr <jk@ozlabs.org>
-rw-r--r-- | arch/powerpc/platforms/cell/spufs/sched.c | 9 |
1 files changed, 8 insertions, 1 deletions
diff --git a/arch/powerpc/platforms/cell/spufs/sched.c b/arch/powerpc/platforms/cell/spufs/sched.c index 2deeeba7eccf..4b6b0c3a8c95 100644 --- a/arch/powerpc/platforms/cell/spufs/sched.c +++ b/arch/powerpc/platforms/cell/spufs/sched.c @@ -641,8 +641,10 @@ static struct spu *find_victim(struct spu_context *ctx) if (tmp && tmp->prio > ctx->prio && !(tmp->flags & SPU_CREATE_NOSCHED) && - (!victim || tmp->prio > victim->prio)) + (!victim || tmp->prio > victim->prio)) { victim = spu->ctx; + get_spu_context(victim); + } } mutex_unlock(&cbe_spu_info[node].list_mutex); @@ -658,6 +660,7 @@ static struct spu *find_victim(struct spu_context *ctx) * look at another context or give up after X retries. */ if (!mutex_trylock(&victim->state_mutex)) { + put_spu_context(victim); victim = NULL; goto restart; } @@ -670,6 +673,7 @@ static struct spu *find_victim(struct spu_context *ctx) * restart the search. */ mutex_unlock(&victim->state_mutex); + put_spu_context(victim); victim = NULL; goto restart; } @@ -687,6 +691,7 @@ static struct spu *find_victim(struct spu_context *ctx) spu_add_to_rq(victim); mutex_unlock(&victim->state_mutex); + put_spu_context(victim); return spu; } @@ -985,9 +990,11 @@ static int spusched_thread(void *unused) struct spu_context *ctx = spu->ctx; if (ctx) { + get_spu_context(ctx); mutex_unlock(mtx); spusched_tick(ctx); mutex_lock(mtx); + put_spu_context(ctx); } } mutex_unlock(mtx); |