diff options
author | Ingo Molnar <mingo@elte.hu> | 2008-11-18 09:23:08 -0500 |
---|---|---|
committer | Ingo Molnar <mingo@elte.hu> | 2008-11-18 09:34:36 -0500 |
commit | 10db4ef7b9a65b86e4d047671a1886f4c101a859 (patch) | |
tree | 2d47105e6cf1e88c5a83def331c5d6302578e607 | |
parent | 93ce99e849433ede4ce8b410b749dc0cad1100b2 (diff) |
x86, PEBS/DS: fix code flow in ds_request()
this compiler warning:
arch/x86/kernel/ds.c: In function 'ds_request':
arch/x86/kernel/ds.c:368: warning: 'context' may be used uninitialized in this function
Shows that the code flow in ds_request() is buggy - it goes into
the unlock+release-context path even when the context is not allocated
yet.
First allocate the context, then do the other checks.
Also, take care with GFP allocations under the ds_lock spinlock.
Cc: <stable@kernel.org>
Signed-off-by: Ingo Molnar <mingo@elte.hu>
-rw-r--r-- | arch/x86/kernel/ds.c | 26 |
1 files changed, 21 insertions, 5 deletions
diff --git a/arch/x86/kernel/ds.c b/arch/x86/kernel/ds.c index ac1d5b0586ba..d1a121443bde 100644 --- a/arch/x86/kernel/ds.c +++ b/arch/x86/kernel/ds.c | |||
@@ -236,17 +236,33 @@ static inline struct ds_context *ds_alloc_context(struct task_struct *task) | |||
236 | struct ds_context *context = *p_context; | 236 | struct ds_context *context = *p_context; |
237 | 237 | ||
238 | if (!context) { | 238 | if (!context) { |
239 | spin_unlock(&ds_lock); | ||
240 | |||
239 | context = kzalloc(sizeof(*context), GFP_KERNEL); | 241 | context = kzalloc(sizeof(*context), GFP_KERNEL); |
240 | 242 | ||
241 | if (!context) | 243 | if (!context) { |
244 | spin_lock(&ds_lock); | ||
242 | return NULL; | 245 | return NULL; |
246 | } | ||
243 | 247 | ||
244 | context->ds = kzalloc(ds_cfg.sizeof_ds, GFP_KERNEL); | 248 | context->ds = kzalloc(ds_cfg.sizeof_ds, GFP_KERNEL); |
245 | if (!context->ds) { | 249 | if (!context->ds) { |
246 | kfree(context); | 250 | kfree(context); |
251 | spin_lock(&ds_lock); | ||
247 | return NULL; | 252 | return NULL; |
248 | } | 253 | } |
249 | 254 | ||
255 | spin_lock(&ds_lock); | ||
256 | /* | ||
257 | * Check for race - another CPU could have allocated | ||
258 | * it meanwhile: | ||
259 | */ | ||
260 | if (*p_context) { | ||
261 | kfree(context->ds); | ||
262 | kfree(context); | ||
263 | return *p_context; | ||
264 | } | ||
265 | |||
250 | *p_context = context; | 266 | *p_context = context; |
251 | 267 | ||
252 | context->this = p_context; | 268 | context->this = p_context; |
@@ -384,15 +400,15 @@ static int ds_request(struct task_struct *task, void *base, size_t size, | |||
384 | 400 | ||
385 | spin_lock(&ds_lock); | 401 | spin_lock(&ds_lock); |
386 | 402 | ||
387 | error = -EPERM; | ||
388 | if (!check_tracer(task)) | ||
389 | goto out_unlock; | ||
390 | |||
391 | error = -ENOMEM; | 403 | error = -ENOMEM; |
392 | context = ds_alloc_context(task); | 404 | context = ds_alloc_context(task); |
393 | if (!context) | 405 | if (!context) |
394 | goto out_unlock; | 406 | goto out_unlock; |
395 | 407 | ||
408 | error = -EPERM; | ||
409 | if (!check_tracer(task)) | ||
410 | goto out_unlock; | ||
411 | |||
396 | error = -EALREADY; | 412 | error = -EALREADY; |
397 | if (context->owner[qual] == current) | 413 | if (context->owner[qual] == current) |
398 | goto out_unlock; | 414 | goto out_unlock; |