diff options
author | Jeremy Kerr <jk@ozlabs.org> | 2008-08-14 00:59:12 -0400 |
---|---|---|
committer | Jeremy Kerr <jk@ozlabs.org> | 2008-08-14 00:59:12 -0400 |
commit | 8d5636fbca202f61fdb808fc9e20c0142291d802 (patch) | |
tree | e6d9d9375f0f7894931749b687e66a19e5dffa84 | |
parent | d9dd421fd6ed17af55d27c8d93a9f561be0ff50f (diff) |
powerpc/spufs: reference context while dropping state mutex in scheduler
Based on an original patch from Christoph Hellwig <hch@lst.de>.
Currently, there is a possible reference-after-free in the spusched
code - contexts may be freed after we have released their state_mutex
in spusched_tick and find_victim.
This change takes a reference to the context before releasing the
mutex, so that the context doesn't get destroyed.
Signed-off-by: Jeremy Kerr <jk@ozlabs.org>
-rw-r--r-- | arch/powerpc/platforms/cell/spufs/sched.c | 9 |
1 files changed, 8 insertions, 1 deletions
diff --git a/arch/powerpc/platforms/cell/spufs/sched.c b/arch/powerpc/platforms/cell/spufs/sched.c index 2deeeba7eccf..4b6b0c3a8c95 100644 --- a/arch/powerpc/platforms/cell/spufs/sched.c +++ b/arch/powerpc/platforms/cell/spufs/sched.c | |||
@@ -641,8 +641,10 @@ static struct spu *find_victim(struct spu_context *ctx) | |||
641 | 641 | ||
642 | if (tmp && tmp->prio > ctx->prio && | 642 | if (tmp && tmp->prio > ctx->prio && |
643 | !(tmp->flags & SPU_CREATE_NOSCHED) && | 643 | !(tmp->flags & SPU_CREATE_NOSCHED) && |
644 | (!victim || tmp->prio > victim->prio)) | 644 | (!victim || tmp->prio > victim->prio)) { |
645 | victim = spu->ctx; | 645 | victim = spu->ctx; |
646 | get_spu_context(victim); | ||
647 | } | ||
646 | } | 648 | } |
647 | mutex_unlock(&cbe_spu_info[node].list_mutex); | 649 | mutex_unlock(&cbe_spu_info[node].list_mutex); |
648 | 650 | ||
@@ -658,6 +660,7 @@ static struct spu *find_victim(struct spu_context *ctx) | |||
658 | * look at another context or give up after X retries. | 660 | * look at another context or give up after X retries. |
659 | */ | 661 | */ |
660 | if (!mutex_trylock(&victim->state_mutex)) { | 662 | if (!mutex_trylock(&victim->state_mutex)) { |
663 | put_spu_context(victim); | ||
661 | victim = NULL; | 664 | victim = NULL; |
662 | goto restart; | 665 | goto restart; |
663 | } | 666 | } |
@@ -670,6 +673,7 @@ static struct spu *find_victim(struct spu_context *ctx) | |||
670 | * restart the search. | 673 | * restart the search. |
671 | */ | 674 | */ |
672 | mutex_unlock(&victim->state_mutex); | 675 | mutex_unlock(&victim->state_mutex); |
676 | put_spu_context(victim); | ||
673 | victim = NULL; | 677 | victim = NULL; |
674 | goto restart; | 678 | goto restart; |
675 | } | 679 | } |
@@ -687,6 +691,7 @@ static struct spu *find_victim(struct spu_context *ctx) | |||
687 | spu_add_to_rq(victim); | 691 | spu_add_to_rq(victim); |
688 | 692 | ||
689 | mutex_unlock(&victim->state_mutex); | 693 | mutex_unlock(&victim->state_mutex); |
694 | put_spu_context(victim); | ||
690 | 695 | ||
691 | return spu; | 696 | return spu; |
692 | } | 697 | } |
@@ -985,9 +990,11 @@ static int spusched_thread(void *unused) | |||
985 | struct spu_context *ctx = spu->ctx; | 990 | struct spu_context *ctx = spu->ctx; |
986 | 991 | ||
987 | if (ctx) { | 992 | if (ctx) { |
993 | get_spu_context(ctx); | ||
988 | mutex_unlock(mtx); | 994 | mutex_unlock(mtx); |
989 | spusched_tick(ctx); | 995 | spusched_tick(ctx); |
990 | mutex_lock(mtx); | 996 | mutex_lock(mtx); |
997 | put_spu_context(ctx); | ||
991 | } | 998 | } |
992 | } | 999 | } |
993 | mutex_unlock(mtx); | 1000 | mutex_unlock(mtx); |