aboutsummaryrefslogtreecommitdiffstats
path: root/arch/powerpc
diff options
context:
space:
mode:
authorJeremy Kerr <jk@ozlabs.org>2008-08-14 00:59:12 -0400
committerJeremy Kerr <jk@ozlabs.org>2008-08-14 00:59:12 -0400
commit8d5636fbca202f61fdb808fc9e20c0142291d802 (patch)
treee6d9d9375f0f7894931749b687e66a19e5dffa84 /arch/powerpc
parentd9dd421fd6ed17af55d27c8d93a9f561be0ff50f (diff)
powerpc/spufs: reference context while dropping state mutex in scheduler
Based on an original patch from Christoph Hellwig <hch@lst.de>. Currently, there is a possible reference-after-free in the spusched code - contexts may be freed after we have released their state_mutex in spusched_tick and find_victim. This change takes a reference to the context before releasing the mutex, so that the context doesn't get destroyed. Signed-off-by: Jeremy Kerr <jk@ozlabs.org>
Diffstat (limited to 'arch/powerpc')
-rw-r--r--arch/powerpc/platforms/cell/spufs/sched.c9
1 files changed, 8 insertions, 1 deletions
diff --git a/arch/powerpc/platforms/cell/spufs/sched.c b/arch/powerpc/platforms/cell/spufs/sched.c
index 2deeeba7eccf..4b6b0c3a8c95 100644
--- a/arch/powerpc/platforms/cell/spufs/sched.c
+++ b/arch/powerpc/platforms/cell/spufs/sched.c
@@ -641,8 +641,10 @@ static struct spu *find_victim(struct spu_context *ctx)
641 641
642 if (tmp && tmp->prio > ctx->prio && 642 if (tmp && tmp->prio > ctx->prio &&
643 !(tmp->flags & SPU_CREATE_NOSCHED) && 643 !(tmp->flags & SPU_CREATE_NOSCHED) &&
644 (!victim || tmp->prio > victim->prio)) 644 (!victim || tmp->prio > victim->prio)) {
645 victim = spu->ctx; 645 victim = spu->ctx;
646 get_spu_context(victim);
647 }
646 } 648 }
647 mutex_unlock(&cbe_spu_info[node].list_mutex); 649 mutex_unlock(&cbe_spu_info[node].list_mutex);
648 650
@@ -658,6 +660,7 @@ static struct spu *find_victim(struct spu_context *ctx)
658 * look at another context or give up after X retries. 660 * look at another context or give up after X retries.
659 */ 661 */
660 if (!mutex_trylock(&victim->state_mutex)) { 662 if (!mutex_trylock(&victim->state_mutex)) {
663 put_spu_context(victim);
661 victim = NULL; 664 victim = NULL;
662 goto restart; 665 goto restart;
663 } 666 }
@@ -670,6 +673,7 @@ static struct spu *find_victim(struct spu_context *ctx)
670 * restart the search. 673 * restart the search.
671 */ 674 */
672 mutex_unlock(&victim->state_mutex); 675 mutex_unlock(&victim->state_mutex);
676 put_spu_context(victim);
673 victim = NULL; 677 victim = NULL;
674 goto restart; 678 goto restart;
675 } 679 }
@@ -687,6 +691,7 @@ static struct spu *find_victim(struct spu_context *ctx)
687 spu_add_to_rq(victim); 691 spu_add_to_rq(victim);
688 692
689 mutex_unlock(&victim->state_mutex); 693 mutex_unlock(&victim->state_mutex);
694 put_spu_context(victim);
690 695
691 return spu; 696 return spu;
692 } 697 }
@@ -985,9 +990,11 @@ static int spusched_thread(void *unused)
985 struct spu_context *ctx = spu->ctx; 990 struct spu_context *ctx = spu->ctx;
986 991
987 if (ctx) { 992 if (ctx) {
993 get_spu_context(ctx);
988 mutex_unlock(mtx); 994 mutex_unlock(mtx);
989 spusched_tick(ctx); 995 spusched_tick(ctx);
990 mutex_lock(mtx); 996 mutex_lock(mtx);
997 put_spu_context(ctx);
991 } 998 }
992 } 999 }
993 mutex_unlock(mtx); 1000 mutex_unlock(mtx);