[POWERPC] spusched: Fix null pointer dereference in find_victim

find_victim can dereference a NULL pointer when iterating over the list
of victim spus because list_mutex only guarantees spu->ct to be stable,
but of course not to be non-NULL.

Also fix find_victim to not call spu_unbind_context without list_mutex
because that violates the above guarantee.

Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Arnd Bergmann <arnd.bergmann@de.ibm.com>
Signed-off-by: Jeremy Kerr <jk@ozlabs.org>
Signed-off-by: Paul Mackerras <paulus@samba.org>

1 files changed, 2 insertions, 2 deletions

diff --git a/arch/powerpc/platforms/cell/spufs/sched.c b/arch/powerpc/platforms/cell/spufs/sched.c
index c784edd40ea7..5bebe7fbe056 100644
--- a/arch/powerpc/platforms/cell/spufs/sched.c
+++ b/arch/powerpc/platforms/cell/spufs/sched.c
@@ -579,7 +579,7 @@ static struct spu *find_victim(struct spu_context *ctx)
                 list_for_each_entry(spu, &cbe_spu_info[node].spus, cbe_list) {
                         struct spu_context *tmp = spu->ctx;
 
-                        if (tmp->prio > ctx->prio &&
+                        if (tmp && tmp->prio > ctx->prio &&
                             (!victim || tmp->prio > victim->prio))
                                 victim = spu->ctx;
                 }
@@ -611,9 +611,9 @@ static struct spu *find_victim(struct spu_context *ctx)
 
                         mutex_lock(&cbe_spu_info[node].list_mutex);
                         cbe_spu_info[node].nr_active--;
+                        spu_unbind_context(spu, victim);
                         mutex_unlock(&cbe_spu_info[node].list_mutex);
 
-                        spu_unbind_context(spu, victim);
                         victim->stats.invol_ctx_switch++;
                         spu->stats.invol_ctx_switch++;
                         mutex_unlock(&victim->state_mutex);