powerpc/spufs: reference context while dropping state mutex in scheduler
authorJeremy Kerr <jk@ozlabs.org>
Thu, 14 Aug 2008 04:59:12 +0000 (14:59 +1000)
committerJeremy Kerr <jk@ozlabs.org>
Thu, 14 Aug 2008 04:59:12 +0000 (14:59 +1000)
Based on an original patch from Christoph Hellwig <hch@lst.de>.

Currently, there is a possible reference-after-free in the spusched
code - contexts may be freed after we have released their state_mutex
in spusched_tick and find_victim.

This change takes a reference to the context before releasing the
mutex, so that the context doesn't get destroyed.

Signed-off-by: Jeremy Kerr <jk@ozlabs.org>
arch/powerpc/platforms/cell/spufs/sched.c

index 2deeeba7eccfc9c555d5d32aca370507f08268be..4b6b0c3a8c9511eeb5c7fe2f98eaefe4522a1a1e 100644 (file)
@@ -641,8 +641,10 @@ static struct spu *find_victim(struct spu_context *ctx)
 
                        if (tmp && tmp->prio > ctx->prio &&
                            !(tmp->flags & SPU_CREATE_NOSCHED) &&
-                           (!victim || tmp->prio > victim->prio))
+                           (!victim || tmp->prio > victim->prio)) {
                                victim = spu->ctx;
+                               get_spu_context(victim);
+                       }
                }
                mutex_unlock(&cbe_spu_info[node].list_mutex);
 
@@ -658,6 +660,7 @@ static struct spu *find_victim(struct spu_context *ctx)
                         * look at another context or give up after X retries.
                         */
                        if (!mutex_trylock(&victim->state_mutex)) {
+                               put_spu_context(victim);
                                victim = NULL;
                                goto restart;
                        }
@@ -670,6 +673,7 @@ static struct spu *find_victim(struct spu_context *ctx)
                                 * restart the search.
                                 */
                                mutex_unlock(&victim->state_mutex);
+                               put_spu_context(victim);
                                victim = NULL;
                                goto restart;
                        }
@@ -687,6 +691,7 @@ static struct spu *find_victim(struct spu_context *ctx)
                                spu_add_to_rq(victim);
 
                        mutex_unlock(&victim->state_mutex);
+                       put_spu_context(victim);
 
                        return spu;
                }
@@ -985,9 +990,11 @@ static int spusched_thread(void *unused)
                                struct spu_context *ctx = spu->ctx;
 
                                if (ctx) {
+                                       get_spu_context(ctx);
                                        mutex_unlock(mtx);
                                        spusched_tick(ctx);
                                        mutex_lock(mtx);
+                                       put_spu_context(ctx);
                                }
                        }
                        mutex_unlock(mtx);