powerpc/spufs: reference context while dropping state mutex in scheduler

Based on an original patch from Christoph Hellwig <hch@lst.de>.

Currently, there is a possible reference-after-free in the spusched
code - contexts may be freed after we have released their state_mutex
in spusched_tick and find_victim.

This change takes a reference to the context before releasing the
mutex, so that the context doesn't get destroyed.

Signed-off-by: Jeremy Kerr <jk@ozlabs.org>

+8 -1
arch/powerpc/platforms/cell/spufs/sched.c
··· 641 641 642 642 if (tmp && tmp->prio > ctx->prio && 643 643 !(tmp->flags & SPU_CREATE_NOSCHED) && 644 - (!victim || tmp->prio > victim->prio)) 644 + (!victim || tmp->prio > victim->prio)) { 645 645 victim = spu->ctx; 646 + get_spu_context(victim); 647 + } 646 648 } 647 649 mutex_unlock(&cbe_spu_info[node].list_mutex); 648 650 ··· 660 658 * look at another context or give up after X retries. 661 659 */ 662 660 if (!mutex_trylock(&victim->state_mutex)) { 661 + put_spu_context(victim); 663 662 victim = NULL; 664 663 goto restart; 665 664 } ··· 673 670 * restart the search. 674 671 */ 675 672 mutex_unlock(&victim->state_mutex); 673 + put_spu_context(victim); 676 674 victim = NULL; 677 675 goto restart; 678 676 } ··· 691 687 spu_add_to_rq(victim); 692 688 693 689 mutex_unlock(&victim->state_mutex); 690 + put_spu_context(victim); 694 691 695 692 return spu; 696 693 } ··· 990 985 struct spu_context *ctx = spu->ctx; 991 986 992 987 if (ctx) { 988 + get_spu_context(ctx); 993 989 mutex_unlock(mtx); 994 990 spusched_tick(ctx); 995 991 mutex_lock(mtx); 992 + put_spu_context(ctx); 996 993 } 997 994 } 998 995 mutex_unlock(mtx);
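Review bot: in the find_victim loop hunk (lines 641-648), get_spu_context(victim) is taken inside the candidate-selection loop, so when a later spu satisfies `(!victim || tmp->prio > victim->prio)` and replaces an already-chosen victim, the reference taken on the earlier victim is never dropped. Either call put_spu_context on the previous victim before the reassignment, or keep the loop as it was and take the single reference once after it, e.g. `if (victim) get_spu_context(victim);` while cbe_spu_info[node].list_mutex is still held; the three put_spu_context calls added on the trylock-failure, restart and return paths then balance exactly one get.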
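Review bot: in the spusched_thread hunk (lines 985-995), put_spu_context(ctx) runs after mutex_lock(mtx) has been re-taken, so if this is the last reference the context teardown happens with the list mutex held; unless that teardown path is known never to need mtx, dropping the reference before mutex_lock(mtx) avoids a lock-ordering dependency. The get/put pairing around the unlock/spusched_tick/lock sequence is otherwise correct and is what closes the use-after-free described in the commit message.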