[POWERPC] spusched: Fix null pointer dereference in find_victim

find_victim can dereference a NULL pointer when iterating over the list
of victim spus because list_mutex only guarantees spu->ctx to be stable,
but of course not to be non-NULL.

Also fix find_victim to not call spu_unbind_context without list_mutex
because that violates the above guarantee.

Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Arnd Bergmann <arnd.bergmann@de.ibm.com>
Signed-off-by: Jeremy Kerr <jk@ozlabs.org>
Signed-off-by: Paul Mackerras <paulus@samba.org>

authored by Christoph Hellwig and committed by Paul Mackerras c0e7b4aa c2f82897

+2 -2
arch/powerpc/platforms/cell/spufs/sched.c
··· 579 579 list_for_each_entry(spu, &cbe_spu_info[node].spus, cbe_list) { 580 580 struct spu_context *tmp = spu->ctx; 581 581 582 - if (tmp->prio > ctx->prio && 582 + if (tmp && tmp->prio > ctx->prio && 583 583 (!victim || tmp->prio > victim->prio)) 584 584 victim = spu->ctx; 585 585 } ··· 611 611 612 612 mutex_lock(&cbe_spu_info[node].list_mutex); 613 613 cbe_spu_info[node].nr_active--; 614 + spu_unbind_context(spu, victim); 614 615 mutex_unlock(&cbe_spu_info[node].list_mutex); 615 616 616 - spu_unbind_context(spu, victim); 617 617 victim->stats.invol_ctx_switch++; 618 618 spu->stats.invol_ctx_switch++; 619 619 mutex_unlock(&victim->state_mutex);
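Review bot: In the first hunk, the assignment at line 584 still reads `victim = spu->ctx` instead of `victim = tmp`, so the pointer that was just NULL-checked is not the one that gets stored. The commit message says list_mutex keeps spu->ctx stable, so the two reads agree today, but `victim = tmp;` would make the check and the store operate on a single read and would stay correct if the locking around this loop ever changes.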
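Review bot: In the second hunk, the call moved to line 614 now depends on list_mutex being held, but nothing in the code records that rule. A short comment above `spu_unbind_context(spu, victim);` stating that list_mutex must be held because the find_victim loop relies on it for spu->ctx stability would keep a later cleanup from moving the call back out. It is also worth confirming the lock ordering: the call now runs with both list_mutex and victim->state_mutex held (the latter is only released at line 619), so spu_unbind_context must not take any lock that is acquired before list_mutex elsewhere.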