Commit 8d5636fb authored by Jeremy Kerr's avatar Jeremy Kerr

powerpc/spufs: reference context while dropping state mutex in scheduler

Based on an original patch from Christoph Hellwig <hch@lst.de>.

Currently, there is a possible reference-after-free in the spusched
code - contexts may be freed after we have released their state_mutex
in spusched_tick and find_victim.

This change takes a reference to the context before releasing the
mutex, so that the context doesn't get destroyed.
Signed-off-by: default avatarJeremy Kerr <jk@ozlabs.org>
parent d9dd421f
...@@ -641,8 +641,10 @@ static struct spu *find_victim(struct spu_context *ctx) ...@@ -641,8 +641,10 @@ static struct spu *find_victim(struct spu_context *ctx)
if (tmp && tmp->prio > ctx->prio && if (tmp && tmp->prio > ctx->prio &&
!(tmp->flags & SPU_CREATE_NOSCHED) && !(tmp->flags & SPU_CREATE_NOSCHED) &&
(!victim || tmp->prio > victim->prio)) (!victim || tmp->prio > victim->prio)) {
victim = spu->ctx; victim = spu->ctx;
get_spu_context(victim);
}
} }
mutex_unlock(&cbe_spu_info[node].list_mutex); mutex_unlock(&cbe_spu_info[node].list_mutex);
...@@ -658,6 +660,7 @@ static struct spu *find_victim(struct spu_context *ctx) ...@@ -658,6 +660,7 @@ static struct spu *find_victim(struct spu_context *ctx)
* look at another context or give up after X retries. * look at another context or give up after X retries.
*/ */
if (!mutex_trylock(&victim->state_mutex)) { if (!mutex_trylock(&victim->state_mutex)) {
put_spu_context(victim);
victim = NULL; victim = NULL;
goto restart; goto restart;
} }
...@@ -670,6 +673,7 @@ static struct spu *find_victim(struct spu_context *ctx) ...@@ -670,6 +673,7 @@ static struct spu *find_victim(struct spu_context *ctx)
* restart the search. * restart the search.
*/ */
mutex_unlock(&victim->state_mutex); mutex_unlock(&victim->state_mutex);
put_spu_context(victim);
victim = NULL; victim = NULL;
goto restart; goto restart;
} }
...@@ -687,6 +691,7 @@ static struct spu *find_victim(struct spu_context *ctx) ...@@ -687,6 +691,7 @@ static struct spu *find_victim(struct spu_context *ctx)
spu_add_to_rq(victim); spu_add_to_rq(victim);
mutex_unlock(&victim->state_mutex); mutex_unlock(&victim->state_mutex);
put_spu_context(victim);
return spu; return spu;
} }
...@@ -985,9 +990,11 @@ static int spusched_thread(void *unused) ...@@ -985,9 +990,11 @@ static int spusched_thread(void *unused)
struct spu_context *ctx = spu->ctx; struct spu_context *ctx = spu->ctx;
if (ctx) { if (ctx) {
get_spu_context(ctx);
mutex_unlock(mtx); mutex_unlock(mtx);
spusched_tick(ctx); spusched_tick(ctx);
mutex_lock(mtx); mutex_lock(mtx);
put_spu_context(ctx);
} }
} }
mutex_unlock(mtx); mutex_unlock(mtx);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment