diff options
author | Christoph Hellwig <hch@lst.de> | 2007-09-19 14:38:12 +1000 |
---|---|---|
committer | Paul Mackerras <paulus@samba.org> | 2007-09-19 15:26:29 +1000 |
commit | c0e7b4aa1c09ea992808ea8c079141bc8dd0f5bc (patch) | |
tree | 04526571476d3f4e5f28f2043c025b72275c6b4a /arch/powerpc | |
parent | c2f828977ba5d17c13debba374ea252d18e5ccfb (diff) | |
download | op-kernel-dev-c0e7b4aa1c09ea992808ea8c079141bc8dd0f5bc.zip op-kernel-dev-c0e7b4aa1c09ea992808ea8c079141bc8dd0f5bc.tar.gz |
[POWERPC] spusched: Fix null pointer dereference in find_victim
find_victim can dereference a NULL pointer when iterating over the list
of victim spus because list_mutex only guarantees spu->ct to be stable,
but of course not to be non-NULL.
Also fix find_victim to not call spu_unbind_context without list_mutex
because that violates the above guarantee.
Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Arnd Bergmann <arnd.bergmann@de.ibm.com>
Signed-off-by: Jeremy Kerr <jk@ozlabs.org>
Signed-off-by: Paul Mackerras <paulus@samba.org>
Diffstat (limited to 'arch/powerpc')
-rw-r--r-- | arch/powerpc/platforms/cell/spufs/sched.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/arch/powerpc/platforms/cell/spufs/sched.c b/arch/powerpc/platforms/cell/spufs/sched.c index c784edd..5bebe7f 100644 --- a/arch/powerpc/platforms/cell/spufs/sched.c +++ b/arch/powerpc/platforms/cell/spufs/sched.c @@ -579,7 +579,7 @@ static struct spu *find_victim(struct spu_context *ctx) list_for_each_entry(spu, &cbe_spu_info[node].spus, cbe_list) { struct spu_context *tmp = spu->ctx; - if (tmp->prio > ctx->prio && + if (tmp && tmp->prio > ctx->prio && (!victim || tmp->prio > victim->prio)) victim = spu->ctx; } @@ -611,9 +611,9 @@ static struct spu *find_victim(struct spu_context *ctx) mutex_lock(&cbe_spu_info[node].list_mutex); cbe_spu_info[node].nr_active--; + spu_unbind_context(spu, victim); mutex_unlock(&cbe_spu_info[node].list_mutex); - spu_unbind_context(spu, victim); victim->stats.invol_ctx_switch++; spu->stats.invol_ctx_switch++; mutex_unlock(&victim->state_mutex); |