padata: Fix race in the serialization path
authorSteffen Klassert <steffen.klassert@secunet.com>
Fri, 9 Mar 2012 06:20:12 +0000 (07:20 +0100)
committerHerbert Xu <herbert@gondor.apana.org.au>
Wed, 14 Mar 2012 09:25:56 +0000 (17:25 +0800)
When a padata object is queued to the serialization queue, another
cpu might process and free the padata object. So don't dereference
it after queueing to the serialization queue.

Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
kernel/padata.c

index b45259931512e99cd3dfd8214cce7895ee34fe54..aa9929545855b0d2dcbef19cfedd37f77bf56c07 100644 (file)
@@ -230,6 +230,7 @@ out:
 
 static void padata_reorder(struct parallel_data *pd)
 {
+       int cb_cpu;
        struct padata_priv *padata;
        struct padata_serial_queue *squeue;
        struct padata_instance *pinst = pd->pinst;
@@ -270,13 +271,14 @@ static void padata_reorder(struct parallel_data *pd)
                        return;
                }
 
-               squeue = per_cpu_ptr(pd->squeue, padata->cb_cpu);
+               cb_cpu = padata->cb_cpu;
+               squeue = per_cpu_ptr(pd->squeue, cb_cpu);
 
                spin_lock(&squeue->serial.lock);
                list_add_tail(&padata->list, &squeue->serial.list);
                spin_unlock(&squeue->serial.lock);
 
-               queue_work_on(padata->cb_cpu, pinst->wq, &squeue->work);
+               queue_work_on(cb_cpu, pinst->wq, &squeue->work);
        }
 
        spin_unlock_bh(&pd->lock);
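Review bot: Nothing in the code records why `padata->cb_cpu` is copied into a local before `list_add_tail()`, so a later cleanup could re-inline `padata->cb_cpu` into the `queue_work_on()` call and bring back the use-after-free described in the commit message. A comment above `cb_cpu = padata->cb_cpu;` would pin the ordering constraint, for example `/* Read cb_cpu now: once padata is on the serial list another CPU may process and free it. */`. The loop and the rest of padata_reorder lie outside this hunk, so it cannot be confirmed from here that padata is not dereferenced again after the serial lock is dropped; that is worth checking in the full function.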