author | Robin Holt <holt@sgi.com> | 2009-12-15 16:47:57 -0800 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@suse.de> | 2010-12-09 13:27:15 -0800 |
commit | 0b9c55355f283356e7d767098ebe074f15acd021 (patch) | |
tree | 3d30088859790de9bc23bae42af00a124bba3e0d | |
parent | 48286a6e86d003d469f1ac50bb27d29cf90a8567 (diff) | |
x86: uv: xpc NULL deref when mesq becomes empty
commit 15b87d67ff3dc042bee42f991858d6b121b3b3ca upstream.
Under heavy load conditions, our set of xpc messages may become exhausted.
The code handles this correctly with the exception of the management code
which hits a NULL pointer dereference.
Signed-off-by: Robin Holt <holt@sgi.com>
Cc: Jack Steiner <steiner@sgi.com>
Cc: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-rw-r--r-- | drivers/misc/sgi-xp/xpc_uv.c | 8 |
1 files changed, 5 insertions, 3 deletions
diff --git a/drivers/misc/sgi-xp/xpc_uv.c b/drivers/misc/sgi-xp/xpc_uv.c
index 8be12d6d5e73..8e08d71df104 100644
--- a/drivers/misc/sgi-xp/xpc_uv.c
+++ b/drivers/misc/sgi-xp/xpc_uv.c
@@ -965,11 +965,13 @@ xpc_get_fifo_entry_uv(struct xpc_fifo_head_uv *head)
 head->first = first->next;
 if (head->first == NULL)
 head->last = NULL;
+
+ head->n_entries--;
+ BUG_ON(head->n_entries < 0);
+
+ first->next = NULL;
 }
- head->n_entries--;
- BUG_ON(head->n_entries < 0);
 spin_unlock_irqrestore(&head->lock, irq_flags);
- first->next = NULL;
 return first;
 }
 |
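Review bot: The empty-queue case now reaches `return first;` with `first == NULL`, but nothing in the hunk records that NULL is a valid return, so the requirement that every caller check the result stays implicit. A short comment at the function head, for example `/* Returns NULL when the fifo is empty; callers must check. */`, would document it. The function's signature and opening lines are outside the hunk, so an existing header comment may already cover this. Separately, `BUG_ON(head->n_entries < 0)` now runs only on the non-empty path, so a list that is empty while `n_entries` is still non-zero goes unnoticed. An `else WARN_ON(head->n_entries != 0);` after the closing brace of the block would surface that inconsistency without halting the machine.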