From dd4c950f7b5637b2e3e8ccc7a86d6326732d424c Mon Sep 17 00:00:00 2001
From: Srivatsa Vaddagiri
Date: Thu, 11 Sep 2014 16:33:11 +0530
Subject: sched: Fix reference to stale task_struct in try_to_wake_up()

try_to_wake_up() currently drops p->pi_lock and later checks for need to notify cpufreq governor on task migrations or wakeups. However the woken task could exit between the time p->pi_lock is released and the time the test for notification is run. As a result, the test for notification could refer to an exited task. task_notify_on_migrate(p) could thus lead to invalid memory reference.

Fix this by running the test for notification with task's pi_lock held.

Change-Id: I1c7a337473d2d8e79342a015a179174ce00702e1
Signed-off-by: Srivatsa Vaddagiri
Signed-off-by: Syed Rameez Mustafa
---
 kernel/sched/core.c | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)

diff --git a/kernel/sched/core.c b/kernel/sched/core.c
index 34cb8805c55d..3199e233222b 100644
--- a/kernel/sched/core.c
+++ b/kernel/sched/core.c
@@ -3135,6 +3135,8 @@ try_to_wake_up(struct task_struct *p, unsigned int state, int wake_flags)
 {
 	unsigned long flags;
 	int cpu, src_cpu, success = 0;
+	int notify = 0;
+	struct migration_notify_data mnd;
 #ifdef CONFIG_SMP
 	struct rq *rq;
 	u64 wallclock;
@@ -3232,12 +3234,8 @@ try_to_wake_up(struct task_struct *p, unsigned int state, int wake_flags)
 	ttwu_queue(p, cpu);
 stat:
 	ttwu_stat(p, cpu, wake_flags);
-out:
-	raw_spin_unlock_irqrestore(&p->pi_lock, flags);
 	if (task_notify_on_migrate(p)) {
-		struct migration_notify_data mnd;
-
 		mnd.src_cpu = src_cpu;
 		mnd.dest_cpu = cpu;
 		mnd.load = pct_task_load(p);
@@ -3251,10 +3249,16 @@ out:
 	 */
 	if ((src_cpu != cpu) ||
 		(mnd.load > sysctl_sched_wakeup_load_threshold))
-		atomic_notifier_call_chain(&migration_notifier_head,
-					0, (void *)&mnd);
+		notify = 1;
 	}
+out:
+	raw_spin_unlock_irqrestore(&p->pi_lock, flags);
+
+	if (notify)
+		atomic_notifier_call_chain(&migration_notifier_head,
+					0, (void *)&mnd);
+
 	return success;
 }
-- 
cgit v1.2.3
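Review bot: Moving the `out:` label below the notification block means every `goto out` taken earlier in try_to_wake_up now bypasses the migration test entirely, and nothing at the new label says this is intended; since `cpu` and `src_cpu` are declared without initializers in the first hunk, the old placement appears to have evaluated `src_cpu != cpu` and `mnd.src_cpu = src_cpu` on those early-exit paths before either was assigned, so the relocation seems to fix a second defect the commit message does not mention. I would add a comment above the label, `/* Early exits skip the migration notification: cpu/src_cpu are only valid once the wakeup path has run. */`, so nobody later "restores" the label to its previous spot. The fix also stops dereferencing `p` after the lock drop, but as far as I can tell `p->pi_lock` by itself does not pin the task_struct — the caller's reference on `p` does — so a short note at the unlock saying which guarantee the code relies on would help future readers. try_to_wake_up begins outside this hunk; only its tail is visible here.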