[Cbe-oss-dev] [PATCH] spufs: avoid accessing to released inode
Masato Noguchi
Masato.Noguchi at jp.sony.com
Tue Mar 6 14:44:21 EST 2007
This patch modifies the kernel not to access the address_space
of an already released inode. Originally, at closing the spe context
directory, the kernel called unbind_context() and spu_unmap_mappings(),
and accessed ctx->local_store (and so on) after ctx's files were purged.
FYI, this bug can be reproduced reliably by running a libspe2 application
on a kernel with CONFIG_DEBUG_SLAB and CONFIG_DEBUG_SPINLOCK.
Signed-off-by: Masato Noguchi <Masato.Noguchi at jp.sony.com>
---
context.c | 1 -
inode.c | 3 +++
2 files changed, 3 insertions(+), 1 deletion(-)
---
diff --git a/arch/powerpc/platforms/cell/spufs/context.c b/arch/powerpc/platforms/cell/spufs/context.c
index 04ad2e3..5d9ed48 100644
--- a/arch/powerpc/platforms/cell/spufs/context.c
+++ b/arch/powerpc/platforms/cell/spufs/context.c
@@ -93,7 +93,6 @@ int put_spu_context(struct spu_context *ctx)
void spu_forget(struct spu_context *ctx)
{
struct mm_struct *mm;
- spu_acquire_saved(ctx);
mm = ctx->owner;
ctx->owner = NULL;
mmput(mm);
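Review bot: Removing spu_acquire_saved(ctx) from spu_forget() turns it into a function that silently relies on its caller having already acquired the saved context, but nothing in the hunk records that new precondition; add a comment above spu_forget() stating that the caller must have called spu_acquire_saved() (and who is responsible for the matching release), and double-check that every existing caller of spu_forget(), not only the two touched in inode.c below, now acquires the context first, since any caller that was missed will proceed without the state lock the function used to take.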
diff --git a/arch/powerpc/platforms/cell/spufs/inode.c b/arch/powerpc/platforms/cell/spufs/inode.c
index 8079983..d826f1d 100644
--- a/arch/powerpc/platforms/cell/spufs/inode.c
+++ b/arch/powerpc/platforms/cell/spufs/inode.c
@@ -209,6 +209,8 @@ static int spufs_dir_close(struct inode *inode, struct file *file)
parent = dir->d_parent->d_inode;
ctx = SPUFS_I(dir->d_inode)->i_ctx;
+ spu_acquire_saved(ctx);
+
mutex_lock(&parent->i_mutex);
ret = spufs_rmdir(parent, dir);
mutex_unlock(&parent->i_mutex);
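Review bot: The spu_acquire_saved(ctx) added before mutex_lock(&parent->i_mutex) fixes a lock nesting order (context state lock, then the parent directory's i_mutex) that every other path must now respect, and the matching release is not visible in this hunk; confirm that spufs_rmdir() (via spu_forget()) releases the context on both the success and the failure path of ret = spufs_rmdir(parent, dir), otherwise a failed rmdir leaves the context held, and consider a brief comment on the spu_acquire_saved() line explaining that it must precede the rmdir so the context is quiesced before its files and mappings are torn down, which is the bug this patch is fixing.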
@@ -339,6 +341,7 @@ static int spufs_create_context(struct inode *inode,
if (ret < 0) {
WARN_ON(spufs_rmdir(inode, dentry));
mutex_unlock(&inode->i_mutex);
+ spu_acquire_saved(SPUFS_I(dentry->d_inode)->i_ctx);
spu_forget(SPUFS_I(dentry->d_inode)->i_ctx);
goto out;
}
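Review bot: SPUFS_I(dentry->d_inode)->i_ctx is now evaluated twice in consecutive lines; hoist it into a local (for example `struct spu_context *ctx = SPUFS_I(dentry->d_inode)->i_ctx;` before the WARN_ON) so the acquire and forget clearly operate on the same context and the line stays readable. Also note that here spu_acquire_saved() is called after mutex_unlock(&inode->i_mutex), whereas in spufs_dir_close() it is called before taking the parent's i_mutex; that is consistent with "never take the context lock while holding i_mutex", but it is worth stating that ordering rule once in a comment so the two call sites do not drift apart.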