x86: uv: xpc NULL deref when mesq becomes empty

Under heavy load conditions, our set of xpc messages may become exhausted. The code handles this correctly with the exception of the management code which hits a NULL pointer dereference. Signed-off-by: Robin Holt <holt@sgi.com> Cc: Jack Steiner <steiner@sgi.com> Cc: Ingo Molnar <mingo@elte.hu> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
author: Robin Holt <holt@sgi.com> 2009-12-16 00:47:57 (GMT)
committer: Linus Torvalds <torvalds@linux-foundation.org> 2009-12-16 15:20:14 (GMT)
commit: 15b87d67ff3dc042bee42f991858d6b121b3b3ca (patch)
tree: 48e72a7ce8b4113b3dfcdcd31ca9bdce38ee3cd9 /drivers/misc
parent: c2c9f115741453715d6b4da1cd2de65af8c7ad86 (diff)
download: linux-15b87d67ff3dc042bee42f991858d6b121b3b3ca.tar.xz
1 files changed, 5 insertions, 3 deletions
diff --git a/drivers/misc/sgi-xp/xpc_uv.c b/drivers/misc/sgi-xp/xpc_uv.c
index bbf0e2e..19bd7b0 100644
--- a/drivers/misc/sgi-xp/xpc_uv.c
+++ b/drivers/misc/sgi-xp/xpc_uv.c
@@ -949,11 +949,13 @@ xpc_get_fifo_entry_uv(struct xpc_fifo_head_uv *head)
 		head->first = first->next;
 		if (head->first == NULL)
 			head->last = NULL;
+
+		head->n_entries--;
+		BUG_ON(head->n_entries < 0);
+
+		first->next = NULL;
 	}
-	head->n_entries--;
-	BUG_ON(head->n_entries < 0);
 	spin_unlock_irqrestore(&head->lock, irq_flags);
-	first->next = NULL;
 	return first;
 }
author	Robin Holt <holt@sgi.com>	2009-12-16 00:47:57 (GMT)
committer	Linus Torvalds <torvalds@linux-foundation.org>	2009-12-16 15:20:14 (GMT)
commit	15b87d67ff3dc042bee42f991858d6b121b3b3ca (patch)
tree	48e72a7ce8b4113b3dfcdcd31ca9bdce38ee3cd9 /drivers/misc
parent	c2c9f115741453715d6b4da1cd2de65af8c7ad86 (diff)
download	linux-15b87d67ff3dc042bee42f991858d6b121b3b3ca.tar.xz