Date: Mon, 30 Nov 2015 14:35:35 +0000 (UTC) From: Rick Macklem <rmacklem@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-9@freebsd.org Subject: svn commit: r291490 - stable/9/sys/netsmb Message-ID: <201511301435.tAUEZZLW041022@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: rmacklem Date: Mon Nov 30 14:35:35 2015 New Revision: 291490 URL: https://svnweb.freebsd.org/changeset/base/291490 Log: MFC: r290959 When the smbfs iod thread (smb_iod_thread()) is shutting down, smb_iod_destroy() would call smb_iod_request(). This call could return as soon as the wakeup(evp) in smb_iod_main() call is done and then could destroy the mutexes. This caused a race with the rest of smb_iod_main()s use of these mutexes. A crash reported on freebsd-stable@ by Christian Kratzer was diagnosed as a use of one of these mutexes after it was destroyed. This patch moves destruction of the mutexes from smb_iod_destroy() to the end of smb_iod_thread(), so that they aren't destroyed before the thread is done with them. Christian comfirmed that the patch stopped the crashes from happening. Modified: stable/9/sys/netsmb/smb_iod.c Directory Properties: stable/9/sys/ (props changed) Modified: stable/9/sys/netsmb/smb_iod.c ============================================================================== --- stable/9/sys/netsmb/smb_iod.c Mon Nov 30 13:46:22 2015 (r291489) +++ stable/9/sys/netsmb/smb_iod.c Mon Nov 30 14:35:35 2015 (r291490) @@ -659,6 +659,11 @@ smb_iod_thread(void *arg) break; tsleep(&iod->iod_flags, PWAIT, "90idle", iod->iod_sleeptimo); } + + /* We can now safely destroy the mutexes and free the iod structure. */ + smb_sl_destroy(&iod->iod_rqlock); + smb_sl_destroy(&iod->iod_evlock); + free(iod, M_SMBIOD); mtx_unlock(&Giant); kproc_exit(0); } @@ -695,9 +700,6 @@ int smb_iod_destroy(struct smbiod *iod) { smb_iod_request(iod, SMBIOD_EV_SHUTDOWN | SMBIOD_EV_SYNC, NULL); - smb_sl_destroy(&iod->iod_rqlock); - smb_sl_destroy(&iod->iod_evlock); - free(iod, M_SMBIOD); return 0; }
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201511301435.tAUEZZLW041022>