From owner-svn-src-head@freebsd.org Mon Nov 16 23:19:55 2015 Return-Path: Delivered-To: svn-src-head@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 0C669A3038E; Mon, 16 Nov 2015 23:19:55 +0000 (UTC) (envelope-from rmacklem@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id C98911EB5; Mon, 16 Nov 2015 23:19:54 +0000 (UTC) (envelope-from rmacklem@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id tAGNJr1J006591; Mon, 16 Nov 2015 23:19:53 GMT (envelope-from rmacklem@FreeBSD.org) Received: (from rmacklem@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id tAGNJrsB006590; Mon, 16 Nov 2015 23:19:53 GMT (envelope-from rmacklem@FreeBSD.org) Message-Id: <201511162319.tAGNJrsB006590@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: rmacklem set sender to rmacklem@FreeBSD.org using -f From: Rick Macklem Date: Mon, 16 Nov 2015 23:19:53 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r290959 - head/sys/netsmb X-SVN-Group: head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-head@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: SVN commit messages for the src tree for head/-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 16 Nov 2015 23:19:55 -0000 Author: rmacklem Date: Mon Nov 16 23:19:53 2015 New Revision: 290959 URL: https://svnweb.freebsd.org/changeset/base/290959 Log: When the smbfs iod thread (smb_iod_thread()) is shutting down, smb_iod_destroy() would call smb_iod_request(). This call could return as soon as the wakeup(evp) in smb_iod_main() call is done and then could destroy the mutexes. This caused a race with the rest of smb_iod_main()s use of these mutexes. A crash reported on freebsd-stable@ by Christian Kratzer was diagnosed as a use of one of these mutexes after it was destroyed. This patch moves destruction of the mutexes from smb_iod_destroy() to the end of smb_iod_thread(), so that they aren't destroyed before the thread is done with them. Christian comfirmed that the patch stopped the crashes from happening. Reported by: ck-lists@cksoft.de (Christian Kratzer) Tested by: ck-lists@cksoft.de (Christian Kratzer) Diagnosed by: jhb Reviewed by: jhb MFC after: 2 weeks Modified: head/sys/netsmb/smb_iod.c Modified: head/sys/netsmb/smb_iod.c ============================================================================== --- head/sys/netsmb/smb_iod.c Mon Nov 16 23:11:01 2015 (r290958) +++ head/sys/netsmb/smb_iod.c Mon Nov 16 23:19:53 2015 (r290959) @@ -659,6 +659,11 @@ smb_iod_thread(void *arg) break; tsleep(&iod->iod_flags, PWAIT, "90idle", iod->iod_sleeptimo); } + + /* We can now safely destroy the mutexes and free the iod structure. */ + smb_sl_destroy(&iod->iod_rqlock); + smb_sl_destroy(&iod->iod_evlock); + free(iod, M_SMBIOD); mtx_unlock(&Giant); kproc_exit(0); } @@ -695,9 +700,6 @@ int smb_iod_destroy(struct smbiod *iod) { smb_iod_request(iod, SMBIOD_EV_SHUTDOWN | SMBIOD_EV_SYNC, NULL); - smb_sl_destroy(&iod->iod_rqlock); - smb_sl_destroy(&iod->iod_evlock); - free(iod, M_SMBIOD); return 0; }