From owner-svn-src-stable-9@freebsd.org Mon Nov 30 14:35:36 2015 Return-Path: Delivered-To: svn-src-stable-9@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id B2742A3C5A7; Mon, 30 Nov 2015 14:35:36 +0000 (UTC) (envelope-from rmacklem@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 7C6511ADA; Mon, 30 Nov 2015 14:35:36 +0000 (UTC) (envelope-from rmacklem@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id tAUEZZFG041023; Mon, 30 Nov 2015 14:35:35 GMT (envelope-from rmacklem@FreeBSD.org) Received: (from rmacklem@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id tAUEZZLW041022; Mon, 30 Nov 2015 14:35:35 GMT (envelope-from rmacklem@FreeBSD.org) Message-Id: <201511301435.tAUEZZLW041022@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: rmacklem set sender to rmacklem@FreeBSD.org using -f From: Rick Macklem Date: Mon, 30 Nov 2015 14:35:35 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-9@freebsd.org Subject: svn commit: r291490 - stable/9/sys/netsmb X-SVN-Group: stable-9 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-stable-9@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: SVN commit messages for only the 9-stable src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 30 Nov 2015 14:35:36 -0000 Author: rmacklem Date: Mon Nov 30 14:35:35 2015 New Revision: 291490 URL: https://svnweb.freebsd.org/changeset/base/291490 Log: MFC: r290959 When the smbfs iod thread (smb_iod_thread()) is shutting down, smb_iod_destroy() would call smb_iod_request(). This call could return as soon as the wakeup(evp) in smb_iod_main() call is done and then could destroy the mutexes. This caused a race with the rest of smb_iod_main()s use of these mutexes. A crash reported on freebsd-stable@ by Christian Kratzer was diagnosed as a use of one of these mutexes after it was destroyed. This patch moves destruction of the mutexes from smb_iod_destroy() to the end of smb_iod_thread(), so that they aren't destroyed before the thread is done with them. Christian comfirmed that the patch stopped the crashes from happening. Modified: stable/9/sys/netsmb/smb_iod.c Directory Properties: stable/9/sys/ (props changed) Modified: stable/9/sys/netsmb/smb_iod.c ============================================================================== --- stable/9/sys/netsmb/smb_iod.c Mon Nov 30 13:46:22 2015 (r291489) +++ stable/9/sys/netsmb/smb_iod.c Mon Nov 30 14:35:35 2015 (r291490) @@ -659,6 +659,11 @@ smb_iod_thread(void *arg) break; tsleep(&iod->iod_flags, PWAIT, "90idle", iod->iod_sleeptimo); } + + /* We can now safely destroy the mutexes and free the iod structure. */ + smb_sl_destroy(&iod->iod_rqlock); + smb_sl_destroy(&iod->iod_evlock); + free(iod, M_SMBIOD); mtx_unlock(&Giant); kproc_exit(0); } @@ -695,9 +700,6 @@ int smb_iod_destroy(struct smbiod *iod) { smb_iod_request(iod, SMBIOD_EV_SHUTDOWN | SMBIOD_EV_SYNC, NULL); - smb_sl_destroy(&iod->iod_rqlock); - smb_sl_destroy(&iod->iod_evlock); - free(iod, M_SMBIOD); return 0; }