author | rmacklem <rmacklem@FreeBSD.org> | 2015-11-30 13:46:22 +0000 |
---|---|---|
committer | rmacklem <rmacklem@FreeBSD.org> | 2015-11-30 13:46:22 +0000 |
commit | c0ccffc7fa91a385842a6bb8d30e6c489ba1d9c1 (patch) | |
tree | 25cbe27e19eb51a2884f40ae7f6fde9f4da0c8bc /sys/netsmb | |
parent | 76801872045ff4c113f5d6a14b326152c2d4bb6d (diff) | |
MFC: r290959
When the smbfs iod thread (smb_iod_thread()) is shutting down, smb_iod_destroy()
would call smb_iod_request(). This call could return as soon as the
wakeup(evp) in smb_iod_main() call is done and then could destroy
the mutexes. This caused a race with the rest of smb_iod_main()'s
use of these mutexes.
A crash reported on freebsd-stable@ by Christian Kratzer was
diagnosed as a use of one of these mutexes after it was destroyed.
This patch moves destruction of the mutexes from smb_iod_destroy()
to the end of smb_iod_thread(), so that they aren't destroyed before
the thread is done with them. Christian confirmed that the patch
stopped the crashes from happening.
Diffstat (limited to 'sys/netsmb')
-rw-r--r-- | sys/netsmb/smb_iod.c | 8 |
1 files changed, 5 insertions, 3 deletions
diff --git a/sys/netsmb/smb_iod.c b/sys/netsmb/smb_iod.c index dfdd6f2..ae5c6f7 100644 --- a/sys/netsmb/smb_iod.c +++ b/sys/netsmb/smb_iod.c @@ -659,6 +659,11 @@ smb_iod_thread(void *arg) break; tsleep(&iod->iod_flags, PWAIT, "90idle", iod->iod_sleeptimo); } + + /* We can now safely destroy the mutexes and free the iod structure. */ + smb_sl_destroy(&iod->iod_rqlock); + smb_sl_destroy(&iod->iod_evlock); + free(iod, M_SMBIOD); mtx_unlock(&Giant); kproc_exit(0); } @@ -695,9 +700,6 @@ int smb_iod_destroy(struct smbiod *iod) { smb_iod_request(iod, SMBIOD_EV_SHUTDOWN | SMBIOD_EV_SYNC, NULL); - smb_sl_destroy(&iod->iod_rqlock); - smb_sl_destroy(&iod->iod_evlock); - free(iod, M_SMBIOD); return 0; } |
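Review bot: In the smb_iod_thread() hunk, smb_sl_destroy(&iod->iod_evlock) and free(iod, M_SMBIOD) now run as soon as the loop exits, while the thread that called smb_iod_destroy() may still be on its way out of smb_iod_request(iod, SMBIOD_EV_SHUTDOWN | SMBIOD_EV_SYNC, NULL). Please confirm that the synchronous wait path in smb_iod_request() does not touch iod_evlock or any other field of iod after it has been woken; if it does, the race from the commit message is reversed rather than removed. The new comment says the destroy is "now safe"; a sentence on why the waiter is finished with iod at this point would make that checkable.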
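Review bot: In the smb_iod_destroy() hunk, the return value of smb_iod_request() is discarded and the function always returns 0, yet after this change that request is the only path that leads to the locks being destroyed and iod being freed. If the request can fail before the thread acts on SMBIOD_EV_SHUTDOWN, iod and both locks are leaked without any indication; consider checking the result and handling or at least reporting the failure. A short comment here stating that ownership of iod passes to the iod thread, and that callers must not dereference iod after this call returns, would also document the new contract.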