Author: rmacklem
Date: Mon Nov 16 23:19:53 2015
New Revision: 290959
URL: https://svnweb.freebsd.org/changeset/base/290959
Log:
When the smbfs iod thread (smb_iod_thread()) is shutting down,
smb_iod_destroy()
would call smb_iod_request(). This call could return as soon as the
wakeup(evp) in smb_iod_main() call is done and then could destroy
the mutexes. This caused a race with the rest of smb_iod_main()s
use of these mutexes.
A crash reported on freebsd-stable@ by Christian Kratzer was
diagnosed as a use of one of these mutexes after it was destroyed.
This patch moves destruction of the mutexes from smb_iod_destroy()
to the end of smb_iod_thread(), so that they aren't destroyed before
the thread is done with them. Christian comfirmed that the patch
stopped the crashes from happening.
Reported by: ck-li...@cksoft.de (Christian Kratzer)
Tested by: ck-li...@cksoft.de (Christian Kratzer)
Diagnosed by: jhb
Reviewed by: jhb
MFC after: 2 weeks
Modified:
head/sys/netsmb/smb_iod.c
Modified: head/sys/netsmb/smb_iod.c
==============================================================================
--- head/sys/netsmb/smb_iod.c Mon Nov 16 23:11:01 2015 (r290958)
+++ head/sys/netsmb/smb_iod.c Mon Nov 16 23:19:53 2015 (r290959)
@@ -659,6 +659,11 @@ smb_iod_thread(void *arg)
break;
tsleep(&iod->iod_flags, PWAIT, "90idle", iod->iod_sleeptimo);
}
+
+ /* We can now safely destroy the mutexes and free the iod structure. */
+ smb_sl_destroy(&iod->iod_rqlock);
+ smb_sl_destroy(&iod->iod_evlock);
+ free(iod, M_SMBIOD);
mtx_unlock(&Giant);
kproc_exit(0);
}
@@ -695,9 +700,6 @@ int
smb_iod_destroy(struct smbiod *iod)
{
smb_iod_request(iod, SMBIOD_EV_SHUTDOWN | SMBIOD_EV_SYNC, NULL);
- smb_sl_destroy(&iod->iod_rqlock);
- smb_sl_destroy(&iod->iod_evlock);
- free(iod, M_SMBIOD);
return 0;
}
_______________________________________________
svn-src-all@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to "svn-src-all-unsubscr...@freebsd.org"
