Author: rmacklem Date: Mon Nov 16 23:19:53 2015 New Revision: 290959 URL: https://svnweb.freebsd.org/changeset/base/290959
Log: When the smbfs iod thread (smb_iod_thread()) is shutting down, smb_iod_destroy() would call smb_iod_request(). This call could return as soon as the wakeup(evp) in smb_iod_main() call is done and then could destroy the mutexes. This caused a race with the rest of smb_iod_main()s use of these mutexes. A crash reported on freebsd-stable@ by Christian Kratzer was diagnosed as a use of one of these mutexes after it was destroyed. This patch moves destruction of the mutexes from smb_iod_destroy() to the end of smb_iod_thread(), so that they aren't destroyed before the thread is done with them. Christian comfirmed that the patch stopped the crashes from happening. Reported by: ck-li...@cksoft.de (Christian Kratzer) Tested by: ck-li...@cksoft.de (Christian Kratzer) Diagnosed by: jhb Reviewed by: jhb MFC after: 2 weeks Modified: head/sys/netsmb/smb_iod.c Modified: head/sys/netsmb/smb_iod.c ============================================================================== --- head/sys/netsmb/smb_iod.c Mon Nov 16 23:11:01 2015 (r290958) +++ head/sys/netsmb/smb_iod.c Mon Nov 16 23:19:53 2015 (r290959) @@ -659,6 +659,11 @@ smb_iod_thread(void *arg) break; tsleep(&iod->iod_flags, PWAIT, "90idle", iod->iod_sleeptimo); } + + /* We can now safely destroy the mutexes and free the iod structure. */ + smb_sl_destroy(&iod->iod_rqlock); + smb_sl_destroy(&iod->iod_evlock); + free(iod, M_SMBIOD); mtx_unlock(&Giant); kproc_exit(0); } @@ -695,9 +700,6 @@ int smb_iod_destroy(struct smbiod *iod) { smb_iod_request(iod, SMBIOD_EV_SHUTDOWN | SMBIOD_EV_SYNC, NULL); - smb_sl_destroy(&iod->iod_rqlock); - smb_sl_destroy(&iod->iod_evlock); - free(iod, M_SMBIOD); return 0; } _______________________________________________ svn-src-all@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to "svn-src-all-unsubscr...@freebsd.org"