From 1e91412e40491571bff67e5e84290f743d933e11 Mon Sep 17 00:00:00 2001
From: Mark Johnston
Date: Fri, 14 Apr 2017 17:08:37 +0000
Subject: [PATCH] Don't set the mirror GEOM softc to NULL in g_mirror_destroy().

At this point we have not rendezvous'ed with the mirror worker thread, and I/O may still be in flight. Various I/O completion paths expect to be able to obtain a reference to the mirror softc from the GEOM, so setting it to NULL may result in various NULL pointer dereferences if the mirror is stopped with -f or the kernel is shut down while a mirror is synchronizing. The worker thread will clear the softc pointer before exiting.

Tested by: pho
MFC after: 2 weeks
Sponsored by: Dell EMC Isilon
---
 sys/geom/mirror/g_mirror.c | 9 +--------
 1 file changed, 1 insertion(+), 8 deletions(-)

diff --git a/sys/geom/mirror/g_mirror.c b/sys/geom/mirror/g_mirror.c
index b5504327b28d..345b341ba113 100644
--- a/sys/geom/mirror/g_mirror.c
+++ b/sys/geom/mirror/g_mirror.c
@@ -3076,15 +3076,8 @@ g_mirror_destroy(struct g_mirror_softc *sc, int how)
 		}
 	}
 
-	g_topology_lock();
-	if (sc->sc_geom->softc == NULL) {
-		g_topology_unlock();
+	if ((sc->sc_flags & G_MIRROR_DEVICE_FLAG_DESTROY) != 0)
 		return (0);
-	}
-	sc->sc_geom->softc = NULL;
-	sc->sc_sync.ds_geom->softc = NULL;
-	g_topology_unlock();
-
 	sc->sc_flags |= G_MIRROR_DEVICE_FLAG_DESTROY;
 	sc->sc_flags |= G_MIRROR_DEVICE_FLAG_WAIT;
 	G_MIRROR_DEBUG(4, "%s: Waking up %p.", __func__, sc);
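Review bot: The new `if ((sc->sc_flags & G_MIRROR_DEVICE_FLAG_DESTROY) != 0)` test and the `sc->sc_flags |=` that follows it form a test-and-set on `sc_flags` with no lock visible in the hunk, whereas the old guard it replaces was evaluated under `g_topology_lock()`; this is only race-free if every caller enters g_mirror_destroy() with the softc's own lock held exclusively, which the hunk does not show (the function begins before and continues past the hunk, so the assertion that establishes this is presumably there — worth confirming). The removal also leaves no trace in this function of why `sc_geom->softc` is deliberately left intact, so a later maintainer chasing a stale-softc lookup could reintroduce the NULLing and the shutdown/`-f` NULL-dereference described in the commit message. I would put the rationale next to the new guard: `/* Do not clear sc_geom->softc here: I/O may still be in flight and its completion paths look the softc up; the worker thread clears it after rendezvousing with us. */`. Stating in that comment which lock protects `sc_flags` at this point would also tie the new check to its synchronization assumption.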