When the smbfs iod thread (smb_iod_thread()) is shutting down, smb_iod_destroy()
would call smb_iod_request(). This call could return as soon as the wakeup(evp) in smb_iod_main() call is done and then could destroy the mutexes. This caused a race with the rest of smb_iod_main()s use of these mutexes. A crash reported on freebsd-stable@ by Christian Kratzer was diagnosed as a use of one of these mutexes after it was destroyed. This patch moves destruction of the mutexes from smb_iod_destroy() to the end of smb_iod_thread(), so that they aren't destroyed before the thread is done with them. Christian comfirmed that the patch stopped the crashes from happening. Reported by: ck-lists@cksoft.de (Christian Kratzer) Tested by: ck-lists@cksoft.de (Christian Kratzer) Diagnosed by: jhb Reviewed by: jhb MFC after: 2 weeks
This commit is contained in:
rmacklem
parent
7965ca51f7
commit
ee4d679462
@ -659,6 +659,11 @@ smb_iod_thread(void *arg)
|
||||
break;
|
||||
tsleep(&iod->iod_flags, PWAIT, "90idle", iod->iod_sleeptimo);
|
||||
}
|
||||
|
||||
/* We can now safely destroy the mutexes and free the iod structure. */
|
||||
smb_sl_destroy(&iod->iod_rqlock);
|
||||
smb_sl_destroy(&iod->iod_evlock);
|
||||
free(iod, M_SMBIOD);
|
||||
mtx_unlock(&Giant);
|
||||
kproc_exit(0);
|
||||
}
|
||||
@ -695,9 +700,6 @@ int
|
||||
smb_iod_destroy(struct smbiod *iod)
|
||||
{
|
||||
smb_iod_request(iod, SMBIOD_EV_SHUTDOWN | SMBIOD_EV_SYNC, NULL);
|
||||
smb_sl_destroy(&iod->iod_rqlock);
|
||||
smb_sl_destroy(&iod->iod_evlock);
|
||||
free(iod, M_SMBIOD);
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user