svn commit: r291489 - stable/10/sys/netsmb

[Rick Macklem]

Author: rmacklem
Date: Mon Nov 30 13:46:22 2015
New Revision: 291489
URL: https://svnweb.freebsd.org/changeset/base/291489

Log:
  MFC: r290959
  When the smbfs iod thread (smb_iod_thread()) is shutting down, smb_iod_destroy()
  would call smb_iod_request(). This call could return as soon as the
  wakeup(evp) in smb_iod_main() call is done and then could destroy
  the mutexes. This caused a race with the rest of smb_iod_main()s
  use of these mutexes.
  A crash reported on freebsd-stable@ by Christian Kratzer was
  diagnosed as a use of one of these mutexes after it was destroyed.
  This patch moves destruction of the mutexes from smb_iod_destroy()
  to the end of smb_iod_thread(), so that they aren't destroyed before
  the thread is done with them. Christian comfirmed that the patch
  stopped the crashes from happening.

Modified:
  stable/10/sys/netsmb/smb_iod.c
Directory Properties:
  stable/10/   (props changed)

Modified: stable/10/sys/netsmb/smb_iod.c
==============================================================================
--- stable/10/sys/netsmb/smb_iod.c	Mon Nov 30 13:27:40 2015	(r291488)
+++ stable/10/sys/netsmb/smb_iod.c	Mon Nov 30 13:46:22 2015	(r291489)
@@ -659,6 +659,11 @@ smb_iod_thread(void *arg)
 			break;
 		tsleep(&iod->iod_flags, PWAIT, "90idle", iod->iod_sleeptimo);
 	}
+
+	/* We can now safely destroy the mutexes and free the iod structure. */
+	smb_sl_destroy(&iod->iod_rqlock);
+	smb_sl_destroy(&iod->iod_evlock);
+	free(iod, M_SMBIOD);
 	mtx_unlock(&Giant);
 	kproc_exit(0);
 }
@@ -695,9 +700,6 @@ int
 smb_iod_destroy(struct smbiod *iod)
 {
 	smb_iod_request(iod, SMBIOD_EV_SHUTDOWN | SMBIOD_EV_SYNC, NULL);
-	smb_sl_destroy(&iod->iod_rqlock);
-	smb_sl_destroy(&iod->iod_evlock);
-	free(iod, M_SMBIOD);
 	return 0;
 }