From ea66e04fe1a803f6a9ddf31cb999641d4396d67c Mon Sep 17 00:00:00 2001
From: Jens Axboe
Date: Mon, 10 Feb 2014 13:57:09 -0700
Subject: [PATCH] Fix issue with td->mutex being used-after-free

Depending on how the OS schedules the threads, it's not necessarily safe to immediately free a mutex after we have been woken up. Remove the td->mutex freeing to normal cleanup after the job is done.

Reported-by: Sitsofe Wheeler
Signed-off-by: Jens Axboe
---
 backend.c | 10 +++-------
 1 file changed, 3 insertions(+), 7 deletions(-)

diff --git a/backend.c b/backend.c
index 501c59a3..a607134b 100644
--- a/backend.c
+++ b/backend.c
@@ -1235,13 +1235,6 @@ static void *thread_main(void *data)
 fio_mutex_down(td->mutex);
 dprint(FD_MUTEX, "done waiting on td->mutex\n");
 
- /*
- * the ->mutex mutex is now no longer used, close it to avoid
- * eating a file descriptor
- */
- fio_mutex_remove(td->mutex);
- td->mutex = NULL;
-
 /*
 * A new gid requires privilege, so we need to do this before setting
 * the uid.
@@ -1521,6 +1514,9 @@ err:
 fio_mutex_remove(td->rusage_sem);
 td->rusage_sem = NULL;
 
+ fio_mutex_remove(td->mutex);
+ td->mutex = NULL;
+
 td_set_runstate(td, TD_EXITED);
 return (void *) (uintptr_t) td->error;
 }
-- 
2.25.1
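Review bot: The `fio_mutex_remove(td->mutex)` added under `err:` narrows the reported use-after-free window rather than closing it: nothing in this hunk establishes that the thread which called `fio_mutex_up()` on this mutex has finished touching it by the time this thread reaches `err:`, so the fix relies on elapsed time, not on synchronization. `err:` is also the target of error paths earlier in `thread_main` (the function starts outside this hunk); if any `goto err` can run before the `fio_mutex_down(td->mutex)` in the first hunk, the mutex would be freed while the waker is about to use it, which cannot be confirmed from the visible lines. A synchronization object is safest freed by the side that uses it last, which here appears to be the waker, so having it remove `td->mutex` after it has reaped the thread would remove the race outright. At minimum the ordering assumption deserves a comment next to the new call, e.g. `/* Freed here rather than right after the wakeup: the side that called fio_mutex_up() may still be inside it. Nothing may touch td->mutex after this thread exits. */`.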