Fix issue with td->mutex being used-after-free
index 62fa17c3a209665252a25e322aa084b15ce86c25..a607134b878d4603fcb0d3e32e6273847fa2dc7a 100644 (file)
--- a/backend.c
+++ b/backend.c
@@ -725,14 +725,14 @@ static uint64_t do_io(struct thread_data *td)
                        td_set_runstate(td, TD_RUNNING);
 
                /*
-                * Verify_backlog disabled: We need to log rand seed before the
-                * actual IO to be able to replay it correctly in the verify phase.
+                * Always log IO before it's issued, so we know the specific
+                * order of it. The logged unit will track when the IO has
+                * completed.
                 */
                if (td_write(td) && io_u->ddir == DDIR_WRITE &&
                    td->o.do_verify &&
                    td->o.verify != VERIFY_NONE &&
-                   !td->o.experimental_verify &&
-                   !(td->flags & TD_F_VER_BACKLOG))
+                   !td->o.experimental_verify)
                        log_io_piece(td, io_u);
 
                ret = td_io_queue(td, io_u);
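Review bot: With the `TD_F_VER_BACKLOG` test dropped, `log_io_piece(td, io_u)` now runs before `td_io_queue()` for backlog verification too, and the hunk does not show what happens to the logged piece when the queue call fails or the io_u is requeued. do_io continues outside the hunk, so that handling may exist there; if it does not, a backlog verify pass could pick up a block that was never written, and the piece should be dropped or marked as not completed on the failure path. The new comment says the logged unit tracks completion, but nothing visible here sets that state, so the comment should name where it is set. This behaviour change is also not mentioned in the commit title, which only covers td->mutex.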
@@ -1235,13 +1235,6 @@ static void *thread_main(void *data)
        fio_mutex_down(td->mutex);
        dprint(FD_MUTEX, "done waiting on td->mutex\n");
 
-       /*
-        * the ->mutex mutex is now no longer used, close it to avoid
-        * eating a file descriptor
-        */
-       fio_mutex_remove(td->mutex);
-       td->mutex = NULL;
-
        /*
         * A new gid requires privilege, so we need to do this before setting
         * the uid.
@@ -1521,6 +1514,9 @@ err:
        fio_mutex_remove(td->rusage_sem);
        td->rusage_sem = NULL;
 
+       fio_mutex_remove(td->mutex);
+       td->mutex = NULL;
+
        td_set_runstate(td, TD_EXITED);
        return (void *) (uintptr_t) td->error;
 }
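Review bot: The added `fio_mutex_remove(td->mutex)` at `err:` has no comment saying why the mutex must now outlive the start-up wait, whereas the block removed from thread_main documented the opposite choice. I would add something like `/* td->mutex may still be posted by another thread after start-up; release it only when this thread is done */` above it, with the wording confirmed against the caller, which is not in the diff. It is also worth checking that every path reaching `err:` has a valid td->mutex and that no other thread touches it after this point, otherwise the use-after-free only moves to thread exit. thread_main starts outside the hunk.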