backend: move freeing of td->mutex to main thread

On some platforms, we can end up freeing td->mutex while the wakee
is still inside fio_mutex_up(). This introduces a use-after-free
condition, and we crash.

Free the main thread_data mutex from the main thread instead,
when we know the process/thread is long dead and gone.

Signed-off-by: Jens Axboe <axboe@fb.com>

diff --git a/backend.c b/backend.c
index b61de7c0782bfd1400d97b2077da521c7a55e152..38ef3482f85139143aca01dfea12a49ec232db19 100644 (file)
--- a/backend.c
+++ b/backend.c
@@ -1836,9 +1836,6 @@ err:
        if (o->write_iolog_file)
                write_iolog_close(td);
 
-       fio_mutex_remove(td->mutex);
-       td->mutex = NULL;
-
        td_set_runstate(td, TD_EXITED);
 
        /*
@@ -2435,6 +2432,8 @@ int fio_backend(struct sk_out *sk_out)
                        fio_mutex_remove(td->rusage_sem);
                        td->rusage_sem = NULL;
                }
+               fio_mutex_remove(td->mutex);
+               td->mutex = NULL;
        }
 
        free_disk_util();