Fix issue with td->mutex being used-after-free
author Jens Axboe <axboe@fb.com>
Mon, 10 Feb 2014 20:57:09 +0000 (13:57 -0700)
committer Jens Axboe <axboe@fb.com>
Mon, 10 Feb 2014 20:57:09 +0000 (13:57 -0700)
Depending on how the OS schedules the threads, it's not necessarily
safe to immediately free a mutex after we have been woken up.
Remove the td->mutex freeing to normal cleanup after the job is done.

Reported-by: Sitsofe Wheeler <sitsofe@yahoo.com>
Signed-off-by: Jens Axboe <axboe@fb.com>
backend.c

index 501c59a322a5551e174a108c7989c70c0db9f09c..a607134b878d4603fcb0d3e32e6273847fa2dc7a 100644
--- a/backend.c
+++ b/backend.c
@@ -1235,13 +1235,6 @@ static void *thread_main(void *data)
        fio_mutex_down(td->mutex);
        dprint(FD_MUTEX, "done waiting on td->mutex\n");
 
-       /*
-        * the ->mutex mutex is now no longer used, close it to avoid
-        * eating a file descriptor
-        */
-       fio_mutex_remove(td->mutex);
-       td->mutex = NULL;
-
        /*
         * A new gid requires privilege, so we need to do this before setting
         * the uid.
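Review bot: with the early fio_mutex_remove() dropped, nothing at this site tells a future reader why td->mutex is deliberately kept alive after fio_mutex_down() returns; consider replacing the deleted comment with one stating that, depending on scheduling, the thread that woke us may still be operating on the mutex, so the close is deferred to the exit path. The concern the old comment raised (holding a file descriptor) now lasts for the job's lifetime instead of ending here, which is worth a sentence in the commit message.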
@@ -1521,6 +1514,9 @@ err:
        fio_mutex_remove(td->rusage_sem);
        td->rusage_sem = NULL;
 
+       fio_mutex_remove(td->mutex);
+       td->mutex = NULL;
+
        td_set_runstate(td, TD_EXITED);
        return (void *) (uintptr_t) td->error;
 }
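Review bot: the new fio_mutex_remove(td->mutex) under err: runs on every exit path, including early failures that jump to err: before the thread ever waited on the mutex, so it should be confirmed that td->mutex is always non-NULL there (or that fio_mutex_remove() tolerates NULL) before calling it unconditionally; the same pattern is already used for td->rusage_sem a few lines above, so matching that guarantee is sufficient. Clearing td->mutex to NULL afterwards is the right choice, since it turns any later stray use into an obvious NULL access rather than a second free.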