From: Jens Axboe Date: Mon, 3 Apr 2017 14:46:34 +0000 (-0600) Subject: backend: move freeing of td->mutex to main thread X-Git-Tag: fio-2.19~1 X-Git-Url: https://git.kernel.dk/?p=fio.git;a=commitdiff_plain;h=5ba01402d96e113ac451441f45d0c8b4dd281f4d backend: move freeing of td->mutex to main thread On some platforms, we can end up freeing td->mutex while the wakee is still inside fio_mutex_up(). This introduces a use-after-free condition, and we crash. Free the main thread_data mutex from the main thread instead, when we know the process/thread is long dead and gone. Signed-off-by: Jens Axboe --- diff --git a/backend.c b/backend.c index b61de7c0..38ef3482 100644 --- a/backend.c +++ b/backend.c @@ -1836,9 +1836,6 @@ err: if (o->write_iolog_file) write_iolog_close(td); - fio_mutex_remove(td->mutex); - td->mutex = NULL; - td_set_runstate(td, TD_EXITED); /* @@ -2435,6 +2432,8 @@ int fio_backend(struct sk_out *sk_out) fio_mutex_remove(td->rusage_sem); td->rusage_sem = NULL; } + fio_mutex_remove(td->mutex); + td->mutex = NULL; } free_disk_util();
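Review bot: In the first hunk (backend.c, the `err:` label), dropping `fio_mutex_remove(td->mutex)` and `td->mutex = NULL` from the worker's own exit path is the right fix for the race described: the context line `td_set_runstate(td, TD_EXITED);` immediately follows, so the worker was freeing the mutex while another thread could still be inside `fio_mutex_up()` on it. One consequence worth a sentence in the commit message or a comment at the label: after this change `td->mutex` stays non-NULL past `TD_EXITED`, so any exit-path code that previously treated a NULL `td->mutex` as "already torn down" now needs the main thread's cleanup to be the only owner of that pointer.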
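Review bot: In the second hunk (`fio_backend()`), the added `fio_mutex_remove(td->mutex); td->mutex = NULL;` is unconditional, whereas the `rusage_sem` teardown just above it sits inside an `if` block (the visible closing `}` before the insertion). If any `thread_data` can reach this point without its mutex ever having been created, for example a thread that failed during setup, this would pass a NULL pointer to `fio_mutex_remove()`; either guard it with `if (td->mutex)` or note that `fio_mutex_remove()` tolerates NULL. Since nothing in the hunk itself enforces the ordering the commit message relies on (the worker being "long dead and gone" before this runs), a short comment at the call site stating that precondition would help the next reader.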