From 5ba01402d96e113ac451441f45d0c8b4dd281f4d Mon Sep 17 00:00:00 2001
From: Jens Axboe
Date: Mon, 3 Apr 2017 08:46:34 -0600
Subject: [PATCH 1/1] backend: move freeing of td->mutex to main thread

On some platforms, we can end up freeing td->mutex while the wakee is still inside fio_mutex_up(). This introduces a use-after-free condition, and we crash.

Free the main thread_data mutex from the main thread instead, when we know the process/thread is long dead and gone.

Signed-off-by: Jens Axboe
---
 backend.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/backend.c b/backend.c
index b61de7c0..38ef3482 100644
--- a/backend.c
+++ b/backend.c
@@ -1836,9 +1836,6 @@ err:
 if (o->write_iolog_file)
 write_iolog_close(td);
 
- fio_mutex_remove(td->mutex);
- td->mutex = NULL;
-
 td_set_runstate(td, TD_EXITED);
 
 /*
@@ -2435,6 +2432,8 @@ int fio_backend(struct sk_out *sk_out)
 fio_mutex_remove(td->rusage_sem);
 td->rusage_sem = NULL;
 }
+ fio_mutex_remove(td->mutex);
+ td->mutex = NULL;
 }
 
 free_disk_util();
-- 
2.25.1
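Review bot: The new `fio_mutex_remove(td->mutex)` in the fio_backend hunk has no NULL guard, while the rusage_sem release directly above it is wrapped in `if (td->rusage_sem)`; if fio_mutex_remove dereferences its argument (it appears to, but that is outside this hunk), a thread_data whose mutex was never set up or was already released would crash here instead of being skipped. Mirroring the neighbouring pattern keeps the teardown loop uniform: `if (td->mutex) { fio_mutex_remove(td->mutex); td->mutex = NULL; }`. Since this line is the only remaining place the mutex is freed, and the reason it lives here rather than in the worker is not visible in the code, a short why-comment would help the next maintainer, e.g. `/* Freed from the main thread only: the worker may still be inside fio_mutex_up() on this mutex when it exits. */`. The enclosing for_each_td loop and fio_backend itself begin before this hunk.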