Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / fio / ea66e04fe1a803f6a9ddf31cb999641d4396d67c^! / . / backend.c
commitea66e04fe1a803f6a9ddf31cb999641d4396d67c[log] [tgz]
authorJens Axboe <axboe@fb.com>Mon Feb 10 13:57:09 2014 -0700
committerJens Axboe <axboe@fb.com>Mon Feb 10 13:57:09 2014 -0700
treeb0b681cc320f71a813af11ba1a7a6d4602f550d1
parent782744ef60b7ed47a529d30b9f8e0c528c436fdb [diff] [blame]
Fix issue with td->mutex being used-after-free

Depending on how the OS schedules the threads, it's not necessarily
safe to immediately free a mutex after we have been woken up.
Remove the td->mutex freeing to normal cleanup after the job is done.

Reported-by: Sitsofe Wheeler <sitsofe@yahoo.com>
Signed-off-by: Jens Axboe <axboe@fb.com>

diff --git a/backend.c b/backend.c
index 501c59a..a607134 100644
--- a/backend.c
+++ b/backend.c

@@ -1236,13 +1236,6 @@
 	dprint(FD_MUTEX, "done waiting on td->mutex\n");
 
 	/*
-	 * the ->mutex mutex is now no longer used, close it to avoid
-	 * eating a file descriptor
-	 */
-	fio_mutex_remove(td->mutex);
-	td->mutex = NULL;
-
-	/*
 	 * A new gid requires privilege, so we need to do this before setting
 	 * the uid.
 	 */
@@ -1521,6 +1514,9 @@
 	fio_mutex_remove(td->rusage_sem);
 	td->rusage_sem = NULL;
 
+	fio_mutex_remove(td->mutex);
+	td->mutex = NULL;
+
 	td_set_runstate(td, TD_EXITED);
 	return (void *) (uintptr_t) td->error;
 }