The problem report was for a crash that happened when smbfs was
trying to do a mount. Given the backtrace,
it appears that the crash occurred when smb_vc_create() failed and then
called smb_vc_put() with vcp->vc_iod == NULL. smb_vc_put() subsequently
called smb_vc_disconnect() with vcp->vc_iod == NULL, causing the crash.
This patch adds a check for vcp->vc_iod != NULL in smb_vc_disconnect() to
avoid the crash. It also fixes the case in smb_vc_create() where
kproc_create() fails so that it destroys the mutexes and sets
vcp->vc_iod == NULL before free()'ing the iod structure.
The person who reported the PR tested the patch, but was not able
to reproduce the crash with or without the patch.

PR:		201912
Reviewed by:	jhb
MFC after:	2 weeks
Rick Macklem 2015-11-18 23:04:01 +00:00
parent e90df06388
commit 69527b11bb
Notes: svn2git 2020-12-20 02:59:44 +00:00
svn path=/head/; revision=291035
2 changed files with 6 additions and 1 deletions

@ -683,7 +683,9 @@ int
smb_vc_disconnect(struct smb_vc *vcp)
{
smb_iod_request(vcp->vc_iod, SMBIOD_EV_DISCONNECT | SMBIOD_EV_SYNC, NULL);
if (vcp->vc_iod != NULL)
smb_iod_request(vcp->vc_iod, SMBIOD_EV_DISCONNECT |
SMBIOD_EV_SYNC, NULL);
return 0;
}
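Review bot: In smb_vc_disconnect(), the new vcp->vc_iod != NULL guard has no comment saying when the pointer can be NULL, and the function still returns 0 whether or not a disconnect was actually requested. A one-line comment tying the guard to the failed-create path described in the commit message would help the next reader, and it is worth confirming that no caller treats the 0 as proof that the iod processed SMBIOD_EV_DISCONNECT. The result of smb_iod_request() is also unused in the guarded call; if that is intentional, the comment can say so.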

@ -690,6 +690,9 @@ smb_iod_create(struct smb_vc *vcp)
RFNOWAIT, 0, "smbiod%d", iod->iod_id);
if (error) {
SMBERROR("can't start smbiod: %d", error);
vcp->vc_iod = NULL;
smb_sl_destroy(&iod->iod_rqlock);
smb_sl_destroy(&iod->iod_evlock);
free(iod, M_SMBIOD);
return error;
}
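Review bot: The commit message places this fix in smb_vc_create(), but the hunk header shows the changed error branch is in smb_iod_create(); the message should name the function that is actually touched. Within the if (error) branch, clearing vcp->vc_iod before free(iod, M_SMBIOD) is the right order, since it keeps the later smb_vc_put() path from seeing a freed pointer. Please also confirm that iod_rqlock and iod_evlock are the only things set up earlier in the function that need tearing down here, because the hunk only shows these two smb_sl_destroy() calls.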