From ce20f1f15103226667bc872378cf9b2e4b3e8cd7 Mon Sep 17 00:00:00 2001
From: Simon Wilkinson <sxw@your-file-system.com>
Date: Wed, 27 Feb 2013 10:11:21 +0000
Subject: [PATCH] libafscp: Can't unlock something we've freed

When we call _StatCleanup on a stored statent structure, it
deletes the mutex, and frees the structure itself. This means it
can't be called with a locked structure as the mutex deletion
will fail, and then we'll try to reference freed memory when we
later unlock that mutex.

Fix this by unlocking the mutex before calling _StatCleanup. This
is safe because the only reference to the structure visible to other
threads must have been deleted by the time we reach this point.

Caught by coverity (#986058, #986059)

Change-Id: I346d4c8a7cd478db044af919662c1cf1c093e205
Reviewed-on: http://gerrit.openafs.org/9297
Reviewed-by: Derrick Brashear <shadow@your-file-system.com>
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Jeffrey Altman <jaltman@your-file-system.com>
---
 src/libafscp/afscp_fid.c | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

diff --git a/src/libafscp/afscp_fid.c b/src/libafscp/afscp_fid.c
index c7582c95d..7c3ca6536 100644
--- a/src/libafscp/afscp_fid.c
+++ b/src/libafscp/afscp_fid.c
@@ -144,11 +144,13 @@ afscp_WaitForCallback(const struct afscp_venusfid *fid, int seconds)
 	    code = pthread_cond_timedwait(&(stored->cv), &(stored->mtx), &ts);
 	else
 	    pthread_cond_wait(&(stored->cv), &(stored->mtx));
-	if ((stored->nwaiters == 1) && stored->cleanup)
+	if ((stored->nwaiters == 1) && stored->cleanup) {
+	    pthread_mutex_unlock(&(stored->mtx));
 	    _StatCleanup(stored);
-	else
+	} else {
 	    stored->nwaiters--;
-        pthread_mutex_unlock(&(stored->mtx));
+	    pthread_mutex_unlock(&(stored->mtx));
+	}
     }
     if ((code == EINTR) || (code == ETIMEDOUT)) {
 	afscp_errno = code;
@@ -312,9 +314,11 @@ _StatInvalidate(const struct afscp_venusfid *fid)
 	    /* avoid blocking callback thread */
 	    pthread_cond_broadcast(&(stored->cv));
 	    stored->cleanup = 1;
-	} else
+	    pthread_mutex_unlock(&(stored->mtx));
+	} else {
+	    pthread_mutex_unlock(&(stored->mtx));
 	    _StatCleanup(stored);
-	pthread_mutex_unlock(&(stored->mtx));
+	}
     }
     return 0;
 }
-- 
2.39.5