If using ioengine=/path/to/ioengine to dynamically load an ioengine, there is a race between free_ioengine()'s dlclose() and the td->io_ops dereference in reap_threads(). To resolve, td->io_ops must be set to NULL before calling dlclose() - this ensures the name check in reap_threads() does not try to reference memory no longer accessible due to the ioengine getting closed. Signed-off-by: Jim Harris <james.r.harris@xxxxxxxxx> --- ioengines.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ioengines.c b/ioengines.c index c90a2ca5..6caf73da 100644 --- a/ioengines.c +++ b/ioengines.c @@ -170,10 +170,10 @@ void free_ioengine(struct thread_data *td) td->eo = NULL; } + td->io_ops = NULL; + if (td->io_ops_dlhandle) dlclose(td->io_ops_dlhandle); - - td->io_ops = NULL; } void close_ioengine(struct thread_data *td) -- 2.12.2 -- To unsubscribe from this list: send the line "unsubscribe fio" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
