From 234234ca4de9b2121f69d2cd3b2928197234336d Mon Sep 17 00:00:00 2001 From: Roman Strashkin Date: Fri, 22 Mar 2019 23:11:36 +0300 Subject: [PATCH] Panic when running 'zpool split' Added missing remove of detachable VDEV from txg's DTL list to avoid use-after-free for the split VDEV Reviewed by: Pavel Zakharov Reviewed-by: Brian Behlendorf Reviewed-by: Jorgen Lundman Signed-off-by: Roman Strashkin Closes #5565 Closes #7856 --- module/zfs/spa.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/module/zfs/spa.c b/module/zfs/spa.c index 9d798ebac..71744139e 100644 --- a/module/zfs/spa.c +++ b/module/zfs/spa.c @@ -6842,6 +6842,18 @@ spa_vdev_split_mirror(spa_t *spa, char *newname, nvlist_t *config, dmu_tx_abort(tx); for (c = 0; c < children; c++) { if (vml[c] != NULL) { + vdev_t *tvd = vml[c]->vdev_top; + + /* + * Need to be sure the detachable VDEV is not + * on any *other* txg's DTL list to prevent it + * from being accessed after it's freed. + */ + for (int t = 0; t < TXG_SIZE; t++) { + (void) txg_list_remove_this( + &tvd->vdev_dtl_list, vml[c], t); + } + vdev_split(vml[c]); if (error == 0) spa_history_log_internal(spa, "detach", tx,