Preserve LIFO ordering of kmap ops in abd_raidz_gen_iterate()

ZFS typically preserves proper LIFO ordering regarding map/unmap operations that wrap the Linux kernel's kmap interfaces that require such ordering, but one instance in abd_raidz_gen_iterate() did not. Similar issues have been fixed in the Linux kernel in the past, see for instance CVE-2025-39899 for userfaultfd. Reviewed-by: RageLtMan <rageltman@sempervictus> Reviewed-by: Rob Norris <robn@despairlabs.com> Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov> Signed-off-by: bspengler-oss <94915855+bspengler-oss@users.noreply.github.com> Closes #15668 Closes #18030
2026-01-14 01:02:04 +03:00 · 2025-11-17 20:42:44 -05:00 · 2025-11-17 20:42:44 -05:00 · 5946eeb8df
commit 5946eeb8df
parent 5e271995d1
1 changed files with 8 additions and 8 deletions
--- a/module/zfs/abd.c
+++ b/module/zfs/abd.c
@ -1111,13 +1111,6 @@ abd_raidz_gen_iterate(abd_t **cabds, abd_t *dabd, size_t off,

 		func_raidz_gen(caddrs, daddr, len, dlen);

-		for (i = parity-1; i >= 0; i--) {
-			abd_iter_unmap(&caiters[i]);
-			c_cabds[i] =
-			    abd_advance_abd_iter(cabds[i], c_cabds[i],
-			    &caiters[i], len);
-		}
-
 		if (dsize > 0) {
 			abd_iter_unmap(&daiter);
 			c_dabd =
@ -1126,6 +1119,13 @@ abd_raidz_gen_iterate(abd_t **cabds, abd_t *dabd, size_t off,
 			dsize -= dlen;
 		}

+		for (i = parity - 1; i >= 0; i--) {
+			abd_iter_unmap(&caiters[i]);
+			c_cabds[i] =
+			    abd_advance_abd_iter(cabds[i], c_cabds[i],
+			    &caiters[i], len);
+		}
+
 		csize -= len;
 	}
 	abd_exit_critical(flags);
@ -1194,7 +1194,7 @@ abd_raidz_rec_iterate(abd_t **cabds, abd_t **tabds,

 		func_raidz_rec(xaddrs, len, caddrs, mul);

-		for (i = parity-1; i >= 0; i--) {
+		for (i = parity - 1; i >= 0; i--) {
 			abd_iter_unmap(&xiters[i]);
 			abd_iter_unmap(&citers[i]);
 			c_tabds[i] =