From 5946eeb8dfa1baf8170303c3f3c7519f4e8070d0 Mon Sep 17 00:00:00 2001 From: bspengler-oss <94915855+bspengler-oss@users.noreply.github.com> Date: Mon, 17 Nov 2025 20:42:44 -0500 Subject: [PATCH] Preserve LIFO ordering of kmap ops in abd_raidz_gen_iterate() ZFS typically preserves proper LIFO ordering regarding map/unmap operations that wrap the Linux kernel's kmap interfaces that require such ordering, but one instance in abd_raidz_gen_iterate() did not. Similar issues have been fixed in the Linux kernel in the past, see for instance CVE-2025-39899 for userfaultfd. Reviewed-by: RageLtMan Reviewed-by: Rob Norris Reviewed-by: Brian Behlendorf Signed-off-by: bspengler-oss <94915855+bspengler-oss@users.noreply.github.com> Closes #15668 Closes #18030 --- module/zfs/abd.c | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/module/zfs/abd.c b/module/zfs/abd.c
index bf9b13c30..2d310276a 100644
--- a/module/zfs/abd.c
+++ b/module/zfs/abd.c
@@ -1111,13 +1111,6 @@ abd_raidz_gen_iterate(abd_t **cabds, abd_t *dabd, size_t off,
 func_raidz_gen(caddrs, daddr, len, dlen);
- for (i = parity-1; i >= 0; i--) {
- abd_iter_unmap(&caiters[i]);
- c_cabds[i] =
- abd_advance_abd_iter(cabds[i], c_cabds[i],
- &caiters[i], len);
- }
-
 if (dsize > 0) {
 abd_iter_unmap(&daiter);
 c_dabd =
@@ -1126,6 +1119,13 @@ abd_raidz_gen_iterate(abd_t **cabds, abd_t *dabd, size_t off,
 dsize -= dlen;
 }
+ for (i = parity - 1; i >= 0; i--) {
+ abd_iter_unmap(&caiters[i]);
+ c_cabds[i] =
+ abd_advance_abd_iter(cabds[i], c_cabds[i],
+ &caiters[i], len);
+ }
+
 csize -= len;
 }
 abd_exit_critical(flags);
@@ -1194,7 +1194,7 @@ abd_raidz_rec_iterate(abd_t **cabds, abd_t **tabds,
 func_raidz_rec(xaddrs, len, caddrs, mul);
- for (i = parity-1; i >= 0; i--) {
+ for (i = parity - 1; i >= 0; i--) {
 abd_iter_unmap(&xiters[i]);
 abd_iter_unmap(&citers[i]);
 c_tabds[i] =
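Review bot: The relocated `for (i = parity - 1; i >= 0; i--)` loop in the second hunk of abd_raidz_gen_iterate() has no comment saying that it must run after the `abd_iter_unmap(&daiter)` block, so a later cleanup could swap the two again and quietly restore the out-of-order unmap. I would add a comment above the loop such as `/* Unmap in reverse order of mapping: daiter first, then caiters[parity-1..0]; the kmap wrappers require LIFO. */`. The map calls sit outside both hunks and the function body continues past them, so the mapping order (parity columns first, data last) is inferred from the commit message rather than checked against visible lines. The third hunk only respaces `parity-1`; whether unmapping `xiters[i]` before `citers[i]` in abd_raidz_rec_iterate() mirrors its map order cannot be confirmed from what is shown and is worth verifying in the same pass.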