Fix null dereference in spa_vdev_remove_cancel_sync()

We don't really need to access space map to know where the metaslab ends, while msp->ms_sm might be NULL. Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov> Reviewed-by: Rob Norris <robn@despairlabs.com> Reviewed by: Igor Kozhukhov <ikozhukhov@gmail.com> Signed-off-by: Alexander Motin <mav@FreeBSD.org> Sponsored by: iXsystems, Inc. Fixes #17164 Fixes #17359 Closes #17361
2025-06-25 10:38:00 +03:00 · 2025-05-22 10:47:43 -04:00 · 2025-05-22 10:47:43 -04:00 · 5c30b24381
commit 5c30b24381
parent a6f20250de
1 changed files with 3 additions and 4 deletions
--- a/module/zfs/vdev_removal.c
+++ b/module/zfs/vdev_removal.c
@ -1931,10 +1931,9 @@ spa_vdev_remove_cancel_sync(void *arg, dmu_tx_t *tx)
 		 * because we have not allocated mappings for it yet.
 		 */
 		uint64_t syncd = vdev_indirect_mapping_max_offset(vim);
-		uint64_t sm_end = msp->ms_sm->sm_start +
-		    msp->ms_sm->sm_size;
-		if (sm_end > syncd)
-			zfs_range_tree_clear(segs, syncd, sm_end - syncd);
+		uint64_t ms_end = msp->ms_start + msp->ms_size;
+		if (ms_end > syncd)
+			zfs_range_tree_clear(segs, syncd, ms_end - syncd);

 		zfs_range_tree_vacate(segs, free_mapped_segment_cb, vd);
 	}