From 78d95eaa732f074a6351045e59cd974380ad50ab Mon Sep 17 00:00:00 2001
From: LOLi
Date: Wed, 10 May 2017 00:22:46 +0200
Subject: [PATCH] Fix NULL pointer dereference in 'zfs create'

A race condition between 'zpool export' and 'zfs create' can crash the latter: this is because we never check libzfs`zpool_open() return value in libzfs`zfs_create().

Reviewed-by: George Melikov
Reviewed-by: Giuseppe Di Natale
Reviewed-by: Brian Behlendorf
Signed-off-by: loli10K
Closes #6096
---
 lib/libzfs/libzfs_dataset.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/lib/libzfs/libzfs_dataset.c b/lib/libzfs/libzfs_dataset.c
index 8130e400f..0f18fd690 100644
--- a/lib/libzfs/libzfs_dataset.c
+++ b/lib/libzfs/libzfs_dataset.c
@@ -3370,6 +3370,7 @@ zfs_create(libzfs_handle_t *hdl, const char *path, zfs_type_t type,
 char errbuf[1024];
 uint64_t zoned;
 enum lzc_dataset_type ost;
+ zpool_handle_t *zpool_handle;
 
 (void) snprintf(errbuf, sizeof (errbuf), dgettext(TEXT_DOMAIN,
 "cannot create '%s'"), path);
@@ -3409,7 +3410,8 @@ zfs_create(libzfs_handle_t *hdl, const char *path, zfs_type_t type,
 if (p != NULL)
 *p = '\0';
 
- zpool_handle_t *zpool_handle = zpool_open(hdl, pool_path);
+ if ((zpool_handle = zpool_open(hdl, pool_path)) == NULL)
+ return (-1);
 
 if (props && (props = zfs_valid_proplist(hdl, type, props, zoned,
 NULL, zpool_handle, errbuf)) == 0) {
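Review bot: The new `return (-1)` after the failed `zpool_open()` in the second hunk reports nothing through `errbuf`, so the "cannot create '%s'" context built in the first hunk is never shown for this failure; this is only correct if `zpool_open()` itself has already recorded an error on `hdl` (it appears to, but that is outside the hunk), and a one-line comment should say so: `/* zpool_open() has already reported the error on hdl */`. It is also worth stating in the commit message or a comment that this closes the NULL dereference, not the race: the pool can still be exported between this check and the later create, so the subsequent calls must continue to fail cleanly on a vanished pool. The rest of zfs_create(), including where `zpool_handle` is closed, lies outside the hunk.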