c/mirror_zfs
1
0
Fork 0
mirror of https://git.proxmox.com/git/mirror_zfs.git synced 2024-11-17 10:01:01 +03:00
Code Issues Packages Projects Releases Wiki Activity

Fix use after free regression in spa_remove_healed_errors()

Browse Source 
6839ec6f10 placed code in
spa_remove_healed_errors() that uses a pointer after the kmem_free()
call that frees it.

Reported-by: Coverity (CID-1562375)
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: George Amanakis <gamanakis@gmail.com>
Signed-off-by: Richard Yao <richard.yao@alumni.stonybrook.edu>
Closes #14860
This commit is contained in:
Richard Yao 2023-05-12 16:47:56 -04:00 committed by Brian Behlendorf
parent 7381ddf1ab
commit c87798d8ff
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
module/zfs/spa_errlog.c
View File

@ -683,7 +683,6 @@ spa_remove_healed_errors(spa_t *spa, avl_tree_t *s, avl_tree_t *l, dmu_tx_t *tx)
&cookie)) != NULL) {
remove_error_from_list(spa, s, &se->se_bookmark);
remove_error_from_list(spa, l, &se->se_bookmark);
kmem_free(se, sizeof (spa_error_entry_t));
if (!spa_feature_is_enabled(spa, SPA_FEATURE_HEAD_ERRLOG)) {
bookmark_to_name(&se->se_bookmark, name, sizeof (name));
@ -713,6 +712,7 @@ spa_remove_healed_errors(spa_t *spa, avl_tree_t *s, avl_tree_t *l, dmu_tx_t *tx)
}
zap_cursor_fini(&zc);
}
kmem_free(se, sizeof (spa_error_entry_t));
}
}