From c87cb22ba9fa5f4ed4c9afa0eb66092c2f08841e Mon Sep 17 00:00:00 2001 From: George Amanakis Date: Mon, 15 Jul 2024 18:05:42 +0200 Subject: [PATCH] head_errlog: fix use-after-free In the commit of the head_errlog feature we introduced a bug in dsl_dataset_promote_sync(): we may dereference origin_head and hds, both dereferencing ddpa after calling promote_sync() on ddpa. Reviewed-by: Brian Behlendorf Reviewed-by: Chunwei Chen Reviewed-by: Rob Norris Reviewed-by: Tony Hutter Signed-off-by: George Amanakis Closes #16272 Closes #16273 --- module/zfs/dsl_dataset.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/module/zfs/dsl_dataset.c b/module/zfs/dsl_dataset.c index b4de0e7ff..45d8a290d 100644 --- a/module/zfs/dsl_dataset.c +++ b/module/zfs/dsl_dataset.c @@ -3712,16 +3712,19 @@ dsl_dataset_promote_sync(void *arg, dmu_tx_t *tx) spa_history_log_internal_ds(hds, "promote", tx, " "); dsl_dir_rele(odd, FTAG); - promote_rele(ddpa, FTAG); /* - * Transfer common error blocks from old head to new head. + * Transfer common error blocks from old head to new head, before + * calling promote_rele() on ddpa since we need to dereference + * origin_head and hds. */ if (spa_feature_is_enabled(dp->dp_spa, SPA_FEATURE_HEAD_ERRLOG)) { uint64_t old_head = origin_head->ds_object; uint64_t new_head = hds->ds_object; spa_swap_errlog(dp->dp_spa, new_head, old_head, tx); } + + promote_rele(ddpa, FTAG); } /*