Fix ARC pointer overrun

Only access the `b_crypt_hdr` field of an ARC header if the content is encrypted. Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov> Reviewed-by: Tom Caputi <tcaputi@datto.com> Reviewed-by: George Melikov <mail@gmelikov.ru> Reviewed-by: Giuseppe Di Natale <dinatale2@llnl.gov> Signed-off-by: DHE <git@dehacked.net> Closes #6877
2025-01-13 19:50:25 +03:00 · 2017-11-17 18:11:39 -05:00 · 2017-11-17 18:11:39 -05:00 · da5d4697a8
commit da5d4697a8
parent d4a72f2386
1 changed files with 11 additions and 9 deletions
--- a/module/zfs/arc.c
+++ b/module/zfs/arc.c
@ -3155,17 +3155,19 @@ arc_buf_destroy_impl(arc_buf_t *buf)
 		ASSERT(hdr->b_l1hdr.b_bufcnt > 0);
 		hdr->b_l1hdr.b_bufcnt -= 1;

-		if (ARC_BUF_ENCRYPTED(buf))
+		if (ARC_BUF_ENCRYPTED(buf)) {
 			hdr->b_crypt_hdr.b_ebufcnt -= 1;

-		/*
-		 * If we have no more encrypted buffers and we've already
-		 * gotten a copy of the decrypted data we can free b_rabd to
-		 * save some space.
-		 */
-		if (hdr->b_crypt_hdr.b_ebufcnt == 0 && HDR_HAS_RABD(hdr) &&
-		    hdr->b_l1hdr.b_pabd != NULL && !HDR_IO_IN_PROGRESS(hdr)) {
-			arc_hdr_free_abd(hdr, B_TRUE);
+			/*
+			 * If we have no more encrypted buffers and we've
+			 * already gotten a copy of the decrypted data we can
+			 * free b_rabd to save some space.
+			 */
+			if (hdr->b_crypt_hdr.b_ebufcnt == 0 &&
+			    HDR_HAS_RABD(hdr) && hdr->b_l1hdr.b_pabd != NULL &&
+			    !HDR_IO_IN_PROGRESS(hdr)) {
+				arc_hdr_free_abd(hdr, B_TRUE);
+			}
 		}
 	}