mirror_zfs/module
Matthew Ahrens df7eeccc75 panic in bpobj_space(): null pointer dereference
This is a race condition in the deadlist code.

A thread executing an administrative command that uses
dsl_deadlist_space_range() holds the lock of the whole deadlist_t to
protect the access of all its entries that the deadlist contains in an
avl tree.

Sync threads trying to insert a new entry in the deadlist (through
dsl_deadlist_insert() -> dle_enqueue()) do not hold the deadlist lock at
that moment.  If the dle_bpobj is the empty bpobj (our sentinel value),
we close and reopen it.  Between these two operations, it is possible
for the dsl_deadlist_space_range() thread to dereference that bpobj
which is NULL during that window.

Threads should hold a deadlist's dl_lock when they manipulate its
internal data so scenarios like the one above are avoided.

Reviewed-by: Matthew Ahrens <mahrens@delphix.com>
Reviewed-by: Dan Kimmel <dan.kimmel@delphix.com>
Reviewed-by: George Melikov <mail@gmelikov.ru>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Signed-off-by: Matthew Ahrens <mahrens@delphix.com>
Closes #5762
2017-02-09 10:19:12 -08:00
avl Fix uninitialized variable in avl_add() 2016-07-25 14:21:34 -07:00
icp codebase style improvements for OpenZFS 6459 port 2017-01-22 13:25:40 -08:00
nvpair Fix spelling 2017-01-03 11:31:18 -06:00
unicode codebase style improvements for OpenZFS 6459 port 2017-01-22 13:25:40 -08:00
zcommon OpenZFS 6931 - lib/libzfs: cleanup gcc warnings 2017-02-07 14:02:27 -08:00
zfs panic in bpobj_space(): null pointer dereference 2017-02-09 10:19:12 -08:00
zpios codebase style improvements for OpenZFS 6459 port 2017-01-22 13:25:40 -08:00
.gitignore module/.gitignore: Add *.dwo (#4580) 2016-05-02 09:07:04 -07:00
Makefile.in module/Makefile.in: use relative cp 2017-01-13 15:18:34 -08:00