From 0a2f95748dd4eabd44cb7e85da00090d600f1860 Mon Sep 17 00:00:00 2001
From: Brian Behlendorf <behlendorf1@llnl.gov>
Date: Tue, 19 Jan 2016 10:41:21 -0800
Subject: [PATCH] Close possible zfs_znode_held() race

Check if the lock is held while holding the z_hold_locks() lock.
This prevents a possible use-after-free bug for callers which are
not holding the lock.  There currently are no such callers so this
can't cause a problem today but it has been fixed regardless.

Signed-off-by: Brian Behlendorf <behlendorf1@llnl.gov>
Signed-off-by: Chunwei Chen <tuxoko@gmail.com>
Closes #4244
Issue #4124
---
 module/zfs/zfs_znode.c | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/module/zfs/zfs_znode.c b/module/zfs/zfs_znode.c
index 90ead539d7..860354b11b 100644
--- a/module/zfs/zfs_znode.c
+++ b/module/zfs/zfs_znode.c
@@ -248,17 +248,16 @@ zfs_znode_held(zfs_sb_t *zsb, uint64_t obj)
 {
 	znode_hold_t *zh, search;
 	int i = ZFS_OBJ_HASH(zsb, obj);
+	boolean_t held;
 
 	search.zh_obj = obj;
 
 	mutex_enter(&zsb->z_hold_locks[i]);
 	zh = avl_find(&zsb->z_hold_trees[i], &search, NULL);
+	held = (zh && MUTEX_HELD(&zh->zh_lock)) ? B_TRUE : B_FALSE;
 	mutex_exit(&zsb->z_hold_locks[i]);
 
-	if (zh && MUTEX_HELD(&zh->zh_lock))
-		return (B_TRUE);
-
-	return (B_FALSE);
+	return (held);
 }
 
 static znode_hold_t *