Archive-Team
/
zfs
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases 103 Wiki Activity

Illumos #1475: zfs spill block hold can access invalid spill blkptr 

Reviewed by: Dan McDonald <danmcd@nexenta.com>
Reviewed by: Gordon Ross <gwr@nexenta.com>
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed by: George Wilson <gwilson@zfsmail.com>
Approved by: Garrett D'Amore <garrett@nexenta.com>

References to Illumos issue:
  https://www.illumos.org/issues/1475

Ported-by: Richard Yao <ryao@cs.stonybrook.edu>
Signed-off-by: Brian Behlendorf <behlendorf1@llnl.gov>
Closes #648
This commit is contained in:
Albert Lee 2012-04-08 13:10:49 -04:00 committed by Brian Behlendorf
parent 5ffb9d1d05
commit 22cd4a4653
1 changed files with 14 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
module/zfs/dmu_tx.c
View File

@ -21,6 +21,9 @@
/* /*
* Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved.
*/ */
/*
* Copyright 2011 Nexenta Systems, Inc. All rights reserved.
*/
#include <sys/dmu.h> #include <sys/dmu.h>
#include <sys/dmu_impl.h> #include <sys/dmu_impl.h>
@ -693,6 +696,8 @@ dmu_tx_hold_zap(dmu_tx_t *tx, uint64_t object, int add, const char *name)
ASSERT3P(dmu_ot[dn->dn_type].ot_byteswap, ==, zap_byteswap); ASSERT3P(dmu_ot[dn->dn_type].ot_byteswap, ==, zap_byteswap);
if (dn->dn_maxblkid == 0 && !add) { if (dn->dn_maxblkid == 0 && !add) {
blkptr_t *bp;
/* /*
* If there is only one block (i.e. this is a micro-zap) * If there is only one block (i.e. this is a micro-zap)
* and we are not adding anything, the accounting is simple. * and we are not adding anything, the accounting is simple.
@ -707,14 +712,13 @@ dmu_tx_hold_zap(dmu_tx_t *tx, uint64_t object, int add, const char *name)
* Use max block size here, since we don't know how much * Use max block size here, since we don't know how much
* the size will change between now and the dbuf dirty call. * the size will change between now and the dbuf dirty call.
*/ */
bp = &dn->dn_phys->dn_blkptr[0];
if (dsl_dataset_block_freeable(dn->dn_objset->os_dsl_dataset, if (dsl_dataset_block_freeable(dn->dn_objset->os_dsl_dataset,
&dn->dn_phys->dn_blkptr[0], bp, bp->blk_birth))
dn->dn_phys->dn_blkptr[0].blk_birth)) {
txh->txh_space_tooverwrite += SPA_MAXBLOCKSIZE; txh->txh_space_tooverwrite += SPA_MAXBLOCKSIZE;
} else { else
txh->txh_space_towrite += SPA_MAXBLOCKSIZE; txh->txh_space_towrite += SPA_MAXBLOCKSIZE;
} if (!BP_IS_HOLE(bp))
if (dn->dn_phys->dn_blkptr[0].blk_birth)
txh->txh_space_tounref += SPA_MAXBLOCKSIZE; txh->txh_space_tounref += SPA_MAXBLOCKSIZE;
return; return;
} }
@ -1300,7 +1304,6 @@ dmu_tx_hold_spill(dmu_tx_t *tx, uint64_t object)
{ {
dnode_t *dn; dnode_t *dn;
dmu_tx_hold_t *txh; dmu_tx_hold_t *txh;
blkptr_t *bp;
txh = dmu_tx_hold_object_impl(tx, tx->tx_objset, object, txh = dmu_tx_hold_object_impl(tx, tx->tx_objset, object,
THT_SPILL, 0, 0); THT_SPILL, 0, 0);
@ -1311,17 +1314,18 @@ dmu_tx_hold_spill(dmu_tx_t *tx, uint64_t object)
return; return;
/* If blkptr doesn't exist then add space to towrite */ /* If blkptr doesn't exist then add space to towrite */
bp = &dn->dn_phys->dn_spill; if (!(dn->dn_phys->dn_flags & DNODE_FLAG_SPILL_BLKPTR)) {
if (BP_IS_HOLE(bp)) {
txh->txh_space_towrite += SPA_MAXBLOCKSIZE; txh->txh_space_towrite += SPA_MAXBLOCKSIZE;
txh->txh_space_tounref = 0;
} else { } else {
blkptr_t *bp;
bp = &dn->dn_phys->dn_spill;
if (dsl_dataset_block_freeable(dn->dn_objset->os_dsl_dataset, if (dsl_dataset_block_freeable(dn->dn_objset->os_dsl_dataset,
bp, bp->blk_birth)) bp, bp->blk_birth))
txh->txh_space_tooverwrite += SPA_MAXBLOCKSIZE; txh->txh_space_tooverwrite += SPA_MAXBLOCKSIZE;
else else
txh->txh_space_towrite += SPA_MAXBLOCKSIZE; txh->txh_space_towrite += SPA_MAXBLOCKSIZE;
if (bp->blk_birth) if (!BP_IS_HOLE(bp))
txh->txh_space_tounref += SPA_MAXBLOCKSIZE; txh->txh_space_tounref += SPA_MAXBLOCKSIZE;
} }
} }