Illumos #4088 use after free in arc_release()
4088 use after free in arc_release() Reviewed by: Matthew Ahrens <mahrens@delphix.com> Reviewed by: Garrett D'Amore <garrett@damore.org> Reviewed by: Saso Kiselkov <skiselkov.ml@gmail.com> Approved by: Dan McDonald <danmcd@nexenta.com> References: https://www.illumos.org/issues/4088 illumos/illumos-gate@ccc22e1304 From the illumos issue: A race-induced use after free occurs in arc_release() where the ARC header is used outside the critical section protected by the hash_lock. Ported by: Tim Chase <tim@chase2k.com> Signed-off-by: Brian Behlendorf <behlendorf1@llnl.gov> Signed-off-by: Richard Yao <ryao@gentoo.org> Closes #2162
parent
a45fc6a677
commit
47fe91b54c
|
@ -3665,6 +3665,7 @@ arc_release(arc_buf_t *buf, void *tag)
|
||||||
if (l2hdr) {
|
if (l2hdr) {
|
||||||
mutex_enter(&l2arc_buflist_mtx);
|
mutex_enter(&l2arc_buflist_mtx);
|
||||||
hdr->b_l2hdr = NULL;
|
hdr->b_l2hdr = NULL;
|
||||||
|
list_remove(l2hdr->b_dev->l2ad_buflist, hdr);
|
||||||
}
|
}
|
||||||
buf_size = hdr->b_size;
|
buf_size = hdr->b_size;
|
||||||
|
|
||||||
|
@ -3758,7 +3759,6 @@ arc_release(arc_buf_t *buf, void *tag)
|
||||||
|
|
||||||
if (l2hdr) {
|
if (l2hdr) {
|
||||||
ARCSTAT_INCR(arcstat_l2_asize, -l2hdr->b_asize);
|
ARCSTAT_INCR(arcstat_l2_asize, -l2hdr->b_asize);
|
||||||
list_remove(l2hdr->b_dev->l2ad_buflist, hdr);
|
|
||||||
kmem_cache_free(l2arc_hdr_cache, l2hdr);
|
kmem_cache_free(l2arc_hdr_cache, l2hdr);
|
||||||
arc_space_return(L2HDR_SIZE, ARC_SPACE_L2HDRS);
|
arc_space_return(L2HDR_SIZE, ARC_SPACE_L2HDRS);
|
||||||
ARCSTAT_INCR(arcstat_l2_size, -buf_size);
|
ARCSTAT_INCR(arcstat_l2_size, -buf_size);
|
||||||
|
|
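Review bot: The relocated `list_remove(l2hdr->b_dev->l2ad_buflist, hdr);` in the first hunk has no comment explaining why it must sit directly after `hdr->b_l2hdr = NULL;`, so a later cleanup could regroup it with the l2hdr teardown in the second hunk and reintroduce the race. According to the commit description, the header may only be used inside the critical section protected by hash_lock; the lock release is outside both hunks, so this ordering constraint is inferred from the description, not from the visible lines. I would add above the call: `/* Unlink hdr from l2ad_buflist here; hdr must not be touched once hash_lock is dropped. */`. arc_release() starts and ends outside the hunks, and the `mutex_exit` matching `mutex_enter(&l2arc_buflist_mtx)` is not visible, so it is worth confirming that every path between the two `if (l2hdr)` blocks still reaches it.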