head_errlog: fix use-after-free
In the commit of the head_errlog feature we introduced a bug in dsl_dataset_promote_sync(): we may dereference origin_head and hds, both dereferencing ddpa after calling promote_sync() on ddpa. Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov> Reviewed-by: Chunwei Chen <david.chen@nutanix.com> Reviewed-by: Rob Norris <robn@despairlabs.com> Reviewed-by: Tony Hutter <hutter2@llnl.gov> Signed-off-by: George Amanakis <gamanakis@gmail.com> Closes #16272 Closes #16273
This commit is contained in:
parent
2eab4f7b39
commit
54ef0fdf60
|
@ -3710,16 +3710,19 @@ dsl_dataset_promote_sync(void *arg, dmu_tx_t *tx)
|
|||
spa_history_log_internal_ds(hds, "promote", tx, " ");
|
||||
|
||||
dsl_dir_rele(odd, FTAG);
|
||||
promote_rele(ddpa, FTAG);
|
||||
|
||||
/*
|
||||
* Transfer common error blocks from old head to new head.
|
||||
* Transfer common error blocks from old head to new head, before
|
||||
* calling promote_rele() on ddpa since we need to dereference
|
||||
* origin_head and hds.
|
||||
*/
|
||||
if (spa_feature_is_enabled(dp->dp_spa, SPA_FEATURE_HEAD_ERRLOG)) {
|
||||
uint64_t old_head = origin_head->ds_object;
|
||||
uint64_t new_head = hds->ds_object;
|
||||
spa_swap_errlog(dp->dp_spa, new_head, old_head, tx);
|
||||
}
|
||||
|
||||
promote_rele(ddpa, FTAG);
|
||||
}
|
||||
|
||||
/*
|
||||
|
|
Loading…
Reference in New Issue