Fix potential NULL pointer dereference in dsl_dataset_promote_check()

If the `list_head()` returns NULL, we dereference it, right before we
check to see if it returned NULL.

We have defined two different pointers that both point to the same
thing, which are `origin_head` and `origin_ds`. Almost everything uses
`origin_ds`, so we switch them to use `origin_ds`.

We also promote `origin_ds` to a const pointer so that the compiler
verifies that nothing modifies it.

Coverity complained about this.

Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Neal Gompa <ngompa@datto.com>
Signed-off-by: Richard Yao <richard.yao@alumni.stonybrook.edu>
Closes 
This commit is contained in:
Richard Yao 2022-09-30 19:59:51 -04:00 committed by GitHub
parent a2d5643f88
commit a36b37d4de
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 3 additions and 5 deletions
module/zfs

View File

@ -3285,7 +3285,6 @@ dsl_dataset_promote_check(void *arg, dmu_tx_t *tx)
dsl_pool_t *dp = dmu_tx_pool(tx); dsl_pool_t *dp = dmu_tx_pool(tx);
dsl_dataset_t *hds; dsl_dataset_t *hds;
struct promotenode *snap; struct promotenode *snap;
dsl_dataset_t *origin_ds, *origin_head;
int err; int err;
uint64_t unused; uint64_t unused;
uint64_t ss_mv_cnt; uint64_t ss_mv_cnt;
@ -3305,12 +3304,11 @@ dsl_dataset_promote_check(void *arg, dmu_tx_t *tx)
} }
snap = list_head(&ddpa->shared_snaps); snap = list_head(&ddpa->shared_snaps);
origin_head = snap->ds;
if (snap == NULL) { if (snap == NULL) {
err = SET_ERROR(ENOENT); err = SET_ERROR(ENOENT);
goto out; goto out;
} }
origin_ds = snap->ds; dsl_dataset_t *const origin_ds = snap->ds;
/* /*
* Encrypted clones share a DSL Crypto Key with their origin's dsl dir. * Encrypted clones share a DSL Crypto Key with their origin's dsl dir.
@ -3406,10 +3404,10 @@ dsl_dataset_promote_check(void *arg, dmu_tx_t *tx)
* Check that bookmarks that are being transferred don't have * Check that bookmarks that are being transferred don't have
* name conflicts. * name conflicts.
*/ */
for (dsl_bookmark_node_t *dbn = avl_first(&origin_head->ds_bookmarks); for (dsl_bookmark_node_t *dbn = avl_first(&origin_ds->ds_bookmarks);
dbn != NULL && dbn->dbn_phys.zbm_creation_txg <= dbn != NULL && dbn->dbn_phys.zbm_creation_txg <=
dsl_dataset_phys(origin_ds)->ds_creation_txg; dsl_dataset_phys(origin_ds)->ds_creation_txg;
dbn = AVL_NEXT(&origin_head->ds_bookmarks, dbn)) { dbn = AVL_NEXT(&origin_ds->ds_bookmarks, dbn)) {
if (strlen(dbn->dbn_name) >= max_snap_len) { if (strlen(dbn->dbn_name) >= max_snap_len) {
err = SET_ERROR(ENAMETOOLONG); err = SET_ERROR(ENAMETOOLONG);
goto out; goto out;