Skip to content

Commit

Permalink
Fix use after free regression in spa_remove_healed_errors()
Browse files Browse the repository at this point in the history 
6839ec6 placed code in
spa_remove_healed_errors() that uses a pointer after the kmem_free()
call that frees it.

Reported-by: Coverity (CID-1562375)
Reviewed-by: Brian Behlendorf <[email protected]>
Reviewed-by: George Amanakis <[email protected]>
Signed-off-by: Richard Yao <[email protected]>
Closes openzfs#14860
  • Loading branch information
@ryao @behlendorf
ryao authored and behlendorf committed May 15, 2023
1 parent 7381ddf commit c87798d
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion module/zfs/spa_errlog.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -683,7 683,6 @@ spa_remove_healed_errors(spa_t *spa, avl_tree_t *s, avl_tree_t *l, dmu_tx_t *tx)
&cookie)) != NULL) {
remove_error_from_list(spa, s, &se->se_bookmark);
remove_error_from_list(spa, l, &se->se_bookmark);
kmem_free(se, sizeof (spa_error_entry_t));

if (!spa_feature_is_enabled(spa, SPA_FEATURE_HEAD_ERRLOG)) {
bookmark_to_name(&se->se_bookmark, name, sizeof (name));
Expand Down Expand Up @@ -713,6 712,7 @@ spa_remove_healed_errors(spa_t *spa, avl_tree_t *s, avl_tree_t *l, dmu_tx_t *tx)
}
zap_cursor_fini(&zc);
}
kmem_free(se, sizeof (spa_error_entry_t));
}
}

Expand Down

0 comments on commit c87798d

Please sign in to comment.