
Fix theoretical "use-after-free" in dbuf_prefetch_indirect_done()

Description

Fix theoretical "use-after-free" in dbuf_prefetch_indirect_done()

Coverity complains about a "use-after-free" bug in
dbuf_prefetch_indirect_done() because we use a pointer value after
freeing its buffer. The pointer is used for refcounting in ARC (as the
reference holder). There is a theoretical situation where the pointer
would be reused in a way that causes the refcounting to collide, so we
change the order in which we call arc_buf_destroy() and
dbuf_prefetch_fini() to match the rest of the function. This prevents
the theoretical situation from being a possibility.

Also, we have a few return statements with a value, despite this being a
void function. We clean those up while we are making changes here.

Reviewed-by: Alexander Motin <mav@FreeBSD.org>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Neal Gompa <ngompa@datto.com>
Signed-off-by: Richard Yao <richard.yao@alumni.stonybrook.edu>
Closes #13869
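The ordering hazard the message describes, reduced to a holder-tagged reference count and a one-slot allocator so that address reuse after a free is deterministic. This is an added illustration, not code from the commit or from OpenZFS; refcnt_t, prefetch_arg_t, prefetch_done() and the slot allocator are hypothetical stand-ins for the ARC refcount, the dpa argument and the kernel allocator.

```c
#include <assert.h>
#include <stdio.h>

/* Constructed one-slot allocator: the next allocation always reuses a freed
 * address, which makes the pointer-reuse hazard deterministic. */
static unsigned char slot[64];
static int slot_used;
static void *slot_alloc(void) { assert(!slot_used); slot_used = 1; return slot; }
static void slot_free(void *p) { assert(p == slot); slot_used = 0; }

/* Holder-tagged reference count in the spirit of ARC's: each hold is identified
 * by the holder's pointer value (hypothetical stand-in for zfs_refcount_t). */
#define MAXREFS 8
typedef struct { const void *holders[MAXREFS]; int n; } refcnt_t;

/* 1 = tag added as a distinct holder, 0 = tag collision (a debug ARC would
 * trip an assertion here because it cannot tell the two holders apart). */
static int ref_add(refcnt_t *rc, const void *tag) {
    for (int i = 0; i < rc->n; i++)
        if (rc->holders[i] == tag) return 0;
    rc->holders[rc->n++] = tag;
    return 1;
}
static void ref_remove(refcnt_t *rc, const void *tag) {
    for (int i = 0; i < rc->n; i++)
        if (rc->holders[i] == tag) { rc->holders[i] = rc->holders[--rc->n]; return; }
}

typedef struct { int level; } prefetch_arg_t;   /* stand-in for the dpa argument */

/* One indirect-prefetch completion followed by the start of another prefetch.
 * fini_first=1 is the flagged order (free dpa, then release the hold tagged with
 * dpa); fini_first=0 is the corrected order. Returns 1 if the tags collided. */
static int prefetch_done(int fini_first) {
    refcnt_t abuf_refs = {{0}, 0};
    prefetch_arg_t *dpa = slot_alloc();
    ref_add(&abuf_refs, dpa);                /* abuf is held with dpa as the tag */
    if (!fini_first) ref_remove(&abuf_refs, dpa); /* arc_buf_destroy(abuf, dpa) first */
    slot_free(dpa);                          /* dbuf_prefetch_fini(dpa) frees dpa */
    prefetch_arg_t *dpa2 = slot_alloc();     /* the next prefetch reuses the address */
    assert(dpa2 == dpa);
    int collided = !ref_add(&abuf_refs, dpa2);
    if (fini_first) ref_remove(&abuf_refs, dpa); /* stale arc_buf_destroy(abuf, dpa) */
    ref_remove(&abuf_refs, dpa2);
    slot_free(dpa2);
    return collided;
}

int main(void) { printf("%d %d\n", prefetch_done(1), prefetch_done(0)); return 0; }
```

With the flagged order the second prefetch's hold is indistinguishable from the stale one, which is the collision the commit removes by releasing the hold before freeing its tag.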

Details

Provenance
Richard Yao <richard.yao@alumni.stonybrook.edu> authored on Sep 14 2022, 12:58 AM
GitHub <noreply@github.com> committed on Sep 14 2022, 12:58 AM
Parents
rGfcd7293d4e78: Remove incorrect free() in zfs_get_pci_slots_sys_path()
Branches
Unknown
Tags
Unknown

Event Timeline

GitHub <noreply@github.com> committed rGd954ca19ba8b: Fix theoretical "use-after-free" in dbuf_prefetch_indirect_done() (authored by Richard Yao <richard.yao@alumni.stonybrook.edu>). Sep 14 2022, 12:58 AM