abd_return_buf() should call zfs_refcount_remove_many() early

ryao · andrewc12 · commit 9224070c4046 · 2022-10-21T18:50:45.000+08:00
Calling zfs_refcount_remove_many() after freeing memory means we pass a reference to freed memory as the holder. This is not believed to be able to cause a problem, but there is a bit of a tradition of fixing these issues when they appear so that they do not obscure more serious issues in static analyzer output, so we fix this one too. Clang's static analyzer found this with the help of CodeChecker's CTU analysis. Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov> Signed-off-by: Richard Yao <richard.yao@alumni.stonybrook.edu> Closes openzfs#14043
diff --git a/module/zfs/abd.c b/module/zfs/abd.c
@@ -667,15 +667,15 @@ abd_return_buf(abd_t *abd, void *buf, size_t n)
 {
 	abd_verify(abd);
 	ASSERT3U(abd->abd_size, >=, n);
+#ifdef ZFS_DEBUG
+	(void) zfs_refcount_remove_many(&abd->abd_children, n, buf);
+#endif
 	if (abd_is_linear(abd)) {
 		ASSERT3P(buf, ==, abd_to_buf(abd));
 	} else {
 		ASSERT0(abd_cmp_buf(abd, buf, n));
 		zio_buf_free(buf, n);
 	}
-#ifdef ZFS_DEBUG
-	(void) zfs_refcount_remove_many(&abd->abd_children, n, buf);
-#endif
 }
 
 void

Original file line number	Diff line number	Diff line change
`@@ -667,15 +667,15 @@ abd_return_buf(abd_t abd, void buf, size_t n)`
`667`	`667`	`{`
`668`	`668`	`abd_verify(abd);`
`669`	`669`	`ASSERT3U(abd->abd_size, >=, n);`
	`670`	`+#ifdef ZFS_DEBUG`
	`671`	`+ (void) zfs_refcount_remove_many(&abd->abd_children, n, buf);`
	`672`	`+#endif`
`670`	`673`	`if (abd_is_linear(abd)) {`
`671`	`674`	`ASSERT3P(buf, ==, abd_to_buf(abd));`
`672`	`675`	`} else {`
`673`	`676`	`ASSERT0(abd_cmp_buf(abd, buf, n));`
`674`	`677`	`zio_buf_free(buf, n);`
`675`	`678`	`}`
`676`		`-#ifdef ZFS_DEBUG`
`677`		`- (void) zfs_refcount_remove_many(&abd->abd_children, n, buf);`
`678`		`-#endif`
`679`	`679`	`}`
`680`	`680`
`681`	`681`	`void`