Fix use-afer-free regression in RAIDZ expansion

amotin · web-flow · commit ff6266ee9bd0 · 2024-12-14T14:02:11.000-08:00
We should not dereference rra after the last zio_nowait() is called. It seems very unlikely, but ASAN in ztest managed to catch it. Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov> Signed-off-by: Alexander Motin <mav@FreeBSD.org> Sponsored by: iXsystems, Inc. Closes #16868
diff --git a/module/zfs/vdev_raidz.c b/module/zfs/vdev_raidz.c
@@ -3914,8 +3914,8 @@ raidz_reflow_read_done(zio_t *zio)
 
 	if (atomic_dec_32_nv(&rra->rra_tbd) > 0)
 		return;
-	rra->rra_tbd = rra->rra_writes;
-	for (uint64_t i = 0; i < rra->rra_writes; i++)
+	uint32_t writes = rra->rra_tbd = rra->rra_writes;
+	for (uint64_t i = 0; i < writes; i++)
 		zio_nowait(rra->rra_zio[i]);
 }
 

Original file line number	Diff line number	Diff line change
`@@ -3914,8 +3914,8 @@ raidz_reflow_read_done(zio_t *zio)`
`3914`	`3914`
`3915`	`3915`	`if (atomic_dec_32_nv(&rra->rra_tbd) > 0)`
`3916`	`3916`	`return;`
`3917`		`- rra->rra_tbd = rra->rra_writes;`
`3918`		`- for (uint64_t i = 0; i < rra->rra_writes; i++)`
	`3917`	`+ uint32_t writes = rra->rra_tbd = rra->rra_writes;`
	`3918`	`+ for (uint64_t i = 0; i < writes; i++)`
`3919`	`3919`	`zio_nowait(rra->rra_zio[i]);`
`3920`	`3920`	`}`
`3921`	`3921`