diff options
author | DeHackEd <[email protected]> | 2017-11-17 18:11:39 -0500 |
---|---|---|
committer | Brian Behlendorf <[email protected]> | 2017-11-17 15:11:39 -0800 |
commit | da5d4697a84f0baf7d8fb9dbdf2e1312a370c075 (patch) | |
tree | 9de45c9631a42e63cdd59073ded719025a49d59e | |
parent | d4a72f23863382bdf6d0ae33196f5b5decbc48fd (diff) |
Fix ARC pointer overrun
Only access the `b_crypt_hdr` field of an ARC header if the content
is encrypted.
Reviewed-by: Brian Behlendorf <[email protected]>
Reviewed-by: Tom Caputi <[email protected]>
Reviewed-by: George Melikov <[email protected]>
Reviewed-by: Giuseppe Di Natale <[email protected]>
Signed-off-by: DHE <[email protected]>
Closes #6877
-rw-r--r-- | module/zfs/arc.c | 20 |
1 files changed, 11 insertions, 9 deletions
diff --git a/module/zfs/arc.c b/module/zfs/arc.c index 698357632..10b1c60d5 100644 --- a/module/zfs/arc.c +++ b/module/zfs/arc.c @@ -3155,17 +3155,19 @@ arc_buf_destroy_impl(arc_buf_t *buf) ASSERT(hdr->b_l1hdr.b_bufcnt > 0); hdr->b_l1hdr.b_bufcnt -= 1; - if (ARC_BUF_ENCRYPTED(buf)) + if (ARC_BUF_ENCRYPTED(buf)) { hdr->b_crypt_hdr.b_ebufcnt -= 1; - /* - * If we have no more encrypted buffers and we've already - * gotten a copy of the decrypted data we can free b_rabd to - * save some space. - */ - if (hdr->b_crypt_hdr.b_ebufcnt == 0 && HDR_HAS_RABD(hdr) && - hdr->b_l1hdr.b_pabd != NULL && !HDR_IO_IN_PROGRESS(hdr)) { - arc_hdr_free_abd(hdr, B_TRUE); + /* + * If we have no more encrypted buffers and we've + * already gotten a copy of the decrypted data we can + * free b_rabd to save some space. + */ + if (hdr->b_crypt_hdr.b_ebufcnt == 0 && + HDR_HAS_RABD(hdr) && hdr->b_l1hdr.b_pabd != NULL && + !HDR_IO_IN_PROGRESS(hdr)) { + arc_hdr_free_abd(hdr, B_TRUE); + } } } |