Fix zfs_allow_log_destroy() NULL dereference

In zfs_ioc_log_history() function the tsd_set() function is called with NULL which causes the zfs_allow_log_destroy() to be run. In this case the passed value will be NULL. This is normally entirely safe because strfree() maps directly to kfree() which may be passed a NULL. However, since alternate implementations of strfree() may not handle this gracefully add a check for NULL. Observed under an embedded Linux 2.6.32.41 kernel running the automated testing while running the ZFS Test Suite. Signed-off-by: caoxuewen <[email protected]> Signed-off-by: Brian Behlendorf <[email protected]> Closes #4872
author: heary-cao <[email protected]> 2016-07-27 14:58:17 +0800
committer: Brian Behlendorf <[email protected]> 2016-07-29 15:34:12 -0700
commit: 9f3d1407dcfa7a8548b17d36ef501dd72a215560 (patch)
tree: 3e4ce1c50676908c06d40a014fc393bab3d8cb03 /module/zfs/zfs_ioctl.c
parent: 3b86aeb2952c91aeb8ed0ebf9d5e43119fa537a0 (diff)
1 files changed, 5 insertions, 1 deletions
diff --git a/module/zfs/zfs_ioctl.c b/module/zfs/zfs_ioctl.c
index 3cd3628ce..8e187d59c 100644
--- a/module/zfs/zfs_ioctl.c
+++ b/module/zfs/zfs_ioctl.c
@@ -3345,6 +3345,8 @@ zfs_ioc_log_history(const char *unused, nvlist_t *innvl, nvlist_t *outnvl)
 	 * we clear the TSD here.
 	 */
 	poolname = tsd_get(zfs_allow_log_key);
+	if (poolname == NULL)
+		return (SET_ERROR(EINVAL));
 	(void) tsd_set(zfs_allow_log_key, NULL);
 	error = spa_open(poolname, &spa, FTAG);
 	strfree(poolname);
@@ -6297,7 +6299,9 @@ static void
 zfs_allow_log_destroy(void *arg)
 {
 	char *poolname = arg;
-	strfree(poolname);
+
+	if (poolname != NULL)
+		strfree(poolname);
 }
 
 #ifdef DEBUG
author	heary-cao <[email protected]>	2016-07-27 14:58:17 +0800
committer	Brian Behlendorf <[email protected]>	2016-07-29 15:34:12 -0700
commit	9f3d1407dcfa7a8548b17d36ef501dd72a215560 (patch)
tree	3e4ce1c50676908c06d40a014fc393bab3d8cb03 /module/zfs/zfs_ioctl.c
parent	3b86aeb2952c91aeb8ed0ebf9d5e43119fa537a0 (diff)