author | Brian Behlendorf <[email protected]> | 2017-12-04 11:44:39 -0800 |
---|---|---|
committer | GitHub <[email protected]> | 2017-12-04 11:44:39 -0800 |
commit | 72841b9fd957a392bb621393685b06dc042d4523 (patch) | |
tree | 77e1918dc3ae43a657f5cb059e43ce29c8e25e5e /module | |
parent | d4677269f286005768ae1a0fcd3389aa6015c4c7 (diff) |
Preserve itx alloc size for zio_data_buf_free()
Using zio_data_buf_alloc() to allocate the itx's may be unsafe
because the itx->itx_lr.lrc_reclen field is not constant from
allocation to free. Using a different itx->itx_lr.lrc_reclen
size in zio_data_buf_free() can result in the allocation being
returned to the wrong kmem cache.
This issue can be avoided entirely by storing the allocation size
in itx->itx_size and using that for zio_data_buf_free().
Reviewed by: Prakash Surya <[email protected]>
Signed-off-by: Brian Behlendorf <[email protected]>
Closes #6912
Diffstat (limited to 'module')
-rw-r--r-- | module/zfs/zil.c | 7 |
1 files changed, 5 insertions, 2 deletions
diff --git a/module/zfs/zil.c b/module/zfs/zil.c
index d43b26937..9f4312a5a 100644
--- a/module/zfs/zil.c
+++ b/module/zfs/zil.c
@@ -1254,17 +1254,20 @@ cont:
 itx_t *
 zil_itx_create(uint64_t txtype, size_t lrsize)
 {
+ size_t itxsize;
  itx_t *itx;
 
  lrsize = P2ROUNDUP_TYPED(lrsize, sizeof (uint64_t), size_t);
+ itxsize = offsetof(itx_t, itx_lr) + lrsize;
 
- itx = zio_data_buf_alloc(offsetof(itx_t, itx_lr) + lrsize);
+ itx = zio_data_buf_alloc(itxsize);
  itx->itx_lr.lrc_txtype = txtype;
  itx->itx_lr.lrc_reclen = lrsize;
  itx->itx_lr.lrc_seq = 0; /* defensive */
  itx->itx_sync = B_TRUE; /* default is synchronous */
  itx->itx_callback = NULL;
  itx->itx_callback_data = NULL;
+ itx->itx_size = itxsize;
 
  return (itx);
 }
@@ -1272,7 +1275,7 @@ zil_itx_create(uint64_t txtype, size_t lrsize)
 void
 zil_itx_destroy(itx_t *itx)
 {
- zio_data_buf_free(itx, offsetof(itx_t, itx_lr)+itx->itx_lr.lrc_reclen);
+ zio_data_buf_free(itx, itx->itx_size);
 }
 
 /* |
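Review bot: The added `itx->itx_size = itxsize;` in zil_itx_create() carries no comment, although it is the line whose purpose is least obvious next to `itx->itx_lr.lrc_reclen = lrsize;`. A trailing comment such as `/* allocation size for zio_data_buf_free(); lrc_reclen may change */` would record why the size is kept separately, so a later cleanup does not fold the two back together and reintroduce the wrong-cache free. The sum `offsetof(itx_t, itx_lr) + lrsize` is also computed without an overflow check; whether callers bound `lrsize` is not visible from this hunk.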
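Review bot: zil_itx_destroy() now hands `itx->itx_size` to zio_data_buf_free() without any sanity check, so an itx whose field was never set would be freed with an arbitrary size. That could happen if an itx is built or copied without going through zil_itx_create(), assuming such a path exists outside this diff. A debug assertion before the free, for example `ASSERT3U(itx->itx_size, >=, offsetof(itx_t, itx_lr));`, would catch that case on debug builds. The `itx_size` field is declared outside the files shown here (the diffstat is limited to 'module'), so its type and any other writers cannot be confirmed from this page.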