Fix use after free regression in spa_remove_healed_errors()

6839ec6f1098c28ff7b772f1b31b832d05e6b567 placed code in spa_remove_healed_errors() that uses a pointer after the kmem_free() call that frees it. Reported-by: Coverity (CID-1562375) Reviewed-by: Brian Behlendorf <[email protected]> Reviewed-by: George Amanakis <[email protected]> Signed-off-by: Richard Yao <[email protected]> Closes #14860
author: Richard Yao <[email protected]> 2023-05-12 16:47:56 -0400
committer: Brian Behlendorf <[email protected]> 2023-05-15 10:29:01 -0700
commit: c87798d8ff6a63158e80acbbce8b034518a1656e (patch)
tree: a8a7e03b2b9c353a00772b46eb7f3bc0cf1e7762 /module
parent: 7381ddf1abd16152646c921384c094ffbcae2271 (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/module/zfs/spa_errlog.c b/module/zfs/spa_errlog.c
index 31719063a..5fe352786 100644
--- a/module/zfs/spa_errlog.c
+++ b/module/zfs/spa_errlog.c
@@ -683,7 +683,6 @@ spa_remove_healed_errors(spa_t *spa, avl_tree_t *s, avl_tree_t *l, dmu_tx_t *tx)
 	    &cookie)) != NULL) {
 		remove_error_from_list(spa, s, &se->se_bookmark);
 		remove_error_from_list(spa, l, &se->se_bookmark);
-		kmem_free(se, sizeof (spa_error_entry_t));
 
 		if (!spa_feature_is_enabled(spa, SPA_FEATURE_HEAD_ERRLOG)) {
 			bookmark_to_name(&se->se_bookmark, name, sizeof (name));
@@ -713,6 +712,7 @@ spa_remove_healed_errors(spa_t *spa, avl_tree_t *s, avl_tree_t *l, dmu_tx_t *tx)
 			}
 			zap_cursor_fini(&zc);
 		}
+		kmem_free(se, sizeof (spa_error_entry_t));
 	}
 }
author	Richard Yao <[email protected]>	2023-05-12 16:47:56 -0400
committer	Brian Behlendorf <[email protected]>	2023-05-15 10:29:01 -0700
commit	c87798d8ff6a63158e80acbbce8b034518a1656e (patch)
tree	a8a7e03b2b9c353a00772b46eb7f3bc0cf1e7762 /module
parent	7381ddf1abd16152646c921384c094ffbcae2271 (diff)