summaryrefslogtreecommitdiffstats
path: root/module
diff options
context:
space:
mode:
authorPaul Dagnelie <[email protected]>2020-06-03 19:53:21 -0700
committerGitHub <[email protected]>2020-06-03 19:53:21 -0700
commit99b281f1ae3833826b4e3cee4126a4ea5e6de987 (patch)
tree057d9c32dc38d1775a775f84d78bacb0d254972e /module
parent52998c7f36ff9e5bbeae38ac5df9b3f1608a290b (diff)
Fix double mutex_init bug in send code
It was possible to cause a kernel panic in the send code by initializing an already-initialized mutex, if a record was created with type DATA, destroyed with a different type (bypassing the mutex_destroy call) and then re-allocated as a DATA record again. We tweak the logic to not change the type of a record once it has been created, avoiding the issue. Reviewed-by: Brian Behlendorf <[email protected]> Reviewed-by: Jorgen Lundman <[email protected]> Signed-off-by: Paul Dagnelie <[email protected]> Closes #10374
Diffstat (limited to 'module')
-rw-r--r--module/zfs/dmu_send.c17
1 files changed, 12 insertions, 5 deletions
diff --git a/module/zfs/dmu_send.c b/module/zfs/dmu_send.c
index a5df78edd..0117a17ce 100644
--- a/module/zfs/dmu_send.c
+++ b/module/zfs/dmu_send.c
@@ -1153,23 +1153,30 @@ send_cb(spa_t *spa, zilog_t *zilog, const blkptr_t *bp,
if (zb->zb_blkid == DMU_SPILL_BLKID)
ASSERT3U(BP_GET_TYPE(bp), ==, DMU_OT_SA);
- record = range_alloc(DATA, zb->zb_object, start, (start + span < start ?
- 0 : start + span), B_FALSE);
+ enum type record_type = DATA;
+ if (BP_IS_HOLE(bp))
+ record_type = HOLE;
+ else if (BP_IS_REDACTED(bp))
+ record_type = REDACT;
+ else
+ record_type = DATA;
+
+ record = range_alloc(record_type, zb->zb_object, start,
+ (start + span < start ? 0 : start + span), B_FALSE);
uint64_t datablksz = (zb->zb_blkid == DMU_SPILL_BLKID ?
BP_GET_LSIZE(bp) : dnp->dn_datablkszsec << SPA_MINBLOCKSHIFT);
+
if (BP_IS_HOLE(bp)) {
- record->type = HOLE;
record->sru.hole.datablksz = datablksz;
} else if (BP_IS_REDACTED(bp)) {
- record->type = REDACT;
record->sru.redact.datablksz = datablksz;
} else {
- record->type = DATA;
record->sru.data.datablksz = datablksz;
record->sru.data.obj_type = dnp->dn_type;
record->sru.data.bp = *bp;
}
+
bqueue_enqueue(&sta->q, record, sizeof (*record));
return (0);
}