From da5d4697a84f0baf7d8fb9dbdf2e1312a370c075 Mon Sep 17 00:00:00 2001
From: DeHackEd
Date: Fri, 17 Nov 2017 18:11:39 -0500
Subject: Fix ARC pointer overrun
Only access the `b_crypt_hdr` field of an ARC header if the content is encrypted.
Reviewed-by: Brian Behlendorf
Reviewed-by: Tom Caputi
Reviewed-by: George Melikov
Reviewed-by: Giuseppe Di Natale
Signed-off-by: DHE
Closes #6877
---
 module/zfs/arc.c | 20 +++++++++++---------
 1 file changed, 11 insertions(+), 9 deletions(-)
diff --git a/module/zfs/arc.c b/module/zfs/arc.c
index 698357632..10b1c60d5 100644
--- a/module/zfs/arc.c
+++ b/module/zfs/arc.c
@@ -3155,17 +3155,19 @@ arc_buf_destroy_impl(arc_buf_t *buf)
 ASSERT(hdr->b_l1hdr.b_bufcnt > 0);
 hdr->b_l1hdr.b_bufcnt -= 1;
- if (ARC_BUF_ENCRYPTED(buf))
+ if (ARC_BUF_ENCRYPTED(buf)) {
 hdr->b_crypt_hdr.b_ebufcnt -= 1;
- /*
- * If we have no more encrypted buffers and we've already
- * gotten a copy of the decrypted data we can free b_rabd to
- * save some space.
- */
- if (hdr->b_crypt_hdr.b_ebufcnt == 0 && HDR_HAS_RABD(hdr) &&
- hdr->b_l1hdr.b_pabd != NULL && !HDR_IO_IN_PROGRESS(hdr)) {
- arc_hdr_free_abd(hdr, B_TRUE);
+ /*
+ * If we have no more encrypted buffers and we've
+ * already gotten a copy of the decrypted data we can
+ * free b_rabd to save some space.
+ */
+ if (hdr->b_crypt_hdr.b_ebufcnt == 0 &&
+ HDR_HAS_RABD(hdr) && hdr->b_l1hdr.b_pabd != NULL &&
+ !HDR_IO_IN_PROGRESS(hdr)) {
+ arc_hdr_free_abd(hdr, B_TRUE);
+ }
 }
 }
-- 
cgit v1.2.3
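Review bot: The new `if (ARC_BUF_ENCRYPTED(buf)) {` branch keeps the `b_crypt_hdr` access in bounds only if an encrypted buf is always attached to a header that was allocated with the crypt fields, and nothing in the hunk states or checks that invariant. A debug check at the top of the branch, `ASSERT(HDR_PROTECTED(hdr));`, would turn a violation into an assertion failure rather than a read and write past a smaller header; this assumes `HDR_PROTECTED` is the flag that selects the larger header, which the hunk does not show. The `b_ebufcnt` decrement also lacks the underflow guard that `b_bufcnt` gets two lines earlier, so `ASSERT(hdr->b_crypt_hdr.b_ebufcnt > 0);` before it would match. Moving the `b_rabd` free inside the branch means it now runs only when an encrypted buf is destroyed, which deserves a sentence in the block comment. The body of arc_buf_destroy_impl starts before and continues after this hunk.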