From d692e6c36e1a9b77a7e4d2eaf5a38c7973cd9a5f Mon Sep 17 00:00:00 2001 From: Richard Yao Date: Sun, 16 Oct 2022 00:02:47 -0400 Subject: [PATCH] abd_return_buf() should call zfs_refcount_remove_many() early Calling zfs_refcount_remove_many() after freeing memory means we pass a reference to freed memory as the holder. This is not believed to be able to cause a problem, but there is a bit of a tradition of fixing these issues when they appear so that they do not obscure more serious issues in static analyzer output, so we fix this one too. Clang's static analyzer found this with the help of CodeChecker's CTU analysis. Reviewed-by: Brian Behlendorf Signed-off-by: Richard Yao Closes #14043 --- module/zfs/abd.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/module/zfs/abd.c b/module/zfs/abd.c index 11a1e5112544..d4921d0ba7db 100644 --- a/module/zfs/abd.c +++ b/module/zfs/abd.c @@ -667,15 +667,15 @@ abd_return_buf(abd_t *abd, void *buf, size_t n) { abd_verify(abd); ASSERT3U(abd->abd_size, >=, n); +#ifdef ZFS_DEBUG + (void) zfs_refcount_remove_many(&abd->abd_children, n, buf); +#endif if (abd_is_linear(abd)) { ASSERT3P(buf, ==, abd_to_buf(abd)); } else { ASSERT0(abd_cmp_buf(abd, buf, n)); zio_buf_free(buf, n); } -#ifdef ZFS_DEBUG - (void) zfs_refcount_remove_many(&abd->abd_children, n, buf); -#endif } void