Possible bug in traverse_visitbp #2060

Closed
tuxoko opened this issue Jan 18, 2014 · 7 comments

@tuxoko

tuxoko commented Jan 18, 2014

Hi all:

dmu_traverse.c L306: dnp = buf->b_data;
It modifies the input argument dnp.

and
dmu_traverse.c L367: (void) arc_buf_remove_ref(buf, &buf);
dnp now becomes a possible dangling pointer.

and later
dmu_traverse.c L371: err = td->td_func(td->td_spa, NULL, bp, zb, dnp, td->td_arg);
dnp is accessed again.

This seems to be a bug to me.
Any comment?

@behlendorf

@tuxoko I suspect you're right. I'd have expected the TRAVERSE_PRE and TRAVERSE_POST calls to pass the same dnode_phys_t and that's clearly not the case. This likely hasn't been a problem because many (maybe all) of the passed functions ignore that argument. For example, see the traverse_prefetcher() function.

We'll certainly not want to lose track of this and take a closer look. Thanks for filing an issue.

@tomposmiko

Could this be the same issue?
I get these messages on a machine typically during a 'zfs send' job.

[4976916.149829] INFO: task spl_system_task:504 blocked for more than 120 seconds.
[4976916.149833] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
[4976916.149835] spl_system_task D ffff88103fc34580     0   504      2 0x00000000
[4976916.149840]  ffff8820258af4a8 0000000000000046 ffff8820258affd8 0000000000014580
[4976916.149847]  ffff8820258affd8 0000000000014580 ffff88202621c650 ffff8809fe562628
[4976916.149851]  ffff8809fe562600 ffff8809fe562630 0000000000000000 0000000000000002
[4976916.149855] Call Trace:
[4976916.149864]  [<ffffffff816ec5f9>] schedule+0x29/0x70
[4976916.149891]  [<ffffffffa019fe5d>] cv_wait_common+0xed/0x1a0 [spl]
[4976916.149896]  [<ffffffff810913c0>] ? finish_task_switch+0x50/0xf0
[4976916.149900]  [<ffffffff81085510>] ? wake_up_atomic_t+0x30/0x30
[4976916.149909]  [<ffffffffa019ff25>] __cv_wait+0x15/0x20 [spl]
[4976916.149939]  [<ffffffffa02508fb>] traverse_prefetcher+0x9b/0x150 [zfs]
[4976916.149960]  [<ffffffffa0250ef9>] traverse_visitbp+0x2e9/0x6c0 [zfs]
[4976916.149977]  [<ffffffffa0238e29>] ? arc_read+0x549/0x8d0 [zfs]
[4976916.150000]  [<ffffffffa025102a>] traverse_visitbp+0x41a/0x6c0 [zfs]
[4976916.150020]  [<ffffffffa025102a>] traverse_visitbp+0x41a/0x6c0 [zfs]
[4976916.150041]  [<ffffffffa0251a55>] traverse_dnode+0x85/0x130 [zfs]
[4976916.150061]  [<ffffffffa0251114>] traverse_visitbp+0x504/0x6c0 [zfs]
[4976916.150082]  [<ffffffffa025102a>] traverse_visitbp+0x41a/0x6c0 [zfs]
[4976916.150102]  [<ffffffffa025102a>] traverse_visitbp+0x41a/0x6c0 [zfs]
[4976916.150122]  [<ffffffffa025102a>] traverse_visitbp+0x41a/0x6c0 [zfs]
[4976916.150142]  [<ffffffffa025102a>] traverse_visitbp+0x41a/0x6c0 [zfs]
[4976916.150162]  [<ffffffffa025102a>] traverse_visitbp+0x41a/0x6c0 [zfs]
[4976916.150182]  [<ffffffffa025102a>] traverse_visitbp+0x41a/0x6c0 [zfs]
[4976916.150203]  [<ffffffffa0251a55>] traverse_dnode+0x85/0x130 [zfs]
[4976916.150223]  [<ffffffffa02511c5>] traverse_visitbp+0x5b5/0x6c0 [zfs]
[4976916.150243]  [<ffffffffa0251993>] traverse_prefetch_thread+0x83/0xc0 [zfs]
[4976916.150263]  [<ffffffffa0250860>] ? dmu_recv_end+0x230/0x230 [zfs]
[4976916.150273]  [<ffffffffa019a6e7>] taskq_thread+0x237/0x4b0 [spl]
[4976916.150276]  [<ffffffff810913c0>] ? finish_task_switch+0x50/0xf0
[4976916.150281]  [<ffffffff81094520>] ? wake_up_state+0x20/0x20
[4976916.150290]  [<ffffffffa019a4b0>] ? taskq_cancel_id+0x1f0/0x1f0 [spl]
[4976916.150294]  [<ffffffff81084740>] kthread+0xc0/0xd0
[4976916.150298]  [<ffffffff81084680>] ? kthread_create_on_node+0x120/0x120
[4976916.150303]  [<ffffffff816f71ac>] ret_from_fork+0x7c/0xb0
[4976916.150307]  [<ffffffff81084680>] ? kthread_create_on_node+0x120/0x120
[5086717.983549] INFO: task spl_system_task:516 blocked for more than 120 seconds.
[5086717.983554] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
[5086717.983557] spl_system_task D ffff88103fcf4580     0   516      2 0x00000000
[5086717.983564]  ffff882025edf708 0000000000000046 ffff882025edffd8 0000000000014580
[5086717.983572]  ffff882025edffd8 0000000000014580 ffff8820268f8000 ffff8801e89776a8
[5086717.983577]  ffff8801e8977680 ffff8801e89776b0 0000000000000000 0000000000000002
[5086717.983582] Call Trace:
[5086717.983594]  [<ffffffff816ec5f9>] schedule+0x29/0x70
[5086717.983619]  [<ffffffffa019fe5d>] cv_wait_common+0xed/0x1a0 [spl]
[5086717.983624]  [<ffffffff81085510>] ? wake_up_atomic_t+0x30/0x30
[5086717.983632]  [<ffffffffa019ff25>] __cv_wait+0x15/0x20 [spl]
[5086717.983665]  [<ffffffffa02508fb>] traverse_prefetcher+0x9b/0x150 [zfs]
[5086717.983685]  [<ffffffffa0250ef9>] traverse_visitbp+0x2e9/0x6c0 [zfs]
[5086717.983703]  [<ffffffffa025102a>] traverse_visitbp+0x41a/0x6c0 [zfs]
[5086717.983721]  [<ffffffffa025102a>] traverse_visitbp+0x41a/0x6c0 [zfs]
[5086717.983739]  [<ffffffffa025102a>] traverse_visitbp+0x41a/0x6c0 [zfs]
[5086717.983757]  [<ffffffffa025102a>] traverse_visitbp+0x41a/0x6c0 [zfs]
[5086717.983786]  [<ffffffffa025102a>] traverse_visitbp+0x41a/0x6c0 [zfs]
[5086717.983803]  [<ffffffffa025102a>] traverse_visitbp+0x41a/0x6c0 [zfs]
[5086717.983821]  [<ffffffffa0251a55>] traverse_dnode+0x85/0x130 [zfs]
[5086717.983837]  [<ffffffffa02511c5>] traverse_visitbp+0x5b5/0x6c0 [zfs]
[5086717.983842]  [<ffffffff8109c4f0>] ? dequeue_task_fair+0x440/0x640
[5086717.983859]  [<ffffffffa0251993>] traverse_prefetch_thread+0x83/0xc0 [zfs]
[5086717.983876]  [<ffffffffa0250860>] ? dmu_recv_end+0x230/0x230 [zfs]
[5086717.983884]  [<ffffffffa019a6e7>] taskq_thread+0x237/0x4b0 [spl]
[5086717.983889]  [<ffffffff810913c0>] ? finish_task_switch+0x50/0xf0
[5086717.983893]  [<ffffffff81094520>] ? wake_up_state+0x20/0x20
[5086717.983900]  [<ffffffffa019a4b0>] ? taskq_cancel_id+0x1f0/0x1f0 [spl]
[5086717.983904]  [<ffffffff81084740>] kthread+0xc0/0xd0
[5086717.983908]  [<ffffffff81084680>] ? kthread_create_on_node+0x120/0x120
[5086717.983913]  [<ffffffff816f71ac>] ret_from_fork+0x7c/0xb0
[5086717.983916]  [<ffffffff81084680>] ? kthread_create_on_node+0x120/0x120
[5176839.482083] INFO: task spl_system_task:515 blocked for more than 120 seconds.
[5176839.482087] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
[5176839.482089] spl_system_task D ffff88103fcd4580     0   515      2 0x00000000
[5176839.482094]  ffff8820279dd4a8 0000000000000046 ffff8820279ddfd8 0000000000014580
[5176839.482101]  ffff8820279ddfd8 0000000000014580 ffff882027695dc0 ffff8812a9ee30a8
[5176839.482104]  ffff8812a9ee3080 ffff8812a9ee30b0 0000000000000000 0000000000000002
[5176839.482109] Call Trace:
[5176839.482118]  [<ffffffff816ec5f9>] schedule+0x29/0x70
[5176839.482149]  [<ffffffffa019fe5d>] cv_wait_common+0xed/0x1a0 [spl]
[5176839.482153]  [<ffffffff816eb513>] ? __mutex_lock_slowpath+0xb3/0x1c0
[5176839.482157]  [<ffffffff81085510>] ? wake_up_atomic_t+0x30/0x30
[5176839.482166]  [<ffffffffa019ff25>] __cv_wait+0x15/0x20 [spl]
[5176839.482196]  [<ffffffffa02508fb>] traverse_prefetcher+0x9b/0x150 [zfs]
[5176839.482218]  [<ffffffffa0250ef9>] traverse_visitbp+0x2e9/0x6c0 [zfs]
[5176839.482234]  [<ffffffffa0238e29>] ? arc_read+0x549/0x8d0 [zfs]
[5176839.482257]  [<ffffffffa025102a>] traverse_visitbp+0x41a/0x6c0 [zfs]
[5176839.482278]  [<ffffffffa025102a>] traverse_visitbp+0x41a/0x6c0 [zfs]
[5176839.482298]  [<ffffffffa0251a55>] traverse_dnode+0x85/0x130 [zfs]
[5176839.482319]  [<ffffffffa0251114>] traverse_visitbp+0x504/0x6c0 [zfs]
[5176839.482339]  [<ffffffffa025102a>] traverse_visitbp+0x41a/0x6c0 [zfs]
[5176839.482359]  [<ffffffffa025102a>] traverse_visitbp+0x41a/0x6c0 [zfs]
[5176839.482379]  [<ffffffffa025102a>] traverse_visitbp+0x41a/0x6c0 [zfs]
[5176839.482399]  [<ffffffffa025102a>] traverse_visitbp+0x41a/0x6c0 [zfs]
[5176839.482420]  [<ffffffffa025102a>] traverse_visitbp+0x41a/0x6c0 [zfs]
[5176839.482440]  [<ffffffffa025102a>] traverse_visitbp+0x41a/0x6c0 [zfs]
[5176839.482460]  [<ffffffffa0251a55>] traverse_dnode+0x85/0x130 [zfs]
[5176839.482480]  [<ffffffffa02511c5>] traverse_visitbp+0x5b5/0x6c0 [zfs]
[5176839.482501]  [<ffffffffa0251993>] traverse_prefetch_thread+0x83/0xc0 [zfs]
[5176839.482521]  [<ffffffffa0250860>] ? dmu_recv_end+0x230/0x230 [zfs]
[5176839.482530]  [<ffffffffa019a6e7>] taskq_thread+0x237/0x4b0 [spl]
[5176839.482535]  [<ffffffff810913c0>] ? finish_task_switch+0x50/0xf0
[5176839.482540]  [<ffffffff81094520>] ? wake_up_state+0x20/0x20
[5176839.482548]  [<ffffffffa019a4b0>] ? taskq_cancel_id+0x1f0/0x1f0 [spl]
[5176839.482553]  [<ffffffff81084740>] kthread+0xc0/0xd0
[5176839.482557]  [<ffffffff81084680>] ? kthread_create_on_node+0x120/0x120
[5176839.482563]  [<ffffffff816f71ac>] ret_from_fork+0x7c/0xb0
[5176839.482566]  [<ffffffff81084680>] ? kthread_create_on_node+0x120/0x120
[5258080.840717] INFO: task spl_system_task:510 blocked for more than 120 seconds.
[5258080.840721] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
[5258080.840723] spl_system_task D ffff88207fc34580     0   510      2 0x00000000
[5258080.840740]  ffff8820247fb550 0000000000000046 ffff8820247fbfd8 0000000000014580
[5258080.840746]  ffff8820247fbfd8 0000000000014580 ffff88202768ddc0 ffff8813d3a28da8
[5258080.840749]  ffff8813d3a28d80 ffff8813d3a28db0 0000000000000000 0000000000000002
[5258080.840753] Call Trace:
[5258080.840764]  [<ffffffff816ec5f9>] schedule+0x29/0x70
[5258080.840792]  [<ffffffffa019fe5d>] cv_wait_common+0xed/0x1a0 [spl]
[5258080.840797]  [<ffffffff81085510>] ? wake_up_atomic_t+0x30/0x30
[5258080.840805]  [<ffffffffa019ff25>] __cv_wait+0x15/0x20 [spl]
[5258080.840839]  [<ffffffffa02508fb>] traverse_prefetcher+0x9b/0x150 [zfs]
[5258080.840858]  [<ffffffffa0250ef9>] traverse_visitbp+0x2e9/0x6c0 [zfs]
[5258080.840875]  [<ffffffffa025102a>] traverse_visitbp+0x41a/0x6c0 [zfs]
[5258080.840893]  [<ffffffffa0251a55>] traverse_dnode+0x85/0x130 [zfs]
[5258080.840910]  [<ffffffffa0251114>] traverse_visitbp+0x504/0x6c0 [zfs]
[5258080.840927]  [<ffffffffa025102a>] traverse_visitbp+0x41a/0x6c0 [zfs]
[5258080.840944]  [<ffffffffa025102a>] traverse_visitbp+0x41a/0x6c0 [zfs]
[5258080.840961]  [<ffffffffa025102a>] traverse_visitbp+0x41a/0x6c0 [zfs]
[5258080.840978]  [<ffffffffa025102a>] traverse_visitbp+0x41a/0x6c0 [zfs]
[5258080.840995]  [<ffffffffa025102a>] traverse_visitbp+0x41a/0x6c0 [zfs]
[5258080.841011]  [<ffffffffa025102a>] traverse_visitbp+0x41a/0x6c0 [zfs]
[5258080.841028]  [<ffffffffa0251a55>] traverse_dnode+0x85/0x130 [zfs]
[5258080.841045]  [<ffffffffa02511c5>] traverse_visitbp+0x5b5/0x6c0 [zfs]
[5258080.841062]  [<ffffffffa0251993>] traverse_prefetch_thread+0x83/0xc0 [zfs]
[5258080.841079]  [<ffffffffa0250860>] ? dmu_recv_end+0x230/0x230 [zfs]
[5258080.841088]  [<ffffffffa019a6e7>] taskq_thread+0x237/0x4b0 [spl]
[5258080.841093]  [<ffffffff810913c0>] ? finish_task_switch+0x50/0xf0
[5258080.841098]  [<ffffffff81094520>] ? wake_up_state+0x20/0x20
[5258080.841105]  [<ffffffffa019a4b0>] ? taskq_cancel_id+0x1f0/0x1f0 [spl]
[5258080.841109]  [<ffffffff81084740>] kthread+0xc0/0xd0
[5258080.841113]  [<ffffffff81084680>] ? kthread_create_on_node+0x120/0x120
[5258080.841118]  [<ffffffff816f71ac>] ret_from_fork+0x7c/0xb0
[5258080.841121]  [<ffffffff81084680>] ? kthread_create_on_node+0x120/0x120
[5258200.842697] INFO: task spl_system_task:510 blocked for more than 120 seconds.
[5258200.842701] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
[5258200.842703] spl_system_task D ffff88207fc34580     0   510      2 0x00000000
[5258200.842708]  ffff8820247fb550 0000000000000046 ffff8820247fbfd8 0000000000014580
[5258200.842713]  ffff8820247fbfd8 0000000000014580 ffff88202768ddc0 ffff8813d3a28da8
[5258200.842716]  ffff8813d3a28d80 ffff8813d3a28db0 0000000000000000 0000000000000002
[5258200.842720] Call Trace:
[5258200.842730]  [<ffffffff816ec5f9>] schedule+0x29/0x70
[5258200.842755]  [<ffffffffa019fe5d>] cv_wait_common+0xed/0x1a0 [spl]
[5258200.842759]  [<ffffffff81085510>] ? wake_up_atomic_t+0x30/0x30
[5258200.842767]  [<ffffffffa019ff25>] __cv_wait+0x15/0x20 [spl]
[5258200.842797]  [<ffffffffa02508fb>] traverse_prefetcher+0x9b/0x150 [zfs]
[5258200.842816]  [<ffffffffa0250ef9>] traverse_visitbp+0x2e9/0x6c0 [zfs]
[5258200.842833]  [<ffffffffa025102a>] traverse_visitbp+0x41a/0x6c0 [zfs]
[5258200.842854]  [<ffffffffa0251a55>] traverse_dnode+0x85/0x130 [zfs]
[5258200.842871]  [<ffffffffa0251114>] traverse_visitbp+0x504/0x6c0 [zfs]
[5258200.842888]  [<ffffffffa025102a>] traverse_visitbp+0x41a/0x6c0 [zfs]
[5258200.842904]  [<ffffffffa025102a>] traverse_visitbp+0x41a/0x6c0 [zfs]
[5258200.842921]  [<ffffffffa025102a>] traverse_visitbp+0x41a/0x6c0 [zfs]
[5258200.842938]  [<ffffffffa025102a>] traverse_visitbp+0x41a/0x6c0 [zfs]
[5258200.842955]  [<ffffffffa025102a>] traverse_visitbp+0x41a/0x6c0 [zfs]
[5258200.842972]  [<ffffffffa025102a>] traverse_visitbp+0x41a/0x6c0 [zfs]
[5258200.842989]  [<ffffffffa0251a55>] traverse_dnode+0x85/0x130 [zfs]
[5258200.843005]  [<ffffffffa02511c5>] traverse_visitbp+0x5b5/0x6c0 [zfs]
[5258200.843022]  [<ffffffffa0251993>] traverse_prefetch_thread+0x83/0xc0 [zfs]
[5258200.843040]  [<ffffffffa0250860>] ? dmu_recv_end+0x230/0x230 [zfs]
[5258200.843048]  [<ffffffffa019a6e7>] taskq_thread+0x237/0x4b0 [spl]
[5258200.843052]  [<ffffffff810913c0>] ? finish_task_switch+0x50/0xf0
[5258200.843057]  [<ffffffff81094520>] ? wake_up_state+0x20/0x20
[5258200.843064]  [<ffffffffa019a4b0>] ? taskq_cancel_id+0x1f0/0x1f0 [spl]
[5258200.843068]  [<ffffffff81084740>] kthread+0xc0/0xd0
[5258200.843071]  [<ffffffff81084680>] ? kthread_create_on_node+0x120/0x120
[5258200.843076]  [<ffffffff816f71ac>] ret_from_fork+0x7c/0xb0
[5258200.843079]  [<ffffffff81084680>] ? kthread_create_on_node+0x120/0x120

ii dkms 2.2.0.3-1.1ubuntu4+zfs1saucy all Dynamic Kernel Module Support Framework
ii libzfs1 0.6.2-1~saucy amd64 Native ZFS filesystem library for Linux
ii mountall 2.51-zfs1 amd64 filesystem mounting tool
ii ubuntu-zfs 7saucy amd64 Native ZFS filesystem metapackage for Ubuntu.
ii zfs-dkms 0.6.2-1~saucy amd64 Native ZFS filesystem kernel modules for Linux
ii zfsutils 0.6.2-1~saucy amd64 Native ZFS management utilities for Linux

uname -a

Linux v302 3.11.0-15-generic #25-Ubuntu SMP Thu Jan 30 17:22:01 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux

@ryao

ryao commented May 16, 2014

@tuxoko Nice catch. The following are potentially affected:

  • diff_cb
  • backup_cb
  • zdb_blkptr_cb

@sopmot Your problem is issue #1948. The issue @tuxoko caught is unrelated.

@ryao

ryao commented May 16, 2014

I just deadlocked zfs send by killing it when investigating #1948:

Interestingly, backup_cb appears in the stack trace:

[<ffffffffa01848bd>] taskq_wait_id+0x4d/0x90 [spl]
[<ffffffffa0323a88>] spa_taskq_dispatch_sync+0x68/0x80 [zfs]
[<ffffffffa02f4092>] dump_bytes+0x42/0x50 [zfs]
[<ffffffffa02f4676>] backup_cb+0x3f6/0x6d0 [zfs]
[<ffffffffa02f77ed>] traverse_visitbp+0x2cd/0x740 [zfs]
[<ffffffffa02f82d5>] traverse_dnode+0x75/0x120 [zfs]
[<ffffffffa02f7a8c>] traverse_visitbp+0x56c/0x740 [zfs]
[<ffffffffa02f795b>] traverse_visitbp+0x43b/0x740 [zfs]
[<ffffffffa02f795b>] traverse_visitbp+0x43b/0x740 [zfs]
[<ffffffffa02f795b>] traverse_visitbp+0x43b/0x740 [zfs]
[<ffffffffa02f795b>] traverse_visitbp+0x43b/0x740 [zfs]
[<ffffffffa02f795b>] traverse_visitbp+0x43b/0x740 [zfs]
[<ffffffffa02f795b>] traverse_visitbp+0x43b/0x740 [zfs]
[<ffffffffa02f82d5>] traverse_dnode+0x75/0x120 [zfs]
[<ffffffffa02f7b51>] traverse_visitbp+0x631/0x740 [zfs]
[<ffffffffa02f7dd4>] traverse_impl+0x174/0x310 [zfs]
[<ffffffffa02f7fb4>] traverse_dataset+0x44/0x50 [zfs]
[<ffffffffa02f5553>] dmu_send_impl+0x393/0x4b0 [zfs]
[<ffffffffa02f616d>] dmu_send_obj+0xad/0x110 [zfs]
[<ffffffffa0352606>] zfs_ioc_send+0xa6/0x280 [zfs]
[<ffffffffa0355b26>] zfsdev_ioctl+0x486/0x4b0 [zfs]
[<ffffffff81179af0>] do_vfs_ioctl+0x300/0x520
[<ffffffff81179d51>] SyS_ioctl+0x41/0x80
[<ffffffff8141c05f>] tracesys+0xdd/0xe2
[<ffffffffffffffff>] 0xffffffffffffffff

@tuxoko

tuxoko commented May 19, 2014

@ryao
Actually, I think @behlendorf is right.
Only callers with TRAVERSE_POST would be affected by this.
There are only btree_visit_cb and kill_blkptr called with TRAVERSE_POST and they don't use dnp.

So we might want to just "fixed" this and close this issue.

@behlendorf

Closing. For the reason described in the previous comment.

@tuxoko

tuxoko commented Apr 26, 2015

@behlendorf
Actually fbeddd6, which was added after my comment, added a piece of code in traverse_visitbp referencing dnp. So I think this still needs to be addressed.

behlendorf pushed a commit to behlendorf/zfs that referenced this issue Apr 28, 2015
In traverse_visitbp(), the input argument dnp is modified in the middle to
point to a temporary buffer. Originally this doesn't matter, because no user
of TRAVERSE_POST dereferences it. However, in fbeddd6 a piece of code is added
dereferencing dnp after the modification, creating a possible bug.

We fix this by creating a new local variable cdnp for the DMU_OT_DNODE case,
so we don't modify the input argument. Also we introduce different local
variables in the DMU_OT_OBJSET case to prevent confusion between the input
argument.

Signed-off-by: Chunwei Chen <[email protected]>
Signed-off-by: Richard Yao <[email protected]>
Signed-off-by: Tim Chase <[email protected]>
Signed-off-by: Brian Behlendorf <[email protected]>
Closes openzfs#2060
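
A simplified model of the pattern the commit message above describes, as an added example that is not the ZFS source: `toy_buf_t`, `visit_buggy`, `visit_fixed` and the other names are hypothetical stand-ins, and dropping the buffer reference is simulated by poisoning the buffer rather than freeing it. It shows the POST callback receiving a pointer into the released buffer when the input argument is reassigned, and the caller's original pointer when a local `cdnp` is used instead.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Toy stand-ins (assumptions): not the real dnode_phys_t / arc_buf_t. */
typedef struct { int dn_type; } dnode_t;
typedef struct { dnode_t data[4]; bool released; } toy_buf_t;

/* Models dropping the buffer reference: contents are no longer valid. */
static void toy_buf_release(toy_buf_t *buf) {
    memset(buf->data, 0xdb, sizeof(buf->data));  /* poison instead of free() */
    buf->released = true;
}

typedef struct { const dnode_t *pre, *post; } seen_t;

/* Buggy shape: the input argument dnp is redirected into the temporary buffer. */
static void visit_buggy(const dnode_t *dnp, toy_buf_t *buf, seen_t *seen) {
    seen->pre = dnp;              /* PRE callback sees the caller's dnode */
    dnp = buf->data;              /* overwrites the input argument */
    for (size_t i = 0; i < 4; i++)
        (void)dnp[i].dn_type;     /* walk child dnodes while buf is held */
    toy_buf_release(buf);
    seen->post = dnp;             /* POST callback gets the stale pointer */
}

/* Fixed shape: a local cdnp walks the buffer; dnp is never reassigned. */
static void visit_fixed(const dnode_t *dnp, toy_buf_t *buf, seen_t *seen) {
    const dnode_t *cdnp = buf->data;
    seen->pre = dnp;
    for (size_t i = 0; i < 4; i++)
        (void)cdnp[i].dn_type;
    toy_buf_release(buf);
    seen->post = dnp;             /* still the caller's dnode */
}

/* True if p points at an element of a buffer that was already released. */
static bool points_into_released(const dnode_t *p, const toy_buf_t *buf) {
    for (size_t i = 0; i < 4; i++)
        if (p == &buf->data[i])
            return buf->released;
    return false;
}

/* Returns 1 if the POST callback would receive a dangling or changed dnp. */
int post_sees_dangling(int use_fixed) {
    dnode_t parent = { .dn_type = 7 };
    toy_buf_t buf = { .released = false };
    seen_t seen = { 0 };
    if (use_fixed) visit_fixed(&parent, &buf, &seen);
    else           visit_buggy(&parent, &buf, &seen);
    return points_into_released(seen.post, &buf) || seen.pre != seen.post;
}
```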
dasjoe pushed a commit to dasjoe/zfs that referenced this issue May 24, 2015