Illumos #1475: zfs spill block hold can access invalid spill blkptr
Reviewed by: Dan McDonald <[email protected]>
Reviewed by: Gordon Ross <[email protected]>
Reviewed by: Matthew Ahrens <[email protected]>
Reviewed by: George Wilson <[email protected]>
Approved by: Garrett D'Amore <[email protected]>

References to Illumos issue:
  https://www.illumos.org/issues/1475

Ported-by: Richard Yao <[email protected]>
Signed-off-by: Brian Behlendorf <[email protected]>
Closes #648
trisk authored and behlendorf committed Apr 11, 2012
1 parent 5ffb9d1 commit 22cd4a4
Showing 1 changed file with 14 additions and 10 deletions.
24 changes: 14 additions & 10 deletions module/zfs/dmu_tx.c
@@ -21,6 +21,9 @@
/*
* Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved.
*/
/*
* Copyright 2011 Nexenta Systems, Inc. All rights reserved.
*/

#include <sys/dmu.h>
#include <sys/dmu_impl.h>
@@ -693,6 +696,8 @@ dmu_tx_hold_zap(dmu_tx_t *tx, uint64_t object, int add, const char *name)
ASSERT3P(dmu_ot[dn->dn_type].ot_byteswap, ==, zap_byteswap);

if (dn->dn_maxblkid == 0 && !add) {
blkptr_t *bp;

/*
* If there is only one block (i.e. this is a micro-zap)
* and we are not adding anything, the accounting is simple.
@@ -707,14 +712,13 @@ dmu_tx_hold_zap(dmu_tx_t *tx, uint64_t object, int add, const char *name)
* Use max block size here, since we don't know how much
* the size will change between now and the dbuf dirty call.
*/
bp = &dn->dn_phys->dn_blkptr[0];
if (dsl_dataset_block_freeable(dn->dn_objset->os_dsl_dataset,
&dn->dn_phys->dn_blkptr[0],
dn->dn_phys->dn_blkptr[0].blk_birth)) {
bp, bp->blk_birth))
txh->txh_space_tooverwrite += SPA_MAXBLOCKSIZE;
} else {
else
txh->txh_space_towrite += SPA_MAXBLOCKSIZE;
}
if (dn->dn_phys->dn_blkptr[0].blk_birth)
if (!BP_IS_HOLE(bp))
txh->txh_space_tounref += SPA_MAXBLOCKSIZE;
return;
}
@@ -1300,7 +1304,6 @@ dmu_tx_hold_spill(dmu_tx_t *tx, uint64_t object)
{
dnode_t *dn;
dmu_tx_hold_t *txh;
blkptr_t *bp;

txh = dmu_tx_hold_object_impl(tx, tx->tx_objset, object,
THT_SPILL, 0, 0);
@@ -1311,17 +1314,18 @@ dmu_tx_hold_spill(dmu_tx_t *tx, uint64_t object)
return;

/* If blkptr doesn't exist then add space to towrite */
bp = &dn->dn_phys->dn_spill;
if (BP_IS_HOLE(bp)) {
if (!(dn->dn_phys->dn_flags & DNODE_FLAG_SPILL_BLKPTR)) {
txh->txh_space_towrite += SPA_MAXBLOCKSIZE;
txh->txh_space_tounref = 0;
} else {
blkptr_t *bp;

bp = &dn->dn_phys->dn_spill;
if (dsl_dataset_block_freeable(dn->dn_objset->os_dsl_dataset,
bp, bp->blk_birth))
txh->txh_space_tooverwrite += SPA_MAXBLOCKSIZE;
else
txh->txh_space_towrite += SPA_MAXBLOCKSIZE;
if (bp->blk_birth)
if (!BP_IS_HOLE(bp))
txh->txh_space_tounref += SPA_MAXBLOCKSIZE;
}
}
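Review bot: The comment kept above the new `DNODE_FLAG_SPILL_BLKPTR` test in dmu_tx_hold_spill ("If blkptr doesn't exist then add space to towrite") does not say why the flag, rather than `BP_IS_HOLE()` on `dn_spill`, is the existence check. Without that, a later cleanup could move the `bp = &dn->dn_phys->dn_spill` read back above the test and reintroduce the invalid spill blkptr access named in the commit title. I would extend the comment to something like `/* dn_spill is only valid when DNODE_FLAG_SPILL_BLKPTR is set; never inspect it before checking the flag. */`. The part of dmu_tx_hold_spill between its two hunks is not shown on this page, so whether `dn->dn_phys` is read under a lock there cannot be judged from here and is worth confirming.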