From 4a98780933fd0510b00a560f6e4e1e4fa79a50ac Mon Sep 17 00:00:00 2001 From: Brian Behlendorf Date: Mon, 4 Dec 2017 11:44:39 -0800 Subject: [PATCH] Preserve itx alloc size for zio_data_buf_free() Using zio_data_buf_alloc() to allocate the itx's may be unsafe because the itx->itx_lr.lrc_reclen field is not constant from allocation to free. Using a different itx->itx_lr.lrc_reclen size in zio_data_buf_free() can result in the allocation being returned to the wrong kmem cache. This issue can be avoided entirely by storing the allocation size in itx->itx_size and using that for zio_data_buf_free(). Reviewed by: Prakash Surya Signed-off-by: Brian Behlendorf Closes #6912 --- include/sys/zil.h | 1 + module/zfs/zil.c | 7 +++++-- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/include/sys/zil.h b/include/sys/zil.h index 95fd324b4..020a0b10f 100644 --- a/include/sys/zil.h +++ b/include/sys/zil.h @@ -394,6 +394,7 @@ typedef struct itx { uint8_t itx_sync; /* synchronous transaction */ zil_callback_t itx_callback; /* Called when the itx is persistent */ void *itx_callback_data; /* User data for the callback */ + size_t itx_size; /* allocated itx structure size */ uint64_t itx_oid; /* object id */ lr_t itx_lr; /* common part of log record */ /* followed by type-specific part of lr_xx_t and its immediate data */ diff --git a/module/zfs/zil.c b/module/zfs/zil.c index 6a1f190f5..4d714cefc 100644 --- a/module/zfs/zil.c +++ b/module/zfs/zil.c @@ -1214,17 +1214,20 @@ cont: itx_t * zil_itx_create(uint64_t txtype, size_t lrsize) { + size_t itxsize; itx_t *itx; lrsize = P2ROUNDUP_TYPED(lrsize, sizeof (uint64_t), size_t); + itxsize = offsetof(itx_t, itx_lr) + lrsize; - itx = zio_data_buf_alloc(offsetof(itx_t, itx_lr) + lrsize); + itx = zio_data_buf_alloc(itxsize); itx->itx_lr.lrc_txtype = txtype; itx->itx_lr.lrc_reclen = lrsize; itx->itx_lr.lrc_seq = 0; /* defensive */ itx->itx_sync = B_TRUE; /* default is synchronous */ itx->itx_callback = NULL; itx->itx_callback_data = NULL; + itx->itx_size = itxsize; return (itx); } @@ -1232,7 +1235,7 @@ zil_itx_create(uint64_t txtype, size_t lrsize) void zil_itx_destroy(itx_t *itx) { - zio_data_buf_free(itx, offsetof(itx_t, itx_lr)+itx->itx_lr.lrc_reclen); + zio_data_buf_free(itx, itx->itx_size); } /*