Fix use-afer-free regression in RAIDZ expansion

We should not dereference rra after the last zio_nowait() is called. It seems very unlikely, but ASAN in ztest managed to catch it. Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov> Signed-off-by: Alexander Motin <mav@FreeBSD.org> Sponsored by: iXsystems, Inc. Closes #16868
2025-04-28 16:17:31 +00:00 · 2024-12-14 17:02:11 -05:00 · 2024-12-14 17:02:11 -05:00 · 696943533c
commit 696943533c
parent 2284a61129
1 changed files with 2 additions and 2 deletions
--- a/module/zfs/vdev_raidz.c
+++ b/module/zfs/vdev_raidz.c
@ -3914,8 +3914,8 @@ raidz_reflow_read_done(zio_t *zio)
 	if (atomic_dec_32_nv(&rra->rra_tbd) > 0)
 		return;
-	rra->rra_tbd = rra->rra_writes;
+	uint32_t writes = rra->rra_tbd = rra->rra_writes;
-	for (uint64_t i = 0; i < rra->rra_writes; i++)
+	for (uint64_t i = 0; i < writes; i++)
 		zio_nowait(rra->rra_zio[i]);
 }