From ff6266ee9bd0d6a59355b9980345819e6f68b50b Mon Sep 17 00:00:00 2001
From: Alexander Motin
Date: Sat, 14 Dec 2024 17:02:11 -0500
Subject: [PATCH] Fix use-afer-free regression in RAIDZ expansion
We should not dereference rra after the last zio_nowait() is called. It seems very unlikely, but ASAN in ztest managed to catch it.
Reviewed-by: Brian Behlendorf
Signed-off-by: Alexander Motin
Sponsored by: iXsystems, Inc.
Closes #16868
---
 module/zfs/vdev_raidz.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/module/zfs/vdev_raidz.c b/module/zfs/vdev_raidz.c
index e4487c485..6103f780e 100644
--- a/module/zfs/vdev_raidz.c
+++ b/module/zfs/vdev_raidz.c
@@ -3914,8 +3914,8 @@ raidz_reflow_read_done(zio_t *zio)
 if (atomic_dec_32_nv(&rra->rra_tbd) > 0)
 return;
- rra->rra_tbd = rra->rra_writes;
- for (uint64_t i = 0; i < rra->rra_writes; i++)
+ uint32_t writes = rra->rra_tbd = rra->rra_writes;
+ for (uint64_t i = 0; i < writes; i++)
 zio_nowait(rra->rra_zio[i]);
 }
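Review bot: The new local on the `uint32_t writes = rra->rra_tbd = rra->rra_writes;` line carries the whole fix but has no comment, so a later cleanup could fold it back into `i < rra->rra_writes` and reintroduce the use-after-free. I would add above it something like `/* Snapshot the count: rra may be freed once the last zio_nowait() below is issued, so the loop condition must not read it. */`. The loop body still reads `rra->rra_zio[i]`, which looks safe only because each read precedes the matching zio_nowait() and, presumably, rra is released only after every write has completed; the free path is not visible in this hunk, so that assumption is worth stating in the comment as well. Splitting the chained assignment into two statements would also make the store to `rra_tbd` easier to spot. raidz_reflow_read_done() starts outside the hunk.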