Fix use after free regression in spa_remove_healed_errors()

6839ec6f1098c28ff7b772f1b31b832d05e6b567 placed code in
spa_remove_healed_errors() that uses a pointer after the kmem_free()
call that frees it.

Reported-by: Coverity (CID-1562375)
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: George Amanakis <gamanakis@gmail.com>
Signed-off-by: Richard Yao <richard.yao@alumni.stonybrook.edu>
Closes #14860

diff --git a/module/zfs/spa_errlog.c b/module/zfs/spa_errlog.c
index 31719063a227d9de38cbd27d9b9788c79d027af4..5fe35278683a7cfe96d661e1290e06fd6050afd7 100644 (file)
--- a/module/zfs/spa_errlog.c
+++ b/module/zfs/spa_errlog.c
@@ -683,7 +683,6 @@ spa_remove_healed_errors(spa_t *spa, avl_tree_t *s, avl_tree_t *l, dmu_tx_t *tx)
            &cookie)) != NULL) {
                remove_error_from_list(spa, s, &se->se_bookmark);
                remove_error_from_list(spa, l, &se->se_bookmark);
-               kmem_free(se, sizeof (spa_error_entry_t));
 
                if (!spa_feature_is_enabled(spa, SPA_FEATURE_HEAD_ERRLOG)) {
                        bookmark_to_name(&se->se_bookmark, name, sizeof (name));
@@ -713,6 +712,7 @@ spa_remove_healed_errors(spa_t *spa, avl_tree_t *s, avl_tree_t *l, dmu_tx_t *tx)
                        }
                        zap_cursor_fini(&zc);
                }
+               kmem_free(se, sizeof (spa_error_entry_t));
        }
 }