From: Roman Strashkin <Ramzec@users.noreply.github.com>
Date: Fri, 22 Mar 2019 20:11:36 +0000 (+0300)
Subject: Panic when running 'zpool split'
X-Git-Tag: zfs-0.8.0~108
X-Git-Url: https://git.proxmox.com/?a=commitdiff_plain;h=234234ca4de9b2121f69d2cd3b2928197234336d;p=mirror_zfs.git

Panic when running 'zpool split'

Added missing remove of detachable VDEV from txg's DTL list
to avoid use-after-free for the split VDEV

Reviewed by: Pavel Zakharov <pavel.zakharov@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Jorgen Lundman <lundman@lundman.net>
Signed-off-by: Roman Strashkin <roman.strashkin@nexenta.com>
Closes #5565
Closes #7856
---

diff --git a/module/zfs/spa.c b/module/zfs/spa.c
index 9d798ebac..71744139e 100644
--- a/module/zfs/spa.c
+++ b/module/zfs/spa.c
@@ -6842,6 +6842,18 @@ spa_vdev_split_mirror(spa_t *spa, char *newname, nvlist_t *config,
 		dmu_tx_abort(tx);
 	for (c = 0; c < children; c++) {
 		if (vml[c] != NULL) {
+			vdev_t *tvd = vml[c]->vdev_top;
+
+			/*
+			 * Need to be sure the detachable VDEV is not
+			 * on any *other* txg's DTL list to prevent it
+			 * from being accessed after it's freed.
+			 */
+			for (int t = 0; t < TXG_SIZE; t++) {
+				(void) txg_list_remove_this(
+				    &tvd->vdev_dtl_list, vml[c], t);
+			}
+
 			vdev_split(vml[c]);
 			if (error == 0)
 				spa_history_log_internal(spa, "detach", tx,