From: Chunwei Chen <david.chen@osnexus.com>
Date: Sat, 28 May 2016 00:28:12 +0000 (-0700)
Subject: Fix use-after-free in splat_taskq_test7
X-Git-Tag: spl-0.7.12~105
X-Git-Url: https://git.proxmox.com/?a=commitdiff_plain;h=ea5f1a200b974c8fdd51993c282d8ae0dc2aa871;p=mirror_spl.git

Fix use-after-free in splat_taskq_test7

This splat_vprint is using tq_arg->name after tq_arg is freed.

Signed-off-by: Chunwei Chen <david.chen@osnexus.com>
Signed-off-by: Brian Behlendorf <behlendorf1@llnl.gov>
Closes #557
---

diff --git a/module/splat/splat-taskq.c b/module/splat/splat-taskq.c
index 8f06f41..f26f828 100644
--- a/module/splat/splat-taskq.c
+++ b/module/splat/splat-taskq.c
@@ -1040,11 +1040,12 @@ splat_taskq_test7_impl(struct file *file, void *arg, boolean_t prealloc)
 
 	error = (tq_arg->depth == SPLAT_TASKQ_DEPTH_MAX ? 0 : -EINVAL);
 
+	splat_vprint(file, SPLAT_TASKQ_TEST7_NAME,
+	              "Taskq '%s' destroying\n", tq_arg->name);
+
 	kmem_free(tqe, sizeof (taskq_ent_t));
 	kmem_free(tq_arg, sizeof (splat_taskq_arg_t));
 
-	splat_vprint(file, SPLAT_TASKQ_TEST7_NAME,
-	              "Taskq '%s' destroying\n", tq_arg->name);
 	taskq_destroy(tq);
 
 	return (error);