Linux: Defer loading the object set in zfs_setattr()

We need to wait until after having done a zfs_enter() to load some
fields from the zfsvfs structure.  Otherwise a use-after-free is
possible in the face of a concurrent rollback.

Other functions in this file are careful to avoid this bug, I believe
this is the only instance.

Reviewed-by: Brian Atkinson <batkinson@lanl.gov>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Signed-off-by: Mark Johnston <markj@FreeBSD.org>
Closes #15752

diff --git a/module/os/linux/zfs/zfs_vnops_os.c b/module/os/linux/zfs/zfs_vnops_os.c
index 10162f62cda296bec68bb214f1b102d4af4777c9..2a766a585b708487301e73ac52f34d2e3f83f5b5 100644 (file)
--- a/module/os/linux/zfs/zfs_vnops_os.c
+++ b/module/os/linux/zfs/zfs_vnops_os.c
@@ -1856,7 +1856,7 @@ zfs_setattr(znode_t *zp, vattr_t *vap, int flags, cred_t *cr, zidmap_t *mnt_ns)
 {
        struct inode    *ip;
        zfsvfs_t        *zfsvfs = ZTOZSB(zp);
-       objset_t        *os = zfsvfs->z_os;
+       objset_t        *os;
        zilog_t         *zilog;
        dmu_tx_t        *tx;
        vattr_t         oldva;
@@ -1888,6 +1888,7 @@ zfs_setattr(znode_t *zp, vattr_t *vap, int flags, cred_t *cr, zidmap_t *mnt_ns)
        if ((err = zfs_enter_verify_zp(zfsvfs, zp, FTAG)) != 0)
                return (err);
        ip = ZTOI(zp);
+       os = zfsvfs->z_os;
 
        /*
         * If this is a xvattr_t, then get a pointer to the structure of