Fix ARC pointer overrun

Only access the `b_crypt_hdr` field of an ARC header if the content
is encrypted.

Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Tom Caputi <tcaputi@datto.com>
Reviewed-by: George Melikov <mail@gmelikov.ru>
Reviewed-by: Giuseppe Di Natale <dinatale2@llnl.gov>
Signed-off-by: DHE <git@dehacked.net>
Closes #6877

diff --git a/module/zfs/arc.c b/module/zfs/arc.c
index 6983576321d7d7e15fcd462862090a950b14218c..10b1c60d538660b78c530451556acfcbfdf03cb4 100644 (file)
--- a/module/zfs/arc.c
+++ b/module/zfs/arc.c
@@ -3155,17 +3155,19 @@ arc_buf_destroy_impl(arc_buf_t *buf)
                ASSERT(hdr->b_l1hdr.b_bufcnt > 0);
                hdr->b_l1hdr.b_bufcnt -= 1;
 
-               if (ARC_BUF_ENCRYPTED(buf))
+               if (ARC_BUF_ENCRYPTED(buf)) {
                        hdr->b_crypt_hdr.b_ebufcnt -= 1;
 
-               /*
-                * If we have no more encrypted buffers and we've already
-                * gotten a copy of the decrypted data we can free b_rabd to
-                * save some space.
-                */
-               if (hdr->b_crypt_hdr.b_ebufcnt == 0 && HDR_HAS_RABD(hdr) &&
-                   hdr->b_l1hdr.b_pabd != NULL && !HDR_IO_IN_PROGRESS(hdr)) {
-                       arc_hdr_free_abd(hdr, B_TRUE);
+                       /*
+                        * If we have no more encrypted buffers and we've
+                        * already gotten a copy of the decrypted data we can
+                        * free b_rabd to save some space.
+                        */
+                       if (hdr->b_crypt_hdr.b_ebufcnt == 0 &&
+                           HDR_HAS_RABD(hdr) && hdr->b_l1hdr.b_pabd != NULL &&
+                           !HDR_IO_IN_PROGRESS(hdr)) {
+                               arc_hdr_free_abd(hdr, B_TRUE);
+                       }
                }
        }