Fix zfs_allow_log_destroy() NULL dereference

In zfs_ioc_log_history() function the tsd_set() function is called
with NULL which causes the zfs_allow_log_destroy() to be run.  In
this case the passed value will be NULL.  This is normally entirely
safe because strfree() maps directly to kfree() which may be passed
a NULL.  However, since alternate implementations of strfree() may
not handle this gracefully add a check for NULL.

Observed under an embedded Linux 2.6.32.41 kernel running the
automated testing while running the ZFS Test Suite.

Signed-off-by: caoxuewen <cao.xuewen@zte.com.cn>
Signed-off-by: Brian Behlendorf <behlendorf1@llnl.gov>
Closes #4872

diff --git a/module/zfs/zfs_ioctl.c b/module/zfs/zfs_ioctl.c
index 3cd3628ce616db37d39f2cd58857f8f3dacef064..8e187d59ce99abfd4b0c51a5aa8c198f15cb2ba6 100644 (file)
--- a/module/zfs/zfs_ioctl.c
+++ b/module/zfs/zfs_ioctl.c
@@ -3345,6 +3345,8 @@ zfs_ioc_log_history(const char *unused, nvlist_t *innvl, nvlist_t *outnvl)
         * we clear the TSD here.
         */
        poolname = tsd_get(zfs_allow_log_key);
+       if (poolname == NULL)
+               return (SET_ERROR(EINVAL));
        (void) tsd_set(zfs_allow_log_key, NULL);
        error = spa_open(poolname, &spa, FTAG);
        strfree(poolname);
@@ -6297,7 +6299,9 @@ static void
 zfs_allow_log_destroy(void *arg)
 {
        char *poolname = arg;
-       strfree(poolname);
+
+       if (poolname != NULL)
+               strfree(poolname);
 }
 
 #ifdef DEBUG