]> granicus.if.org Git - zfs/commitdiff
Fix use-after-free in splat_taskq_test7
authorChunwei Chen <david.chen@osnexus.com>
Sat, 28 May 2016 00:28:12 +0000 (17:28 -0700)
committerBrian Behlendorf <behlendorf1@llnl.gov>
Tue, 31 May 2016 18:58:42 +0000 (11:58 -0700)
This splat_vprint is using tq_arg->name after tq_arg is freed.

Signed-off-by: Chunwei Chen <david.chen@osnexus.com>
Signed-off-by: Brian Behlendorf <behlendorf1@llnl.gov>
Closes #557

module/splat/splat-taskq.c

index 8f06f413d5bc95d60cc9fc906a86ff193218713e..f26f828d960a878a3c9fcc7b27e7a8669a68fb98 100644 (file)
@@ -1040,11 +1040,12 @@ splat_taskq_test7_impl(struct file *file, void *arg, boolean_t prealloc)
 
        error = (tq_arg->depth == SPLAT_TASKQ_DEPTH_MAX ? 0 : -EINVAL);
 
+       splat_vprint(file, SPLAT_TASKQ_TEST7_NAME,
+                     "Taskq '%s' destroying\n", tq_arg->name);
+
        kmem_free(tqe, sizeof (taskq_ent_t));
        kmem_free(tq_arg, sizeof (splat_taskq_arg_t));
 
-       splat_vprint(file, SPLAT_TASKQ_TEST7_NAME,
-                     "Taskq '%s' destroying\n", tq_arg->name);
        taskq_destroy(tq);
 
        return (error);