From: Brian Behlendorf <behlendorf1@llnl.gov>
Date: Tue, 19 Jan 2016 18:41:21 +0000 (-0800)
Subject: Close possible zfs_znode_held() race
X-Git-Tag: zfs-0.7.0-rc1~280
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=37c56346cca55f60e36bb584e00966bba24af327;p=zfs

Close possible zfs_znode_held() race

Check if the lock is held while holding the z_hold_locks() lock.
This prevents a possible use-after-free bug for callers which are
not holding the lock.  There currently are no such callers so this
can't cause a problem today but it has been fixed regardless.

Signed-off-by: Brian Behlendorf <behlendorf1@llnl.gov>
Signed-off-by: Chunwei Chen <tuxoko@gmail.com>
Closes #4244
Issue #4124
---

diff --git a/module/zfs/zfs_znode.c b/module/zfs/zfs_znode.c
index 03274a9b9..e4bd62fd2 100644
--- a/module/zfs/zfs_znode.c
+++ b/module/zfs/zfs_znode.c
@@ -248,17 +248,16 @@ zfs_znode_held(zfs_sb_t *zsb, uint64_t obj)
 {
 	znode_hold_t *zh, search;
 	int i = ZFS_OBJ_HASH(zsb, obj);
+	boolean_t held;
 
 	search.zh_obj = obj;
 
 	mutex_enter(&zsb->z_hold_locks[i]);
 	zh = avl_find(&zsb->z_hold_trees[i], &search, NULL);
+	held = (zh && MUTEX_HELD(&zh->zh_lock)) ? B_TRUE : B_FALSE;
 	mutex_exit(&zsb->z_hold_locks[i]);
 
-	if (zh && MUTEX_HELD(&zh->zh_lock))
-		return (B_TRUE);
-
-	return (B_FALSE);
+	return (held);
 }
 
 static znode_hold_t *