From: Brian Behlendorf
Date: Wed, 12 Sep 2012 18:16:08 +0000 (-0700)
Subject: Move iput() after zfs_inode_update()
X-Git-Tag: zfs-0.6.0-rc11~8
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=5915791096e6b5be0bad7d2e3f683b4e7908cf19;p=zfs

Move iput() after zfs_inode_update()

When replaying an unlink/remove operation via zfs_rmdir() the object being removed will be instantiated by a call to zfs_dirent_lock(). This means that there is a single reference protecting the object. Right before the call to zfs_inode_update() this reference is dropped which may cause the object to be destroyed. This will result in a NULL dereference as shown by the stack trace in issue #782.

This likely isn't an issue during normal operation because there is always an additional reference held on the object by the VFS.

Signed-off-by: Brian Behlendorf
Closes #782
---
diff --git a/module/zfs/zfs_vnops.c b/module/zfs/zfs_vnops.c index 75614340f..300330231 100644 --- a/module/zfs/zfs_vnops.c +++ b/module/zfs/zfs_vnops.c @@ -1900,13 +1900,13 @@ top: out: zfs_dirent_unlock(dl); + zfs_inode_update(dzp); + zfs_inode_update(zp); iput(ip); if (zsb->z_os->os_sync == ZFS_SYNC_ALWAYS) zil_commit(zilog, 0); - zfs_inode_update(dzp); - zfs_inode_update(zp); ZFS_EXIT(zsb); return (error); }
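Review bot: the reordering in the `out:` block fixes the use-after-free, but nothing in the code itself records why `zfs_inode_update(zp)` must now come before `iput(ip)`, so a later cleanup could move the update back next to `zil_commit()` and reintroduce the crash from #782. Suggest a short comment above the two moved calls, for example `/* iput() may drop the last reference to ip during ZIL replay; do not touch zp after it. */`, placed where `+ zfs_inode_update(dzp);` is inserted. Also worth stating in the commit message whether moving `zfs_inode_update(dzp)` is required by the bug or is just kept alongside `zp` for symmetry; the description only explains the hazard for the object being removed, and a reader of the hunk cannot tell which of the two moves is load-bearing. The new order itself is safe as far as the visible lines show: both updates now run while the reference from `zfs_dirent_lock()` is still held, and `zil_commit()` and `ZFS_EXIT()` do not depend on them.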