From: Brian Behlendorf <behlendorf1@llnl.gov>
Date: Thu, 3 Apr 2014 21:26:16 +0000 (-0700)
Subject: Revert "Fixed a use-after-free bug in zfs_zget()."
X-Git-Tag: zfs-0.6.3~64
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=8ac67298b175f98de07e040456d0fe7b1841a5eb;p=zfs

Revert "Fixed a use-after-free bug in zfs_zget()."

This reverts commit 36df284366caa77cb40083d2e6bcce02274e2f05.

Signed-off-by: Brian Behlendorf <behlendorf1@llnl.gov>
---

diff --git a/module/zfs/zfs_znode.c b/module/zfs/zfs_znode.c
index 5e9941034..9e2afc161 100644
--- a/module/zfs/zfs_znode.c
+++ b/module/zfs/zfs_znode.c
@@ -859,19 +859,14 @@ zfs_zget(zfs_sb_t *zsb, uint64_t obj_num, znode_t **zpp)
 	znode_t		*zp;
 	int err;
 	sa_handle_t	*hdl;
-	struct inode	*ip;
 
 	*zpp = NULL;
 
-again:
-	ip = ilookup(zsb->z_sb, obj_num);
-
 	ZFS_OBJ_HOLD_ENTER(zsb, obj_num);
 
 	err = sa_buf_hold(zsb->z_os, obj_num, NULL, &db);
 	if (err) {
 		ZFS_OBJ_HOLD_EXIT(zsb, obj_num);
-		iput(ip);
 		return (err);
 	}
 
@@ -882,28 +877,14 @@ again:
 	    doi.doi_bonus_size < sizeof (znode_phys_t)))) {
 		sa_buf_rele(db, NULL);
 		ZFS_OBJ_HOLD_EXIT(zsb, obj_num);
-		iput(ip);
 		return (SET_ERROR(EINVAL));
 	}
 
 	hdl = dmu_buf_get_user(db);
 	if (hdl != NULL) {
-		if (ip == NULL) {
-			/*
-			 * ilookup returned NULL, which means
-			 * the znode is dying - but the SA handle isn't
-			 * quite dead yet, we need to drop any locks
-			 * we're holding, re-schedule the task and try again.
-			 */
-			sa_buf_rele(db, NULL);
-			ZFS_OBJ_HOLD_EXIT(zsb, obj_num);
-
-			schedule();
-			goto again;
-		}
-
 		zp = sa_get_userdata(hdl);
 
+
 		/*
 		 * Since "SA" does immediate eviction we
 		 * should never find a sa handle that doesn't
@@ -924,12 +905,9 @@ again:
 		sa_buf_rele(db, NULL);
 		mutex_exit(&zp->z_lock);
 		ZFS_OBJ_HOLD_EXIT(zsb, obj_num);
-		iput(ip);
 		return (err);
 	}
 
-	ASSERT3P(ip, ==, NULL);
-
 	/*
 	 * Not found create new znode/vnode but only if file exists.
 	 *