14982 zfs: Fix use-after-free in btree code

Reviewed by: Andy Stormont <andyjstormont@gmail.com> Reviewed by: Gordon Ross <Gordon.W.Ross@gmail.com> Reviewed by: Paul Zuchowski <p.zuchowski98@gmail.com> Approved by: Dan McDonald <danmcd@mnx.io>
author: Richard Yao <richard.yao@alumni.stonybrook.edu> 2022-09-12 14:22:15 -0400
committer: Toomas Soome <tsoome@me.com> 2022-12-02 23:11:30 +0200
commit: d80dfdaf76f414258d1bbd8ee0ffa6682fb15302 (patch)
tree: 8c89273cff1ea4ecfd72896ed6082b0cff2a5e25
parent: 616aa2dbfe5dffab5fbe77e81b10a221d2d2966a (diff)
download: illumos-gate-d80dfdaf76f414258d1bbd8ee0ffa6682fb15302.tar.gz
1 files changed, 2 insertions, 2 deletions
diff --git a/usr/src/uts/common/fs/zfs/btree.c b/usr/src/uts/common/fs/zfs/btree.c
index be6d08c26d..c48a5722c5 100644
--- a/usr/src/uts/common/fs/zfs/btree.c
+++ b/usr/src/uts/common/fs/zfs/btree.c
@@ -1608,8 +1608,8 @@ zfs_btree_remove_from_node(zfs_btree_t *tree, zfs_btree_core_t *node,
 	zfs_btree_poison_node_at(tree, keep_hdr, keep_hdr->bth_count, 1);
 
 	new_rm_hdr->bth_count = 0;
-	zfs_btree_node_destroy(tree, new_rm_hdr);
 	zfs_btree_remove_from_node(tree, parent, new_rm_hdr);
+	zfs_btree_node_destroy(tree, new_rm_hdr);
 }
 
 /* Remove the element at the specific location. */
@@ -1817,10 +1817,10 @@ zfs_btree_remove_idx(zfs_btree_t *tree, zfs_btree_index_t *where)
 
 	/* Move our elements to the left neighbor. */
 	bt_transfer_leaf(tree, rm, 0, rm_hdr->bth_count, keep, k_count + 1);
-	zfs_btree_node_destroy(tree, rm_hdr);
 
 	/* Remove the emptied node from the parent. */
 	zfs_btree_remove_from_node(tree, parent, rm_hdr);
+	zfs_btree_node_destroy(tree, rm_hdr);
 	zfs_btree_verify(tree);
 }
author	Richard Yao <richard.yao@alumni.stonybrook.edu>	2022-09-12 14:22:15 -0400
committer	Toomas Soome <tsoome@me.com>	2022-12-02 23:11:30 +0200
commit	d80dfdaf76f414258d1bbd8ee0ffa6682fb15302 (patch)
tree	8c89273cff1ea4ecfd72896ed6082b0cff2a5e25
parent	616aa2dbfe5dffab5fbe77e81b10a221d2d2966a (diff)
download	illumos-gate-d80dfdaf76f414258d1bbd8ee0ffa6682fb15302.tar.gz